Hi Robert,

Can you please look into the workflow via the UI and check if you can
see the "signer certificate" in the workflow?
If not, check if the Issuing CA you used is in /etc/openxpki/tls/chain/
and the symlink with the hash value exists for it. To check if Apache is
set up properly, run

openssl s_client -connect localhost:8443 

and look for the line "Acceptable client certificate CA names"; the
issuing CA of your client certificate should be listed here.

The log line with the Anonymous login is OK; the connection to the server
from the EST process is done with the anonymous System stack, and the
authentication certificate is passed in as a parameter. If this all does
not help, raise the log level to debug in "est/log.conf" (restart
Apache) and check the logfile for what is coming into the system.

Oliver

On 09.08.21 at 15:28, Robert Krahl wrote:
> Hello everyone,
>
> I am currently trying my best with OpenXPKI.
> More precisely, I want to use EST to automatically issue or renew
> certificates.
> Regarding the deployment, I have made use of the docker resource and
> the shell script "sampleconfig.sh". So far so good.
> I have made some adjustments to the file "est/default.yaml".
> I have modified the following:
>
>       allow_anon_enroll: 0
>       approval_points: 0
>
> This should allow only authenticated EST queries to get through and
> then be processed automatically.
>
> Now I have created a keypair using OpenSSL:
>
>      > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tls cert" -keyout tls.key -out tls.csr
>
> I then used the generated "tls.csr" and the Web-GUI to create a
> certificate ("tls.crt") in PEM format (Certificate Profile: TLS
> Client; Application Name: pkiclient).
> Now I have created another keypair:
>
>      > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test cert" -keyout test.key -outform der -out - | base64 > test.pem
>
> The next thing I'm trying to do is make an authenticated EST query
> using Curl and the artifacts I've created:
>
>      > curl -v -k -H "Content-Type: application/pkcs10" --data @test.pem --key tls.key --cert tls.crt https://localhost:8443/.well-known/est/simpleenroll -o device.b64
>
> My problem is that the file "device.b64" does not contain the
> certificate, but:
>
>      Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
>
> I don't know if it helps, but in "var/log/openxpki/openxpki.log" the
> following entry occurs after the Curl command:
>
>      2021/08/09 13:09:58 INFO Login successful (user: Anonymous, role: System) [pid=711|sid=IKeI]
>
> There is something I seem to be doing wrong or overlooking regarding
> the authentication.... I am very grateful for any help!
>
> Best regards
> rkrahl
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin! 
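
The two checks suggested in the reply above (a hash-named entry for the issuing CA in /etc/openxpki/tls/chain/, and the issuing CA appearing under "Acceptable client certificate CA names"), as an added shell example that is not part of the original thread or of OpenXPKI. The function names and the sample s_client output are constructed, and it assumes both DNs are printed by the same OpenSSL version.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# Normalize a DN so "C = DE, CN = x" and "issuer=C=DE, CN=x" compare equal.
norm_dn() { sed -e 's/^issuer=//' -e 's/ *= */=/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'; }

# Read `openssl s_client` output on stdin, print the CA names the server advertises.
acceptable_ca_names() {
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         /^---/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/ { on = 0 }
         on && NF { print }' | norm_dn
}

# ca_is_acceptable ISSUER_DN < s_client_output : exit 0 if the issuer is advertised.
ca_is_acceptable() {
    want=$(printf '%s\n' "$1" | norm_dn)
    acceptable_ca_names | grep -Fx -- "$want" >/dev/null
}

# chain_has_hash DIR HASH : exit 0 if DIR has a HASH.N entry that resolves to a file
# (a dangling symlink fails the -f test, which is the case worth catching).
chain_has_hash() {
    for f in "$1/$2".[0-9]*; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 1
}

# Constructed sample of the relevant part of `openssl s_client` output.
sample_output() {
    cat <<'EOF'
---
Acceptable client certificate CA names
C = DE, O = Example, CN = Example Issuing CA 1
C = DE, O = Example, CN = Example Root CA
Requested Signature Algorithms: RSA-PSS+SHA256:RSA+SHA256
---
EOF
}

# Live use (assumes tls.crt from the thread and openssl on PATH):
#   issuer=$(openssl x509 -in tls.crt -noout -issuer)
#   hash=$(openssl x509 -in tls.crt -noout -issuer_hash)
#   openssl s_client -connect localhost:8443 </dev/null 2>/dev/null | ca_is_acceptable "$issuer"
#   chain_has_hash /etc/openxpki/tls/chain "$hash"
if sample_output | ca_is_acceptable 'issuer=C=DE, O=Example, CN=Example Issuing CA 1'; then
    echo "issuing CA is advertised by the server"
fi
```

If `ca_is_acceptable` fails while `chain_has_hash` succeeds, the chain directory is populated but the web server is not advertising it, which points at the Apache configuration rather than the certificate.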
