On Wed, March 13, 2024 09:25, Martin Bartosch wrote:
> Hi James,
>
. . .
>
> 1. the output of openxpkicli get_token_info (file in file system) is not
> consistent with your configuration (key in datapool). I have no idea why,
> because I cannot see more details on your system, but to me it looks like the
> ca-signer token configuration is not the config the system is using
>
> 2. the config snippet is missing the definition for "default" in crypto.yaml
> where I assume the secret group is defined. If that does not match the secret
> group you seemingly intend to use for your ca signer tokens (which you named
> "ca-signer") then the passphrase will not be set correctly. Again, without
> being able to see more of your config it is impossible to tell.

This is the diff between the current config.d and the original before any
changes were made.

# git diff -G. hllv1.00  -- --follow config.d
diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
index 95614f5..bda48a1 100644
--- a/config.d/realm.tpl/crypto.yaml
+++ b/config.d/realm.tpl/crypto.yaml
@@ -15,7 +15,8 @@ token:
     # Template to create key, available vars are
     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
     # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
-    key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+#   key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+    key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

     # possible values are OpenSSL, nCipher, LunaCA
     engine: OpenSSL
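Review bot: the effective `key:` line in the `default` token block still points at a file on disk (`/usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem`), which agrees with the `get_token_info` output quoted above reporting a file-system key, not a datapool key; if the key is meant to live in the datapool, this is the setting that has to change. Note also that this diff is against `realm.tpl`; if the `hll_ca2016` realm has its own directory under `config.d`, the crypto.yaml the system actually loads is not shown here.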
@@ -42,7 +43,8 @@ token:

   vault:
     inherit: default
-    key: /etc/openxpki/local/keys/[% ALIAS %].pem
+#   key: /etc/openxpki/local/keys/[% ALIAS %].pem
+    key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem

   ratoken:
     inherit: default
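Review bot: the commented-out `#   key: /etc/openxpki/local/keys/[% ALIAS %].pem` line (and the equivalent one in the `default` block above) is dead configuration; git already records the original value, so drop the comment and keep only the effective `key:` line to avoid ambiguity when comparing against what the daemon reports.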
@@ -58,6 +60,13 @@ token:

 # Define the secret groups
 secret:
+
+    ca-signer:
+        label:  Secret group for certsign Token
+        export: 1
+        method: literal
+        value:  "democa"
+
     default:
         # this let OpenXPKI use the secret of the same name from system.crypto
         # if you do not want to share the secret just replace this line with
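Review bot: nothing in this diff ties the ca-signer token to the new `ca-signer` secret group; the token hunks above change only `key:` paths and no `secret:` line appears, so unless the ca-signer token definition (not shown) sets `secret: ca-signer`, the token keeps using whatever group it referenced before and the literal passphrase added here is never applied, which would match the symptom being discussed. Please include the ca-signer token block. Separately, `export: 1` together with `method: literal` means the CA passphrase both sits in clear text in crypto.yaml and can be exported from the running daemon; for anything beyond the proof of concept, keep `export` off for the signer group and move the value out of the config file.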
@@ -69,4 +78,4 @@ secret:
         label: Secret group for RA Token
         export: 1
         method: literal
-        value: root
\ No newline at end of file
+        value: root
diff --git a/config.d/system/database.yaml b/config.d/system/database.yaml
old mode 100644
new mode 100755
index 472217a..3043863
--- a/config.d/system/database.yaml
+++ b/config.d/system/database.yaml
@@ -1,9 +1,9 @@
 main:
     debug: 0
-    type: MariaDB
+    type: PostgreSQL
     name: openxpki
     host: localhost
-    port: 3306
+    port: 5432
     user: openxpki
     passwd: openxpki

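Review bot: the mode change from 100644 to 100755 on database.yaml (and likewise on realms.yaml and server.yaml below) makes configuration files executable for no reason, and this one carries `passwd: openxpki` in clear text, so it should be 0640 or tighter rather than 0755. This looks like the permission trashing attributed to the ports service script later in the mail; revert it (`chmod 644` at most) before ruling permissions in or out as the cause.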
diff --git a/config.d/system/realms.yaml b/config.d/system/realms.yaml
old mode 100644
new mode 100755
index 9b0036b..bc50e30
--- a/config.d/system/realms.yaml
+++ b/config.d/system/realms.yaml
@@ -4,3 +4,7 @@
 democa:
     label: Example.org Demo CA
     baseurl: https://pki.example.com/openxpki/
+
+hll_ca2016:
+    label:    Harte & Lyne Limited CA
+    baseurl:  https://openxpki-3.internal.harte-lyne.ca/openxpki/
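Review bot: adding `hll_ca2016` to realms.yaml registers the realm, but nothing in this diff creates or changes a `config.d/hll_ca2016/` directory; all realm-level changes here land in `realm.tpl`. Confirm that the realm directory exists (as a copy of or symlink to realm.tpl) and that its crypto.yaml is the one carrying the key path and secret group changes, since a mismatch there would explain `get_token_info` reporting a token configuration other than the intended one.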
diff --git a/config.d/system/server.yaml b/config.d/system/server.yaml
old mode 100644
new mode 100755
index e667f0f..2b4d741
--- a/config.d/system/server.yaml
+++ b/config.d/system/server.yaml
@@ -1,19 +1,20 @@
 # Shown in the processlist to distinguish multiple instances
-name: main
+name: hll_main

 # Location of the log4perl configuration
-log4perl: /etc/openxpki/log.conf
+#log4perl: /etc/openxpki/log.conf
+log4perl: /usr/local/etc/openxpki/log.conf

 # Daemon settings
 user:         openxpki
 group:        openxpki
 socket_file:  /var/openxpki/openxpki.socket
-pid_file:     /run/openxpkid.pid
+pid_file:     /var/run/openxpkid.pid
 stderr:       /var/log/openxpki/stderr.log
 tmpdir:       /var/tmp

 # we need to give write permission to the socket for the webserver
-socket_owner: www-data
+socket_owner: www

 # This is experimental!
 #type: PreFork
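Review bot: `socket_owner: www` hands write access on the daemon socket to that account, so verify it is the user the web frontend actually runs as on this FreeBSD host (the `user:` / `group:` lines still run the daemon itself as openxpki); granting it to the wrong principal either silently breaks the frontend or widens access to the socket. The `#log4perl: /etc/openxpki/log.conf` leftover is dead configuration like the commented key lines in crypto.yaml and can be dropped.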


>
> 2a. a fixed value for a CA key is not a good idea

True. On the other hand, this is a proof of concept test and literal values
allow one to grep for things.

>
> Bottom line: your system cannot access the private key, and this is either a
> permission problem or a problem with the CA passphrase.

The passphrase has been verified as correct as I can expose the private key
using openssl.

The service script provided with the pr-openxpki pkg from FreeBSD ports trashes
the permissions and ownerships.  I ran that instead of openxpkictl (once) and
discovered that the hard way.  So a permissions problem is possible. On the
other hand I have just completed a thorough check of file permissions against
those in the community branch and these are all the same.

Thanks,


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users