Hello Wilhelm,
well - that's quite obvious...
You want to issue a certificate with a three year validity with a CA
certificate that expires in less than 36 months - either issue a new CA
generation or reduce your validity.
best regards
Oliver
On 17.09.25 20:34, Wilhelm Greiner via OpenXPKI-users wrote:
Hello,
we have an OpenXPKI server that has been running for years, but now there is a
problem I can't figure out, and it's our productive server.. :-(
OpenXPKI Version is: 3.30.9-0 (Debian 12)
Problem: we can't create certificates anymore. Cisco routers try to get
a certificate and we see the workflow and can accept and confirm.
Then the workflow ends with an error and a retry results in the same
error message. (NICE backend error: Could not find token alias by group)
I can't remember that we changed anything; at the end of this mail is the
list of aliases etc.
In the logs are the following lines, which may help:
2025/09/17 13:36:20 ERR Request was rejected:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
[pid=2367675|ep=scep]
2025/09/17 15:30:38 88963071 Rendering subject:
CN=org543235.net.company.de,O=K11111,OU=company-net,DC=company,DC=de
2025/09/17 15:30:38 88963071 Trusted Signer chain - certificate is
self signed
2025/09/17 15:30:38 88963071 Trusted Signer not found in trust list
(unstructuredName=org543235.net.company.de).
2025/09/17 15:30:38 88963071 validate challenge using compare
validation FAILED!
2025/09/17 15:30:54 88963071 Policy subject duplicate check failed,
found certs 8qNus25b6Djl3Fgrq5V3trNF-Pk
2025/09/17 15:30:54 88963071 Eligibility check for
scep.scep.eligible.initial failed
2025/09/17 15:30:54 88963071 Trigger notification message
enroll_approval_pending
2025/09/17 15:30:56 88963071 Unsigned approval for workflow 88963071
by user klaus, role RA Operator
2025/09/17 15:30:56 88963071 Approval points for workflow #88963071: 1
2025/09/17 15:30:56 88963071 persisted csr for
CN=org543235.net.company.de,O=K1114,OU=company-net,DC=company,DC=de
with csr_serial 56831
2025/09/17 15:30:56 88963071 start cert issue for serial 56831,
workflow 88963071
2025/09/17 15:30:56 88963071 NICE backend error: Could not find token
alias by group; __group__ => ca-signer, __noafter__ => 1852810256,
__notbefore__ => 1758115856, __pki_realm__ => ca-one
2025/09/17 15:30:56 88963071 NICE issueCertificate failed but
pause_on_error is requested
2025/09/17 15:30:56 88963071 Action 'global_nice_issue_certificate'
paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-09-17T13:36:48
# openxpkiadm alias list
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
NotBefore : 2018-09-07 12:03:50
NotAfter : 2033-09-04 12:03:50
ratoken (cmcra):
Alias : ratoken-1
Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
NotBefore : 2018-09-07 12:03:50
NotAfter : 2028-09-04 12:03:50
ca-signer (certsign):
Alias : ca-signer-1
Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
NotBefore : 2018-09-07 12:03:50
NotAfter : 2028-09-04 12:03:50
ratoken (scep):
Alias : ratoken-1
Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
NotBefore : 2018-09-07 12:03:50
NotAfter : 2028-09-04 12:03:50
=== root ca ===
current root ca:
Alias : root-1
Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
NotBefore : 2018-09-07 12:03:49
NotAfter : 2033-09-04 12:03:49
upcoming root ca:
not set
# openxpkiadm key list
Keys for token group ratoken
c ratoken-1
Keys for token group ca-signer
c ca-signer-1
Keys for token group ratoken
c ratoken-1
Keys for token group vault
c vault-1
# openxpkiadm certificate list
Certificates in ca-one:
Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
Alias:
ca-signer-1
Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
Alias:
ratoken-1
Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
Alias:
root-1
Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
Alias:
vault-1
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
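
Added example, not part of the original thread and not OpenXPKI code: a small check that compares the validity window in the NICE error with the signer token dates from `openxpkiadm alias list`, the condition Oliver's reply points at. The sample strings are copied from this thread; the function names are hypothetical, and treating the alias list timestamps as UTC is an assumption.

```python
import re
from datetime import datetime, timezone

# Sample input copied from the log line and alias listing quoted in this thread.
NICE_ERROR = ("NICE backend error: Could not find token alias by group; "
              "__group__ => ca-signer, __noafter__ => 1852810256, "
              "__notbefore__ => 1758115856, __pki_realm__ => ca-one")
ALIAS_LIST = """\
ca-signer (certsign):
Alias : ca-signer-1
Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
NotBefore : 2018-09-07 12:03:50
NotAfter : 2028-09-04 12:03:50
"""

def parse_request(line):
    """Return (group, notbefore, notafter) from the error text; epochs become UTC datetimes."""
    kv = dict(re.findall(r"__(\w+?)__ => ([\w-]+)", line))
    to_dt = lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)
    return kv["group"], to_dt(kv["notbefore"]), to_dt(kv["noafter"])

def parse_aliases(text):
    """Return one dict per alias: group, alias, notbefore, notafter (assumed UTC)."""
    tokens, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"(\S+) \(\w+\):", line)
        if head:
            group = head.group(1)
        elif ":" in line and group:
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "Alias":
                tokens.append({"group": group, "alias": value})
            elif key in ("NotBefore", "NotAfter") and tokens:
                ts = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
                tokens[-1][key.lower()] = ts.replace(tzinfo=timezone.utc)
    return tokens

def covering_tokens(request, tokens):
    """Aliases in the requested group whose validity spans the whole requested window."""
    group, nb, na = request
    return [t["alias"] for t in tokens
            if t["group"] == group and t["notbefore"] <= nb and na <= t["notafter"]]

def shortfall(request, tokens):
    """How far the requested notafter lies beyond the latest token expiry in the group."""
    group, _, na = request
    return na - max(t["notafter"] for t in tokens if t["group"] == group)

if __name__ == "__main__":
    req, toks = parse_request(NICE_ERROR), parse_aliases(ALIAS_LIST)
    print("covering tokens:", covering_tokens(req, toks), "shortfall:", shortfall(req, toks))
```

An empty list of covering tokens together with a positive shortfall means the requested end date is later than the signer certificate's NotAfter.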