gmane.comp.security.openxpki.user

Re: Hi, problem with installation

Oliver Welter — 2012-02-15T07:12:41

Hi Luigi,

I published new packages yesterday.
LDAP Publishing is now working again.

Oliver

On 01.02.2012 15:44, Oliver Welter wrote:

Re: Hi, problem with installation

Oliver Welter — 2012-02-01T14:44:43

Hello Luigi,

as promised I prepared some debian squeeze packages with the current 
development status.

The packages are available at http://packages.openxpki.org/debian

The packages feature a new (internal) certification interface, therefore 
there are some limitations:
* You can use only PKCS10 or server side key generation in CSRs
* LDAP publication is not working (will follow soon)
* SCEP suport is currently under redesign and has not been migrated yet. 
But if you need a test now, let me know and I can help you get it 
working with some efforts hopefully.

To get a test setup working do the following:
* Install a plain debian squeeze 64bit with at least 2GB disksapce.
* *Important* - activate the "en_US.utf-8" locale (remove the # from it 
in /etc/locale.gen and run locale-gen afterwards)
* Add the archive to your apt list and update
* Install the server packages
aptitude install libopenxpki-perl openxpki-i18n libopenxpki-client-perl

Install the HTML interface
aptitude install libopenxpki-client-html-mason-perl

Run the test deployment:
aptitude install openxpki-deployment

You will some some perl warnings, this is ok - if everthing works fine, 
you can now reach the Web GUI un http://yourhost/openxpki/

First step: Login using "External Dynamic" Authentication, Username 
"admin", Password "CA Operator", and activate the CA key using the 
choosen password.

You should now be able to request and issue certificates - note, you 
always need a certiticate approval from another person than the 
requestor! After approving a request the certificate will be avail 
immediately.

Happy Testing!

Oliver

Re: Hi, problem with installation

Luigi Palmieri — 2012-01-30T11:23:57

Certainly Oliver, thanks you.

I'll wait for your packages :)

Thank you again

Luigi



On Mon, Jan 30, 2012 at 11:54 AM, Oliver Welter <mail-8eKq2Qo/W76zQB+pC5nmwQ< at >public.gmane.org> wrote:

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: Hi, problem with installation

Oliver Welter — 2012-01-30T10:54:56

Cabn you afford to wait another day ?

We are currently doing a heavy refactoring and I would packup a new 
debian package with the lastest changes till Wednesday.
If not I can send you the latest packages but there is at least one bug 
that the Revocation is not working at the moment.

Oliver

On 30.01.2012 09:02, Luigi Palmieri wrote:

Re: Hi, problem with installation

Luigi Palmieri — 2012-01-30T08:02:22

Thanks for your help!! Where can i find your pre-build packages ? When I
try to access http://localhost/openxpki/ i get a page with these :

"Internal Server Error

The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator, webmaster< at >localhost and inform
them of the time the error occurred, and anything you might have done that
may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an
ErrorDocument to handle the request.

Apache/2.2.16 (Debian) Server at localhost Port 80"

I looked in the Apache configuration files and everything seems to be Ok.

Any suggestions??


Luigi




On Sun, Jan 29, 2012 at 4:38 PM, Oliver Welter <mail-8eKq2Qo/W76zQB+pC5nmwQ< at >public.gmane.org> wrote:

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: Hi, problem with installation

Oliver Welter — 2012-01-29T15:38:32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Luigi,


What happens when you try to access http://localhost/openxpki/ ?

Anyway, the packages on the cynops box are a bit outdated - you should
perhaps try to build from source:
http://wiki.openxpki.org/index.php/Best_Practices/Operating_systems/Debian/Debian_Etch_installation

If you use squeeze 64bit, I can provide you with prebuild packages.

Oliver

- -- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8lZ/IACgkQyrew3TmFFyHLKwCfXCaU6wHbnRSqf93aRomJq78y
TVoAnAp+bP343WSKkvnOpV7I4B/yMfLH
=0bXA
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

Hi, problem with installation

Luigi Palmieri — 2012-01-28T09:25:45

Hi everyone,

i'm trying to install on Debian the OpenXPKI CA, i followed this tutorial (
http://wiki.openxpki.org/index.php/Best_Practices/Operating_systems/Debian/Debian_Package_Installation#How_To_Install_OpenXPKI_on_Debian),
but after the installation of everything apache2 doesn't work.when i try to
go to http:\\localhost there is no server available, In the error.log file
of apache2 it appears this:

[Mason] "Cannot resolve file to component: /var/www/index.html (is file
outside component root?) at /usr/share/perl5/HTML/Mason/ApacheHandler.pm
line 858. "


Anyone can help me??

Thank you

Luigi
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

new versioning of snapshots

Sergei Vyshenski — 2011-10-10T10:43:53

Hi,

Last midnight snapshot generator is back:

http://www7.openxpki.org/lastmidnight/index.html

New version numbering is as follows:

(distribution-name).(major-version).ccyymmdd.hhmmss

with (major-version) = (number).(number) as returned by vergen utility
from the OpenXPKI toolkit,
and date-time label ccyymmdd.hhmmss identifying the last commit to the
part of code related to this particular tarball.

All the best, Sergei

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

status of openxpki resources

Sergei Vyshenski — 2011-09-12T18:56:14

Hi,

1. WebSVN viewer of the OpenXPKI's SVN repository, which is hosted at

http://www7.openxpki.org/svn/openxpki

will be shortly put down because of lack of popularity.

2. Last Midnight Snapshot generator which reported its activity to
the page

http://www7.openxpki.org/lastmidnight/index.html

has been recently switched off until needed code fix.

3. All refs to both resources have been removed from the sources of
the web site of the openxpki. Hopefully soon these changes will
propagate through to all mirrors causing refs actually disappear.

All the best, Sergei

------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop 
What are the key obstacles that have prevented many mid-market businesses
from deploying virtual desktops?   How do next-generation virtual desktops
provide companies an easier-to-deploy, easier-to-manage and more affordable
virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/

OpenXPKI Wiki write restrictions, website revamp

Martin Bartosch — 2011-09-10T10:55:56

Hi,

recently a wave of Wiki spam has been hitting the OpenXPKI wiki. As we currently have few contributions, I have decided to remove write permissions for normal users in order to deal with this problem. I apologize for this measure, but I at that rate I cannot keep up with the rate spammers continue to modify the Wiki.

Regarding the website: we are currently setting up a revamp of the OpenXPKI website. In the future we will be using the SourceForge web hosting, eventually migrating away from the distributed web mirrors. 
For content management our idea is to keep the web site in a separate Git repository, based on the popular Jekyll blogging site generator.

In the future I see user contributions to the web site and/or the documentation happening via Git pull requests and an integration step by one of the developers.

cu

Martin


------------------------------------------------------------------------------
Malware Security Report: Protecting Your Business, Customers, and the 
Bottom Line. Protect your business and customers by understanding the 
threat from malware and how it can impact your online business. 
http://www.accelacomm.com/jaw/sfnl/114/51427462/

Re: OpenXPKI interface error

Hasnat Raza — 2011-08-12T04:32:50

hi Scot,
You should reconfigure apache
Firstly you should use these steps:-
                - Remove OPENXPKIPKI folder from httdocs
               - Reconfigure Apache or install again.
               - Rerun OPENXPKI deployment Package.
Regards,
Hasnat Raza


On Tue, Jun 28, 2011 at 12:23 PM, Scott Thomas <scott_thomas007-/E1597aS9LQAvxtiuMwx3w< at >public.gmane.org>wrote:

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. 
http://p.sf.net/sfu/wandisco-dev2dev_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

OpenXPKI interface error

Scott Thomas — 2011-06-28T07:23:08

Bonjour Users,

I am having the following error in OpenXPKI web interface.

error: could not find component for path '/service/index.html'

When i checked the apache error log then got the following lines : 

Trace begun at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 1226
HTML::Mason::Request::comp('HTML::Mason::Request::ApacheHandler=HASH(0xb88f1284)', '/service/index.html') called at /srv/www/htdocs/index.html line 1
HTML::Mason::Commands::__ANON__ at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0xb88ee7f4)') called at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 1279
eval {...} at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 1274
HTML::Mason::Request::comp(undef, undef, undef) called at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 473
eval {...} at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 473
eval {...} at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/Request.pm line 425
HTML::Mason::Request::exec('HTML::Mason::Request::ApacheHandler=HASH(0xb88f1284)') called at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/ApacheHandler.pm line 168
HTML::Mason::Request::ApacheHandler::exec('HTML::Mason::Request::ApacheHandler=HASH(0xb88f1284)') called at /usr/lib/perl5/site_perl/5.10.0/HTML/Mason/ApacheHandler.pm line 825
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=HASH(0xb84ace24)', 'Apache2::RequestRec=SCALAR(0xb832ef9c)') called at /usr/lib/perl5/site_perl/5.10.0/OpenXPKI/Client/HTML/Mason/ApacheHandler.pm line 22
OpenXPKI::Client::HTML::Mason::ApacheHandler::handler('Apache2::RequestRec=SCALAR(0xb832ef9c)') called at -e line 0
eval {...} at -e line 0

Thanks
Scott Thomas
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: WAITING_FOR_CHILD problem

Martin Bartosch — 2011-05-11T12:50:08

Hi,


looks like your LDAP directory is not accessible. Either you should fix the login credentials or deactivate LDAP publication in config.xml.
The error description is not sufficient to provide more help...

Regards,

Martin


------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay

WAITING_FOR_CHILD problem

Hasnat Raza — 2011-05-05T05:04:15

hi i am using openxpki 09.1, my problem is that when i approve certificate
it status shows "WAITING_FOR CHILD". Is this LDAP integration problem or
what if LDAP then how
i recover it. please anyone guide me .
thx
regards,
raza
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

LDAP Manager cause problem

Hasnat Raza — 2011-04-07T09:53:57

I have installed a package called ldap-account-manager
taht I am unable de uninstall ...

d# dpkg -r ldap-account-manager
dpkg: error processing ldap-account-manager (--remove):
Package is in a very bad inconsistent state - you should
reinstall it before attempting a removal.
Errors were encountered while processing:
ldap-account-manager


the reinstallation fails too

any way to remove by hand this package ?

Thanks


regards,
raza
------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: Unable to approve CSR/CRR with digitalsignature

Marc Posch — 2011-03-31T20:20:13

Hi Martin and Alexander,
thank you both for your reply, I didn't expect it that fast. :)

Unfortunately, I already have defined the following in 
workflow_validator_certificate_signing_request.xml:
---------------------------------------------
  <validator name="ValidApprovalSignatureCSR"
 
class="OpenXPKI::Server::Workflow::Validator::ApprovalSignature">
       <!-- if you set the following parameter to 1, you can enforce
            signatures on all CSR approvals -->
       <param name="signature_required" value="0"/>
       <param name="pkcs7tool" value="testsceppkcs7tool1"/>
       <!-- if you set signature_required to 1, you have to defined
            identifiers for your trust anchors:
            -->
       <param name="trust_anchors" 
value="I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA"/>

       <!-- Alternatively, you can also specify realms, which will then be
       replaced by all CA identifiers defined in that realm
       -->

   </validator>
---------------------------------------------
and in workflow_validator_certificate_revocation_request.xml:
---------------------------------------------
<validator name="ValidApprovalSignatureCRR"
 
class="OpenXPKI::Server::Workflow::Validator::ApprovalSignature">
       <!-- if you set the following parameter to 1, you can enforce
            signatures on all CSR approvals -->
       <param name="signature_required" value="0"/>
       <param name="pkcs7tool" value="testsceppkcs7tool1"/>
       <!-- if you set signature_required to 1, you have to defined
            identifiers for your trust anchors:
            -->
       <param name="trust_anchors" 
value="I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA"/>

       <!--Feature request: allow Realms instead of identifiers, too
       Code should replace the realm by all configured identifiers in
       that realm.
       -->

   </validator>
---------------------------------------------

I have restarted the server and retried CSRs and CRRs, but all of them 
fail with the same error. :/

What can I try next? Which Module(s) should I debug to see if it is able 
to read in the certificate chain and/or trust anchor?

Marc

On 31.03.2011 10:07, Alexander Klink wrote:

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

Re: Unable to approve CSR/CRR with digitalsignature

Alexander Klink — 2011-03-31T08:07:26

Hi,

Excerpts from Martin Bartosch's message of Thu Mar 31 09:54:53 +0200 2011:

Also, make sure to create a new workflow for testing once you've done
this as the old one will still use the old configuration (which is a
pretty nice feature but in testing/debugging situations it has bit me
more than once).

Cheers,
  Alex

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

Re: Unable to approve CSR/CRR with digitalsignature

Martin Bartosch — 2011-03-31T07:54:53

Hi,

I need to correct myself. Don't touch the activity configuration, it's correct. Instead edit the file workflow_validator_certificate_signing_request.xml and add the missing trust anchor there. It also already contains some sample settings you just need to modify.

Sorry for the confusion.

cheers

Martin



------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

Re: Unable to approve CSR/CRR with digitalsignature

Martin Bartosch — 2011-03-31T07:48:08

Hi Marc,

Am 30.03.2011 um 23:26 schrieb Marc Posch:


thanks for the detailed debugging output. I reproduced the error and added the -verbose flag. The result confirms my suspicion that the verify command was missing either the cert chain or the trust anchor:

$ openca-sv verify -data openxpkigFRhUb.txt -in openxpkiAhYhyo.txt -verbose
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:0 serial:02DF687F2ADC4D88CAFF subject:UID=raop+CN=RA Operator,DC=Test Deployment,DC=OpenXPKI,DC=org
        error:20:unable to get local issuer certificate
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1
[Error]: Digest mismatch. Signature is wrong.

This indicates that you have not configured the Root CA certificates which are considered as trusted for signature verification.

In your certificate signing request activity configuration file (workflow_activity_certificate_signing_request.xml) you should find a section that looks like:

  <action name="I18N_OPENXPKI_WF_ACTION_APPROVE_CSR"
          class="OpenXPKI::Server::Workflow::Activity::Tools::Approve"
          pkcs7tool="testsceppkcs7tool1"
          multi_role_approval="0"
          check_creator="0">
          <!-- if multi_role_approval is set to 1, a user is allowed
               to approve the certificate request with different
               session roles -->
      <field name="_check_hash"/>
      <field name="_signature"/>
      <field name="_signature_text"/>
      <validator name="ValidApprovalSignatureCSR">
        <arg>$_signature</arg>
        <arg>$_signature_text</arg>
     </validator>
  </action>

Without having tested this (we currently do not use signed approvals here), you should change this to something like that.

...
      <validator name="ValidApprovalSignatureCSR"
        pkcs7tool="testsceppkcs7tool1"
        signature_required="1"
        trust_anchors="REPLACEME"
        >
        <arg>$_signature</arg>
        <arg>$_signature_text</arg>
     </validator>
...

In the above configuration use the same pkcs7tool value as in the action definition above. 
Setting "signature_required" to 1 disables unsigned signatures (your decision).
The trust_anchors value can either be a comma separated list of certificate identifiers you explicitly trust (e. g. all cert identifiers of your trusted Root CA certificates) or a Realm name (same as in the config.xml realm definition).
If you specify a Realm name, the validation implicitly trusts all CAs within this Realm. This is what I suggest to do.

Hope this helps,

Martin



------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

Re: Unable to approve CSR/CRR with digitalsignature

Marc Posch — 2011-03-30T21:26:45

Hi,

I have done some debugging, commenting out the "unlink"-statements in 
CLI.pm so the files would stay under /var/tmp for analysis. I have come 
that far:

OpenXPKI was started with:
openxpkictl start --debug OpenXPKI::Crypto::CLI:128

2011-03-30 23:09:23.996493 DEBUG:1 PID:12245 
OpenXPKI::Crypto::CLI::prepare (line 76): start
2011-03-30 23:09:23.996627 DEBUG:2 PID:12245 
OpenXPKI::Crypto::CLI::prepare (line 78): handle parameter COMMAND
2011-03-30 23:09:23.996904 DEBUG:4 PID:12245 
OpenXPKI::Crypto::CLI::prepare (line 93): prepared command: 
/usr/bin/openca-sv  verify -in /var/tmp/openxpkiAhYhyo -data 
/var/tmp/openxpkigFRhUb 1>>/var/tmp/openxpki8dSKJh 
2>>/var/tmp/openxpkijzlYtt
2011-03-30 23:09:23.997091 DEBUG:1 PID:12245 
OpenXPKI::Crypto::CLI::prepare (line 95): end
2011-03-30 23:09:23.997246 DEBUG:1 PID:12245 
OpenXPKI::Crypto::CLI::execute (line 110): start
2011-03-30 23:09:23.997382 DEBUG:2 PID:12245 
OpenXPKI::Crypto::CLI::execute (line 124): execute commands
2011-03-30 23:09:23.997580 DEBUG:4 PID:12245 
OpenXPKI::Crypto::CLI::execute (line 127): command: /usr/bin/openca-sv 
verify -in /var/tmp/openxpkiAhYhyo -data /var/tmp/openxpkigFRhUb 
1>>/var/tmp/openxpki8dSKJh 2>>/var/tmp/openxpkijzlYtt
2011-03-30 23:09:24.095248 DEBUG:64 PID:12245 
OpenXPKI::Crypto::CLI::execute (line 181): CHILD_ERROR: 256
2011-03-30 23:09:24.104578 DEBUG:1 PID:12245 
OpenXPKI::Crypto::CLI::cleanup (line 270): start
2011-03-30 23:09:24.112553 DEBUG:1 PID:12245 
OpenXPKI::Crypto::CLI::cleanup (line 283): end

I also got hold of the input- and output files, they are attached.

The output openca-sv generates seems to be:
[Error]: Digest mismatch. Signature is wrong.

What can be wrong?

Regards,
Marc

On 30.03.2011 4:19, Marc Posch wrote:
depth:0 serial:02DF687F2ADC4D88CAFF subject:UID=raop+CN=RA Operator,DC=Test Deployment,DC=OpenXPKI,DC=org
-----BEGIN PKCS7-----
MIIIFgYJKoZIhvcNAQcCoIIIBzCCCAMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCBfQwggXwMIIE2KADAgECAgoC32h/KtxNiMr/MA0GCSqGSIb3DQEBBQUA
MFYxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxl
MRQwEgYDVQQLEwtUcnVzdGNlbnRlcjEQMA4GA1UEAxMHVGVzdCBDQTAeFw0xMTAz
MzAxMTQ0MjdaFw0xMTA5MzAxMTQ0MjdaMHoxEzARBgoJkiaJk/IsZAEZFgNvcmcx
GDAWBgoJkiaJk/IsZAEZFghPcGVuWFBLSTEfMB0GCgmSJomT8ixkARkWD1Rlc3Qg
RGVwbG95bWVudDEoMBIGA1UEAwwLUkEgT3BlcmF0b3IwEgYKCZImiZPyLGQBAQwE
cmFvcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiP6SnIQ/S1nPNm
ZGuRLieT7JKIXvcanWxNZL0mhOSB+M5NPjN1xo/DmdD5sPOOIuZUgTTG0Mose1mN
Tziay3+uFc73QN9jGPr/oZhOqIrlM7d1CNuBBKN6j1k4UjUhJTpFDxLZZ+P9c8UQ
t0ktnaeUrr2ql7E2VQd9/h2Ee+0lPbwWiVxgeaO0b4XI11LN0b3lCJw4qKLO3Z4I
9Cd6hB+ERBZp+sotLzbJva3dwyciR+nC7wcvIBmIBAZsuwrZgXP+ZB7oqiBibS08
ry1jcPF5UIgZ+5hGZm5b4UaAQq1ZoMY3cx1oCNUfiN32NZx/UXd+8TnkwpZ/wNBy
zgOKsJsCAwEAAaOCApowggKWMF4GCCsGAQUFBwEBBFIwUDAnBggrBgEFBQcwAoYb
aHR0cDovL2xvY2FsaG9zdC9jYWNlcnQuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8v
b2NzcC5vcGVueHBraS5vcmcvMH4GA1UdIwR3MHWAFDf4yZNDmB3a8ItJO6hIKBUA
L68loVqkWDBWMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYKCZImiZPyLGQBGRYH
ZXhhbXBsZTEUMBIGA1UECxMLVHJ1c3RjZW50ZXIxEDAOBgNVBAMTB1Rlc3QgQ0GC
AQEwDAYDVR0TAQH/BAIwADBhBgNVHR8EWjBYMCCgHqAchhpodHRwOi8vbG9jYWxo
b3N0L2NhY3JsLmNydDA0oDKgMIYubGRhcDovL2xvY2FsaG9zdC9jbj1NeSUyMENB
LGRjPU9wZW5YUEtJLGRjPW9yZzAfBgNVHSUEGDAWBggrBgEFBQcDBAYKKwYBBAGC
NxQCAjALBgNVHQ8EBAMCA/gwKQYJYIZIAYb4QgEEBBwWGmh0dHA6Ly9sb2NhbGhv
c3QvY2FjcmwuY3J0MCkGCWCGSAGG+EIBAwQcFhpodHRwOi8vbG9jYWxob3N0L2Nh
Y3JsLmNydDARBglghkgBhvhCAQEEBAMCBLAwXgYJYIZIAYb4QgENBFEWT1RoaXMg
aXMgYSB1c2VyIGNlcnRpZmljYXRlLlxuCSAgICBHZW5lcmF0ZWQgd2l0aCBPcGVu
WFBLSSB0cnVzdGNlbnRlciBzb2Z0d2FyZS4wEAYDVR0gBAkwBzAFBgMqAwQwGwYD
VR0RBBQwEoEQcmFvcEBleGFtcGxlLmNvbTAdBgNVHQ4EFgQUpZbs6bvGiZzbqlqF
yAEGOySLgzkwDQYJKoZIhvcNAQEFBQADggEBAIMi3EHuCYwbIZJo1vk/zr7jECSL
oJbtr6gVLBs0+rtG54RcNqFPXi8sBcnRd4NkAgFBtGwIRKF2vLb9c9kxIQI2lTOV
0prlU+4RzIBpFMPbUThr0bHn7JsqiYzAh/Dm1J2iM5rpNfGCwDStb0ZjMiJQPAu9
fkEMiT01TiWwjAVhJBe10L6ei/Y2WOHaqQalggc/hifDyhL3byxk9cDAXGBtJhQ5
5Hv5ZWTpPCq7ZCtNmJGvGwBi1V8Llrlj6x1bkdbBQCMInpzTm8nVRl+j53OofhU9
BG3HnXgbdUbZW8UtMfRj2YQ9o7noNxFmMpD5wjYRi4DgVPxRXKxqzji8hPcxggHq
MIIB5gIBATBkMFYxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZ
FgdleGFtcGxlMRQwEgYDVQQLEwtUcnVzdGNlbnRlcjEQMA4GA1UEAxMHVGVzdCBD
QQIKAt9ofyrcTYjK/zAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwMzMwMjEwODI5WjAjBgkqhkiG9w0BCQQx
FgQUOYTyW4Dk969A6HIf4fWRiG7kjUAwDQYJKoZIhvcNAQEBBQAEggEAPy3nfwCq
iIc+YC3v1EeMpBiKr2tRCws83HpIN2Hf6H2fe9alqCyQ+EN4NrDrynvNFcgyEpFg
HAYscoxIh1/HQVP8PlJbWmFqd98jOsxFvjltNzalxApJl7d89bXJyrrSY5/tgqf/
zANdWZoGJGrzG1YCq0cHGzBckosqoU6Xqo7IOpWuwBN7yTlTa1Vje5FsbCpSg/gD
VOYnA3olSvwtf38WEvixkBrLKsmeh6MHmMB5dGT/5JZjxmWSwPtBRFE0lnHBW+GO
UkodhLffD8PGZZyahUdI1JWRE/9prWA3UF6ong63Zav3J3zBilCWc10ceLv3g8Yj
QgcEZRoxBzbSTg==
-----END PKCS7-----
I approve the CRR for workflow 9727.
ID of the certificate to be revoked:
3bB6OOHm5m-EmKhpVN1UpGfJtDw
SHA1-Hash of the session ID:
4euGQYxdX7E0SCHx4Nn8jVcNHEs[Error]: Digest mismatch. Signature is wrong.
------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f< at >public.gmane.org
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Unable to approve CSR/CRR with digital signature

Marc Posch — 2011-03-30T14:19:33

Hi again,

I have worked through a "test plan" which I have set up for myself with 
the default TESTDUMMYCA and got to the following point:

- Sign in as root and unlock CA key -> successful
- Issue CRL -> successful
- Request CA Operator Certificate using basic template -> successful
- Login as raop and approve CSR without signature -> successful
- Request RA Operator Certificate using basic template -> successful
- Login as root using external static mode and approve CSR without 
signature -> successful
- Login as John Doe and request User Certificate using basic template -> 
successful
- Login as raop with digital signature -> successful
- Approve CSR with digital signature -> error

I have already configured my trust_anchors in auth.xml, 
workflow_validator_certificate_revocation_request.xml and 
workflow_validator_certificate_signing_request.xml
to
I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA.

Here is what the webinterface returns:
--------------------------------------------
Error

I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID

Raw Error Data:

{
   'LIST' => [
     {
       'LABEL' => 
'I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID',
       'PARAMS' => {}
     }
   ],
   'SERVICE_MSG' => 'ERROR'
}


Certificate Revocation Request: Approval

To approve this certificate revocation request, you can either approve 
with out without signature. Please choose the appropriate button to 
approve the certificate revocation request.
--------------------------------------------
I can still approve the CSR without signature after that. This is the 
content of /var/log/openxpki.log during approval:

--------------------------------------------
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::CLI 
(/usr/lib/perl5/OpenXPKI/Crypto/CLI.pm:182); raop(RA Operator)< at >f644] 
Exception: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; _
_SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::CLI 
(/usr/lib/perl5/OpenXPKI/Crypto/CLI.pm:182); raop(RA Operator)< at >f644] 
Exception: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; _
_SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::Toolkit 
(/usr/lib/perl5/OpenXPKI/Crypto/Toolkit.pm:464); raop(RA Operator)< at >f644] 
Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; _
_COMMAND__ => OpenXPKI::Crypto::Tool::PKCS7::Command::verify; __ERRVAL__ 
=> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; 
__EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::Toolkit 
(/usr/lib/perl5/OpenXPKI/Crypto/Toolkit.pm:464); raop(RA Operator)< at >f644] 
Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; _
_COMMAND__ => OpenXPKI::Crypto::Tool::PKCS7::Command::verify; __ERRVAL__ 
=> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; 
__EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.WARN 
[OpenXPKI::Server::Workflow::Validator::ApprovalSignature 
(/usr/lib/perl5/OpenXPKI/Server/Workflow/Validator/ApprovalSignature.pm:159); 
raop(RA Operato
r)< at >f644] Exception: 
I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID
2011/03/30 13:48:54 openxpki.system.WARN 
[OpenXPKI::Server::Workflow::Validator::ApprovalSignature 
(/usr/lib/perl5/OpenXPKI/Server/Workflow/Validator/ApprovalSignature.pm:159); 
raop(RA Operato
r)< at >f644] Exception: 
I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID
2011/03/30 13:48:54 Workflow.ERROR Caught exception from action: 
I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID; 
reset workflow to old state 'PENDING'
2011/03/30 13:48:54 Workflow.ERROR Caught exception from action: 
I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID; 
reset workflow to old state 'PENDING'
--------------------------------------------

I will try to investigate a little bit more by activating debug logging...

Regards,
Marc

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf