On Wed, March 13, 2024 07:52, Martin Bartosch wrote:
> Hi James,
. . .
>
> You should get more information about the error in the openxpki.log file. I
> suspect something is wrong with the CSR or the CA key, but the details you
> posted do not contain sufficient detail to tell what exactly went wrong.

]# tail -15 /var/log/openxpki/openxpki.log
30356799270912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
30356799270912:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
[pid=28821|sid=Xo3x] 2024/03/13 08:16:05 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki2882150mH98yQ -inkey /var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer /var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=28821|sid=Xo3x] 2024/03/13 08:16:05 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki2882150mH98yQ -inkey /var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer /var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=28821|sid=Xo3x] 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from /var/tmp/openxpki28821VniVdpfp/openssl.cnf
unable to load CA private key
. . .

I guess that this is the problem: unable to load CA private key

The realm was created using:

openxpkiadm alias \
  --realm "democa" \
  --token certsign \
  --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem \
  --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem

openxpkicli get_token_info --realm=democa --arg alias=vault-1
{
   "key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
   "key_secret" : 1,
   "key_store" : "OPENXPKI",
   "key_usable" : 1
}

I have verified that the private key password provided in
config/realm/democa/crypto.yaml is correct:

. .
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
. . .
secret:
  ca-signer:
    label: Secret group for certsign Token
    export: 1
    method: literal
    value: "democa"

openssl rsa \
  -noout \
  -text \
  -in /root/CLCA/CAS/democa_i/private/democa_i_key.pem
Enter pass phrase for /root/CLCA/CAS/democa_i/private/democa_i_key.pem:
RSA Private-Key: (4096 bit, 2 primes)
modulus:

>
> Is your CA set up correctly? Are you able to create a CRL?

# openxpkicmd --realm democa crl_issuance
Workflow created (ID: 1791), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0

# openxpkicmd --realm hll_ca2016 crl_issuance
Workflow created (ID: 2047), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0

What is wrong with my setup?

Thanks,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users