Hi Oliver,
The SCEP enrollment works fine as you specified, and after generating a new
key. I signed in the WebUI as RA "rob" to approve the request. As I continue to
read the document, could you answer the following questions?
1. Can the Request approval be done automatically, instead of waiting for
the RA intervention?
2. Can a Renewal request be issued if the certificate just enrolled is not
expired (I've yet to test it)?
Thanks for your help,
Ed
From: Oliver Welter <[email protected]>
Sent: Thursday, February 6, 2025 4:28 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] SCEP enrollment failure ( sending request to
'http://localhost:8080/scep/pkiclient?operation=PKIOperation'... did not
receive a valid SCEP response: HTTP 400)
Hi Ed,
did you create a new Key/CSR? As OpenXPKI picks up existing workflows based on
the used CSR you will otherwise always end up in the old/broken workflow.
best regards
Oliver
On 06.02.25 03:51, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
Hi Oliver,
Thank you for the feedback, however changing the endpoint as you suggested
did not make any difference (with or without appending "pkiclient"). I am still
getting the same error, except that the scep log makes reference to
"ep=generic", as seen below. Is there anything else I can try to resolve the
problem?
sending scep request to 'http://localhost:8080/scep/generic/pkiclient'
sending request to
'http://localhost:8080/scep/generic/pkiclient?operation=PKIOperation'...
did not receive a valid SCEP response: HTTP 400
SCEP Log:
2025/02/06 02:25:16 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=86|ep=generic]
2025/02/06 02:25:16 WAR Client error / malformed request: badRequest (internal
code: 40006) [pid=86|ep=generic]
Is the scep enrollment command itself missing something? Since I am getting
malformed request : badRequest
sudo bash -c 'pki --scep --debug 4 \
    --url http://localhost:8080/scep/generic/pkiclient --outform pem \
    --cacert-enc racert.pem --cacert-sig cacert-1.pem --cacert cacert.pem \
    --in scep.key --san "myScepClient.test.org" \
    --dn "C=CH, O=strongswan Project, CN=myScepClient.test.org" \
    --interval 10 --maxpolltime 120 > scep.crt'
Thanks,
Ed
From: Oliver Welter <[email protected]>
Sent: Wednesday, February 5, 2025 3:14 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] SCEP enrollment failure ( sending request to
'http://localhost:8080/scep/pkiclient?operation=PKIOperation'... did not
receive a valid SCEP response: HTTP 400)
Hello Ed,
OpenXPKI can serve multiple SCEP endpoints and therefore requires that you
address them properly - the default configuration provides the endpoint named
"generic", so please replace the SCEP URI with http://yourhost/scep/generic
(you can leave the pkiclient at the end as this is stripped)
Oliver
On 05.02.25 00:16, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
I am new to SCEP. I installed OpenXPKI following the installation guide, I ran
the sampleconfig script. I am able to use the WebUI test platform to
generate/enroll certificates. When I try to enroll a certificate using "pki
--scep" from the Strongswan 5.9.13 package, I encounter an error. Can anyone
help me figure this out?
Here are the steps I took until the failure from the client side. The first
two commands succeeded. The full enrollment output is attached.
sudo openssl genrsa -out scep.key 2048
sudo pki --scepca --debug 3 --url http://localhost:8080/scep/pkiclient \
    --outform pem --caout cacert --raout racert
sudo bash -c 'pki --scep --debug 4 \
    --url http://localhost:8080/scep/pkiclient --outform pem \
    --cacert-enc racert.pem --cacert-sig cacert-1.pem --cacert cacert.pem \
    --in scep.key --san "myScepClient.test.org" \
    --dn "C=CH, O=strongswan Project, CN=myScepClient.test.org" \
    --interval 10 --maxpolltime 120 > scep.crt'
sending scep request to 'http://localhost:8080/scep/pkiclient'
sending request to
'http://localhost:8080/scep/pkiclient?operation=PKIOperation'...
did not receive a valid SCEP response: HTTP 400
SCEP Log:
2025/02/04 06:34:02 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=86|ep=pkiclient]
2025/02/04 06:34:02 WAR Client error / malformed request: badRequest (internal
code: 40006) [pid=86|ep=pkiclient]
Thanks,
Ed
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
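
An added example, not part of the thread and not OpenXPKI code: a short Python triage of the SCEP log lines quoted above, using the ep= field to tell a URL that named no configured endpoint from a rejection on an endpoint that did resolve. The record layout is inferred from the four log lines in this thread, and KNOWN_ENDPOINTS is an assumption based on the default "generic" endpoint mentioned in the reply.

```python
import re

# Assumption: endpoints configured on the server. The thread names only the
# default configuration's "generic" endpoint.
KNOWN_ENDPOINTS = {"generic"}

# Record layout inferred from the log lines quoted in the thread:
# "<date> <time> <LEVEL> <message> [pid=<n>|ep=<endpoint>]"
RECORD = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]{3}) "
    r"(?P<msg>.*?) \[pid=(?P<pid>\d+)\|ep=(?P<ep>[^\]|]+)\]"
)

# Log lines as quoted in the thread, including the mail client's line wrapping.
SAMPLE_LOG = """\
2025/02/04 06:34:02 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=86|ep=pkiclient]
2025/02/04 06:34:02 WAR Client error / malformed request: badRequest (internal
code: 40006) [pid=86|ep=pkiclient]
2025/02/06 02:25:16 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=86|ep=generic]
2025/02/06 02:25:16 WAR Client error / malformed request: badRequest (internal
code: 40006) [pid=86|ep=generic]
"""

def parse_scep_log(text):
    """Undo line wrapping, then return one dict per log record."""
    joined = " ".join(text.split())
    return [m.groupdict() for m in RECORD.finditer(joined)]

def triage(records):
    """For each ERR record, say whether the endpoint name was recognised."""
    findings = []
    for rec in records:
        if rec["level"] != "ERR":
            continue
        if rec["ep"] in KNOWN_ENDPOINTS:
            hint = "endpoint resolved; check the request and its workflow"
        else:
            hint = "unknown endpoint; address the URL as /scep/<endpoint>"
        findings.append((rec["ts"], rec["ep"], rec["msg"], hint))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_scep_log(SAMPLE_LOG)):
        print(" | ".join(finding))
```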