Hi Frank,
I am not able to reproduce this here - works like expected.
A sidenote on the workflow configuration: actions in the workflow config
without the "global" prefix must be defined inside the workflow itself,
therefore it is useless to change the stuff in global/action (yes we
need to consolidate this..)
Second: In the actual situation the output is generated the first
time the workflow is finalized, sending the same CSR again will pick up
the old workflow with the old configuration result. So my educated
guess: You changed the config and resent an old request and now you are
wondering why the output does not change? Send a new CSR and it should
work as expected.
Oli
On 09.07.25 10:41, Frank Schimmelpfennig wrote:
Hi there,
I try to get *issuerca* and *rootca* in |chain| when I call the
certificate_enroll workflow via RPC server.
My config:
|/etc/openxpki/rpc/default.conf|

    ...
    [RequestCertificate]
    workflow = certificate_enroll
    param = pkcs10, profile, comment, signature
    output = cert_identifier, certificate, chain, error_code, transaction_id
    env = signer_cert
    servername = default
    pickup = pkcs10, transaction_id
    pickup_workflow = check_enrollment

|/etc/openxpki/config.d/realm/<my-realm>/rpc/default.yaml|

    ...
    policy:
        ...
        export_certificate: fullchain
    ...

|/etc/openxpki/config.d/realm/<my-realm>/workflow/def/certificate_enroll.yaml|

    ...
    export_chain:
        class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
        param:
            _map_cert_identifier: $cert_identifier
            target_key: chain
            #template: '[% chain.join("\n") %]'
            export_format: BUNDLE
            include_root_cert: 1

    export_fullchain:
        class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
        param:
            _map_cert_identifier: $cert_identifier
            target_key: chain
            #template: '[% chain.join("\n"); "\n"; ca %]'
            export_format: BUNDLE
            #export_format: PEM
            include_root_cert: 1
            #bundle: 1
    ...

|/etc/openxpki/config.d/realm/<my-realm>/workflow/global/action/export_fullchain.yaml|

    class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
    param:
        _map_cert_identifier: $cert_identifier
        target_key: chain
        #template: '[% chain.join("\n"); "\n"; ca %]'
        export_format: BUNDLE
        #export_format: PEM
        include_root_cert: 1
        #bundle: 1

|/etc/openxpki/config.d/realm/<my-realm>/workflow/global/action/export_chain.yaml|

    class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
    param:
        _map_cert_identifier: $cert_identifier
        target_key: chain
        #template: '[% chain.join("\n") %]'
        export_format: BUNDLE
        #export_format: PEM
        include_root_cert: 1
        #bundle: 1

The |/var/log/openxpki/rpc.log| shows that the chain field contains only
one certificate: the issuerca. The rootca cert is missing.

    ...
    2025/07/08 14:58:17 DEB HTTP status: [200 OK] [pid=72|endpoint=]
    2025/07/08 14:58:17 TRA bless( {
      'http_status_code' => '200',
      'http_status_line' => '200 OK',
      'http_status_message' => 'OK',
      'proc_state' => 'finished',
      'result' => {
        'data' => {
          'cert_identifier' => 'hajclENHARzszexXX5-cj_mAHxE',
          'certificate' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'chain' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64'
        },
        'id' => 9215,
        'pid' => 72,
        'proc_state' => 'finished',
        'state' => 'SUCCESS'
      },
      'state' => 'SUCCESS',
      'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64',
      'workflow' => {
        'archive_at' => undef,
        'context' => {
          'approval_points' => '1',
          'approvals' => 'OXJSF1:[{"mode":"generated","comment":"Auto-Approval based on eligibility result:"}]',
          'cert_identifier' => 'hajclENHARzszexXX5-cj_mAHxE',
          'cert_info' => '',
          'cert_profile' => 'tls_server',
          'cert_san_parts' => '',
          'cert_subject' => 'CN=website-dev.aic-group.local',
          'cert_subject_alt_name' => 'OXJSF1:[["DNS","website-dev.aic-group.local"]]',
          'cert_subject_parts' => 'OXJSF1:{"CN":["website-dev.aic-group.local"],"SAN_DNS":["website-dev.aic-group.local"]}',
          'cert_subject_style' => 'enroll',
          'certificate' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'chain' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'comment' => 'acme2certifier',
          'creator' => 'Anonymous',
          'csr_digest_alg' => 'sha256',
          'csr_key_alg' => 'rsa',
          'csr_key_params' => 'OXJSF1:{"key_length":4096}',
          'csr_serial' => '2303',
          'csr_subject' => 'CN=website-dev.aic-group.local',
          'csr_subject_key_identifier' => 'BE:C6:65:00:69:DA:B1:46:62:BD:A0:C5:06:59:EE:E7:82:2F:C8:D5',
          'error_code' => '',
          'interface' => 'rpc',
          'is_eligible' => '1',
          'p_allow_anon_enroll' => '0',
          'p_allow_eligibility_recheck' => '0',
          'p_allow_man_approv' => '1',
          'p_allow_man_authen' => '1',
          'p_allow_replace' => '1',
          'p_approval_points' => '1',
          'p_auto_revoke_existing_certs' => '1',
          'p_export_certificate' => 'chain',
          'p_max_active_certs' => '1',
          'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----',
          'req_attributes' => 'OXJSF1:{}',
          'req_extensions' => 'OXJSF1:{}',
          'request_mode' => 'onbehalf',
          'revoke_cert_identifier' => '',
          'revoke_delay_revocation_time' => '',
          'revoke_reason_code' => '',
          'revoke_workflow_id' => '',
          'server' => 'default',
          'signer_authorized' => '1',
          'signer_cert' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ',
          'signer_cert_identifier' => 'LGq5Db3oMKkfn1HuS-lfnzOCqYo',
          'signer_in_current_realm' => '1',
          'signer_revoked' => '0',
          'signer_subject' => 'CN=acme2certifier-dev.aic-group.local:acme2ca,DC=aic-group-local,DC=dev,DC=aic-group,DC=local',
          'signer_subject_key_identifier' => 'CA:FB:6E:7A:86:E7:01:76:44:5F:26:7D:7F:2F:FE:CC:C8:4C:3C:14',
          'signer_trusted' => '1',
          'signer_validity_ok' => '1',
          'sources' => 'OXJSF1:{"server":"api","signer_cert":"api","pkcs10":"api","req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","cert_subject_alt_name":"PKCS10","interface":"api","comment":"api"}',
          'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64',
          'wfl_notify' => 'OXJSF1:{"smtp":{"requestor":{"to":null,"prefix":"OpenXPKI-Dev 9215","cc":[]}}}',
          'workflow_id' => '9215'
        },
        'count_try' => 0,
        'description' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
        'id' => 9215,
        'label' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'last_update' => '2025-07-01T14:38:43',
        'proc_state' => 'finished',
        'reap_at' => 1751381022,
        'state' => 'SUCCESS',
        'title' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'type' => 'certificate_enroll',
        'wake_up_at' => undef
      }
    }, 'OpenXPKI::Client::Service::Response' ) [pid=72|endpoint=]
    2025/07/08 14:58:17 DEB Disconnect client [pid=72|endpoint=]

Is there someone who has a hint for me?
Thanks in advance!!
--
with kind regards
Frank
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
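
Added example (not part of the original thread and not OpenXPKI code): a small Python check that applies the diagnosis from the reply to the trace from the question, reporting how many certificates the chain holds, which export policy the workflow actually ran with, and whether an old workflow was picked up. The dict shape mirrors the rpc.log dump above; the function name `diagnose`, its parameters and the 24-hour `slack` are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def diagnose(trace, expected_policy, request_time, slack=timedelta(hours=24)):
    """Return a list of findings for one RPC enrollment trace.

    trace: dict with the structure dumped in rpc.log (assumed shape).
    expected_policy: export_certificate value currently in the rpc config.
    request_time: when the RPC call was made.
    slack: tolerance for clock/timezone differences (assumption).
    """
    wf = trace["workflow"]
    ctx = wf["context"]
    chain = trace["result"]["data"].get("chain") or ""
    findings = [f"chain holds {len(PEM_CERT.findall(chain))} certificate(s)"]

    # The policy is copied into the workflow context when the workflow runs.
    used = ctx.get("p_export_certificate")
    if used != expected_policy:
        findings.append(
            f"workflow ran with export_certificate={used!r}, "
            f"config now says {expected_policy!r}")

    # A workflow finished long before the request means it was picked up.
    last_update = datetime.fromisoformat(wf["last_update"])
    if request_time - last_update > slack:
        findings.append(
            f"workflow {wf['id']} last updated {last_update.isoformat()}: "
            "an existing workflow was picked up, send a new CSR")
    return findings

# Constructed sample: only the fields used, values copied from the log above,
# certificate body elided as in the post.
SAMPLE = {
    "result": {"data": {"chain":
        "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"}},
    "workflow": {
        "id": 9215,
        "last_update": "2025-07-01T14:38:43",
        "context": {"p_export_certificate": "chain"},
    },
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE, "fullchain", datetime(2025, 7, 8, 14, 58, 17)):
        print(line)
```

On the sample it reports one certificate in the chain, a policy mismatch (`chain` versus `fullchain`) and a workflow last updated a week before the request.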