From: Martin H. <he...@hl...> - 2014-03-07 14:02:24
Hello Nicolas,

I think you were looking at the right place. The function exportDB in export-import.lib holds a list of states which shall be exported. TEMPNEW is not among the ones to be exported, so these requests which are not validated should not even leave the RA. Nevertheless, it would make sense to handle TEMPNEW in importObjects just in case. However, all other states should already be handled correctly, at least for Openca-base 1.5.1.

In the output below I can't see any export of a request. Could you try to export the database with requests of different states (TEMPNEW / NEW / APPROVED) and check the tar file how they are written to the device?

best regards,
Martin

PS: I'm suggesting the attached patch to make sure the TEMPNEW state is correctly handled during import

On 02/28/2014 03:35 PM, Nicolas Macia (CeSPI) wrote:
> I forgot to say that this behavior happened on:
> - Openca-base 1.5.1 / Openca-tools 1.3.0 on Debian 7 (Stable)
> - Openca-base 1.1.1 / Openca-tools 1.3.0 on Debian 6 (Old Stable)
>
> I think that this problem could be related to another bug related to
> putting all objects (CA CERT / CERTIFICATE / REQUEST) in all different
> categories regardless of their status: CACERT [valid / expired], REQUEST
> [new / renew / pending / signed / approved / archived / deleted],
> CERTIFICATE [valid / expired / revoked / suspended]
>
> For example, on OpenCA 1.5.1 on my CA that has:
> - one CA cert
> - one CRL
> - two valid certificates
>
> if I make on the node interface:
> Node Ops -> Backup and Recovery -> Database
>
> I can see the following:
>
> Thursday 27 February 21:48:13 UTC
> Exporting DB ...
> Please wait until operation completes
> Exporting valid CA_CERTIFICATE ...
> Exporting all necessary objects.
> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>
> Exporting expired CA_CERTIFICATE ...
> Exporting all necessary objects.
> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>
> Exporting new CRR ...
> No objects are present.
>
> Exporting pending CRR ...
> No objects are present.
>
> Exporting signed CRR ...
> No objects are present.
>
> Exporting approved CRR ...
> No objects are present.
>
> Exporting archived CRR ...
> No objects are present.
>
> Exporting deleted CRR ...
> No objects are present.
>
> Exporting valid CRL ...
> Exporting all necessary objects.
> 1.pem
>
> Exporting new REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting renew REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting pending REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting signed REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting approved REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting archived REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting deleted REQUEST ...
> Exporting all necessary objects.
> 256.spkac
> 512.spkac
>
> Exporting valid CERTIFICATE ...
> Exporting all necessary objects.
> 998806535358870519861744.pem
> 419063751874877379914325.pem
>
> Exporting expired CERTIFICATE ...
> Exporting all necessary objects.
> 998806535358870519861744.pem
> 419063751874877379914325.pem
>
> Exporting revoked CERTIFICATE ...
> Exporting all necessary objects.
> 998806535358870519861744.pem
> 419063751874877379914325.pem
>
> Exporting suspended CERTIFICATE ...
> Exporting all necessary objects.
> 998806535358870519861744.pem
> 419063751874877379914325.pem
>
> Exporting archive ...
> Load required variables ...
> Changing to directory /home/openca/OpenCA/var/openca/tmp/tmp_19420 ...
> Running the export command(s) ...
> /bin/tar -cvpf /tmp/openca_local -C /home/openca/OpenCA/var/openca/tmp/tmp_19420 .
> Archive created successfully.
> Test the archive ...
> /bin/tar -tvf /tmp/openca_local
> Clean up ...Ok.
>
> Nicolás Macia
> _____________
> CERTunlp
>
> On 27/02/14 21:48, Nicolas Macia wrote:
>> Hello, I have a problem.
>>
>> After requesting Digital Cert at public site, a URL is sent to the
>> requester to confirm his email address
>>
>> The problem is what is seen at RA interface:
>> - CSR confirmed using previous URL are tagged with state NEW
>> - CSR not confirmed are tagged with state TEMPNEW
>> - Approved CSR are tagged with state APPROVED
>>
>> When I use the node interface to exchange information to the CA, all CSR of ANY STATE are exported to CA as approved REQUESTS.
>>
>> Seems to me that the problem is that RA only should export approved
>> requests but it doesn't.
>>
>> anyone who knows what is the problem here??
>>
>> Thanks
>> Nico
>
> -----
> CeSPI
> Centro Superior para el Procesamiento de la Información
> Universidad Nacional de La Plata
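
The export log quoted in this thread lists the same file names under every state of an object type. As an added example (not part of the original thread and not OpenCA code), the following parses log text in that format and reports objects listed under more than one state; the sample log is a constructed, shortened excerpt and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpt in the format of the export log quoted above.
SAMPLE_LOG = """\
Exporting valid CRL ...
Exporting all necessary objects.
1.pem
Exporting pending CRR ...
No objects are present.
Exporting new REQUEST ...
Exporting all necessary objects.
256.spkac
512.spkac
Exporting approved REQUEST ...
Exporting all necessary objects.
256.spkac
512.spkac
Exporting archive ...
Load required variables ...
"""

# Section header as it appears in the log: "Exporting <state> <OBJECT_TYPE> ..."
HEADER = re.compile(r"^Exporting (\w+) ([A-Z_]+) \.\.\.$")

def parse_export_log(text):
    """Return {object_type: {file_name: [states it was listed under]}}."""
    listed = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()   # tolerate mail quote markers
        m = HEADER.match(line)
        if m:
            current = (m.group(2), m.group(1))
        elif line.endswith("..."):        # any other step ("Exporting archive ...") ends the section
            current = None
        elif current and line and " " not in line:   # assumption: object lines are bare file names
            listed[current[0]][line].append(current[1])
    return listed

def multi_state_objects(text):
    """Objects that the log lists under more than one state of the same type."""
    return {(obj_type, name): states
            for obj_type, names in parse_export_log(text).items()
            for name, states in names.items() if len(states) > 1}

if __name__ == "__main__":
    for (obj_type, name), states in sorted(multi_state_objects(SAMPLE_LOG).items()):
        print(f"{obj_type} {name}: listed under {', '.join(states)}")
```

An object reported here is only a hint from the log; the tar archive contents remain the place to confirm under which state each request was actually written.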