From: Oliver W. <ma...@ol...> - 2025-09-17 19:07:55
Hello Wilhelm,

well - that's quite obvious...

You want to issue a certificate with a three year validity with a CA certificate that expires in less than 36 months - either issue a new CA generation or reduce your validity.

best regards

Oliver

On 17.09.25 20:34, Wilhelm Greiner via OpenXPKI-users wrote:
>
> Hello,
>
> we have an openxpki Server running for years, but now there is a
> problem I can't figure out, it's our productive server.. :-(
>
> OpenXPKI Version is: 3.30.9-0 (Debian 12)
>
> Problem: we can't create certificates anymore, cisco routers try to get
> a certificate and we see the workflow and can accept and confirm.
> Then the workflow ends with an error and a retry results in the same
> Error message. (NICE backend error: Could not find token alias by group)
>
> Can't remember we changed anything; at the end of this mail is the
> list of aliases etc.:
>
> In the logs are the following lines, maybe they help:
>
> 2025/09/17 13:36:20 ERR Request was rejected:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
> [pid=2367675|ep=scep]
>
> 2025/09/17 15:30:38 88963071 Rendering subject:
> CN=org543235.net.company.de,O=K11111,OU=company-net,DC=company,DC=de
>
> 2025/09/17 15:30:38 88963071 Trusted Signer chain - certificate is
> self signed
>
> 2025/09/17 15:30:38 88963071 Trusted Signer not found in trust list
> (unstructuredName=org543235.net.company.de).
>
> 2025/09/17 15:30:38 88963071 validate challenge using compare
> validation FAILED!
>
> 2025/09/17 15:30:54 88963071 Policy subject duplicate check failed,
> found certs 8qNus25b6Djl3Fgrq5V3trNF-Pk
>
> 2025/09/17 15:30:54 88963071 Eligibility check for
> scep.scep.eligible.initial failed
>
> 2025/09/17 15:30:54 88963071 Trigger notification message
> enroll_approval_pending
>
> 2025/09/17 15:30:56 88963071 Unsigned approval for workflow 88963071
> by user klaus, role RA Operator
>
> 2025/09/17 15:30:56 88963071 Approval points for workflow #88963071: 1
>
> 2025/09/17 15:30:56 88963071 persisted csr for
> CN=org543235.net.company.de,O=K1114,OU=company-net,DC=company,DC=de
> with csr_serial 56831
>
> 2025/09/17 15:30:56 88963071 start cert issue for serial 56831,
> workflow 88963071
>
> 2025/09/17 15:30:56 88963071 NICE backend error: Could not find token
> alias by group; __group__ => ca-signer, __noafter__ => 1852810256,
> __notbefore__ => 1758115856, __pki_realm__ => ca-one
>
> 2025/09/17 15:30:56 88963071 NICE issueCertificate failed but
> pause_on_error is requested
>
> 2025/09/17 15:30:56 88963071 Action 'global_nice_issue_certificate'
> paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-09-17T13:36:48
>
> # openxpkiadm alias list
>
> === functional token ===
>
> vault (datasafe):
> Alias : vault-1
> Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
> NotBefore : 2018-09-07 12:03:50
> NotAfter : 2033-09-04 12:03:50
>
> ratoken (cmcra):
> Alias : ratoken-1
> Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
> NotBefore : 2018-09-07 12:03:50
> NotAfter : 2028-09-04 12:03:50
>
> ca-signer (certsign):
> Alias : ca-signer-1
> Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
> NotBefore : 2018-09-07 12:03:50
> NotAfter : 2028-09-04 12:03:50
>
> ratoken (scep):
> Alias : ratoken-1
> Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
> NotBefore : 2018-09-07 12:03:50
> NotAfter : 2028-09-04 12:03:50
>
> === root ca ===
>
> current root ca:
> Alias : root-1
> Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
> NotBefore : 2018-09-07 12:03:49
> NotAfter : 2033-09-04 12:03:49
>
> upcoming root ca:
> not set
>
> # openxpkiadm key list
>
> Keys for token group ratoken
> c ratoken-1
>
> Keys for token group ca-signer
> c ca-signer-1
>
> Keys for token group ratoken
> c ratoken-1
>
> Keys for token group vault
> c vault-1
>
> # openxpkiadm certificate list
>
> Certificates in ca-one:
>
> Identifier: CNPm81r7AIekkx1F3EUNWK1RzXs
> Alias:
> ca-signer-1
>
> Identifier: JBtxGIPpjYfQYKAkbt7emXmj6LE
> Alias:
> ratoken-1
>
> Identifier: SnqdqJAQPkXRkFxifGowf82LrFo
> Alias:
> root-1
>
> Identifier: GNCCvr3lEwtow0tAt2itjP73FHU
> Alias:
> vault-1
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
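
The check described in the reply above, as an added example that is not part of the original thread and not OpenXPKI code: it parses the ca-signer entry from the `openxpkiadm alias list` output and the epoch values in the NICE error line, then reports whether any signer covers the requested validity window. The function names are hypothetical; it assumes the alias timestamps are UTC and that a usable signer must be valid for the whole requested window.

```python
import re
from datetime import datetime, timezone
# Constructed sample: ca-signer entry and NICE error line as quoted in the thread.
ALIAS_LIST = """\
ca-signer (certsign):
Alias : ca-signer-1
NotBefore : 2018-09-07 12:03:50
NotAfter : 2028-09-04 12:03:50
"""
NICE_ERROR = ("NICE backend error: Could not find token alias by group; "
              "__group__ => ca-signer, __noafter__ => 1852810256, "
              "__notbefore__ => 1758115856, __pki_realm__ => ca-one")
FMT = "%Y-%m-%d %H:%M:%S"  # assumption: alias list timestamps are UTC

def parse_aliases(text):
    """Return {group: [(alias, notbefore, notafter), ...]} from alias list output."""
    groups, group, cur = {}, None, {}
    for line in text.splitlines():
        head = re.match(r"\s*([\w-]+) \(\w+\):\s*$", line)
        field = re.match(r"\s*(Alias|NotBefore|NotAfter)\s*:\s*(.+?)\s*$", line)
        if head:
            group, cur = head.group(1), {}
        elif field and group:
            cur[field.group(1)] = field.group(2)
            if len(cur) == 3:  # alias and both dates seen: record the entry
                nb, na = (datetime.strptime(cur[k], FMT).replace(tzinfo=timezone.utc)
                          for k in ("NotBefore", "NotAfter"))
                groups.setdefault(group, []).append((cur["Alias"], nb, na))
                cur = {}
    return groups

def parse_request(error_line):
    """Extract token group and requested validity window from the NICE error."""
    kv = dict(re.findall(r"__(\w+)__ => ([\w-]+)", error_line))
    nb, na = (datetime.fromtimestamp(int(kv[k]), tz=timezone.utc)
              for k in ("notbefore", "noafter"))  # key spelled as in the log
    return kv["group"], nb, na

def usable_signers(alias_text, error_line):
    """Aliases whose validity covers the whole requested window (assumed rule)."""
    group, nb, na = parse_request(error_line)
    return [alias for alias, s_nb, s_na in parse_aliases(alias_text).get(group, [])
            if s_nb <= nb and na <= s_na]

def max_validity_days(alias_text, error_line):
    """Longest whole-day validity any signer in the group could still cover."""
    group, nb, _ = parse_request(error_line)
    signers = parse_aliases(alias_text).get(group, [])
    return max(((s_na - nb).days for _, _, s_na in signers), default=0)
```

With the values from the thread, `usable_signers(ALIAS_LIST, NICE_ERROR)` is empty because the requested end date falls after the ca-signer-1 NotAfter.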