On Wed, March 13, 2024 09:25, Martin Bartosch wrote:
> Hi James,
> . . .
>
> 1. the output of openxpkicli get_token_info (file in file system) is not
> consistent with your configuration (key in datapool). I have no idea why,
> because I cannot see more details on your system, but to me it looks like the
> ca-signer token configuration is not the config the system is using
>
> 2. the config snippet is missing the definition for "default" in crypto.yaml
> where I assume the secret group is defined. If that does not match the secret
> group you seemingly intend to use for your ca signer tokens (which you named
> "ca-signer") then the passphrase will not be set correctly. Again, without
> being able to see more of your config it is impossible to tell.
This is the diff between the current config.d and the original before any changes were made.

# git diff -G. hllv1.00 -- --follow config.d

diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml index 95614f5..bda48a1 100644 --- a/config.d/realm.tpl/crypto.yaml +++ b/config.d/realm.tpl/crypto.yaml @@ -15,7 +15,8 @@ token: # Template to create key, available vars are # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1) # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...) - key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem +# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem + key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem # possible values are OpenSSL, nCipher, LunaCA engine: OpenSSL @@ -42,7 +43,8 @@ token: vault: inherit: default - key: /etc/openxpki/local/keys/[% ALIAS %].pem +# key: /etc/openxpki/local/keys/[% ALIAS %].pem + key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem ratoken: inherit: default @@ -58,6 +60,13 @@ token: # Define the secret groups secret: + + ca-signer: + label: Secret group for certsign Token + export: 1 + method: literal + value: "democa" + default: # this let OpenXPKI use the secret of the same name from system.crypto # if you do not want to share the secret just replace this line with @@ -69,4 +78,4 @@ secret: label: Secret group for RA Token export: 1 method: literal - value: root \ No newline at end of file + value: root diff --git a/config.d/system/database.yaml b/config.d/system/database.yaml old mode 100644 new mode 100755 index 472217a..3043863 --- a/config.d/system/database.yaml +++ b/config.d/system/database.yaml @@ -1,9 +1,9 @@ main: debug: 0 - type: MariaDB + type: PostgreSQL name: openxpki host: localhost - port: 3306 + port: 5432 user: openxpki passwd: openxpki diff --git a/config.d/system/realms.yaml b/config.d/system/realms.yaml old mode 100644 new mode 100755 index 9b0036b..bc50e30 --- a/config.d/system/realms.yaml 
+++ b/config.d/system/realms.yaml @@ -4,3 +4,7 @@ democa: label: Example.org Demo CA baseurl: https://pki.example.com/openxpki/ + +hll_ca2016: + label: Harte & Lyne Limited CA + baseurl: https://openxpki-3.internal.harte-lyne.ca/openxpki/ diff --git a/config.d/system/server.yaml b/config.d/system/server.yaml old mode 100644 new mode 100755 index e667f0f..2b4d741 --- a/config.d/system/server.yaml +++ b/config.d/system/server.yaml 
@@ -1,19 +1,20 @@ # Shown in the processlist to distinguish multiple instances -name: main +name: hll_main # Location of the log4perl configuration -log4perl: /etc/openxpki/log.conf +#log4perl: /etc/openxpki/log.conf +log4perl: /usr/local/etc/openxpki/log.conf # Daemon settings user: openxpki group: openxpki socket_file: /var/openxpki/openxpki.socket -pid_file: /run/openxpkid.pid +pid_file: /var/run/openxpkid.pid stderr: /var/log/openxpki/stderr.log tmpdir: /var/tmp # we need to give write permission to the socket for the webserver -socket_owner: www-data +socket_owner: www # This is experimental! #type: PreFork

>
> 2a. a fixed value for a CA key is not a good idea

True. On the other hand, this is a proof of concept test and literal values allow one to grep for things.

>
> Bottom line: your system cannot access the private key, and this is either a
> permission problem or a problem with the CA passphrase.

The passphrase has been verified as correct as I can expose the private key using openssl.

The service script provided with the pr-openxpki pkg from FreeBSD ports trashes the permissions and ownerships. I ran that instead of openxpkictl (once) and discovered that the hard way. So a permissions problem is possible. On the other hand I have just completed a thorough check of file permissions against those in the community branch and these are all the same.

Thanks,

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
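Review bot: in the crypto.yaml hunk at @@ -15,7 +15,8 @@ the old `key:` line is kept as a comment next to the new `key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem`; drop the commented copy, git already records the old value and the extra line only changes the hunk length. More importantly, this template lives under config.d/realm.tpl, so it only reaches the running ca-signer token if the realm actually in use resolves to this template, which is exactly the mismatch Martin's first point describes.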
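Review bot: the vault hunk at @@ -42,7 +43,8 @@ repeats the commented-out-old-line pattern; note that this path has no [% PKI_REALM %] component, unlike the default token above, so the vault key is expected directly under /usr/local/etc/openxpki/local/keys/ rather than in a realm subdirectory. Both relocated keys must be readable by the `user: openxpki` account from server.yaml; given that the FreeBSD service script is said to have reset ownerships, `ls -l` on both target files is the first thing to verify.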
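Review bot: the new `ca-signer` secret group at @@ -58,6 +60,13 @@ is not referenced by any token in this diff; the token entries visible here (`vault`, `ratoken`) use `inherit: default`, and neither the `default` token nor the body of the `default` secret entry is in the hunk, so nothing shown binds the ca-signer token to this group, which is Martin's second point. The hunk also commits the CA passphrase in clear text (`value: "democa"`) to a git-tracked file with `export: 1`, which allows the secret to be exported through the API; for anything past the proof of concept, keep the passphrase out of the repository and set `export` to 0 unless a consumer has to read it back.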
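Review bot: the hunk at @@ -69,4 +78,4 @@ only adds the missing newline at end of file around `value: root`; no functional change, fine to keep.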
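Review bot: the database.yaml hunk switches `type: MariaDB` to `PostgreSQL` and `port: 3306` to `5432` but leaves `user: openxpki` / `passwd: openxpki` in place, and the accompanying `old mode 100644 new mode 100755` makes a file holding a database credential executable for no reason (realms.yaml and server.yaml get the same mode flip). These are data files: restore 0644 (tighter for the one with the password) and check whether the mode changes came from the FreeBSD service script run mentioned in the reply, since that is the same permission damage suspected for the keys.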
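Review bot: realms.yaml adds the `hll_ca2016` realm, but every other change in this diff is to `config.d/realm.tpl`, and nothing in the diff shows how hll_ca2016 maps to a realm configuration directory. If the running realm is not backed by this edited template, the key path and secret group edits in crypto.yaml never apply, which would explain `get_token_info` disagreeing with the configuration Martin quotes.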
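Review bot: in the server.yaml hunk, `socket_owner: www` and `pid_file: /var/run/openxpkid.pid` are the expected FreeBSD values, but `user: openxpki` / `group: openxpki` are unchanged, so every key relocated to /usr/local/etc/openxpki/local/keys must be owned by or readable to that account. As in crypto.yaml, drop the commented-out `#log4perl: /etc/openxpki/log.conf` rather than carry it.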
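The two candidate causes in the exchange above, the daemon user not being able to read the key file and the passphrase not unlocking it, can be separated with a short POSIX shell check. This is an added diagnostic, not code from the thread or from OpenXPKI; it assumes the key directory from the crypto.yaml diff, the daemon user `openxpki` from server.yaml, the realm name `hll_ca2016` from realms.yaml, and first-generation aliases `ca-signer-1` (named in the diff's comment) and `vault-1` (a guess). The passphrase is read from an environment variable `CA_PASS` instead of being written into the script.

```shell
#!/bin/sh
# Added diagnostic for the two failure modes discussed in the thread:
# (1) the daemon user cannot read the key file, (2) the passphrase does
# not unlock it.  Not part of OpenXPKI.  Assumptions: key directory and
# daemon user from the diff; alias names are constructed (vault-1 is a guess).

# check_key_file <path> <expected-owner>
# Returns 0 when the file exists, is owned by <expected-owner> and has no
# permission bits for "other"; prints the reason and returns 1 otherwise.
check_key_file() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    # ls -L follows a symlink so the target's mode and owner are reported;
    # field 1 is the mode string, field 3 the owner (GNU and BSD ls agree).
    mode=$(ls -ldL "$f" | awk '{print $1}')
    have=$(ls -ldL "$f" | awk '{print $3}')
    # characters 8-10 of the mode string are the "other" rwx bits
    others=$(printf '%s' "$mode" | cut -c8-10)
    [ "$have" = "$owner" ] || { echo "OWNER: $f is owned by $have, expected $owner"; return 1; }
    [ "$others" = "---" ] || { echo "MODE: $f is world-accessible ($mode)"; return 1; }
    echo "OK: $f ($mode $have)"
}

# check_key_passphrase <path> <passphrase>
# Returns 0 when openssl can load the private key with the passphrase
# (or when openssl is unavailable, reported as SKIP), 1 otherwise.
check_key_passphrase() {
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not found, passphrase not tested"; return 0; }
    if openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
        echo "OK: passphrase unlocks $1"
    else
        echo "FAIL: passphrase does not unlock $1"
        return 1
    fi
}

# check_realm_keys <keydir> <realm> <daemon-user>
# Walks the files the crypto.yaml key templates resolve to for one realm;
# returns 0 only if every check passed.
check_realm_keys() {
    dir=$1; realm=$2; user=$3; rc=0
    # default-token keys live under <keydir>/<realm>/, the vault key directly
    # under <keydir>/ (as in the two key: templates); alias names assumed
    for f in "$dir/$realm/ca-signer-1.pem" "$dir/vault-1.pem"; do
        check_key_file "$f" "$user" || rc=1
        # CA_PASS is tried against every file; only meaningful where the
        # token's secret group resolves to that same value
        if [ -f "$f" ] && [ -n "${CA_PASS:-}" ]; then
            check_key_passphrase "$f" "$CA_PASS" || rc=1
        fi
    done
    return $rc
}

# usage: CA_PASS=... sh keycheck.sh /usr/local/etc/openxpki/local/keys hll_ca2016 openxpki
[ $# -eq 0 ] || check_realm_keys "$@"
```

Run it as the same user the server runs as, or as root, and compare its OWNER/MODE lines with what openxpkictl reports; an OK on both checks narrows the problem to the token-to-secret-group mapping rather than the file itself.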