Closed dladlk closed 3 years ago
@dladlk thanks for the issue. Do I understand you correctly: SML requires the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters around the certificate to work?
Sorry for the late answer, Philip! I am your fan - everything you do for Peppol is really amazing :)
Yes, I spent several hours realizing this. At first I started with your tool for SMP certificate change at https://peppol.helger.com/public/menuitem-tools-smp-sml - and pasted the PEM without begin/end, with the HTTP response error badRequestFault. Then I upgraded my SMP 5.0.8 to your latest version - with the same result. Then I installed a SoapUI project and tried to invoke the web service directly - and at that point noticed that in the SML documentation at https://peppol.eu/wp-content/uploads/2018/06/PEPPOL_Certificates_Change_V1.2.pdf they have an example of a certificate wrapped with begin/end:
Below you can see a snippet from your SMP audit file with an example of failed and successful execution - nothing was changed in between except BEGIN/END (thank you for logging it so clearly 👍):
<item ldt="2020-12-30T12:02:43.497705" user="admin" type="modify" success="true">{"user":["update-last-login","admin"]}</item>
<item ldt="2020-12-30T12:04:19.605370" user="admin" type="execute" success="false">{"smp-sml-update-cert":["https://acc.edelivery.tech.ec.europa.eu/edelivery-sml","MIIF0zCCA7ugAwIBAgIQMpBeMAxDfBBpH1rLOSVm1TANBgkqhkiG9w0BAQsFADB5\r\nMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQT3BlblBFUFBPTCBBSVNCTDEWMBQGA1UE\r\nCxMNRk9SIFRFU1QgT05MWTE3MDUGA1UEAxMuUEVQUE9MIFNFUlZJQ0UgTUVUQURB\r\nVEEgUFVCTElTSEVSIFRFU1QgQ0EgLSBHMjAeFw0yMDEyMjQwMDAwMDBaFw0yMjEy\r\nMTQyMzU5NTlaMFIxEjAQBgNVBAMMCVBESzAwMDI1MzEYMBYGA1UECwwPUEVQUE9M\r\nIFRFU1QgU01QMRUwEwYDVQQKDAxUcnVlTGluayBBL1MxCzAJBgNVBAYTAkRLMIIB\r\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+6oh+zBOeNFznWwvUz6t+Ltg\r\n9qAdxOrEIljB23nuAHOIMU2My4O1Sc9mFPsKYcbDw6X2jAi1SHzpDu+QB7VxhXTa\r\n9JlbjtSZyqXUbvsoELZ+vEzkhL/am8FbEeS+WxR5Faor1d4Z+LOy9gObBnBbekDj\r\n+5v6xC25JbeZ3tua2FKfahJT/u9IbqDLm/ez61bRQ3wbOVHh5B71avMemhfjqNL0\r\nrBlezScedwynfhBBbS/CdW/mh4FhT+GLMkJZd2hfJ1uA6rFqNg+IJUQmGlTDfOrj\r\nIi7Ov+ObQU6AYsLhlN08tUhJVQX/SF1c/c3ufE6hvUDim9DTWJY1ExnQBzrgZQID\r\nAQABo4IBfDCCAXgwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwFgYDVR0l\r\nAQH/BAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFM3p2l4Q9bkArpQZNymy8me68SzL\r\nMF0GA1UdHwRWMFQwUqBQoE6GTGh0dHA6Ly9wa2ktY3JsLnN5bWF1dGguY29tL2Nh\r\nX2I2ZDBkYzFkYzMxNDc3MjNmZTM2Yjc1NzU5OTdhZmM0L0xhdGVzdENSTC5jcmww\r\nNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8vcGtpLW9jc3Auc3lt\r\nYXV0aC5jb20wHwYDVR0jBBgwFoAUfB2ySPG62QoGyhZjqfB6T70jnXswLQYKYIZI\r\nAYb4RQEQAwQfMB0GE2CGSAGG+EUBEAECAwEBgajVgQoWBjk1NzYwODA5BgpghkgB\r\nhvhFARAFBCswKQIBABYkYUhSMGNITTZMeTl3YTJrdGNtRXVjM2x0WVhWMGFDNWpi\r\nMjA9MA0GCSqGSIb3DQEBCwUAA4ICAQBtN41db7VpotxVCRmiXLXIYx00zYzSDCWo\r\nmuXyrTvCAeAi6e3XP1YNNOSFm+6j7x8TwO3Owcgd/7P9TyRC62S5j1DpjIeC2UDZ\r\npILWzvKgyL7ZVlo/noLTyP6AxNKRqz3iC7U8tug+bnsVDrasxqOWxsUAm4MbBCKP\r\nv/KWodC0vLtuQpNSwv9jmogGFWRWNzbQYCAdKoNjTB//5N6Rmze8u6NQI8WYK+Pb\r\nTBlC0QvGIY8Ei02Rdcrh31UJdplvUb8HX91OaDc+UesAiR13bJX3vxS5fD1H6YCd\r\nI/WQRbZ50htJNxt/4RDJ/50H4i11cEuJBfjZ2QQQ7rGmM0/oUXScF5c1b2B9e5ig\r\nDC+nxySBO5eYkrbmYGh1DqNpqC50rVq7ib5aJtea7VLx1Ab864AkmOXiUQdu+I1Y\r\n
KWxYYlKhi1dLFjgGhAv5bsgupZlWyTKXszSK+YPlxMbK66AdCdZ5kCNxyPGUFlTD\r\nJcCb/gOUv+TIRimG2WDfRxBZ+GgKumckNZbI6jvfztJxcJRLYNIWGa97Q8AOl3z0\r\nHR9K/MgFs0PxCpYe3/mwJ+EGWcVk1aR4NOKmfCjaOTAbhI6+JGucD6tDlyl1Nmqn\r\n8fGC6Nd7mvJ1Bu6KYyH85rrzg5tKvvFylGqrUt2pkTtmqG0N2FttDYhVGh/GD3kS\r\ncFkkGlCv4g==","2020-12-31","class com.sun.xml.ws.client.ClientTransportException","The server sent HTTP status code 400: Bad Request"]}</item>
...
<item ldt="2020-12-30T12:56:14.590807" user="admin" type="modify" success="true">{"user":["update-last-login","admin"]}</item>
<item ldt="2020-12-30T12:56:33.894104" user="admin" type="execute" success="true">{"smp-sml-update-cert":["https://acc.edelivery.tech.ec.europa.eu/edelivery-sml","-----BEGIN CERTIFICATE-----\r\nMIIF0zCCA7ugAwIBAgIQMpBeMAxDfBBpH1rLOSVm1TANBgkqhkiG9w0BAQsFADB5\r\nMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQT3BlblBFUFBPTCBBSVNCTDEWMBQGA1UE\r\nCxMNRk9SIFRFU1QgT05MWTE3MDUGA1UEAxMuUEVQUE9MIFNFUlZJQ0UgTUVUQURB\r\nVEEgUFVCTElTSEVSIFRFU1QgQ0EgLSBHMjAeFw0yMDEyMjQwMDAwMDBaFw0yMjEy\r\nMTQyMzU5NTlaMFIxEjAQBgNVBAMMCVBESzAwMDI1MzEYMBYGA1UECwwPUEVQUE9M\r\nIFRFU1QgU01QMRUwEwYDVQQKDAxUcnVlTGluayBBL1MxCzAJBgNVBAYTAkRLMIIB\r\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+6oh+zBOeNFznWwvUz6t+Ltg\r\n9qAdxOrEIljB23nuAHOIMU2My4O1Sc9mFPsKYcbDw6X2jAi1SHzpDu+QB7VxhXTa\r\n9JlbjtSZyqXUbvsoELZ+vEzkhL/am8FbEeS+WxR5Faor1d4Z+LOy9gObBnBbekDj\r\n+5v6xC25JbeZ3tua2FKfahJT/u9IbqDLm/ez61bRQ3wbOVHh5B71avMemhfjqNL0\r\nrBlezScedwynfhBBbS/CdW/mh4FhT+GLMkJZd2hfJ1uA6rFqNg+IJUQmGlTDfOrj\r\nIi7Ov+ObQU6AYsLhlN08tUhJVQX/SF1c/c3ufE6hvUDim9DTWJY1ExnQBzrgZQID\r\nAQABo4IBfDCCAXgwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwFgYDVR0l\r\nAQH/BAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFM3p2l4Q9bkArpQZNymy8me68SzL\r\nMF0GA1UdHwRWMFQwUqBQoE6GTGh0dHA6Ly9wa2ktY3JsLnN5bWF1dGguY29tL2Nh\r\nX2I2ZDBkYzFkYzMxNDc3MjNmZTM2Yjc1NzU5OTdhZmM0L0xhdGVzdENSTC5jcmww\r\nNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8vcGtpLW9jc3Auc3lt\r\nYXV0aC5jb20wHwYDVR0jBBgwFoAUfB2ySPG62QoGyhZjqfB6T70jnXswLQYKYIZI\r\nAYb4RQEQAwQfMB0GE2CGSAGG+EUBEAECAwEBgajVgQoWBjk1NzYwODA5BgpghkgB\r\nhvhFARAFBCswKQIBABYkYUhSMGNITTZMeTl3YTJrdGNtRXVjM2x0WVhWMGFDNWpi\r\nMjA9MA0GCSqGSIb3DQEBCwUAA4ICAQBtN41db7VpotxVCRmiXLXIYx00zYzSDCWo\r\nmuXyrTvCAeAi6e3XP1YNNOSFm+6j7x8TwO3Owcgd/7P9TyRC62S5j1DpjIeC2UDZ\r\npILWzvKgyL7ZVlo/noLTyP6AxNKRqz3iC7U8tug+bnsVDrasxqOWxsUAm4MbBCKP\r\nv/KWodC0vLtuQpNSwv9jmogGFWRWNzbQYCAdKoNjTB//5N6Rmze8u6NQI8WYK+Pb\r\nTBlC0QvGIY8Ei02Rdcrh31UJdplvUb8HX91OaDc+UesAiR13bJX3vxS5fD1H6YCd\r\nI/WQRbZ50htJNxt/4RDJ/50H4i11cEuJBfjZ2QQQ7rGmM0/oUXScF5c1b2B9e5ig\r\nDC+nxySBO5eYkrbmYGh1DqNpqC50rVq7ib5aJt
ea7VLx1Ab864AkmOXiUQdu+I1Y\r\nKWxYYlKhi1dLFjgGhAv5bsgupZlWyTKXszSK+YPlxMbK66AdCdZ5kCNxyPGUFlTD\r\nJcCb/gOUv+TIRimG2WDfRxBZ+GgKumckNZbI6jvfztJxcJRLYNIWGa97Q8AOl3z0\r\nHR9K/MgFs0PxCpYe3/mwJ+EGWcVk1aR4NOKmfCjaOTAbhI6+JGucD6tDlyl1Nmqn\r\n8fGC6Nd7mvJ1Bu6KYyH85rrzg5tKvvFylGqrUt2pkTtmqG0N2FttDYhVGh/GD3kS\r\ncFkkGlCv4g==\r\n-----END CERTIFICATE-----","2020-12-31"]}</item>
It was so sad to see that I could have planned the migration in 5 mins just by being more attentive when looking at the SML documentation - but that is as usual :)
Anyway, if you could give a hint in the SMP GUI or fix it on the fly (if not wrapped - wrap) before invoking the web service - other people (and me in 2 years from now) would not notice how close they were to trouble for multiple hours :)
@dladlk Thank you very much for giving this advice. It helped me already with our certificate change.
This was done in https://github.com/phax/phoss-smp/commit/a3193657bc1a296c961d37843bec93544fe101ec and will be part of the 5.4.0 release. Thanks!
PrepareChangeCertificate certificate requires public key to be wrapped with
There are already multiple validations of the posted information on the SML certificate update page - but it does not warn about this or fix it, so it is unclear why SML rejects the requests.
At least the info line at "New public key*" could be expanded with such a hint:
Paste the public part of your new certificate here (using PEM encoding). Do NOT paste your new private key here. Public part should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----"
As in other places, where certificates are uploaded or shown, it is omitted, it was confusing...
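
The "if not wrapped - wrap" normalization requested in this thread, as an added Java example; it is not the code from the phoss-smp commit linked above. The names `PemArmor` and `ensureArmored` are hypothetical, and the CRLF line separator mirrors the successful audit entry rather than a documented SML requirement.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Hypothetical helper (not part of phoss-smp): accept a certificate pasted with or
// without PEM delimiters and always hand the web service client a fully armored PEM.
public final class PemArmor {
  private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
  private static final String END = "-----END CERTIFICATE-----";

  public static String ensureArmored(String pasted) throws CertificateException {
    String body = pasted.trim();
    boolean hasBegin = body.startsWith(BEGIN);
    boolean hasEnd = body.endsWith(END);
    if (hasBegin != hasEnd)
      throw new CertificateException("Only one of the BEGIN/END delimiters is present");
    if (hasBegin)
      body = body.substring(BEGIN.length(), body.length() - END.length());
    // Drop all whitespace (CRLF from a textarea included) before strict Base64 decoding
    body = body.replaceAll("\\s+", "");
    final byte[] der;
    try {
      der = Base64.getDecoder().decode(body);
    } catch (IllegalArgumentException ex) {
      throw new CertificateException("Input is not valid Base64", ex);
    }
    // Parse the DER locally so a pasted private key or garbage is rejected here,
    // with a clear message, instead of as an opaque HTTP 400 from the SML
    X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(der));
    // Re-encode canonically: 64-character lines, delimiters on their own lines
    // (CRLF is an assumption taken from the successful audit entry)
    String b64 = Base64.getMimeEncoder(64, "\r\n".getBytes(StandardCharsets.US_ASCII))
        .encodeToString(cert.getEncoded());
    return BEGIN + "\r\n" + b64 + "\r\n" + END;
  }

  public static void main(String[] args) throws Exception {
    // Usage: java PemArmor.java cert.txt   (file content with or without delimiters)
    String pasted = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
    System.out.println(ensureArmored(pasted));
  }
}
```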