I am working with democa and tried to sign a csr.  However I get this error:

Unexpected error
This workflow was interrupted by an unexpected event, it will not continue
without a manual interaction. Please contact the support team!

The csr was generated using:

openssl x509 -x509toreq \
  -signkey /usr/local/etc/pki/tls/private/ca.harte-lyne.ca.key \
  -in /usr/local/etc/pki/tls/certs/ca.harte-lyne.ca.pem \
  -out /usr/local/etc/pki/tls/private/ca.harte-lyne.ca.x509.csr


Tail /var/log/openxpki/workflows.log shows this:

. . .
2024/03/12 15:13:55 1535 Trigger notification message csr_created

2024/03/12 15:14:04 1535 Unsigned approval for workflow 1535 by user rob, role
RA Operator

2024/03/12 15:14:04 1535 Trigger notification message csr_notify_approval

2024/03/12 15:14:04 1535 persisted csr for CN=ca.harte-lyne.ca,DC=Test
Deployment,DC=OpenXPKI,DC=org with csr_serial 255

2024/03/12 15:14:04 1535 start cert issue for serial 255, workflow 1535

2024/03/12 15:14:04 1535 NICE backend error:
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => ca -batch -subj
/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=ca.harte-lyne.ca -out
/var/tmp/openxpki63855kHieUFAv -in /var/tmp/openxpki63855rE2mXQyn -passin
env:pwd, __EXIT_STATUS__ => 256

2024/03/12 15:14:04 1535 NICE issueCertificate failed but pause_on_error is
requested

2024/03/12 15:14:04 1535 Action global_nice_issue_certificate paused
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2024-03-12T19:18:40



tail -6 /var/log/openxpki/catchall.log

2024/03/12 16:00:47 OpenXPKI.Server.Workflow.ERROR Caught exception from
action: [Generic exception]; reset workflow to old state
'APPROVED_GLOBAL_PERSIST_CSR_0' [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]
[root@openxpki-3 openxpki (hll_ca2016)]# tail -6 /var/log/openxpki/catchall.log

2024/03/12 16:00:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert,
__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => ca -batch
-subj /DC=org/DC=OpenXPKI/DC=Test Deployment/CN=ca.harte-lyne.ca -out
/var/tmp/openxpki64685qlCmpRFy -in /var/tmp/openxpki64685mLitkxVt -passin
env:pwd, __EXIT_STATUS__ => 256 [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]

2024/03/12 16:00:47 openxpki.application.ERROR NICE backend error:
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => ca -batch -subj
/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=ca.harte-lyne.ca -out
/var/tmp/openxpki64685qlCmpRFy -in /var/tmp/openxpki64685mLitkxVt -passin
env:pwd, __EXIT_STATUS__ => 256 [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]

2024/03/12 16:00:47 openxpki.application.WARN NICE issueCertificate failed but
pause_on_error is requested  [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]

2024/03/12 16:00:47 openxpki.workflow.ERROR Workflow
1535/certificate_signing_request_v2/APPROVED_GLOBAL_PERSIST_CSR_0
retry_exceeded [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]

2024/03/12 16:00:47 openxpki.application.WARN Retry exceeded on action
global_nice_issue_certificate [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]

2024/03/12 16:00:47 OpenXPKI.Server.Workflow.ERROR Caught exception from
action: [Generic exception]; reset workflow to old state
'APPROVED_GLOBAL_PERSIST_CSR_0' [pid=64685|user=rob|role=RA
Operator|sid=/uxI|wftype=certificate_signing_request_v2|wfid=1535]


I see this in ./config.d/system/crypto.yaml "shell: /usr/bin/openssl" and
command -v openssl gives this result: "/usr/bin/openssl".  I am using 'OpenSSL
1.1.1t-freebsd  7 Feb 2023' on FreeBSD-13.2p9.

__EXIT_STATUS__ => 256: Searching for OpenSSL error codes, the number 256
comes up as related to an unsupported cipher. Where is the cipher being
specified?


# "openssl ciphers" reports these:


Any help welcomed.


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
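
Added example, not part of the original post and not OpenXPKI code: a small triage script for the catchall.log entries quoted above, which collapses the repeated failure records into one per workflow and decodes the reported status. It assumes `__EXIT_STATUS__` is the raw 16-bit wait status of the child process (a process exit code itself only ranges from 0 to 255), in which case 256 means the `openssl ca` call exited with code 1; the sample lines are the post's own entries with the e-mail line wraps rejoined.

```python
import re

# Entries rebuilt from the post's catchall.log excerpt (line wraps rejoined).
CTX = ("[pid=64685|user=rob|role=RA Operator|sid=/uxI|"
       "wftype=certificate_signing_request_v2|wfid=1535]")
FAIL = ("I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => "
        "OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert, __ERRVAL__ => "
        "I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => ca -batch -subj "
        "/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=ca.harte-lyne.ca -out "
        "/var/tmp/openxpki64685qlCmpRFy -in /var/tmp/openxpki64685mLitkxVt "
        "-passin env:pwd, __EXIT_STATUS__ => 256")
SAMPLE = [
    f"2024/03/12 16:00:47 openxpki.system.ERROR {FAIL} {CTX}",
    f"2024/03/12 16:00:47 openxpki.application.ERROR NICE backend error: {FAIL} {CTX}",
    f"2024/03/12 16:00:47 openxpki.application.WARN Retry exceeded on action x {CTX}",
]

ENTRY = re.compile(r"^(\S+ \S+) (\S+)\.(\w+) (.*?)\s*\[([^\]]*)\]$")
CLI_FAIL = re.compile(r"CLI_EXECUTE_FAILED; __COMMAND__ => (.*?), __EXIT_STATUS__ => (\d+)")

def decode_wait_status(raw):
    # Assumption: raw is a wait status; high byte = exit code, low 7 bits = signal.
    return raw >> 8, raw & 0x7F

def parse_entry(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = ENTRY.match(line)
    if not m:
        return None
    stamp, facility, level, message, ctx = m.groups()
    entry = {"time": stamp, "facility": facility, "level": level,
             "context": dict(kv.split("=", 1) for kv in ctx.split("|"))}
    cli = CLI_FAIL.search(message)
    if cli:
        raw = int(cli.group(2))
        entry["openssl_args"] = cli.group(1)   # arguments passed to the openssl binary
        entry["raw_status"] = raw
        entry["exit_code"], entry["signal"] = decode_wait_status(raw)
    return entry

def failed_commands(lines):
    """One record per distinct failed openssl call, keyed by workflow id."""
    seen = {}
    for e in filter(None, map(parse_entry, lines)):
        if "openssl_args" in e:
            seen.setdefault((e["context"]["wfid"], e["openssl_args"]), e)
    return list(seen.values())
```

The decoded code only says that the command failed; the reason is in what OpenSSL wrote to stderr, which these log entries do not carry.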
