Hi Oliver,
Your suggestion of replacing the secret with 64 chars seems to correct
the issue, but I ran into another problem, where the workflow execution fails
and keeps retrying. See the logs below:
openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/workflows.log
2025/08/14 01:34:37 511 NICE issueCertificate failed but pause_on_error is
requested
2025/08/14 01:34:37 511 Action 'global_nice_issue_certificate' paused
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:41:09
2025/08/14 01:41:13 511 start cert issue for serial 255, workflow 511
2025/08/14 01:41:13 511 NICE backend error: Could not find token alias by
group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ =>
1755106873, __pki_realm__ => democa
2025/08/14 01:41:13 511 NICE issueCertificate failed but pause_on_error is
requested
2025/08/14 01:41:13 511 Action 'global_nice_issue_certificate' paused
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:46:54
2025/08/14 01:46:59 511 start cert issue for serial 255, workflow 511
2025/08/14 01:46:59 511 NICE backend error: Could not find token alias by
group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ =>
1755107219, __pki_realm__ => democa
2025/08/14 01:46:59 511 NICE issueCertificate failed but pause_on_error is
requested
2025/08/14 01:46:59 511 Action 'global_nice_issue_certificate' paused
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:50:49
openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/openxpki.log
"OpenXPKI::Crypto::API" requires that the reference isa
OpenXPKI::Crypto::API
The reference (in $_[1]) isa Moose::Object and
OpenXPKI::Crypto::Token::Vault
[pid=1138|sid=Wbeh]
2025/08/14 01:28:31 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786642111, __notbefore__ => 1755106111,
__pki_realm__ => democa [pid=1887|sid=Wbeh]
2025/08/14 01:31:37 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786642297, __notbefore__ => 1755106297,
__pki_realm__ => democa [pid=2132|sid=Mzrd]
2025/08/14 01:34:37 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786642477, __notbefore__ => 1755106477,
__pki_realm__ => democa [pid=2374|sid=Mzrd]
2025/08/14 01:41:13 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873,
__pki_realm__ => democa [pid=2904|sid=Mzrd]
2025/08/14 01:46:59 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219,
__pki_realm__ => democa [pid=3360|sid=Mzrd]
2025/08/14 01:50:50 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786643450, __notbefore__ => 1755107450,
__pki_realm__ => democa [pid=3677|sid=Mzrd]
2025/08/14 01:54:41 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 1786643681, __notbefore__ => 1755107681,
__pki_realm__ => democa [pid=3981|sid=Mzrd]
Also, do you know why "make sample-config" fails, as described in my first
email?
Thanks,
Ed
From: Oliver Welter <[email protected]>
Sent: Wednesday, August 13, 2025 9:21 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Error while installing OpenXPKI (Community
Edition v3.32.0), and testing the WebUI (with user alice)
Hello Ed,
the WebUI session issue is described in the README of the docker repo.
Regarding the Vault token - the problem is the provided secret in the example
config, the string in system/crypto.yaml must be 64 characters long, I
accidentally missed one character in the repo :(
Oliver
On 12.08.25 22:16, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
Hi,
I encountered a few issues while installing the latest OpenXPKI (Community
Edition v3.32.0). I followed the instructions step by step. See below for the
problem descriptions. This is a fresh install (not an upgrade), I had to
upgrade Docker and Docker-compose on the system before I started the install.
1. At first I couldn't connect to the WebUI due to the error below from the
page:
"The webserver did not return the expected data.
Possible causes: OpenXPKI client is not running; authentication session has
expired; an internal error.
HTTP code: 500"
I was able to get further by modifying the WebUI file with a different
DB user/password: "openxpki-config/client.d/service/webui/default.yaml"
I replaced this:
User: openxpki_session
Password: mysecret
With this:
User: openxpki
Password: openxpki
2. After resolving the issue above, I was able to access the WebUI, and log
in as "alice", but in the process of generating the RSA Key, I got this error:
"This workflow was interrupted by an unexpected event, it will not continue
without a manual interaction. Please contact the support team!
Last Update
2025-08-12 19:04:15 UTC
Failed Action
global_store_pkey_in_datapool"
WEBUI.log indicates the following:
openxpkiclient@cf7bea636378:/var/log$ tail -f openxpki-client/webui.log
2025/08/12 19:00:35 INF Run 'csr_edit_cert_info' on workflow #255
[rid=5I_OocalVhrM|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:01:55 INF Incoming request: action
'workflow!select!wf_action!csr_submit!wf_id!255'
[rid=KpH5p9Kn9fW-|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:01:55 INF Handle action
'workflow!select!wf_action!csr_submit!wf_id!255'
[rid=KpH5p9Kn9fW-|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Incoming request: action 'workflow'
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Handle action 'workflow'
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Run 'csr_retype_server_password' on workflow #255
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR Command 'execute_workflow_activity' failed (ERROR)
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR workflow acton failed!
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 INF Handle page 'workflow!load'
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
OPENXPKI-SERVER LOGs:
openxpki@087f53771df1:/var/log$ tail -f openxpki-server/openxpki.log
2025/08/13 02:54:08 INFO Login successful (user: alice, role: User)
[pid=7776|sid=t5sz]
2025/08/13 03:04:15 ERROR Vault requires a 256 bit length secret value encoded
in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572
[pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR Workflow
255/certificate_signing_request_v2/KEY_GENERATED_CSR_GENERATE_PKCS10_0 uncaught
exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE;
__ACTION__ => global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256
bit length secret value encoded in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR Error executing workflow activity
"csr_retype_server_password" on workflow id #255 (type
"certificate_signing_request_v2"):
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ =>
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length
secret value encoded in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__
=> Workflow::Exception [pid=8579|sid=t5sz]
WORKFLOWS LOGs:
openxpki@087f53771df1:/var/log$ cat openxpki-server/workflows.log
2025/08/13 03:00:36 255 Rendering subject: CN=lai.wenglang:ocsp,DC=Test
Deployment,DC=OpenXPKI,DC=org
openxpki@087f53771df1:/var/log$
CATCHALL LOGs:
openxpki@087f53771df1:/var/log$ cat openxpki-server/catchall.log
2025/08/13 02:54:08 openxpki.auth.INFO Login successful (user: alice, role:
User) [pid=7776|sid=t5sz]
2025/08/13 02:58:41 openxpki.application.INFO Purged 59 expired sessions
[pid=22|sid=eLKt]
2025/08/13 03:00:36 openxpki.application.INFO Rendering subject:
CN=lai.wenglang:ocsp,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=8286|sid=t5sz]
2025/08/13 03:03:46 openxpki.application.INFO Purged 58 expired sessions
[pid=22|sid=eLKt]
2025/08/13 03:04:13 openxpki.audit.key.INFO generating private
keyHASH(0x55de7a4a17a0) [pid=8579|sid=t5sz]
2025/08/13 03:04:14 openxpki.audit.key.INFO generating private
keyHASH(0x55de7a64e558) [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.system.ERROR Vault requires a 256 bit length
secret value encoded in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572
[pid=8579|sid=t5sz]
2025/08/13 03:04:15
OpenXPKI.Server.Workflow.Activity.Tools.Datapool.SetEntry.ERROR workflow_error
exception thrown from
[OpenXPKI::Server::Workflow::Activity::Tools::Datapool::SetEntry: 72; before:
Workflow: 123]: Vault requires a 256 bit length secret value encoded in 64
uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572
[pid=8579|sid=t5sz]
2025/08/13 03:04:15 OpenXPKI.Server.Workflow.ERROR Caught exception from
action: Vault requires a 256 bit length secret value encoded in 64 uppercase
hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572; reset workflow
to old state 'KEY_GENERATED_CSR_GENERATE_PKCS10_0' [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.workflow.ERROR Workflow
255/certificate_signing_request_v2/KEY_GENERATED_CSR_GENERATE_PKCS10_0 uncaught
exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.system.ERROR
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ =>
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length
secret value encoded in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.workflow.ERROR Error executing workflow activity
"csr_retype_server_password" on workflow id #255 (type
"certificate_signing_request_v2"):
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ =>
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length
secret value encoded in 64 uppercase hex characters - is
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:08:47 openxpki.application.INFO Purged 63 expired sessions
[pid=22|sid=eLKt]
2025/08/13 03:13:52 openxpki.application.INFO Purged 59 expired sessions
[pid=22|sid=eLKt]
3. Sample-Config also fails, but I ran it multiple times, could that be a
problem?
[root@autosmoke openxpki-docker]# make sample-config
docker compose exec -u root -it server /etc/openxpki/contrib/sampleconfig.sh
Fully automated sample setup using tmpdir /tmp/tmp.ckpVoJuApQ
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Successfully wrote alias:
Alias : ca-signer-7
Identifier: TXaycrvaO3p0grmq2gGIHUHlT7A
NotBefore : 2025-08-12 20:02:32
NotAfter : 2035-08-15 20:02:32
Token is certsign, looking for root...
Creating alias for root ca:
Alias : root-7
Identifier: TXaycrvaO3p0grmq2gGIHUHlT7A
NotBefore : 2025-08-12 20:02:32
NotAfter : 2035-08-15 20:02:32
make: *** [sample-config] Error 1
Could you help me figure this out?
Thanks,
Ed
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
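
Added example, not part of the original thread and not OpenXPKI code: a shell check of a candidate secret against the rule quoted in the Vault error message (256 bit, 64 uppercase hex characters), plus a way to generate a value that satisfies it. The function names `vault_secret_problem` and `new_vault_secret` are hypothetical; the value belongs in the string in system/crypto.yaml that Oliver refers to.

```shell
#!/bin/sh
# Added example: validate a Vault secret against the rule from the server log
# ("256 bit length secret value encoded in 64 uppercase hex characters").
# Character sets are spelled out so the result does not depend on the locale.

# vault_secret_problem VALUE
# Prints "ok", or the reason VALUE would be rejected (hypothetical helper).
vault_secret_problem() {
    value=$1
    len=${#value}
    case $value in
        *[!0123456789ABCDEFabcdef]*)
            echo "non-hex character present"; return 0 ;;
    esac
    case $value in
        *[abcdef]*)
            echo "lowercase hex digits, uppercase required"; return 0 ;;
    esac
    if [ "$len" -ne 64 ]; then
        echo "length is $len hex characters ($((len * 4)) bits), need 64 (256 bits)"
        return 0
    fi
    echo "ok"
}

# new_vault_secret
# 32 bytes from the kernel CSPRNG, printed as 64 uppercase hex characters.
new_vault_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | tr 'abcdef' 'ABCDEF'
}

# The value the server log in this thread reports as rejected.
logged=6F70656E78706B6969736D796661766F72697465747275737463656E746572
echo "logged value: $(vault_secret_problem "$logged")"
echo "fresh value:  $(vault_secret_problem "$(new_vault_secret)")"
```

The logged value is 62 hex characters, so it is one byte short of 256 bits; padding it would satisfy the length check, but a freshly generated random value is the better replacement for a published sample secret.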