Hi Oliver,

My further test shows that CDP works correctly if the directory is owned by openxpki user. Previously it was owned by apache user/group with group writeable permission. openxpki user is a member of apache group. This did not work. I am not sure why, likely because the perl module does not honor the supplementary group permission.

Thank you very much.

Lixin.

From: Oliver Welter <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, February 22, 2023 at 9:39 AM
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

Hi Lixin,

please make individual posts per question - that's easier to follow up :)

Regarding the CRL publishing that sounds like your path does not exist or is not writable.

The "advanced" style is a leftover from a very old config setup and was never really supported by the 3.x release - it is left there mainly as a reference and you are right, the san_email template is missing in the configuration. The suggested way is to use a matching template in the subject section which looks like you already did.

Oliver

On 21.02.23 22:02, Lixin Liu wrote:

Hi,

Questions about setting up openxpki.

First, I can issue CRL correctly, but I am unable to publish it (to local directory). Here is the log:

2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 255/crl_issuance/PUBLISH_CRL executed 'global_noop' (autorun) in state 'LOAD_NEXT_CA' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 255/crl_issuance/PUBLISH_CRL changed from state 'LOAD_NEXT_CA' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 executed 'global_tmp_queue_next_item' (autorun) in state 'PUBLISH_CRL' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 changed from state 'PUBLISH_CRL' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.application.INFO Publication failed for target crl, requeuing [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 paused at action crl_publish_crl, cause: I18N_OPENXPKI_UI_ERROR_DURING_PUBLICATION [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 openxpki.application.INFO Action crl_publish_crl paused (I18N_OPENXPKI_UI_ERROR_DURING_PUBLICATION), wakeup 2023-02-21T20:37:52 [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]
2023/02/21 12:37:37 OpenXPKI.Server.Workflow.ERROR Caught exception from action: [Generic exception]; reset workflow to old state 'PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

In publishing.yaml, I have

    crl:
        crl@: connector:publishing.connectors.cdp

    connectors:
        cdp:
            class: Connector::Builtin::File::Path
            LOCATION: /var/www/openxpki/CertEnroll/
            file: "[% ARGS.0 %].crl"
            content: "[% pem %]"

The second question is about SAN email configuration:

Following the "05_advanced_style" example in sample.yaml, I defined san_email, but it failed to recognize email address. From what I can see "san_email" is not defined in profile template. I can work around the issue by adding email to ui subject and then set to subject -> san -> email. Is there a plan to fix this in the future, or is this the proper way of doing it?

Thanks!

Lixin.

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
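A diagnostic for the symptom discussed in this thread, added here as an example and not part of the original messages or of OpenXPKI: it works out which permission class (owner, group, other) applies when a process creates a file in the publication directory, using the credentials the running process actually holds (the Uid/Gid/Groups lines of /proc/<pid>/status on Linux). A process's supplementary group list is fixed when it starts or drops privileges, so it can differ from the membership listed in /etc/group. The function names, the numeric IDs and the sample status text are constructed assumptions, and ACLs and capabilities other than uid 0 are ignored.

```python
import os
import stat

# Constructed sample of /proc/<pid>/status for a daemon that runs with
# uid/gid 985 and holds no supplementary group besides its own.
SAMPLE_STATUS = (
    "Name:\texample-daemon\n"
    "Uid:\t985\t985\t985\t985\n"
    "Gid:\t985\t985\t985\t985\n"
    "Groups:\t985\n"
)

def parse_proc_status(text):
    """Return (fsuid, fsgid, supplementary_groups) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    # Columns are real, effective, saved, filesystem; the kernel checks
    # file permissions against the filesystem uid/gid (4th column).
    fsuid = int(fields["Uid"][3])
    fsgid = int(fields["Gid"][3])
    groups = {int(g) for g in fields.get("Groups", [])}
    return fsuid, fsgid, groups

def write_access(mode, owner_uid, owner_gid, uid, gid, groups):
    """Return (class, allowed) for creating a file in a directory.

    Creating a file needs both write and search (execute) on the directory.
    Exactly one class is evaluated: owner first, then group, then other.
    """
    if uid == 0:  # simplification: treat uid 0 as bypassing mode bits
        return "root", True
    if uid == owner_uid:
        cls, w, x = "owner", stat.S_IWUSR, stat.S_IXUSR
    elif owner_gid == gid or owner_gid in groups:
        cls, w, x = "group", stat.S_IWGRP, stat.S_IXGRP
    else:
        cls, w, x = "other", stat.S_IWOTH, stat.S_IXOTH
    return cls, bool(mode & w) and bool(mode & x)

def check_pid(pid, path):
    """Live check on Linux: a running process's credentials against path."""
    with open(f"/proc/{pid}/status") as fh:
        uid, gid, groups = parse_proc_status(fh.read())
    st = os.stat(path)
    return write_access(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups)
```

Calling `check_pid` with the PID of the publishing daemon and the connector's `LOCATION` path shows whether the write is evaluated under the group class or falls through to "other".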
