Closed Shriyanshmit closed 5 years ago
I am somewhat unsure what the issue at hand might be...
@Shriyanshmit, I also don't understand what you mean by your comment. Please expand.
Hi All,
I am using EJBCA CA to generate the certificates, so I used this code with openssl for generating the certificates.
I created one API server which is creating the URL as mentioned below:
server = https://132.186.189.217:8443
path=/api/cmp
I set all the below parameters in the openssl.cnf file.
tls_trusted = /home/TestUser/Certs/ACIssuingCA.cacert.pem
tls_cert=/home/TestUser/Certs/TLS_User_EE.p12
tls_key=/home/TestUser/Certs/TLS_User_EE.p12
tls_keypass=pass:**
trusted=/home/TestUser/Certs/ACIssuingCA-chain.pem
cert=/home/TestUser/Certs/ppki_cmp_signer.p12
key=/home/TestUser/Certs/ppki_cmp_signer.p12
keypass=pass:**
subject="/CN=test20181204/O=TestOrg/C=DE/serialNumber=1122333f"
digest=sha256
popo=1
disableconfirm=1
unprotectederrors=1
certout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
extracertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
cacertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
Now I am using the command (./openssl cmp -cmd ir) to generate the certificate, but it is giving the same message:
send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir
I am not able to get any request to any API server.
Please help.
The message "INFO: sending ir" by the CMP client obviously tells that it started sending the first request message. If nothing else is output thereafter this means that the client got stuck. Likely because it could not reach the server or the server did not answer or its answer did not reach the client.
Check your network setup, including any (local or remote) firewalls.
As I checked, I am able to access the same URL from the browser and the command prompt as well.
Good that you checked this. Are you sure that you are using the same URL, including port 8443?
Does the client actually use the openssl.cnf file you provided? It should output, e.g.,
INFO: using OpenSSL configuration file '/home/TestUser/openssl.cnf'
Thanks for your quick response.
Yes it is using the same file. INFO: using OpenSSL configuration file '/opt/openssl/openssl.cnf'
All right, so it is pretty much confirmed that your CMP client instance actually tries to reach https://132.186.189.217:8443/api/cmp.
Then it is very strange that you could reach this URL from the same machine using a browser while apparently the CMP client cannot.
You may also try not using TLS (e.g., by commenting out all respective lines in your config file) and use server=132.186.189.217.
For instance, I've just tried
apps/openssl cmp -cmd ir -server 132.186.189.217:80 -path api/cmp -config "" -secret pass:test -ref test -newkey test.ECC.priv.pem -certout test.pem
and did get a response:
OpenSSL:(PEDANTIC disallows function name)():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:(PEDANTIC disallows function name)():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140179742328576:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
140179742328576:error:390AF090:CMP routines:OSSL_CMP_MSG_http_perform:failed to receive pkimessage:crypto/cmp/cmp_http.c:520:
140179742328576:error:3909F097:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:200:
BTW, please do not write duplicate comments/responses. I've hidden/deleted them above.
Having a look at network traces taken with Wireshark (or tcpdump) for the communication by browser and the client with the server might quickly give hints as to what goes wrong.
I assume that the problem was more networking-related and is probably resolved by now.
No, it's not resolved till now.
On Mon, Jul 15, 2019 at 3:43 PM Martin Peylo notifications@github.com wrote:
I assume that the problem was more networking-related and is probably resolved by now.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mpeylo/cmpossl/issues/181?email_source=notifications&email_token=ACZU5Z7FTBEV5V4ZZZQKIJ3P7RETVA5CNFSM4H3QILNKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZ5IJ4I#issuecomment-511345905, or mute the thread https://github.com/notifications/unsubscribe-auth/ACZU5ZYRBMBZVUUE3LNUES3P7RETVANCNFSM4H3QILNA .
-- Regards.. Shreyansh Jain
Did you check with Wireshark what is actually going on "on the wire"?
I was busy with some other work. Please give me some time; I will check and let you know.
On Mon, Jul 15, 2019, 15:54 Martin Peylo notifications@github.com wrote:
Did you check with Wireshark what is actually going on "on the wire"?
No hurry on our side, while in the meantime we just assume that the code works as it should ;-)
error: unable to load new private key for certificate to be enrolled from '/home/siemensuser/Certs/ACIssuingCA.cacert.pem'
Now I am getting the below message.
root@ubuntu:/opt/openssl/bin# ./openssl cmp -cmd ir -server 132.186.189.206:444 -path api/cmp -config "" -secret pass:test -ref test -newkey Key-2019.pem -certout Key-2019.pem
OpenSSL:setup_ctx():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140641880569600:error:390B10A8:CMP routines:OSSL_CMP_MSG_http_perform:read timeout:crypto/cmp/cmp_http.c:516:
140641880569600:error:390A1098:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:199:
OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir
Showing same message.
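An added example, not part of the thread or of the cmpossl project: the settings in the first post and the command line in the last post each name one file both for an output option (certout, extracertsout, cacertsout) and for an input (tls_trusted, newkey), so a successful enrollment would write over a trust anchor or a private key. The Python check below flags such collisions before the client is run; the option lists, function names and sample inputs are assumptions constructed from the values quoted above.

```python
import os
import shlex

# Files the CMP client reads: trust anchors, credentials, key for the new cert.
INPUT_OPTS = ("tls_trusted", "trusted", "tls_cert", "tls_key", "cert", "key", "newkey")
# Files the CMP client writes once a certificate has been issued.
OUTPUT_OPTS = ("certout", "extracertsout", "cacertsout")

def parse_config(text):
    """Read 'name = value' lines as found in the cmp section of openssl.cnf."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            opts[name.strip()] = value.strip().strip('"')
    return opts

def parse_argv(command):
    """Read '-name value' pairs from an 'openssl cmp ...' command line."""
    tokens = shlex.split(command)
    return {tok[1:]: nxt for tok, nxt in zip(tokens, tokens[1:])
            if tok.startswith("-") and len(tok) > 1 and not nxt.startswith("-")}

def find_collisions(opts):
    """Return (output_option, other_option, path) for every shared file path."""
    outs = [(o, os.path.normpath(opts[o])) for o in OUTPUT_OPTS if opts.get(o)]
    ins = [(i, os.path.normpath(opts[i])) for i in INPUT_OPTS if opts.get(i)]
    hits = [(o, i, p) for o, p in outs for i, q in ins if p == q]
    hits += [(o1, o2, p1) for n, (o1, p1) in enumerate(outs)
             for o2, p2 in outs[n + 1:] if p1 == p2]
    return hits

# Constructed sample, modelled on the settings quoted in the first post.
SAMPLE_CONFIG = """
tls_trusted = /home/TestUser/Certs/ACIssuingCA.cacert.pem
trusted = /home/TestUser/Certs/ACIssuingCA-chain.pem
cert = /home/TestUser/Certs/ppki_cmp_signer.p12
key = /home/TestUser/Certs/ppki_cmp_signer.p12
certout = /home/TestUser/Certs/ACIssuingCA.cacert.pem
extracertsout = /home/TestUser/Certs/ACIssuingCA.cacert.pem
cacertsout = /home/TestUser/Certs/ACIssuingCA.cacert.pem
"""
# Constructed sample, modelled on the command line in the last post.
SAMPLE_COMMAND = ('./openssl cmp -cmd ir -server 132.186.189.206:444 -path api/cmp '
                  '-config "" -secret pass:test -ref test '
                  '-newkey Key-2019.pem -certout Key-2019.pem')

if __name__ == "__main__":
    for opts in (parse_config(SAMPLE_CONFIG), parse_argv(SAMPLE_COMMAND)):
        for out_opt, other, path in find_collisions(opts):
            print(f"{out_opt} would overwrite the file also named by {other}: {path}")
```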