Hello,
we have an OpenXPKI server that has been running for years, but now there is a
problem I can't figure out, and it's our production server.. :-(
OpenXPKI version is: 3.30.9-0 (Debian 12)
Problem: we can't create certificates anymore. Cisco routers try to get a
certificate and we see the workflow and can accept and confirm. Then the
workflow ends with an error and a retry results in the same error message.
(NICE backend error: Could not find token alias by group)
I can't remember that we changed anything; at the end of this mail is the list
of aliases etc.
In the logs are the following lines, which may help:

2025/09/17 13:36:20 ERR Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED [pid=2367675|ep=scep]
2025/09/17 15:30:38 88963071 Rendering subject: CN=org543235.net.company.de,O=K11111,OU=company-net,DC=company,DC=de
2025/09/17 15:30:38 88963071 Trusted Signer chain - certificate is self signed
2025/09/17 15:30:38 88963071 Trusted Signer not found in trust list (unstructuredName=org543235.net.company.de).
2025/09/17 15:30:38 88963071 validate challenge using compare validation FAILED!
2025/09/17 15:30:54 88963071 Policy subject duplicate check failed, found certs 8qNus25b6Djl3Fgrq5V3trNF-Pk
2025/09/17 15:30:54 88963071 Eligibility check for scep.scep.eligible.initial failed
2025/09/17 15:30:54 88963071 Trigger notification message enroll_approval_pending
2025/09/17 15:30:56 88963071 Unsigned approval for workflow 88963071 by user klaus, role RA Operator
2025/09/17 15:30:56 88963071 Approval points for workflow #88963071: 1
2025/09/17 15:30:56 88963071 persisted csr for CN=org543235.net.company.de,O=K1114,OU=company-net,DC=company,DC=de with csr_serial 56831
2025/09/17 15:30:56 88963071 start cert issue for serial 56831, workflow 88963071
2025/09/17 15:30:56 88963071 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1852810256, __notbefore__ => 1758115856, __pki_realm__ => ca-one
2025/09/17 15:30:56 88963071 NICE issueCertificate failed but pause_on_error is requested
2025/09/17 15:30:56 88963071 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-09-17T13:36:48

# openxpkiadm alias list
=== functional token ===
vault (datasafe):
  Alias     : vault-1
  Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2033-09-04 12:03:50
ratoken (cmcra):
  Alias     : ratoken-1
  Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2028-09-04 12:03:50
ca-signer (certsign):
  Alias     : ca-signer-1
  Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2028-09-04 12:03:50
ratoken (scep):
  Alias     : ratoken-1
  Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2028-09-04 12:03:50
=== root ca ===
current root ca:
  Alias     : root-1
  Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
  NotBefore : 2018-09-07 12:03:49
  NotAfter  : 2033-09-04 12:03:49
upcoming root ca:
  not set

# openxpkiadm key list
Keys for token group ratoken
  c ratoken-1
Keys for token group ca-signer
  c ca-signer-1
Keys for token group ratoken
  c ratoken-1
Keys for token group vault
  c vault-1

# openxpkiadm certificate list
Certificates in ca-one:
  Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
  Alias:
    ca-signer-1
  Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
  Alias:
    ratoken-1
  Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
  Alias:
    root-1
  Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
  Alias:
    vault-1
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
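
A check of the data in the message above, as an added example that is not part of the original post and is not OpenXPKI code: it decodes the `__notbefore__` / `__noafter__` epoch values from the NICE error and compares them with the `ca-signer` validity shown by `openxpkiadm alias list`. It assumes that the lookup only accepts an alias whose validity covers the whole requested window and that the listed timestamps are UTC; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Copied from the post: the NICE error and two `openxpkiadm alias list` entries
# (Identifier lines left out).
ERROR = ("NICE backend error: Could not find token alias by group; "
         "__group__ => ca-signer, __noafter__ => 1852810256, "
         "__notbefore__ => 1758115856, __pki_realm__ => ca-one")
ALIAS_LIST = """\
ratoken (scep):
  Alias     : ratoken-1
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2028-09-04 12:03:50
ca-signer (certsign):
  Alias     : ca-signer-1
  NotBefore : 2018-09-07 12:03:50
  NotAfter  : 2028-09-04 12:03:50
"""

def _ts(text):
    # Assumption: the alias list prints UTC timestamps.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_error(line):
    """Return (group, notbefore, notafter) from the error parameters."""
    p = dict(re.findall(r"__(\w+)__ => ([\w-]+)", line))
    utc = lambda s: datetime.fromtimestamp(int(s), timezone.utc)
    return p["group"], utc(p["notbefore"]), utc(p["noafter"])

def parse_aliases(text):
    """Return {group: [(alias, notbefore, notafter), ...]} for token groups."""
    groups, group, cur = {}, None, {}
    for line in text.splitlines():
        head = re.match(r"^(\S+) \(\w+\):$", line)
        field = re.match(r"^\s*(Alias|NotBefore|NotAfter)\s*:\s*(.+)$", line)
        if head:
            group, cur = head.group(1), {}
        elif field and group:
            cur[field.group(1)] = field.group(2).strip()
            if len(cur) == 3:
                entry = (cur["Alias"], _ts(cur["NotBefore"]), _ts(cur["NotAfter"]))
                groups.setdefault(group, []).append(entry)
                cur = {}
    return groups

def covering_aliases(error, alias_text):
    """Aliases of the requested group valid for the whole requested window."""
    group, nb, na = parse_error(error)
    return [alias for alias, a_nb, a_na in parse_aliases(alias_text).get(group, [])
            if a_nb <= nb and a_na >= na]

if __name__ == "__main__":
    print("requested:", *parse_error(ERROR))
    print("usable aliases:", covering_aliases(ERROR, ALIAS_LIST) or "none")
```

With the values from the post, the requested window runs to 2028-09-17 13:30:56 UTC, while `ca-signer-1` ends at 2028-09-04 12:03:50, so under the stated assumption no alias in the group qualifies.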