Hi,
I’ve set up the WebCA as described in
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
When I try to roll out a new certificate I get:
‘X509Req’ object has no attribute ‘get_extensions’
There’s no certificate but the token will be displayed within the token
view.
Google tells me about some “wont fixes” with PyOpenSSL.
I’m using Debian 8 with latest packages from Trusty build.
Any ideas?
Thanks
Michael
Oh,
it looks like get_extensions was added to X509Req AFTER the release of
0.14.
Available in 0.15… :-/
Maybe I will pack a newer version of python-openssl.
Till then you would have to install at least 0.15. Or run in a python
virtualenv…
Kind regards
CorneliusAm Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz:
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
Exception on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
line 57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
line 186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
line 912, in init_token
tokenobject.update(upd_params)
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”, line 218, in update
crypto.FILETYPE_PEM, req))
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”, line 173, in sign_request
csr_extensions = csr_obj.get_extensions()
AttributeError: ‘X509Req’ object has no attribute ‘get_extensions’On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,can you please post your privacyidea.log? There should be a traceback. Which version of pyopenssl and which version of openssl are you using? Kind regards Cornelius Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > Hi, > > > I've set up the WebCA as described in > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > When I try to roll out a new certificate I get: > 'X509Req' object has no attribute 'get_extensions' > > > > There's no certificate but the token will be displayed within the > token view. > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > Any ideas? > > > Thanks > Michael > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/137ce9e3-bc5b-4dce-bd01-5fbd46e0f7da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi,
can you please post your privacyidea.log?
There should be a traceback.
Which version of pyopenssl and which version of openssl are you using?
Kind regards
CorneliusAm Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz:
Hi,
I’ve set up the WebCA as described in
5.4. CA Connectors — privacyIDEA 3.8 documentationWhen I try to roll out a new certificate I get:
‘X509Req’ object has no attribute ‘get_extensions’There’s no certificate but the token will be displayed within the
token view.Google tells me about some “wont fixes” with PyOpenSSL.
I’m using Debian 8 with latest packages from Trusty build.
Any ideas?
Thanks
MichaelPlease read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library
[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user
u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid
resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception
on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”, line
57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line 180,
in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”, line
186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line 180,
in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”, line
912, in init_token
tokenobject.update(upd_params)
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update
crypto.FILETYPE_PEM, req))
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request
csr_extensions = csr_obj.get_extensions()
AttributeError: ‘X509Req’ object has no attribute 'get_extensions’On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,
can you please post your privacyidea.log?
There should be a traceback.Which version of pyopenssl and which version of openssl are you using?
Kind regards
CorneliusAm Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz:
Hi,
I’ve set up the WebCA as described in
5.4. CA Connectors — privacyIDEA 3.8 documentation
When I try to roll out a new certificate I get:
‘X509Req’ object has no attribute ‘get_extensions’There’s no certificate but the token will be displayed within the
token view.Google tells me about some “wont fixes” with PyOpenSSL.
I’m using Debian 8 with latest packages from Trusty build.
Any ideas?
Thanks
MichaelPlease read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
The CSR extensions are not used at the moment.
So we could as well remove this line and then python-openssl 0.14 would
work fine, again.
Kind regards
CorneliusAm Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz:
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
Exception on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
line 57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
line 186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
line 912, in init_token
tokenobject.update(upd_params)
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”, line 218, in update
crypto.FILETYPE_PEM, req))
File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”, line 173, in sign_request
csr_extensions = csr_obj.get_extensions()
AttributeError: ‘X509Req’ object has no attribute ‘get_extensions’On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,can you please post your privacyidea.log? There should be a traceback. Which version of pyopenssl and which version of openssl are you using? Kind regards Cornelius Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > Hi, > > > I've set up the WebCA as described in > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > When I try to roll out a new certificate I get: > 'X509Req' object has no attribute 'get_extensions' > > > > There's no certificate but the token will be displayed within the > token view. > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > Any ideas? > > > Thanks > Michael > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/137ce9e3-bc5b-4dce-bd01-5fbd46e0f7da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Michael,
this very much depends on your overall PKI design.
As a matter of fact I am also doing PKI consultancy for enterprise sized
PKIs. Including hardware security modules and smartcards if needed.
Yes, setting up an Intermediate CA would make sense. But the
intermediate CA does not need the Root CA to sign a certificate.
You could however include the whole CA chain for download. But this is
also not required. So technically: No Root CA needed on this machine.
Kind regards
CorneliusAm Dienstag, den 07.06.2016, 02:25 -0700 schrieb Michael Muenz:
Hi,
true that!
So what about users already running a company wide CA via OpenSSL?
Then I would create a new Intermediate CA with no PW, but then the
openssl command has to be edited to include the original
root-certificate in the chain.Any chance to do this?
I’m not a PKI expert, but does this makes sense?
Michael
On Tuesday, June 7, 2016 at 10:15:14 AM UTC+2, Cornelius Kölbel wrote:
Hi Michael,I was thinking the passphrase on the ca key. In my opinion having a passphtase only makes limited sense. The passphrase would be encrypted in the database. Encrypted with the encryption key, which is probably only protected by file access. So you can protect the ca key with file access in the first place. Think of the local ca as a working proof of concept :-) Any feedback and input is appreciated. Kind regards Cornelius Cornelius Kölbel +49 151 2960 1417 NetKnights GmbH Http://NetKnights. It +49 561 3166 797–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/ecd70d72-f2a1-4bb5-b21b-fa79b9a65474%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
I added the Jessie-Backports since they deliver 0.15, but when I wanted to
install it, it greps python-pyopenssl from the trusty ppa and brokes 
After that I forced it with aptitude -t jessie-backports and now I get a
Internal Server Error when accessing the startpage
[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid
139726979172096]
/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid
139726979172096] default=“/etc/privacyidea/dictionary”)
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/app.py”, line 28, in
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from …lib.user import
get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py”, line 55, in
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .resolver import
(get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py”, line 47, in
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py”, line 47, in
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .caconnectors.localca import
BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] csr_extensions =
csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] IndentationError: unexpected indent
I think I’m gonna reinstall from scratch …On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
The CSR extensions are not used at the moment.
So we could as well remove this line and then python-openssl 0.14 would
work fine, again.Kind regards
CorneliusAm Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz:
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
Exception on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
line 57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
line 186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
line 912, in init_token
tokenobject.update(upd_params)
File“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in updatecrypto.FILETYPE_PEM, req))File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_requestcsr_extensions = csr_obj.get_extensions()AttributeError: ‘X509Req’ object has no attribute ‘get_extensions’
On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,can you please post your privacyidea.log? There should be a traceback. Which version of pyopenssl and which version of openssl are you using? Kind regards Cornelius Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > Hi, > > > I've set up the WebCA as described in >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > When I try to roll out a new certificate I get: > 'X509Req' object has no attribute 'get_extensions' > > > > There's no certificate but the token will be displayed within the > token view. > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > Any ideas? > > > Thanks > Michael > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi,
true that!
So what about users already running a company wide CA via OpenSSL?
Then I would create a new Intermediate CA with no PW, but then the openssl
command has to be edited to include the original root-certificate in the
chain.
Any chance to do this?
I’m not a PKI expert, but does this makes sense?
MichaelOn Tuesday, June 7, 2016 at 10:15:14 AM UTC+2, Cornelius Kölbel wrote:
Hi Michael,
I was thinking the passphrase on the ca key.
In my opinion having a passphtase only makes limited sense.
The passphrase would be encrypted in the database. Encrypted with the
encryption key, which is probably only protected by file access. So you can
protect the ca key with file access in the first place.Think of the local ca as a working proof of concept
Any feedback and input is appreciated.Kind regards
CorneliusCornelius Kölbel
+49 151 2960 1417NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797
Ok, removed the line and it works again.
Now I can download the PKCS12.
But I had to remove the password from the ca.key … will this be the final
version or do you plan some fields in the UI to enter the password for the
root-ca?
MichaelOn Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
I added the Jessie-Backports since they deliver 0.15, but when I wanted to
install it, it greps python-pyopenssl from the trusty ppa and brokes
After that I forced it with aptitude -t jessie-backports and now I get a
Internal Server Error when accessing the startpage[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid
139726979172096]
/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid
139726979172096] default=“/etc/privacyidea/dictionary”)
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/app.py”, line 28, in
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from …lib.user import
get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py”, line 55, in
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .resolver import
(get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py”, line 47, in
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py”, line 47, in
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .caconnectors.localca import
BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] csr_extensions =
csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] IndentationError: unexpected indentI think I’m gonna reinstall from scratch …
On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
The CSR extensions are not used at the moment.
So we could as well remove this line and then python-openssl 0.14 would
work fine, again.Kind regards
CorneliusAm Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz:
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
Exception on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
line 57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
line 186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
line 912, in init_token
tokenobject.update(upd_params)
File“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in updatecrypto.FILETYPE_PEM, req))File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_requestcsr_extensions = csr_obj.get_extensions()AttributeError: ‘X509Req’ object has no attribute ‘get_extensions’
On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,can you please post your privacyidea.log? There should be a traceback. Which version of pyopenssl and which version of openssl are you using? Kind regards Cornelius Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > Hi, > > > I've set up the WebCA as described in >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > When I try to roll out a new certificate I get: > 'X509Req' object has no attribute 'get_extensions' > > > > There's no certificate but the token will be displayed within the > token view. > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > Any ideas? > > > Thanks > Michael > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb Michael Muenz:
No, I removed the password after our last discussion (for the testing
system)The certificates get created and I can import them, but they don’t
have a password.Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb Cornelius Kölbel:
To avoid confusion:The private key of the CA is not password protected! Kind regards Cornelius Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael Muenz: > Hi, > > > doesn't work for me. > > > Hm, with my first setup I remember that it was working, but now when > importing an existing CA there are no import pw's. > > > Will try again with a CA from scratch. > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius Kölbel: > Hi Michael, > > this already can be done. > When setting the token PIN, this will be the password for the > pkcs12 > file. > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 02:45 -0700 schrieb Michael > Muenz: > > Hi, > > > > > > Again playing around with the CA connector. > > Are there any plans for setting an import password for the > generated > > PKCS12 files? > > > > > > Thanks > > Michael > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb Cornelius > Kölbel: > > Hi Michael, > > > > > > I was thinking the passphrase on the ca key. > > In my opinion having a passphtase only makes limited > sense. > > The passphrase would be encrypted in the database. > Encrypted > > with the encryption key, which is probably only > protected by > > file access. So you can protect the ca key with file > access in > > the first place. > > > > > > Think of the local ca as a working proof of concept > :-) > > Any feedback and input is appreciated. > > > > > > Kind regards > > Cornelius > > > > > > > > > > > > > > Cornelius Kölbel > > +49 151 2960 1417 > > > > NetKnights GmbH > > Http://NetKnights. It > > +49 561 3166 797 > > > > > > > > > > -------- Ursprüngliche Nachricht -------- > > Von: Michael Muenz <m.m...@gmail.com> > > Datum: 07.06.16 10:04 (GMT+01:00) > > An: privacyidea <priva...@googlegroups.com> > > Betreff: Re: [privacyidea] CA Connector can't > create > > certificate > > > > > > Ok, removed the line and it works again. > > Now I can download the PKCS12. > > > > > > But I had to remove the password from the ca.key ... > will this > > be the final version or do you plan some fields in > the UI to > > enter the password for the root-ca? > > > > > > Michael > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > I added the Jessie-Backports since they > deliver 0.15, > > but when I wanted to install it, it greps > > python-pyopenssl from the trusty ppa and > brokes :) > > After that I forced it with aptitude -t > > jessie-backports and now I get a Internal > Server Error > > when accessing the startpage > > > > > > > > > > [Tue Jun 07 09:53:37.895043 2016] > [wsgi:error] [pid > > 489:tid > > > 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. > > [Tue Jun 07 09:53:37.895273 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] > > default="/etc/privacyidea/dictionary") > > [Tue Jun 07 09:53:37.921642 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Target WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi' > cannot be > > loaded as Python module. > > [Tue Jun 07 09:53:37.921834 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Exception occurred processing > WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi'. > > [Tue Jun 07 09:53:37.921948 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > Traceback > > (most recent call last): > > [Tue Jun 07 09:53:37.922116 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > "/etc/privacyidea/privacyideaapp.wsgi", line > 3, in > > <module> > > [Tue Jun 07 09:53:37.922265 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > privacyidea.app import create_app > > [Tue Jun 07 09:53:37.922359 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > line 28, in <module> > > [Tue Jun 07 09:53:37.922952 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > import > > privacyidea.api.before_after > > [Tue Jun 07 09:53:37.923097 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module> > > [Tue Jun 07 09:53:37.923599 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from ..lib.user import get_user_from_param > > [Tue Jun 07 09:53:37.923697 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > line 55, in <module> > > [Tue Jun 07 09:53:37.924472 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .resolver import (get_resolver_object, > > [Tue Jun 07 09:53:37.924585 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module> > > [Tue Jun 07 09:53:37.925108 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > config import (get_resolver_types, > > [Tue Jun 07 09:53:37.925207 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > line 47, in <module> > > [Tue Jun 07 09:53:37.926073 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .caconnectors.localca import > BaseCAConnector > > [Tue Jun 07 09:53:37.926233 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 > > [Tue Jun 07 09:53:37.926344 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > csr_extensions = csr_obj.get_extensions() > > [Tue Jun 07 09:53:37.926499 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > ^ > > [Tue Jun 07 09:53:37.926583 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > IndentationError: unexpected indent > > > > > > > > > > I think I'm gonna reinstall from > scratch ... > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > The CSR extensions are not used at > the > > moment. > > > > So we could as well remove this line > and then > > python-openssl 0.14 would > > work fine, again. > > > > Kind regards > > Cornelius > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > Michael Muenz: > > > ii openssl > 1.0.1t-1 > > +deb8u2 amd64 > > > Secure Sockets Layer > toolkit - > > cryptographic utility > > > ii python-openssl > 0.14-1 > > all > > > Python 2 wrapper around the > OpenSSL > > library > > > > > > > > > > > > > > > [2016-06-06 > > > > > > 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > > 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] > > > Exception on /token/init [POST] > > > Traceback (most recent call > last): > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, > in > > > wsgi_app > > > response = > self.full_dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, > in > > > full_dispatch_request > > > rv = > self.handle_user_exception(e) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, > in > > > handle_user_exception > > > reraise(exc_type, exc_value, > tb) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, > in > > > full_dispatch_request > > > rv = self.dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, > in > > > dispatch_request > > > return > > > self.view_functions[rule.endpoint](**req.view_args) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > line 57, in event_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > line 186, in init > > > tokenrealms=tokenrealms) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > line 912, in init_token > > > > tokenobject.update(upd_params) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update > > > crypto.FILETYPE_PEM, req)) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request > > > csr_extensions = > > csr_obj.get_extensions() > > > AttributeError: 'X509Req' object > has no > > attribute 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > Hi, > > > > > > can you please post your > > privacyidea.log? > > > There should be a > traceback. > > > > > > Which version of pyopenssl > and which > > version of openssl are > > > you using? > > > > > > Kind regards > > > Cornelius > > > > > > Am Montag, den 06.06.2016, > 06:33 > > -0700 schrieb Michael Muenz: > > > > Hi, > > > > > > > > > > > > I've set up the WebCA as > described > > in > > > > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > > > > > > > > > When I try to roll out a > new > > certificate I get: > > > > 'X509Req' object has no > attribute > > 'get_extensions' > > > > > > > > > > > > > > > > There's no certificate > but the > > token will be displayed > > > within the > > > > token view. > > > > > > > > > > > > Google tells me about > some "wont > > fixes" with PyOpenSSL. > > > > > > > > > > > > I'm using Debian 8 with > latest > > packages from Trusty build. > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > Thanks > > > > Michael > > > > -- > > > > Please read the blog > post about > > getting help > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > For professional > services and > > consultancy regarding two > > > factor > > > > authentication please > visit > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > In an enterprise > environment you > > should get a SERVICE LEVEL > > > AGREEMENT > > > > which suites your needs > for > > SECURITY, AVAILABILITY and > > > LIABILITY: > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > --- > > > > You received this > message because > > you are subscribed to the > > > Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and > > stop receiving emails > > > from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email > > to > > > > priva...@googlegroups.com. > > > > Visit this group at > > > > > > https://groups.google.com/group/privacyidea. > > > > To view this discussion > on the web > > visit > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > > > > For more options, visit > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, > 34131 Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: > +49 561 > > 3166798 > > > > > > Amtsgericht Kassel, HRB > 16405 > > > Geschäftsführer: Cornelius > Kölbel > > > > > > > > > -- > > > Please read the blog post about > getting > > help > > > > https://www.privacyidea.org/getting-help/. > > > > > > For professional services and > consultancy > > regarding two factor > > > authentication please visit > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > In an enterprise environment you > should get > > a SERVICE LEVEL AGREEMENT > > > which suites your needs for > SECURITY, > > AVAILABILITY and LIABILITY: > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > --- > > > You received this message because > you are > > subscribed to the Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and > stop > > receiving emails from it, send > > > an email to > > privacyidea...@googlegroups.com. > > > To post to this group, send email > to > > priva...@googlegroups.com. > > > Visit this group at > > > https://groups.google.com/group/privacyidea. > > > To view this discussion on the web > visit > > > > > > https://groups.google.com/d/msgid/privacyidea/137ce9e3-bc5b-4dce-bd01-5fbd46e0f7da%40googlegroups.com. > > > For more options, visit > > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 > 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > > > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/82a9b56a-0708-45fe-81d4-67717ace99df%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/c8e30961-5972-4aaa-a38f-78e44f56a284%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Michael,
this already can be done.
When setting the token PIN, this will be the password for the pkcs12
file.
Kind regards
CorneliusAm Mittwoch, den 13.07.2016, 02:45 -0700 schrieb Michael Muenz:
Hi,
Again playing around with the CA connector.
Are there any plans for setting an import password for the generated
PKCS12 files?Thanks
MichaelAm Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb Cornelius Kölbel:
Hi Michael,I was thinking the passphrase on the ca key. In my opinion having a passphtase only makes limited sense. The passphrase would be encrypted in the database. Encrypted with the encryption key, which is probably only protected by file access. So you can protect the ca key with file access in the first place. Think of the local ca as a working proof of concept :-) Any feedback and input is appreciated. Kind regards Cornelius Cornelius Kölbel +49 151 2960 1417 NetKnights GmbH Http://NetKnights. It +49 561 3166 797 -------- Ursprüngliche Nachricht -------- Von: Michael Muenz <m.m...@gmail.com> Datum: 07.06.16 10:04 (GMT+01:00) An: privacyidea <priva...@googlegroups.com> Betreff: Re: [privacyidea] CA Connector can't create certificate Ok, removed the line and it works again. Now I can download the PKCS12. But I had to remove the password from the ca.key ... will this be the final version or do you plan some fields in the UI to enter the password for the root-ca? Michael On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote: I added the Jessie-Backports since they deliver 0.15, but when I wanted to install it, it greps python-pyopenssl from the trusty ppa and brokes :) After that I forced it with aptitude -t jessie-backports and now I get a Internal Server Error when accessing the startpage [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary") [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module. [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'. [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last): [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module> [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module> [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module> [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module> [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object, [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module> [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types, [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module> [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions() [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^ [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent I think I'm gonna reinstall from scratch ... On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote: The CSR extensions are not used at the moment. So we could as well remove this line and then python-openssl 0.14 would work fine, again. Kind regards Cornelius Am Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz: > ii openssl 1.0.1t-1 +deb8u2 amd64 > Secure Sockets Layer toolkit - cryptographic utility > ii python-openssl 0.14-1 all > Python 2 wrapper around the OpenSSL library > > > > > [2016-06-06 > 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] > user u'mimu' found in resolver u'maxadmins' > [2016-06-06 > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] > userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50' > [2016-06-06 > 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] > Exception on /token/init [POST] > Traceback (most recent call last): > File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in > wsgi_app > response = self.full_dispatch_request() > File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in > full_dispatch_request > rv = self.handle_user_exception(e) > File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in > handle_user_exception > reraise(exc_type, exc_value, tb) > File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in > full_dispatch_request > rv = self.dispatch_request() > File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in > dispatch_request > return self.view_functions[rule.endpoint](**req.view_args) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > line 104, in policy_wrapper > return wrapped_function(*args, **kwds) > File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > line 57, in event_wrapper > f_result = func(*args, **kwds) > File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line > 180, in log_wrapper > f_result = func(*args, **kwds) > File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > line 186, in init > tokenrealms=tokenrealms) > File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line > 180, in log_wrapper > f_result = func(*args, **kwds) > File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > line 912, in init_token > tokenobject.update(upd_params) > File > "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update > crypto.FILETYPE_PEM, req)) > File > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request > csr_extensions = csr_obj.get_extensions() > AttributeError: 'X509Req' object has no attribute 'get_extensions' > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > Hi, > > can you please post your privacyidea.log? > There should be a traceback. > > Which version of pyopenssl and which version of openssl are > you using? > > Kind regards > Cornelius > > Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > > Hi, > > > > > > I've set up the WebCA as described in > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > When I try to roll out a new certificate I get: > > 'X509Req' object has no attribute 'get_extensions' > > > > > > > > There's no certificate but the token will be displayed > within the > > token view. > > > > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > > > > > > Any ideas? > > > > > > Thanks > > Michael > > -- > > Please read the blog post about getting help > > https://www.privacyidea.org/getting-help/. > > > > For professional services and consultancy regarding two > factor > > authentication please visit > > https://netknights.it/en/leistungen/one-time-services/ > > > > In an enterprise environment you should get a SERVICE LEVEL > AGREEMENT > > which suites your needs for SECURITY, AVAILABILITY and > LIABILITY: > > > https://netknights.it/en/leistungen/service-level-agreements/ > > --- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > Visit this group at > https://groups.google.com/group/privacyidea. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/137ce9e3-bc5b-4dce-bd01-5fbd46e0f7da%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hello Michael, Please explain to me: In the moment you need to MOST help, you refuse to get help. You try with a lot of effort to do everything on your own. Why?Because I’m not the one in the company who decides to spend money
for
When we are so far to sell services, we’ll also order some consultancy
to check if everything is setup correctly.
Also, when the CA stuff doesn’t work the way we want, we’ll just don’t
use it and use CLI (as before), but the way PI does it, it’s a good
way to roll them out to the user.
Honestly I very much doubt this. At the moment you have a big pain. But
you (your company) is not willing. Why should they be later, when
everything runs smoothly? Well, we will see 
Anyways: The PIN is not correctly set during the enrollment of the
token.
You need to
PKCS12 does not require to contain a CA certificate.
Kind regards
CorneliusAm Mittwoch, den 13.07.2016, 11:40 -0700 schrieb Michael Muenz:
Am Mittwoch, 13. Juli 2016 19:06:14 UTC+2 schrieb Cornelius Kölbel:
> So, I created the CA as documented before and enrolled a certificate > token for user e.g. mimu. STOP. You say a complicated process very lightly in half a sentence? Please think about it yourself: How did you enroll the certificate token? There are many different ways to do so. This is important information - also to you! This is really what makes it very challenging for me to act on the mailing list. Because most people to not take a look at what they are doing.OK, I setup a small article with some pictures, hopefully you can
follow me now, sorry for not beeing clear enough:
Debug Certificates in privacyIDEA – RouterperformanceI checked the privacyidea.log, no traceback (the certificate token
gets created mostly perfect) and apache log is also quit.Thanks
MichaelHere probably is your problem. "You enrolled the certificate token"... Did it ever came up to your mind, that the problem the certificate token does not behave as expected is due to the fact, that the token was not enrolled as you thought you would? So the logical consequence would be, to take a deeper look at the token enrollment process. And not only drop this topic in half a sentence. So again. How did you enroll the certificate token? I very much recommend for all of you to study physics! ...to train your analytic skills... Kind regards Cornelius > Now I can download the certificate as PKCS12. Normally this file > should include certificate, key and root cert. > With a doubleclick I can install the certificate (PKCS12) but when > asked for a import pw only a empty password works. > > > Now, when opening the mmc snapin I can see the certificate unter Own > Certificates. But there's no root ca installed. > That's why I tried to extract the root ca from the pkcs12 via openssl, > but it's empty. > > > I'm quite sure that with a first test machine with Ubuntu ppa version > 2.12 it worked. > Now I'm using PiP 2.13 > > > Michael > > > > Am Mittwoch, 13. Juli 2016 18:23:27 UTC+2 schrieb Cornelius Kölbel: > The below mentioned link does not contain any pkcs12. > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > I am really not sure what you mean here. > > Are you talking about the CA certificate, this is the > certificate > signing the others? > Or are you talking about a "certificate token", i.e. a user > certificate. > > Which PKCS12 did you copy, export CA certificate? > This all makes no sense to me. > > But no problem, I also provide great PKI workshops: > https://netknights.it/en/leistungen/one-time-services/ > > Please note: Certificates is a topic it is very important you > understand > the underlying processes, rules and crytpography. > privacyIDEA has very basic certificate management > capabilities. > But I am happy, if you help to improve the software. > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 04:44 -0700 schrieb Michael > Muenz: > > I copied the pkcs12 to the otp machine and exported the CA > Cert but > > it's empty. > > There seems to be something wrong, but I'm not sure if it's > my > > fault. :/ > > > > > > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts > -nokeys -out > > cacert.pem > > Enter Import Password: > > MAC verified OK > > root@otp1:~# cat cacert.pem > > root@otp1:~# > > > > > > Did the same with an existing .p12 created for another > project and the > > corret root ca was exported. > > > > > > > > Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael > Muenz: > > Hm, I followed > > now: > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > mkdir /etc/privacyidea/CA > > > cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/ > > > > > > openssl req -days 3650 -new -x509 > > -keyout /etc/privacyidea/CA/ca.key \ > > -out /etc/privacyidea/CA/ca.crt \ > > -config /etc/privacyidea/CA/openssl.cnf > > > > chmod 0600 /etc/privacyidea/CA/ca.key > > touch /etc/privacyidea/CA/index.txt > > echo 01 > /etc/privacyidea/CA/serial > > openssl rsa -in ca.key -out ca-nopw.key > > mv ca-nopw.key ca.key > > chown -R privacyidea /etc/privacyidea/CA > > > > > > > > > > > > > > I enroll a certificate and set a PW in the PIN > field, but I > > can import it successfully with my W10 > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb > Cornelius > > Kölbel: > > You should clearly state HOW you created the > user > > certificate. > > Especially HOW you created the keypair! > > > > Am Mittwoch, den 13.07.2016, 03:39 0700 schrieb > > Michael Muenz: > > > :) > > > > > > > > > No, I removed the password after our last > discussion > > (for the testing > > > system) > > > > > > > > > The certificates get created and I can > import them, > > but they don't > > > have a password. > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb > > Cornelius Kölbel: > > > To avoid confusion: > > > > > > The private key of the CA is not > password > > protected! > > > > > > Kind regards > > > Cornelius > > > > > > Am Mittwoch, den 13.07.2016, 03:37 > -0700 > > schrieb Michael > > > Muenz: > > > > Hi, > > > > > > > > > > > > doesn't work for me. > > > > > > > > > > > > Hm, with my first setup I > remember that it > > was working, but > > > now when > > > > importing an existing CA there > are no > > import pw's. > > > > > > > > > > > > Will try again with a CA from > scratch. > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 > 12:16:14 UTC+2 > > schrieb Cornelius > > > Kölbel: > > > > Hi Michael, > > > > > > > > this already can be > done. > > > > When setting the token > PIN, this > > will be the > > > password for the > > > > pkcs12 > > > > file. > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > > > Michael > > > > Muenz: > > > > > Hi, > > > > > > > > > > > > > > > Again playing around > with the CA > > connector. > > > > > Are there any plans > for setting > > an import password > > > for the > > > > generated > > > > > PKCS12 files? > > > > > > > > > > > > > > > Thanks > > > > > Michael > > > > > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > > > Cornelius > > > > Kölbel: > > > > > Hi Michael, > > > > > > > > > > > > > > > I was thinking > the > > passphrase on the ca > > > key. > > > > > In my opinion > having a > > passphtase only > > > makes limited > > > > sense. > > > > > The passphrase > would be > > encrypted in the > > > database. > > > > Encrypted > > > > > with the > encryption key, > > which is probably > > > only > > > > protected by > > > > > file access. > So you can > > protect the ca key > > > with file > > > > access in > > > > > the first > place. > > > > > > > > > > > > > > > Think of the > local ca as > > a working proof > > > of concept > > > > :-) > > > > > Any feedback > and input > > is appreciated. > > > > > > > > > > > > > > > Kind regards > > > > > Cornelius > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cornelius > Kölbel > > > > > +49 151 2960 > 1417 > > > > > > > > > > NetKnights > GmbH > > > > > > Http://NetKnights. It > > > > > +49 561 3166 > 797 > > > > > > > > > > > > > > > > > > > > > > > > > -------- > Ursprüngliche > > Nachricht -------- > > > > > Von: Michael > Muenz > > <m.m...@gmail.com> > > > > > Datum: > 07.06.16 10:04 > > (GMT+01:00) > > > > > An: > privacyidea > > > <priva...@googlegroups.com> > > > > > Betreff: Re: > > [privacyidea] CA Connector > > > can't > > > > create > > > > > certificate > > > > > > > > > > > > > > > Ok, removed > the line and > > it works again. > > > > > Now I can > download the > > PKCS12. > > > > > > > > > > > > > > > But I had to > remove the > > password from the > > > ca.key ... > > > > will this > > > > > be the final > version or > > do you plan some > > > fields in > > > > the UI to > > > > > enter the > password for > > the root-ca? > > > > > > > > > > > > > > > Michael > > > > > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > > > I > added the > > Jessie-Backports since > > > they > > > > deliver 0.15, > > > > > but > when I > > wanted to install it, > > > it greps > > > > > > python-pyopenssl > > from the trusty > > > ppa and > > > > brokes :) > > > > > After > that I > > forced it with > > > aptitude -t > > > > > > jessie-backports > > and now I get a > > > Internal > > > > Server Error > > > > > when > accessing > > the startpage > > > > > > > > > > > > > > > > > > > > > > > > > [Tue > Jun 07 > > 09:53:37.895043 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > > > > > > > > > > > > > > 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. > > > > > [Tue > Jun 07 > > 09:53:37.895273 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] > > > > > > > > > default="/etc/privacyidea/dictionary") > > > > > [Tue > Jun 07 > > 09:53:37.921642 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > mod_wsgi > > > > > > (pid=489): > > Target WSGI script > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > > > cannot be > > > > > loaded > as Python > > module. > > > > > [Tue > Jun 07 > > 09:53:37.921834 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > mod_wsgi > > > > > > (pid=489): > > Exception occurred > > > processing > > > > WSGI script > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > > > [Tue > Jun 07 > > 09:53:37.921948 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > Traceback > > > > > (most > recent > > call last): > > > > > [Tue > Jun 07 > > 09:53:37.922116 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > "/etc/privacyidea/privacyideaapp.wsgi", > > line > > > > 3, in > > > > > > <module> > > > > > [Tue > Jun 07 > > 09:53:37.922265 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > from > > > > > > privacyidea.app > > import create_app > > > > > [Tue > Jun 07 > > 09:53:37.922359 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > > > line > 28, in > > <module> > > > > > [Tue > Jun 07 > > 09:53:37.922952 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > import > > > > > > > privacyidea.api.before_after > > > > > [Tue > Jun 07 > > 09:53:37.923097 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.923599 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > from ..lib.user > > import > > > get_user_from_param > > > > > [Tue > Jun 07 > > 09:53:37.923697 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > > > > line 55, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.924472 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > from .resolver > > import > > > (get_resolver_object, > > > > > [Tue > Jun 07 > > 09:53:37.924585 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.925108 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > from > > > > > config > import > > > (get_resolver_types, > > > > > [Tue > Jun 07 > > 09:53:37.925207 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > > > > line 47, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.926073 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > > from .caconnectors.localca import > > > > BaseCAConnector > > > > > [Tue > Jun 07 > > 09:53:37.926233 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 > > > > > [Tue > Jun 07 > > 09:53:37.926344 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > csr_extensions > > = > > > csr_obj.get_extensions() > > > > > [Tue > Jun 07 > > 09:53:37.926499 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > ^ > > > > > [Tue > Jun 07 > > 09:53:37.926583 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > > IndentationError: unexpected > > > indent > > > > > > > > > > > > > > > > > > > > > > > > > I > think I'm > > gonna reinstall from > > > > scratch ... > > > > > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > > > > The CSR > > extensions are not > > > used at > > > > the > > > > > > moment. > > > > > > > > > > > > So we > > could as well remove > > > this line > > > > and then > > > > > > > python-openssl 0.14 would > > > > > > work > > fine, again. > > > > > > > > > > > > Kind > > regards > > > > > > > Cornelius > > > > > > > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > > > > Michael > > Muenz: > > > > > > > ii > > openssl > > > > 1.0.1t-1 > > > > > > +deb8u2 > > amd64 > > > > > > > > > Secure Sockets > > > Layer > > > > toolkit - > > > > > > > cryptographic utility > > > > > > > ii > > python-openssl > > > > 0.14-1 > > > > > > > all > > > > > > > > > Python 2 wrapper > > > around the > > > > OpenSSL > > > > > > library > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] > > > > > > > > > Exception on /token/init > > > [POST] > > > > > > > > > Traceback (most recent > > > call > > > > last): > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1817, > > > > in > > > > > > > > > wsgi_app > > > > > > > > > response = > > > > > self.full_dispatch_request() > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1477, > > > > in > > > > > > > > > full_dispatch_request > > > > > > > rv > > = > > > > > self.handle_user_exception(e) > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1381, > > > > in > > > > > > > > > handle_user_exception > > > > > > > > > reraise(exc_type, > > > exc_value, > > > > tb) > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1475, > > > > in > > > > > > > > > full_dispatch_request > > > > > > > rv > > = > > > self.dispatch_request() > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1461, > > > > in > > > > > > > > > dispatch_request > > > > > > > > > return > > > > > > > > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > > > > > line > > 57, in > > > event_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > line > > > > > > > 180, > > in log_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > > > > > line > > 186, in init > > > > > > > > > > tokenrealms=tokenrealms) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > line > > > > > > > 180, > > in log_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > > > > > line > > 912, in init_token > > > > > > > > > > > > tokenobject.update(upd_params) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update > > > > > > > > > crypto.FILETYPE_PEM, > > > req)) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request > > > > > > > > > csr_extensions = > > > > > > > csr_obj.get_extensions() > > > > > > > > > AttributeError: > > > 'X509Req' object > > > > has no > > > > > > > attribute > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > can you please > > > post your > > > > > > > privacyidea.log? > > > > > > > > > There should be > > > a > > > > traceback. > > > > > > > > > > > > > > > > > > Which version of > > > pyopenssl > > > > and which > > > > > > version > > of openssl are > > > > > > > > > you using? > > > > > > > > > > > > > > > > > > Kind regards > > > > > > > > > Cornelius > > > > > > > > > > > > > > > > > > Am Montag, den > > > 06.06.2016, > > > > 06:33 > > > > > > -0700 > > schrieb Michael > > > Muenz: > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I've set up > > > the WebCA as > > > > described > > > > > > in > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > When I try to > > > roll out a > > > > new > > > > > > > certificate I get: > > > > > > > > > > 'X509Req' > > > object has no > > > > attribute > > > > > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > There's no > > > certificate > > > > but the > > > > > > token > > will be displayed > > > > > > > > > within the > > > > > > > > > > token view. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Google tells > > > me about > > > > some "wont > > > > > > fixes" > > with PyOpenSSL. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I'm using > > > Debian 8 with > > > > latest > > > > > > packages > > from Trusty > > > build. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > Michael > > > > > > > > > > -- > > > > > > > > > > Please read > > > the blog > > > > post about > > > > > > getting > > help > > > > > > > > > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > > > > > > > For > > > professional > > > > services and > > > > > > > consultancy regarding two > > > > > > > > > factor > > > > > > > > > > authentication > > > please > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > > > > > > > In an > > > enterprise > > > > environment you > > > > > > should > > get a SERVICE > > > LEVEL > > > > > > > > > AGREEMENT > > > > > > > > > > which suites > > > your needs > > > > for > > > > > > > SECURITY, AVAILABILITY > > > and > > > > > > > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > > > > --- > > > > > > > > > > You received > > > this > > > > message because > > > > > > you are > > subscribed to the > > > > > > > > > Google > > > > > > > > > > Groups > > > "privacyidea" > > > > group. > > > > > > > > > > To unsubscribe > > > from this > > > > group and > > > > > > stop > > receiving emails > > > > > > > > > from it, send > > > > > > > > > > an email to > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > > > > To post to > > > this group, > > > > send email > > > > > > to > > > > > > > > > > > > priva...@googlegroups.com. > > > > > > > > > > Visit this > > > group at > > > > > > > > > > > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > > > > > > To view this > > > discussion > > > > on the web > > > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > > > > > > > > > > For more > > > options, visit > > > > > > > > > https://groups.google.com/d/optout. > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Cornelius > > > Kölbel > > > > > > > > > > corneliu...@netknights.it > > > > > > > > > +49 151 2960 > > > 1417 > > > > > > > > > > > > > > > > > > NetKnights GmbH > > > > > > > > > > http://www.netknights.it > > > > > > > > > > Landgraf-Karl-Str. 19, > > > > 34131 Kassel, > > > > > > Germany > > > > > > > > > Tel: +49 561 > > > 3166797, Fax: > > > > +49 561 > > > > > > 3166798 > > > > > > > > > > > > > > > > > > Amtsgericht > > > Kassel, HRB > > > > 16405 > > > > > > > > > Geschäftsführer: > > > Cornelius > > > > Kölbel > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Please > > read the blog > > > post about > > > > getting > > > > > > help > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > For > > professional > > > services and > > > > consultancy > > > > > > > regarding two factor > > > > > > > > > authentication please > > > visit > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > In an > > enterprise > > > environment you > > > > should get > > > > > > a > > SERVICE LEVEL AGREEMENT > > > > > > > which > > suites your needs > > > for > > > > SECURITY, > > > > > > > AVAILABILITY and > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > --- > > > > > > > You > > received this > > > message because > > > > you are > > > > > > > subscribed to the Google > > > > > > > Groups > > "privacyidea" > > > group. > > > > > > > To > > unsubscribe from this > > > group and > > > > stop > > > > > > > receiving emails from it, > > > send > > > > > > > an > > email to > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > To > > post to this group, > > > send email > > > > to > > > > > > > > priva...@googlegroups.com. > > > > > > > Visit > > this group at > > > > > > > > > > > ... > > -- > > Please read the blog post about getting help > > https://www.privacyidea.org/getting-help/. > > > > For professional services and consultancy regarding two > factor > > authentication please visit > > https://netknights.it/en/leistungen/one-time-services/ > > > > In an enterprise environment you should get a SERVICE LEVEL > AGREEMENT > > which suites your needs for SECURITY, AVAILABILITY and > LIABILITY: > > > https://netknights.it/en/leistungen/service-level-agreements/ > > --- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > Visit this group at > https://groups.google.com/group/privacyidea. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/df8a609c-66f5-4d1b-be20-27e7f0daaf32%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/6366a308-d759-4698-b199-e5af5f13d6b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hm, I followed now:
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
http://www.google.com/url?q=http%3A%2F%2Fprivacyidea.readthedocs.io%2Fen%2Flatest%2Fconfiguration%2Fcaconnectors.html&sa=D&sntz=1&usg=AFQjCNE2YGHa26p_SdTwuiZ1zsgC-AHgTA
mkdir /etc/privacyidea/CA
cp
/opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf
/etc/privacyidea/CA/
openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key
-out /etc/privacyidea/CA/ca.crt
-config /etc/privacyidea/CA/openssl.cnf
chmod 0600 /etc/privacyidea/CA/ca.key
touch /etc/privacyidea/CA/index.txt
echo 01 > /etc/privacyidea/CA/serial
openssl rsa -in ca.key -out ca-nopw.key
mv ca-nopw.key ca.key
chown -R privacyidea /etc/privacyidea/CA
I enroll a certificate and set a PW in the PIN field, but I can import it
successfully with my W10Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb Cornelius Kölbel:
You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb Michael Muenz:
No, I removed the password after our last discussion (for the testing
system)The certificates get created and I can import them, but they don’t
have a password.Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb Cornelius Kölbel:
To avoid confusion:The private key of the CA is not password protected! Kind regards Cornelius Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael Muenz: > Hi, > > > doesn't work for me. > > > Hm, with my first setup I remember that it was working, but now when > importing an existing CA there are no import pw's. > > > Will try again with a CA from scratch. > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius Kölbel: > Hi Michael, > > this already can be done. > When setting the token PIN, this will be the password for the > pkcs12 > file. > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 02:45 -0700 schrieb Michael > Muenz: > > Hi, > > > > > > Again playing around with the CA connector. > > Are there any plans for setting an import password for the > generated > > PKCS12 files? > > > > > > Thanks > > Michael > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb Cornelius > Kölbel: > > Hi Michael, > > > > > > I was thinking the passphrase on the ca key. > > In my opinion having a passphtase only makes limited > sense. > > The passphrase would be encrypted in the database. > Encrypted > > with the encryption key, which is probably only > protected by > > file access. So you can protect the ca key with file > access in > > the first place. > > > > > > Think of the local ca as a working proof of concept > :-) > > Any feedback and input is appreciated. > > > > > > Kind regards > > Cornelius > > > > > > > > > > > > > > Cornelius Kölbel > > +49 151 2960 1417 > > > > NetKnights GmbH > > Http://NetKnights. It > > +49 561 3166 797 > > > > > > > > > > -------- Ursprüngliche Nachricht -------- > > Von: Michael Muenz <m.m...@gmail.com> > > Datum: 07.06.16 10:04 (GMT+01:00) > > An: privacyidea <priva...@googlegroups.com> > > Betreff: Re: [privacyidea] CA Connector can't > create > > certificate > > > > > > Ok, removed the line and it works again. > > Now I can download the PKCS12. > > > > > > But I had to remove the password from the ca.key ... > will this > > be the final version or do you plan some fields in > the UI to > > enter the password for the root-ca? > > > > > > Michael > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > I added the Jessie-Backports since they > deliver 0.15, > > but when I wanted to install it, it greps > > python-pyopenssl from the trusty ppa and > brokes :) > > After that I forced it with aptitude -t > > jessie-backports and now I get a Internal > Server Error > > when accessing the startpage > > > > > > > > > > [Tue Jun 07 09:53:37.895043 2016] > [wsgi:error] [pid > > 489:tid > > > 139726979172096]/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.> > [Tue Jun 07 09:53:37.895273 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] > > default="/etc/privacyidea/dictionary") > > [Tue Jun 07 09:53:37.921642 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Target WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi' > cannot be > > loaded as Python module. > > [Tue Jun 07 09:53:37.921834 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Exception occurred processing > WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi'. > > [Tue Jun 07 09:53:37.921948 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > Traceback > > (most recent call last): > > [Tue Jun 07 09:53:37.922116 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > "/etc/privacyidea/privacyideaapp.wsgi", line > 3, in > > <module> > > [Tue Jun 07 09:53:37.922265 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > privacyidea.app import create_app > > [Tue Jun 07 09:53:37.922359 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > line 28, in <module> > > [Tue Jun 07 09:53:37.922952 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > import > > privacyidea.api.before_after > > [Tue Jun 07 09:53:37.923097 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in> > [Tue Jun 07 09:53:37.923599 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from ..lib.user import get_user_from_param > > [Tue Jun 07 09:53:37.923697 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > line 55, in <module> > > [Tue Jun 07 09:53:37.924472 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .resolver import (get_resolver_object, > > [Tue Jun 07 09:53:37.924585 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py",line 47, in
> > [Tue Jun 07 09:53:37.925108 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > config import (get_resolver_types, > > [Tue Jun 07 09:53:37.925207 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > line 47, in <module> > > [Tue Jun 07 09:53:37.926073 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .caconnectors.localca import > BaseCAConnector > > [Tue Jun 07 09:53:37.926233 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173> > [Tue Jun 07 09:53:37.926344 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > csr_extensions = csr_obj.get_extensions() > > [Tue Jun 07 09:53:37.926499 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > ^ > > [Tue Jun 07 09:53:37.926583 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > IndentationError: unexpected indent > > > > > > > > > > I think I'm gonna reinstall from > scratch ... > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > The CSR extensions are not used at > the > > moment. > > > > So we could as well remove this line > and then > > python-openssl 0.14 would > > work fine, again. > > > > Kind regards > > Cornelius > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > Michael Muenz: > > > ii openssl > 1.0.1t-1 > > +deb8u2 amd64 > > > Secure Sockets Layer > toolkit - > > cryptographic utility > > > ii python-openssl > 0.14-1 > > all > > > Python 2 wrapper around the > OpenSSL > > library > > > > > > > > > > > > > > > [2016-06-06 > > > > > >22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
> > > Exception on /token/init [POST] > > > Traceback (most recent call > last): > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, > in > > > wsgi_app > > > response = > self.full_dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, > in > > > full_dispatch_request > > > rv = > self.handle_user_exception(e) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, > in > > > handle_user_exception > > > reraise(exc_type, exc_value, > tb) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, > in > > > full_dispatch_request > > > rv = self.dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, > in > > > dispatch_request > > > return > > > self.view_functions[rule.endpoint](**req.view_args) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > line 57, in event_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > line 186, in init > > > tokenrealms=tokenrealms) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > line 912, in init_token > > > > tokenobject.update(upd_params) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update> > > crypto.FILETYPE_PEM, req)) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request> > > csr_extensions = > > csr_obj.get_extensions() > > > AttributeError: 'X509Req' object > has no > > attribute 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > Hi, > > > > > > can you please post your > > privacyidea.log? > > > There should be a > traceback. > > > > > > Which version of pyopenssl > and which > > version of openssl are > > > you using? > > > > > > Kind regards > > > Cornelius > > > > > > Am Montag, den 06.06.2016, > 06:33 > > -0700 schrieb Michael Muenz: > > > > Hi, > > > > > > > > > > > > I've set up the WebCA as > described > > in > > > > > > > > > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > > > > > > > > > > > When I try to roll out a > new > > certificate I get: > > > > 'X509Req' object has no > attribute > > 'get_extensions' > > > > > > > > > > > > > > > > There's no certificate > but the > > token will be displayed > > > within the > > > > token view. > > > > > > > > > > > > Google tells me about > some "wont > > fixes" with PyOpenSSL. > > > > > > > > > > > > I'm using Debian 8 with > latest > > packages from Trusty build. > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > Thanks > > > > Michael > > > > -- > > > > Please read the blog > post about > > getting help > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > For professional > services and > > consultancy regarding two > > > factor > > > > authentication please > visit > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > In an enterprise > environment you > > should get a SERVICE LEVEL > > > AGREEMENT > > > > which suites your needs > for > > SECURITY, AVAILABILITY and > > > LIABILITY: > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > --- > > > > You received this > message because > > you are subscribed to the > > > Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and > > stop receiving emails > > > from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email > > to > > > > priva...@googlegroups.com. > > > > Visit this group at > > > > > > https://groups.google.com/group/privacyidea. > > > > To view this discussion > on the web > > visit > > > > > > > > > >> > > > For more options, visit > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, > 34131 Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: > +49 561 > > 3166798 > > > > > > Amtsgericht Kassel, HRB > 16405 > > > Geschäftsführer: Cornelius > Kölbel > > > > > > > > > -- > > > Please read the blog post about > getting > > help > > > > https://www.privacyidea.org/getting-help/. > > > > > > For professional services and > consultancy > > regarding two factor > > > authentication please visit > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > In an enterprise environment you > should get > > a SERVICE LEVEL AGREEMENT > > > which suites your needs for > SECURITY, > > AVAILABILITY and LIABILITY: > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > --- > > > You received this message because > you are > > subscribed to the Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and > stop > > receiving emails from it, send > > > an email to > > privacyidea...@googlegroups.com. > > > To post to this group, send email > to > > priva...@googlegroups.com. > > > Visit this group at > > > https://groups.google.com/group/privacyidea. > > > To view this discussion on the web > visit > > > > > >> > > For more options, visit > > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 > 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > > > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
I copied the pkcs12 to the otp machine and exported the CA Cert but it’s
empty.
There seems to be something wrong, but I’m not sure if it’s my fault. 
root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out
cacert.pem
Enter Import Password:
MAC verified OK
root@otp1:~# cat cacert.pem
root@otp1:~#
Did the same with an existing .p12 created for another project and the
corret root ca was exported.Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael Muenz:
Hm, I followed now:
5.4. CA Connectors — privacyIDEA 3.8 documentation
http://www.google.com/url?q=http%3A%2F%2Fprivacyidea.readthedocs.io%2Fen%2Flatest%2Fconfiguration%2Fcaconnectors.html&sa=D&sntz=1&usg=AFQjCNE2YGHa26p_SdTwuiZ1zsgC-AHgTAmkdir /etc/privacyidea/CA
cp
/opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf
/etc/privacyidea/CA/openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key
-out /etc/privacyidea/CA/ca.crt
-config /etc/privacyidea/CA/openssl.cnf
chmod 0600 /etc/privacyidea/CA/ca.key
touch /etc/privacyidea/CA/index.txt
echo 01 > /etc/privacyidea/CA/serial
openssl rsa -in ca.key -out ca-nopw.key
mv ca-nopw.key ca.key
chown -R privacyidea /etc/privacyidea/CAI enroll a certificate and set a PW in the PIN field, but I can import it
successfully with my W10Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb Cornelius Kölbel:
You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb Michael Muenz:
No, I removed the password after our last discussion (for the testing
system)The certificates get created and I can import them, but they don’t
have a password.Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb Cornelius Kölbel:
To avoid confusion:The private key of the CA is not password protected! Kind regards Cornelius Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael Muenz: > Hi, > > > doesn't work for me. > > > Hm, with my first setup I remember that it was working, but now when > importing an existing CA there are no import pw's. > > > Will try again with a CA from scratch. > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius Kölbel: > Hi Michael, > > this already can be done. > When setting the token PIN, this will be the password for the > pkcs12 > file. > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 02:45 -0700 schrieb Michael > Muenz: > > Hi, > > > > > > Again playing around with the CA connector. > > Are there any plans for setting an import password for the > generated > > PKCS12 files? > > > > > > Thanks > > Michael > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb Cornelius > Kölbel: > > Hi Michael, > > > > > > I was thinking the passphrase on the ca key. > > In my opinion having a passphtase only makes limited > sense. > > The passphrase would be encrypted in the database. > Encrypted > > with the encryption key, which is probably only > protected by > > file access. So you can protect the ca key with file > access in > > the first place. > > > > > > Think of the local ca as a working proof of concept > :-) > > Any feedback and input is appreciated. > > > > > > Kind regards > > Cornelius > > > > > > > > > > > > > > Cornelius Kölbel > > +49 151 2960 1417 > > > > NetKnights GmbH > > Http://NetKnights <http://NetKnights>. It > > +49 561 3166 797 > > > > > > > > > > -------- Ursprüngliche Nachricht -------- > > Von: Michael Muenz <m.m...@gmail.com> > > Datum: 07.06.16 10:04 (GMT+01:00) > > An: privacyidea <priva...@googlegroups.com> > > Betreff: Re: [privacyidea] CA Connector can't > create > > certificate > > > > > > Ok, removed the line and it works again. > > Now I can download the PKCS12. > > > > > > But I had to remove the password from the ca.key ... > will this > > be the final version or do you plan some fields in > the UI to > > enter the password for the root-ca? > > > > > > Michael > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > I added the Jessie-Backports since they > deliver 0.15, > > but when I wanted to install it, it greps > > python-pyopenssl from the trusty ppa and > brokes :) > > After that I forced it with aptitude -t > > jessie-backports and now I get a Internal > Server Error > > when accessing the startpage > > > > > > > > > > [Tue Jun 07 09:53:37.895043 2016] > [wsgi:error] [pid > > 489:tid > > > 139726979172096]/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.> > [Tue Jun 07 09:53:37.895273 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] > > default="/etc/privacyidea/dictionary") > > [Tue Jun 07 09:53:37.921642 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Target WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi' > cannot be > > loaded as Python module. > > [Tue Jun 07 09:53:37.921834 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > mod_wsgi > > (pid=489): Exception occurred processing > WSGI script > > '/etc/privacyidea/privacyideaapp.wsgi'. > > [Tue Jun 07 09:53:37.921948 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > Traceback > > (most recent call last): > > [Tue Jun 07 09:53:37.922116 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > "/etc/privacyidea/privacyideaapp.wsgi", line > 3, in > > <module> > > [Tue Jun 07 09:53:37.922265 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > privacyidea.app import create_app > > [Tue Jun 07 09:53:37.922359 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > line 28, in <module> > > [Tue Jun 07 09:53:37.922952 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > import > > privacyidea.api.before_after > > [Tue Jun 07 09:53:37.923097 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in> > [Tue Jun 07 09:53:37.923599 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from ..lib.user import get_user_from_param > > [Tue Jun 07 09:53:37.923697 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > line 55, in <module> > > [Tue Jun 07 09:53:37.924472 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .resolver import (get_resolver_object, > > [Tue Jun 07 09:53:37.924585 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py",line 47, in
> > [Tue Jun 07 09:53:37.925108 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > from > > config import (get_resolver_types, > > [Tue Jun 07 09:53:37.925207 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > line 47, in <module> > > [Tue Jun 07 09:53:37.926073 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > from .caconnectors.localca import > BaseCAConnector > > [Tue Jun 07 09:53:37.926233 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > File > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173> > [Tue Jun 07 09:53:37.926344 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > csr_extensions = csr_obj.get_extensions() > > [Tue Jun 07 09:53:37.926499 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > ^ > > [Tue Jun 07 09:53:37.926583 2016] > [wsgi:error] [pid > > 489:tid 139726979172096] [remote X:512] > > IndentationError: unexpected indent > > > > > > > > > > I think I'm gonna reinstall from > scratch ... > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > The CSR extensions are not used at > the > > moment. > > > > So we could as well remove this line > and then > > python-openssl 0.14 would > > work fine, again. > > > > Kind regards > > Cornelius > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > Michael Muenz: > > > ii openssl > 1.0.1t-1 > > +deb8u2 amd64 > > > Secure Sockets Layer > toolkit - > > cryptographic utility > > > ii python-openssl > 0.14-1 > > all > > > Python 2 wrapper around the > OpenSSL > > library > > > > > > > > > > > > > > > [2016-06-06 > > > > > >22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > user u'mimu' found in resolver > u'maxadmins' > > > [2016-06-06 > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > userid resolved to > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > [2016-06-06 > > > > > >22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
> > > Exception on /token/init [POST] > > > Traceback (most recent call > last): > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, > in > > > wsgi_app > > > response = > self.full_dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, > in > > > full_dispatch_request > > > rv = > self.handle_user_exception(e) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, > in > > > handle_user_exception > > > reraise(exc_type, exc_value, > tb) > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, > in > > > full_dispatch_request > > > rv = self.dispatch_request() > > > File > > > "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, > in > > > dispatch_request > > > return > > > self.view_functions[rule.endpoint](**req.view_args) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > line 104, in policy_wrapper > > > return wrapped_function(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > line 57, in event_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > line 186, in init > > > tokenrealms=tokenrealms) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > line > > > 180, in log_wrapper > > > f_result = func(*args, > **kwds) > > > File > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > line 912, in init_token > > > > tokenobject.update(upd_params) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update> > > crypto.FILETYPE_PEM, req)) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request> > > csr_extensions = > > csr_obj.get_extensions() > > > AttributeError: 'X509Req' object > has no > > attribute 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > Hi, > > > > > > can you please post your > > privacyidea.log? > > > There should be a > traceback. > > > > > > Which version of pyopenssl > and which > > version of openssl are > > > you using? > > > > > > Kind regards > > > Cornelius > > > > > > Am Montag, den 06.06.2016, > 06:33 > > -0700 schrieb Michael Muenz: > > > > Hi, > > > > > > > > > > > > I've set up the WebCA as > described > > in > > > > > > > > > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > > > > > > > > > > > When I try to roll out a > new > > certificate I get: > > > > 'X509Req' object has no > attribute > > 'get_extensions' > > > > > > > > > > > > > > > > There's no certificate > but the > > token will be displayed > > > within the > > > > token view. > > > > > > > > > > > > Google tells me about > some "wont > > fixes" with PyOpenSSL. > > > > > > > > > > > > I'm using Debian 8 with > latest > > packages from Trusty build. > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > Thanks > > > > Michael > > > > -- > > > > Please read the blog > post about > > getting help > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > For professional > services and > > consultancy regarding two > > > factor > > > > authentication please > visit > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > In an enterprise > environment you > > should get a SERVICE LEVEL > > > AGREEMENT > > > > which suites your needs > for > > SECURITY, AVAILABILITY and > > > LIABILITY: > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > --- > > > > You received this > message because > > you are subscribed to the > > > Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and > > stop receiving emails > > > from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email > > to > > > > priva...@googlegroups.com. > > > > Visit this group at > > > > > > https://groups.google.com/group/privacyidea. > > > > To view this discussion > on the web > > visit > > > > > > > > > >> > > > For more options, visit > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, > 34131 Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: > +49 561 > > 3166798 > > > > > > Amtsgericht Kassel, HRB > 16405 > > > Geschäftsführer: Cornelius > Kölbel > > > > > > > > > -- > > > Please read the blog post about > getting > > help > > > > https://www.privacyidea.org/getting-help/. > > > > > > For professional services and > consultancy > > regarding two factor > > > authentication please visit > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > In an enterprise environment you > should get > > a SERVICE LEVEL AGREEMENT > > > which suites your needs for > SECURITY, > > AVAILABILITY and LIABILITY: > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > --- > > > You received this message because > you are > > subscribed to the Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and > stop > > receiving emails from it, send > > > an email to > > privacyidea...@googlegroups.com. > > > To post to this group, send email > to > > priva...@googlegroups.com. > > > Visit this group at > > >…
Cornelius,
I’ll definitely order some hours when the first server goes into
production, but for now I’m evaluating all features internally here.
So, I created the CA as documented before and enrolled a certificate token
for user e.g. mimu.
Now I can download the certificate as PKCS12. Normally this file should
include certificate, key and root cert.
With a doubleclick I can install the certificate (PKCS12) but when asked
for a import pw only a empty password works.
Now, when opening the mmc snapin I can see the certificate unter Own
Certificates. But there’s no root ca installed.
That’s why I tried to extract the root ca from the pkcs12 via openssl, but
it’s empty.
I’m quite sure that with a first test machine with Ubuntu ppa version 2.12
it worked.
Now I’m using PiP 2.13
MichaelAm Mittwoch, 13. Juli 2016 18:23:27 UTC+2 schrieb Cornelius Kölbel:
The below mentioned link does not contain any pkcs12.
5.4. CA Connectors — privacyIDEA 3.8 documentation
I am really not sure what you mean here.
Are you talking about the CA certificate, this is the certificate
signing the others?
Or are you talking about a “certificate token”, i.e. a user certificate.Which PKCS12 did you copy, export CA certificate?
This all makes no sense to me.But no problem, I also provide great PKI workshops:
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungPlease note: Certificates is a topic it is very important you understand
the underlying processes, rules and crytpography.
privacyIDEA has very basic certificate management capabilities.
But I am happy, if you help to improve the software.Kind regards
CorneliusAm Mittwoch, den 13.07.2016, 04:44 -0700 schrieb Michael Muenz:
I copied the pkcs12 to the otp machine and exported the CA Cert but
it’s empty.
There seems to be something wrong, but I’m not sure if it’s my
fault.root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out
cacert.pem
Enter Import Password:
MAC verified OK
root@otp1:~# cat cacert.pem
root@otp1:~#Did the same with an existing .p12 created for another project and the
corret root ca was exported.Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael Muenz:
Hm, I followed
now:
5.4. CA Connectors — privacyIDEA 3.8 documentationmkdir /etc/privacyidea/CA cp/opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf
/etc/privacyidea/CA/openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \ -out /etc/privacyidea/CA/ca.crt \ -config /etc/privacyidea/CA/openssl.cnf chmod 0600 /etc/privacyidea/CA/ca.key touch /etc/privacyidea/CA/index.txt echo 01 > /etc/privacyidea/CA/serial openssl rsa -in ca.key -out ca-nopw.key mv ca-nopw.key ca.key chown -R privacyidea /etc/privacyidea/CA I enroll a certificate and set a PW in the PIN field, but I can import it successfully with my W10 Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb Cornelius Kölbel: You should clearly state HOW you created the user certificate. Especially HOW you created the keypair! Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb Michael Muenz: > :) > > > No, I removed the password after our last discussion (for the testing > system) > > > The certificates get created and I can import them, but they don't > have a password. > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb Cornelius Kölbel: > To avoid confusion: > > The private key of the CA is not password protected! > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael > Muenz: > > Hi, > > > > > > doesn't work for me. > > > > > > Hm, with my first setup I remember that it was working, but > now when > > importing an existing CA there are no import pw's. > > > > > > Will try again with a CA from scratch. > > > > > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius > Kölbel: > > Hi Michael, > > > > this already can be done. > > When setting the token PIN, this will be the > password for the > > pkcs12 > > file. > > > > Kind regards > > Cornelius > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > Michael > > Muenz: > > > Hi, > > > > > > > > > Again playing around with the CA connector. > > > Are there any plans for setting an import password > for the > > generated > > > PKCS12 files? > > > > > > > > > Thanks > > > Michael > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > Cornelius > > Kölbel: > > > Hi Michael, > > > > > > > > > I was thinking the passphrase on the ca > key. > > > In my opinion having a passphtase only > makes limited > > sense. > > > The passphrase would be encrypted in the > database. > > Encrypted > > > with the encryption key, which is probably > only > > protected by > > > file access. So you can protect the ca key > with file > > access in > > > the first place. > > > > > > > > > Think of the local ca as a working proof > of concept > > :-) > > > Any feedback and input is appreciated. > > > > > > > > > Kind regards > > > Cornelius > > > > > > > > > > > > > > > > > > > > > Cornelius Kölbel > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > Http://NetKnights. It > > > +49 561 3166 797 > > > > > > > > > > > > > > > -------- Ursprüngliche Nachricht -------- > > > Von: Michael Muenz <m.m...@gmail.com> > > > Datum: 07.06.16 10:04 (GMT+01:00) > > > An: privacyidea > <priva...@googlegroups.com> > > > Betreff: Re: [privacyidea] CA Connector > can't > > create > > > certificate > > > > > > > > > Ok, removed the line and it works again. > > > Now I can download the PKCS12. > > > > > > > > > But I had to remove the password from the > ca.key ... > > will this > > > be the final version or do you plan some > fields in > > the UI to > > > enter the password for the root-ca? > > > > > > > > > Michael > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > I added the Jessie-Backports since > they > > deliver 0.15, > > > but when I wanted to install it, > it greps > > > python-pyopenssl from the trusty > ppa and > > brokes :) > > > After that I forced it with > aptitude -t > > > jessie-backports and now I get a > Internal > > Server Error > > > when accessing the startpage > > > > > > > > > > > > > > > [Tue Jun 07 09:53:37.895043 2016] > > [wsgi:error] [pid > > > 489:tid > > > > > > 139726979172096]/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.> > > [Tue Jun 07 09:53:37.895273 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] > > > > default="/etc/privacyidea/dictionary") > > > [Tue Jun 07 09:53:37.921642 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > mod_wsgi > > > (pid=489): Target WSGI script > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > cannot be > > > loaded as Python module. > > > [Tue Jun 07 09:53:37.921834 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > mod_wsgi > > > (pid=489): Exception occurred > processing > > WSGI script > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > [Tue Jun 07 09:53:37.921948 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > Traceback > > > (most recent call last): > > > [Tue Jun 07 09:53:37.922116 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > "/etc/privacyidea/privacyideaapp.wsgi", line > > 3, in > > > <module> > > > [Tue Jun 07 09:53:37.922265 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > from > > > privacyidea.app import create_app > > > [Tue Jun 07 09:53:37.922359 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > line 28, in <module> > > > [Tue Jun 07 09:53:37.922952 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > import > > > privacyidea.api.before_after > > > [Tue Jun 07 09:53:37.923097 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in> > > [Tue Jun 07 09:53:37.923599 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from ..lib.user import > get_user_from_param > > > [Tue Jun 07 09:53:37.923697 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py”,
> > line 55, in <module> > > > [Tue Jun 07 09:53:37.924472 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from .resolver import > (get_resolver_object, > > > [Tue Jun 07 09:53:37.924585 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py”, line 47, in
> > > [Tue Jun 07 09:53:37.925108 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > from > > > config import > (get_resolver_types, > > > [Tue Jun 07 09:53:37.925207 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py”,
> > line 47, in <module> > > > [Tue Jun 07 09:53:37.926073 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from .caconnectors.localca import > > BaseCAConnector > > > [Tue Jun 07 09:53:37.926233 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173> > > [Tue Jun 07 09:53:37.926344 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > csr_extensions = > csr_obj.get_extensions() > > > [Tue Jun 07 09:53:37.926499 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > ^ > > > [Tue Jun 07 09:53:37.926583 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > IndentationError: unexpected > indent > > > > > > > > > > > > > > > I think I'm gonna reinstall from > > scratch ... > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > The CSR extensions are not > used at > > the > > > moment. > > > > > > So we could as well remove > this line > > and then > > > python-openssl 0.14 would > > > work fine, again. > > > > > > Kind regards > > > Cornelius > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > Michael Muenz: > > > > ii openssl > > 1.0.1t-1 > > > +deb8u2 amd64 > > > > Secure Sockets > Layer > > toolkit - > > > cryptographic utility > > > > ii python-openssl > > 0.14-1 > > > all > > > > Python 2 wrapper > around the > > OpenSSL > > > library > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > >22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > >22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
> > > > Exception on /token/init > [POST] > > > > Traceback (most recent > call > > last): > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1817, > > in > > > > wsgi_app > > > > response = > > self.full_dispatch_request() > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1477, > > in > > > > full_dispatch_request > > > > rv = > > self.handle_user_exception(e) > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1381, > > in > > > > handle_user_exception > > > > reraise(exc_type, > exc_value, > > tb) > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1475, > > in > > > > full_dispatch_request > > > > rv = > self.dispatch_request() > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1461, > > in > > > > dispatch_request > > > > return > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
> > > > line 57, in > event_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”,
> > line > > > > 180, in log_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
> > > > line 186, in init > > > > > tokenrealms=tokenrealms) > > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”,
> > line > > > > 180, in log_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
> > > > line 912, in init_token > > > > > > tokenobject.update(upd_params) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update> > > > crypto.FILETYPE_PEM, > req)) > > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request> > > > csr_extensions = > > > csr_obj.get_extensions() > > > > AttributeError: > 'X509Req' object > > has no > > > attribute > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > Hi, > > > > > > > > can you please > post your > > > privacyidea.log? > > > > There should be > a > > traceback. > > > > > > > > Which version of > pyopenssl > > and which > > > version of openssl are > > > > you using? > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > Am Montag, den > 06.06.2016, > > 06:33 > > > -0700 schrieb Michael > Muenz: > > > > > Hi, > > > > > > > > > > > > > > > I've set up > the WebCA as > > described > > > in > > > > > > > > > > > > > > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > > > > > > > > > > > > > > > When I try to > roll out a > > new > > > certificate I get: > > > > > 'X509Req' > object has no > > attribute > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > There's no > certificate > > but the > > > token will be displayed > > > > within the > > > > > token view. > > > > > > > > > > > > > > > Google tells > me about > > some "wont > > > fixes" with PyOpenSSL. > > > > > > > > > > > > > > > I'm using > Debian 8 with > > latest > > > packages from Trusty > build. > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > Thanks > > > > > Michael > > > > > -- > > > > > Please read > the blog > > post about > > > getting help > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > For > professional > > services and > > > consultancy regarding two > > > > factor > > > > > authentication > please > > visit > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > In an > enterprise > > environment you > > > should get a SERVICE > LEVEL > > > > AGREEMENT > > > > > which suites > your needs > > for > > > SECURITY, AVAILABILITY > and > > > > LIABILITY: > > > > > > > > > > > > > > >> > > > > --- > > > > > You received > this > > message because > > > you are subscribed to the > > > > Google > > > > > Groups > "privacyidea" > > group. > > > > > To unsubscribe > from this > > group and > > > stop receiving emails > > > > from it, send > > > > > an email to > > > > privacyidea...@googlegroups.com. > > > > > To post to > this group, > > send email > > > to > > > > > > priva...@googlegroups.com. > > > > > Visit this > group at > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > To view this > discussion > > on the web > > > visit > > > > > > > > > > > > > > >> > > > > For more > options, visit > > > > https://groups.google.com/d/optout. > > > > > > > > -- > > > > Cornelius > Kölbel > > > > > corneliu...@netknights.it > > > > +49 151 2960 > 1417 > > > > > > > > NetKnights GmbH > > > > > http://www.netknights.it > > > > > Landgraf-Karl-Str. 19, > > 34131 Kassel, > > > Germany > > > > Tel: +49 561 > 3166797, Fax: > > +49 561 > > > 3166798 > > > > > > > > Amtsgericht > Kassel, HRB > > 16405 > > > > Geschäftsführer: > Cornelius > > Kölbel > > > > > > > > > > > > -- > > > > Please read the blog > post about > > getting > > > help > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > For professional > services and > > consultancy > > > regarding two factor > > > > authentication please > visit > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > In an enterprise > environment you > > should get > > > a SERVICE LEVEL AGREEMENT > > > > which suites your needs > for > > SECURITY, > > > AVAILABILITY and > LIABILITY: > > > > > > > > > >> > > > --- > > > > You received this > message because > > you are > > > subscribed to the Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and > > stop > > > receiving emails from it, > send > > > > an email to > > > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email > > to > > > > priva...@googlegroups.com. > > > > Visit this group at > > > > > ...–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hello Michael,
Please explain to me: In the moment you need to MOST help, you refuse to
get help. You try with a lot of effort to do everything on your own.
Why?
Because I’m not the one in the company who decides to spend money for
This will be the internal systems, so there’s no money to earn.
When we are so far to sell services, we’ll also order some consultancy to
check if everything is setup correctly.
Also, when the CA stuff doesn’t work the way we want, we’ll just don’t use
it and use CLI (as before), but the way PI does it, it’s a good way to roll
them out to the user.
So, I created the CA as documented before and enrolled a certificate
token for user e.g. mimu.STOP. You say a complicated process very lightly in half a sentence?
Please think about it yourself: How did you enroll the certificate
token? There are many different ways to do so. This is important
information - also to you!This is really what makes it very challenging for me to act on the
mailing list. Because most people to not take a look at what they are
doing.
OK, I setup a small article with some pictures, hopefully you can follow me
now, sorry for not beeing clear enough:
http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/
I checked the privacyidea.log, no traceback (the certificate token gets
created mostly perfect) and apache log is also quit.
Thanks
MichaelAm Mittwoch, 13. Juli 2016 19:06:14 UTC+2 schrieb Cornelius Kölbel:
Here probably is your problem. “You enrolled the certificate token”…
Did it ever came up to your mind, that the problem the certificate token
does not behave as expected is due to the fact, that the token was not
enrolled as you thought you would?
So the logical consequence would be, to take a deeper look at the token
enrollment process. And not only drop this topic in half a sentence.So again. How did you enroll the certificate token?
I very much recommend for all of you to study physics!
…to train your analytic skills…Kind regards
CorneliusNow I can download the certificate as PKCS12. Normally this file
should include certificate, key and root cert.
With a doubleclick I can install the certificate (PKCS12) but when
asked for a import pw only a empty password works.Now, when opening the mmc snapin I can see the certificate unter Own
Certificates. But there’s no root ca installed.
That’s why I tried to extract the root ca from the pkcs12 via openssl,
but it’s empty.I’m quite sure that with a first test machine with Ubuntu ppa version
2.12 it worked.
Now I’m using PiP 2.13Michael
Am Mittwoch, 13. Juli 2016 18:23:27 UTC+2 schrieb Cornelius Kölbel:
The below mentioned link does not contain any pkcs12.5.4. CA Connectors — privacyIDEA 3.8 documentation
I am really not sure what you mean here. Are you talking about the CA certificate, this is the certificate signing the others? Or are you talking about a "certificate token", i.e. a user certificate. Which PKCS12 did you copy, export CA certificate? This all makes no sense to me. But no problem, I also provide great PKI workshops: https://netknights.it/en/leistungen/one-time-services/ Please note: Certificates is a topic it is very important you understand the underlying processes, rules and crytpography. privacyIDEA has very basic certificate management capabilities. But I am happy, if you help to improve the software. Kind regards Cornelius Am Mittwoch, den 13.07.2016, 04:44 -0700 schrieb Michael Muenz: > I copied the pkcs12 to the otp machine and exported the CA Cert but > it's empty. > There seems to be something wrong, but I'm not sure if it's my > fault. :/ > > > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out > cacert.pem > Enter Import Password: > MAC verified OK > root@otp1:~# cat cacert.pem > root@otp1:~# > > > Did the same with an existing .p12 created for another project and the > corret root ca was exported. > > > > Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael Muenz: > Hm, I followed > now:5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > mkdir /etc/privacyidea/CA > cp/opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf
/etc/privacyidea/CA/> > > openssl req -days 3650 -new -x509 > -keyout /etc/privacyidea/CA/ca.key \ > -out /etc/privacyidea/CA/ca.crt \ > -config /etc/privacyidea/CA/openssl.cnf > > chmod 0600 /etc/privacyidea/CA/ca.key > touch /etc/privacyidea/CA/index.txt > echo 01 > /etc/privacyidea/CA/serial > openssl rsa -in ca.key -out ca-nopw.key > mv ca-nopw.key ca.key > chown -R privacyidea /etc/privacyidea/CA > > > > > > > I enroll a certificate and set a PW in the PIN field, but I > can import it successfully with my W10 > > > > > > > > Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb Cornelius > Kölbel: > You should clearly state HOW you created the user > certificate. > Especially HOW you created the keypair! > > Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb > Michael Muenz: > > :) > > > > > > No, I removed the password after our last discussion > (for the testing > > system) > > > > > > The certificates get created and I can import them, > but they don't > > have a password. > > > > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb > Cornelius Kölbel: > > To avoid confusion: > > > > The private key of the CA is not password > protected! > > > > Kind regards > > Cornelius > > > > Am Mittwoch, den 13.07.2016, 03:37 -0700 > schrieb Michael > > Muenz: > > > Hi, > > > > > > > > > doesn't work for me. > > > > > > > > > Hm, with my first setup I remember that it > was working, but > > now when > > > importing an existing CA there are no > import pw's. > > > > > > > > > Will try again with a CA from scratch. > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 > schrieb Cornelius > > Kölbel: > > > Hi Michael, > > > > > > this already can be done. > > > When setting the token PIN, this > will be the > > password for the > > > pkcs12 > > > file. > > > > > > Kind regards > > > Cornelius > > > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > > Michael > > > Muenz: > > > > Hi, > > > > > > > > > > > > Again playing around with the CA > connector. > > > > Are there any plans for setting > an import password > > for the > > > generated > > > > PKCS12 files? > > > > > > > > > > > > Thanks > > > > Michael > > > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > > Cornelius > > > Kölbel: > > > > Hi Michael, > > > > > > > > > > > > I was thinking the > passphrase on the ca > > key. > > > > In my opinion having a > passphtase only > > makes limited > > > sense. > > > > The passphrase would be > encrypted in the > > database. > > > Encrypted > > > > with the encryption key, > which is probably > > only > > > protected by > > > > file access. So you can > protect the ca key > > with file > > > access in > > > > the first place. > > > > > > > > > > > > Think of the local ca as > a working proof > > of concept > > > :-) > > > > Any feedback and input > is appreciated. > > > > > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cornelius Kölbel > > > > +49 151 2960 1417 > > > > > > > > NetKnights GmbH > > > > Http://NetKnights. It > > > > +49 561 3166 797 > > > > > > > > > > > > > > > > > > > > -------- Ursprüngliche > Nachricht -------- > > > > Von: Michael Muenz > <m.m...@gmail.com> > > > > Datum: 07.06.16 10:04 > (GMT+01:00) > > > > An: privacyidea > > <priva...@googlegroups.com> > > > > Betreff: Re: > [privacyidea] CA Connector > > can't > > > create > > > > certificate > > > > > > > > > > > > Ok, removed the line and > it works again. > > > > Now I can download the > PKCS12. > > > > > > > > > > > > But I had to remove the > password from the > > ca.key ... > > > will this > > > > be the final version or > do you plan some > > fields in > > > the UI to > > > > enter the password for > the root-ca? > > > > > > > > > > > > Michael > > > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > > I added the > Jessie-Backports since > > they > > > deliver 0.15, > > > > but when I > wanted to install it, > > it greps > > > > python-pyopenssl > from the trusty > > ppa and > > > brokes :) > > > > After that I > forced it with > > aptitude -t > > > > jessie-backports > and now I get a > > Internal > > > Server Error > > > > when accessing > the startpage > > > > > > > > > > > > > > > > > > > > [Tue Jun 07 > 09:53:37.895043 2016] > > > [wsgi:error] [pid > > > > 489:tid > > > > > > > > > > 139726979172096]/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.> > > > [Tue Jun 07 > 09:53:37.895273 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] > > > > > > default="/etc/privacyidea/dictionary") > > > > [Tue Jun 07 > 09:53:37.921642 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > mod_wsgi > > > > (pid=489): > Target WSGI script > > > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > > cannot be > > > > loaded as Python > module. > > > > [Tue Jun 07 > 09:53:37.921834 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > mod_wsgi > > > > (pid=489): > Exception occurred > > processing > > > WSGI script > > > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > > [Tue Jun 07 > 09:53:37.921948 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > Traceback > > > > (most recent > call last): > > > > [Tue Jun 07 > 09:53:37.922116 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > "/etc/privacyidea/privacyideaapp.wsgi", > line > > > 3, in > > > > <module> > > > > [Tue Jun 07 > 09:53:37.922265 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > from > > > > privacyidea.app > import create_app > > > > [Tue Jun 07 > 09:53:37.922359 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > > line 28, in > <module> > > > > [Tue Jun 07 > 09:53:37.922952 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > import > > > > > privacyidea.api.before_after > > > > [Tue Jun 07 > 09:53:37.923097 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in> > > > [Tue Jun 07 > 09:53:37.923599 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > > from ..lib.user > import > > get_user_from_param > > > > [Tue Jun 07 > 09:53:37.923697 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > > > line 55, in <module> > > > > [Tue Jun 07 > 09:53:37.924472 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > > from .resolver > import > > (get_resolver_object, > > > > [Tue Jun 07 > 09:53:37.924585 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py",line 47, in
> > > > [Tue Jun 07 > 09:53:37.925108 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > from > > > > config import > > (get_resolver_types, > > > > [Tue Jun 07 > 09:53:37.925207 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > > > line 47, in <module> > > > > [Tue Jun 07 > 09:53:37.926073 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > > > from .caconnectors.localca import > > > BaseCAConnector > > > > [Tue Jun 07 > 09:53:37.926233 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > File > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173> > > > [Tue Jun 07 > 09:53:37.926344 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > > csr_extensions > = > > csr_obj.get_extensions() > > > > [Tue Jun 07 > 09:53:37.926499 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > ^ > > > > [Tue Jun 07 > 09:53:37.926583 2016] > > > [wsgi:error] [pid > > > > 489:tid > 139726979172096] [remote > > X:512] > > > > > IndentationError: unexpected > > indent > > > > > > > > > > > > > > > > > > > > I think I'm > gonna reinstall from > > > scratch ... > > > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > > The CSR > extensions are not > > used at > > > the > > > > moment. > > > > > > > > So we > could as well remove > > this line > > > and then > > > > > python-openssl 0.14 would > > > > work > fine, again. > > > > > > > > Kind > regards > > > > > Cornelius > > > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > > Michael > Muenz: > > > > > ii > openssl > > > 1.0.1t-1 > > > > +deb8u2 > amd64 > > > > > > Secure Sockets > > Layer > > > toolkit - > > > > > cryptographic utility > > > > > ii > python-openssl > > > 0.14-1 > > > > > all > > > > > > Python 2 wrapper > > around the > > > OpenSSL > > > > library > > > > > > > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > user > u'mimu' found in > > resolver > > > u'maxadmins' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > userid > resolved to > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > [2016-06-06 > > > > > > > > > > > > > > >22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
> > > > > > Exception on /token/init > > [POST] > > > > > > Traceback (most recent > > call > > > last): > > > > > > File > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > line 1817, > > > in > > > > > > wsgi_app > > > > > > response = > > > self.full_dispatch_request() > > > > > > File > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > line 1477, > > > in > > > > > > full_dispatch_request > > > > > rv > = > > > self.handle_user_exception(e) > > > > > > File > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > line 1381, > > > in > > > > > > handle_user_exception > > > > > > reraise(exc_type, > > exc_value, > > > tb) > > > > > > File > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > line 1475, > > > in > > > > > > full_dispatch_request > > > > > rv > = > > self.dispatch_request() > > > > > > File > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > line 1461, > > > in > > > > > > dispatch_request > > > > > > return > > > > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > line > 104, in > > policy_wrapper > > > > > > return > > wrapped_function(*args, > > > **kwds) > > > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > > > line > 57, in > > event_wrapper > > > > > > f_result = > > func(*args, > > > **kwds) > > > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > line > > > > > 180, > in log_wrapper > > > > > > f_result = > > func(*args, > > > **kwds) > > > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > > > line > 186, in init > > > > > > > tokenrealms=tokenrealms) > > > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > line > > > > > 180, > in log_wrapper > > > > > > f_result = > > func(*args, > > > **kwds) > > > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > > > line > 912, in init_token > > > > > > > > tokenobject.update(upd_params) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update> > > > > > crypto.FILETYPE_PEM, > > req)) > > > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request> > > > > > csr_extensions = > > > > > csr_obj.get_extensions() > > > > > > AttributeError: > > 'X509Req' object > > > has no > > > > > attribute > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > > > Hi, > > > > > > > > > > > > can you please > > post your > > > > > privacyidea.log? > > > > > > There should be > > a > > > traceback. > > > > > > > > > > > > Which version of > > pyopenssl > > > and which > > > > version > of openssl are > > > > > > you using? > > > > > > > > > > > > Kind regards > > > > > > Cornelius > > > > > > > > > > > > Am Montag, den > > 06.06.2016, > > > 06:33 > > > > -0700 > schrieb Michael > > Muenz: > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > I've set up > > the WebCA as > > > described > > > > in > > > > > > > > > > > > > > > > > > > > > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > > > > > > > > > > > > > > > > > > > > > > > When I try to > > roll out a > > > new > > > > > certificate I get: > > > > > > > 'X509Req' > > object has no > > > attribute > > > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > There's no > > certificate > > > but the > > > > token > will be displayed > > > > > > within the > > > > > > > token view. > > > > > > > > > > > > > > > > > > > > > Google tells > > me about > > > some "wont > > > > fixes" > with PyOpenSSL. > > > > > > > > > > > > > > > > > > > > > I'm using > > Debian 8 with > > > latest > > > > packages > from Trusty > > build. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > Michael > > > > > > > -- > > > > > > > Please read > > the blog > > > post about > > > > getting > help > > > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > For > > professional > > > services and > > > > > consultancy regarding two > > > > > > factor > > > > > > > authentication > > please > > > visit > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > In an > > enterprise > > > environment you > > > > should > get a SERVICE > > LEVEL > > > > > > AGREEMENT > > > > > > > which suites > > your needs > > > for > > > > > SECURITY, AVAILABILITY > > and > > > > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > --- > > > > > > > You received > > this > > > message because > > > > you are > subscribed to the > > > > > > Google > > > > > > > Groups > > "privacyidea" > > > group. > > > > > > > To unsubscribe > > from this > > > group and > > > > stop > receiving emails > > > > > > from it, send > > > > > > > an email to > > > > > > privacyidea...@googlegroups.com. > > > > > > > To post to > > this group, > > > send email > > > > to > > > > > > > > priva...@googlegroups.com. > > > > > > > Visit this > > group at > > > > > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > > > To view this > > discussion > > > on the web > > > > visit > > > > > > > > > > > > > > > > > > > > > >> > > > > > > For more > > options, visit > > > > > > https://groups.google.com/d/optout. > > > > > > > > > > > > -- > > > > > > Cornelius > > Kölbel > > > > > > > corneliu...@netknights.it > > > > > > +49 151 2960 > > 1417 > > > > > > > > > > > > NetKnights GmbH > > > > > > > http://www.netknights.it > > > > > > > Landgraf-Karl-Str. 19, > > > 34131 Kassel, > > > > Germany > > > > > > Tel: +49 561 > > 3166797, Fax: > > > +49 561 > > > > 3166798 > > > > > > > > > > > > Amtsgericht > > Kassel, HRB > > > 16405 > > > > > > Geschäftsführer: > > Cornelius > > > Kölbel > > > > > > > > > > > > > > > > > -- > > > > > Please > read the blog > > post about > > > getting > > > > help > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > For > professional > > services and > > > consultancy > > > > > regarding two factor > > > > > > authentication please > > visit > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > In an > enterprise > > environment you > > > should get > > > > a > SERVICE LEVEL AGREEMENT > > > > > which > suites your needs > > for > > > SECURITY, > > > > > AVAILABILITY and > > LIABILITY: > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > --- > > > > > You > received this > > message because > > > you are > > > > > subscribed to the Google > > > > > Groups > "privacyidea" > > group. > > > > > To > unsubscribe from this > > group and > > > stop > > > > > receiving emails from it, > > send > > > > > an > email to > > > > > > privacyidea...@googlegroups.com. > > > > > To > post to this group, > > send email > > > to > > > > > > priva...@googlegroups.com. > > > > > Visit > this group at > > > > > > > > ... > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi,
Again playing around with the CA connector.
Are there any plans for setting an import password for the generated PKCS12
files?
Thanks
MichaelAm Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb Cornelius Kölbel:
Hi Michael,
I was thinking the passphrase on the ca key.
In my opinion having a passphtase only makes limited sense.
The passphrase would be encrypted in the database. Encrypted with the
encryption key, which is probably only protected by file access. So you can
protect the ca key with file access in the first place.Think of the local ca as a working proof of concept
Any feedback and input is appreciated.Kind regards
CorneliusCornelius Kölbel
+49 151 2960 1417NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797-------- Ursprüngliche Nachricht --------
Von: Michael Muenz <m.m...@gmail.com <javascript:>>
Datum: 07.06.16 10:04 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com <javascript:>>
Betreff: Re: [privacyidea] CA Connector can’t create certificateOk, removed the line and it works again.
Now I can download the PKCS12.But I had to remove the password from the ca.key … will this be the
final version or do you plan some fields in the UI to enter the password
for the root-ca?Michael
On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
I added the Jessie-Backports since they deliver 0.15, but when I wanted
to install it, it greps python-pyopenssl from the trusty ppa and brokes
After that I forced it with aptitude -t jessie-backports and now I get a
Internal Server Error when accessing the startpage[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid
139726979172096]
/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid
139726979172096] default=“/etc/privacyidea/dictionary”)
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/app.py”, line 28, in
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from …lib.user import
get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py”, line 55, in
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .resolver import
(get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py”, line 47, in
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py”, line 47, in
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] from .caconnectors.localca import
BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] csr_extensions =
csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid
139726979172096] [remote X:512] IndentationError: unexpected indentI think I’m gonna reinstall from scratch …
On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
The CSR extensions are not used at the moment.
So we could as well remove this line and then python-openssl 0.14 would
work fine, again.Kind regards
CorneliusAm Montag, den 06.06.2016, 13:20 -0700 schrieb Michael Muenz:
ii openssl 1.0.1t-1+deb8u2 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all
Python 2 wrapper around the OpenSSL library[2016-06-06
22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
user u’mimu’ found in resolver u’maxadmins’
[2016-06-06
22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
userid resolved to u’6ce8f8fe-5848-1030-9368-cd33db809b50’
[2016-06-06
22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
Exception on /token/init [POST]
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1817, in
wsgi_app
response = self.full_dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1477, in
full_dispatch_request
rv = self.handle_user_exception(e)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1381, in
handle_user_exception
reraise(exc_type, exc_value, tb)
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1475, in
full_dispatch_request
rv = self.dispatch_request()
File “/usr/lib/python2.7/dist-packages/flask/app.py”, line 1461, in
dispatch_request
return self.view_functionsrule.endpoint
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File
“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
line 104, in policy_wrapper
return wrapped_function(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,
line 57, in event_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,
line 186, in init
tokenrealms=tokenrealms)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”, line
180, in log_wrapper
f_result = func(*args, **kwds)
File “/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,
line 912, in init_token
tokenobject.update(upd_params)
File“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in updatecrypto.FILETYPE_PEM, req))File
“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_requestcsr_extensions = csr_obj.get_extensions()AttributeError: ‘X509Req’ object has no attribute ‘get_extensions’
On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,can you please post your privacyidea.log? There should be a traceback. Which version of pyopenssl and which version of openssl are you using? Kind regards Cornelius Am Montag, den 06.06.2016, 06:33 -0700 schrieb Michael Muenz: > Hi, > > > I've set up the WebCA as described in >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > When I try to roll out a new certificate I get: > 'X509Req' object has no attribute 'get_extensions' > > > > There's no certificate but the token will be displayed within the > token view. > > > Google tells me about some "wont fixes" with PyOpenSSL. > > > I'm using Debian 8 with latest packages from Trusty build. > > > > > Any ideas? > > > Thanks > Michael > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google Groups
“privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/fda5957c-bbd1-41b7-b1c2-71ba7b4b79b1%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/fda5957c-bbd1-41b7-b1c2-71ba7b4b79b1%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
The below mentioned link does not contain any pkcs12.
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
I am really not sure what you mean here.
Are you talking about the CA certificate, this is the certificate
signing the others?
Or are you talking about a “certificate token”, i.e. a user certificate.
Which PKCS12 did you copy, export CA certificate?
This all makes no sense to me.
But no problem, I also provide great PKI workshops:
https://netknights.it/en/leistungen/one-time-services/
Please note: Certificates is a topic it is very important you understand
the underlying processes, rules and crytpography.
privacyIDEA has very basic certificate management capabilities.
But I am happy, if you help to improve the software.
Kind regards
CorneliusAm Mittwoch, den 13.07.2016, 04:44 -0700 schrieb Michael Muenz:
I copied the pkcs12 to the otp machine and exported the CA Cert but
it’s empty.
There seems to be something wrong, but I’m not sure if it’s my
fault.root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out
cacert.pem
Enter Import Password:
MAC verified OK
root@otp1:~# cat cacert.pem
root@otp1:~#Did the same with an existing .p12 created for another project and the
corret root ca was exported.Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael Muenz:
Hm, I followed
now: 5.4. CA Connectors — privacyIDEA 3.8 documentationmkdir /etc/privacyidea/CA cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/ openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \ -out /etc/privacyidea/CA/ca.crt \ -config /etc/privacyidea/CA/openssl.cnf chmod 0600 /etc/privacyidea/CA/ca.key touch /etc/privacyidea/CA/index.txt echo 01 > /etc/privacyidea/CA/serial openssl rsa -in ca.key -out ca-nopw.key mv ca-nopw.key ca.key chown -R privacyidea /etc/privacyidea/CA I enroll a certificate and set a PW in the PIN field, but I can import it successfully with my W10 Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb Cornelius Kölbel: You should clearly state HOW you created the user certificate. Especially HOW you created the keypair! Am Mittwoch, den 13.07.2016, 03:39 -0700 schrieb Michael Muenz: > :) > > > No, I removed the password after our last discussion (for the testing > system) > > > The certificates get created and I can import them, but they don't > have a password. > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb Cornelius Kölbel: > To avoid confusion: > > The private key of the CA is not password protected! > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael > Muenz: > > Hi, > > > > > > doesn't work for me. > > > > > > Hm, with my first setup I remember that it was working, but > now when > > importing an existing CA there are no import pw's. > > > > > > Will try again with a CA from scratch. > > > > > > > > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius > Kölbel: > > Hi Michael, > > > > this already can be done. > > When setting the token PIN, this will be the > password for the > > pkcs12 > > file. > > > > Kind regards > > Cornelius > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > Michael > > Muenz: > > > Hi, > > > > > > > > > Again playing around with the CA connector. > > > Are there any plans for setting an import password > for the > > generated > > > PKCS12 files? > > > > > > > > > Thanks > > > Michael > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > Cornelius > > Kölbel: > > > Hi Michael, > > > > > > > > > I was thinking the passphrase on the ca > key. > > > In my opinion having a passphtase only > makes limited > > sense. > > > The passphrase would be encrypted in the > database. > > Encrypted > > > with the encryption key, which is probably > only > > protected by > > > file access. So you can protect the ca key > with file > > access in > > > the first place. > > > > > > > > > Think of the local ca as a working proof > of concept > > :-) > > > Any feedback and input is appreciated. > > > > > > > > > Kind regards > > > Cornelius > > > > > > > > > > > > > > > > > > > > > Cornelius Kölbel > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > Http://NetKnights. It > > > +49 561 3166 797 > > > > > > > > > > > > > > > -------- Ursprüngliche Nachricht -------- > > > Von: Michael Muenz <m.m...@gmail.com> > > > Datum: 07.06.16 10:04 (GMT+01:00) > > > An: privacyidea > <priva...@googlegroups.com> > > > Betreff: Re: [privacyidea] CA Connector > can't > > create > > > certificate > > > > > > > > > Ok, removed the line and it works again. > > > Now I can download the PKCS12. > > > > > > > > > But I had to remove the password from the > ca.key ... > > will this > > > be the final version or do you plan some > fields in > > the UI to > > > enter the password for the root-ca? > > > > > > > > > Michael > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > I added the Jessie-Backports since > they > > deliver 0.15, > > > but when I wanted to install it, > it greps > > > python-pyopenssl from the trusty > ppa and > > brokes :) > > > After that I forced it with > aptitude -t > > > jessie-backports and now I get a > Internal > > Server Error > > > when accessing the startpage > > > > > > > > > > > > > > > [Tue Jun 07 09:53:37.895043 2016] > > [wsgi:error] [pid > > > 489:tid > > > > > > 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. > > > [Tue Jun 07 09:53:37.895273 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] > > > > default="/etc/privacyidea/dictionary") > > > [Tue Jun 07 09:53:37.921642 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > mod_wsgi > > > (pid=489): Target WSGI script > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > cannot be > > > loaded as Python module. > > > [Tue Jun 07 09:53:37.921834 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > mod_wsgi > > > (pid=489): Exception occurred > processing > > WSGI script > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > [Tue Jun 07 09:53:37.921948 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > Traceback > > > (most recent call last): > > > [Tue Jun 07 09:53:37.922116 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > "/etc/privacyidea/privacyideaapp.wsgi", line > > 3, in > > > <module> > > > [Tue Jun 07 09:53:37.922265 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > from > > > privacyidea.app import create_app > > > [Tue Jun 07 09:53:37.922359 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > line 28, in <module> > > > [Tue Jun 07 09:53:37.922952 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > import > > > privacyidea.api.before_after > > > [Tue Jun 07 09:53:37.923097 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module> > > > [Tue Jun 07 09:53:37.923599 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from ..lib.user import > get_user_from_param > > > [Tue Jun 07 09:53:37.923697 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > > line 55, in <module> > > > [Tue Jun 07 09:53:37.924472 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from .resolver import > (get_resolver_object, > > > [Tue Jun 07 09:53:37.924585 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module> > > > [Tue Jun 07 09:53:37.925108 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > from > > > config import > (get_resolver_types, > > > [Tue Jun 07 09:53:37.925207 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > > line 47, in <module> > > > [Tue Jun 07 09:53:37.926073 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > from .caconnectors.localca import > > BaseCAConnector > > > [Tue Jun 07 09:53:37.926233 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 > > > [Tue Jun 07 09:53:37.926344 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > csr_extensions = > csr_obj.get_extensions() > > > [Tue Jun 07 09:53:37.926499 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > ^ > > > [Tue Jun 07 09:53:37.926583 2016] > > [wsgi:error] [pid > > > 489:tid 139726979172096] [remote > X:512] > > > IndentationError: unexpected > indent > > > > > > > > > > > > > > > I think I'm gonna reinstall from > > scratch ... > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > The CSR extensions are not > used at > > the > > > moment. > > > > > > So we could as well remove > this line > > and then > > > python-openssl 0.14 would > > > work fine, again. > > > > > > Kind regards > > > Cornelius > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > Michael Muenz: > > > > ii openssl > > 1.0.1t-1 > > > +deb8u2 amd64 > > > > Secure Sockets > Layer > > toolkit - > > > cryptographic utility > > > > ii python-openssl > > 0.14-1 > > > all > > > > Python 2 wrapper > around the > > OpenSSL > > > library > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > user u'mimu' found in > resolver > > u'maxadmins' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > userid resolved to > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > [2016-06-06 > > > > > > > > > > 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] > > > > Exception on /token/init > [POST] > > > > Traceback (most recent > call > > last): > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1817, > > in > > > > wsgi_app > > > > response = > > self.full_dispatch_request() > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1477, > > in > > > > full_dispatch_request > > > > rv = > > self.handle_user_exception(e) > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1381, > > in > > > > handle_user_exception > > > > reraise(exc_type, > exc_value, > > tb) > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1475, > > in > > > > full_dispatch_request > > > > rv = > self.dispatch_request() > > > > File > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > line 1461, > > in > > > > dispatch_request > > > > return > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > line 104, in > policy_wrapper > > > > return > wrapped_function(*args, > > **kwds) > > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > > line 57, in > event_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > line > > > > 180, in log_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > > line 186, in init > > > > > tokenrealms=tokenrealms) > > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > line > > > > 180, in log_wrapper > > > > f_result = > func(*args, > > **kwds) > > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > > line 912, in init_token > > > > > > tokenobject.update(upd_params) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update > > > > crypto.FILETYPE_PEM, > req)) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request > > > > csr_extensions = > > > csr_obj.get_extensions() > > > > AttributeError: > 'X509Req' object > > has no > > > attribute > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > Hi, > > > > > > > > can you please > post your > > > privacyidea.log? > > > > There should be > a > > traceback. > > > > > > > > Which version of > pyopenssl > > and which > > > version of openssl are > > > > you using? > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > Am Montag, den > 06.06.2016, > > 06:33 > > > -0700 schrieb Michael > Muenz: > > > > > Hi, > > > > > > > > > > > > > > > I've set up > the WebCA as > > described > > > in > > > > > > > > > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > > > > > > > > > > > > > When I try to > roll out a > > new > > > certificate I get: > > > > > 'X509Req' > object has no > > attribute > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > There's no > certificate > > but the > > > token will be displayed > > > > within the > > > > > token view. > > > > > > > > > > > > > > > Google tells > me about > > some "wont > > > fixes" with PyOpenSSL. > > > > > > > > > > > > > > > I'm using > Debian 8 with > > latest > > > packages from Trusty > build. > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > Thanks > > > > > Michael > > > > > -- > > > > > Please read > the blog > > post about > > > getting help > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > For > professional > > services and > > > consultancy regarding two > > > > factor > > > > > authentication > please > > visit > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > In an > enterprise > > environment you > > > should get a SERVICE > LEVEL > > > > AGREEMENT > > > > > which suites > your needs > > for > > > SECURITY, AVAILABILITY > and > > > > LIABILITY: > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > --- > > > > > You received > this > > message because > > > you are subscribed to the > > > > Google > > > > > Groups > "privacyidea" > > group. > > > > > To unsubscribe > from this > > group and > > > stop receiving emails > > > > from it, send > > > > > an email to > > > > privacyidea...@googlegroups.com. > > > > > To post to > this group, > > send email > > > to > > > > > > priva...@googlegroups.com. > > > > > Visit this > group at > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > To view this > discussion > > on the web > > > visit > > > > > > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > > > > > For more > options, visit > > > > https://groups.google.com/d/optout. > > > > > > > > -- > > > > Cornelius > Kölbel > > > > > corneliu...@netknights.it > > > > +49 151 2960 > 1417 > > > > > > > > NetKnights GmbH > > > > > http://www.netknights.it > > > > > Landgraf-Karl-Str. 19, > > 34131 Kassel, > > > Germany > > > > Tel: +49 561 > 3166797, Fax: > > +49 561 > > > 3166798 > > > > > > > > Amtsgericht > Kassel, HRB > > 16405 > > > > Geschäftsführer: > Cornelius > > Kölbel > > > > > > > > > > > > -- > > > > Please read the blog > post about > > getting > > > help > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > For professional > services and > > consultancy > > > regarding two factor > > > > authentication please > visit > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > In an enterprise > environment you > > should get > > > a SERVICE LEVEL AGREEMENT > > > > which suites your needs > for > > SECURITY, > > > AVAILABILITY and > LIABILITY: > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > --- > > > > You received this > message because > > you are > > > subscribed to the Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and > > stop > > > receiving emails from it, > send > > > > an email to > > > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email > > to > > > > priva...@googlegroups.com. > > > > Visit this group at > > > > > ...–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Anyways: The PIN is not correctly set during the enrollment of the
token.
You need to
- set the PIN on the token details and then
- reload the the token details.
Then you can download the PKCS12 PIN protected.
Yay, you’re right. When I set the PIN again and reload it’s in there.
Shall I create an issue in github?
PKCS12 does not require to contain a CA certificate.
But why don’t you do that? The Root CA has to be specified within the UI,
so the filename is clear.
Then you have a clean path from Root to User CA when checking the
certificate.Am Mittwoch, 13. Juli 2016 22:23:30 UTC+2 schrieb Cornelius Kölbel:
Kind regards
Cornelius> So, I created the CA as documented before and enrolled a certificate > token for user e.g. mimu. STOP. You say a complicated process very lightly in half a sentence? Please think about it yourself: How did you enroll the certificate token? There are many different ways to do so. This is important information - also to you! This is really what makes it very challenging for me to act on the mailing list. Because most people to not take a look at what they are doing.OK, I setup a small article with some pictures, hopefully you can
follow me now, sorry for not beeing clear enough:Debug Certificates in privacyIDEA – Routerperformance
I checked the privacyidea.log, no traceback (the certificate token
gets created mostly perfect) and apache log is also quit.Thanks
MichaelHere probably is your problem. "You enrolled the certificate token"... Did it ever came up to your mind, that the problem the certificate token does not behave as expected is due to the fact, that the token was not enrolled as you thought you would? So the logical consequence would be, to take a deeper look at the token enrollment process. And not only drop this topic in half a sentence. So again. How did you enroll the certificate token? I very much recommend for all of you to study physics! ...to train your analytic skills... Kind regards Cornelius > Now I can download the certificate as PKCS12. Normally this file > should include certificate, key and root cert. > With a doubleclick I can install the certificate (PKCS12) but when > asked for a import pw only a empty password works. > > > Now, when opening the mmc snapin I can see the certificate unter Own > Certificates. But there's no root ca installed. > That's why I tried to extract the root ca from the pkcs12 via openssl, > but it's empty. > > > I'm quite sure that with a first test machine with Ubuntu ppa version > 2.12 it worked. > Now I'm using PiP 2.13 > > > Michael > > > > Am Mittwoch, 13. Juli 2016 18:23:27 UTC+2 schrieb Cornelius Kölbel: > The below mentioned link does not contain any pkcs12. > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > I am really not sure what you mean here. > > Are you talking about the CA certificate, this is the > certificate > signing the others? > Or are you talking about a "certificate token", i.e. a user > certificate. > > Which PKCS12 did you copy, export CA certificate? > This all makes no sense to me. > > But no problem, I also provide great PKI workshops: > https://netknights.it/en/leistungen/one-time-services/ > > Please note: Certificates is a topic it is very important you > understand > the underlying processes, rules and crytpography. > privacyIDEA has very basic certificate management > capabilities. > But I am happy, if you help to improve the software. > > Kind regards > Cornelius > > Am Mittwoch, den 13.07.2016, 04:44 -0700 schrieb Michael > Muenz: > > I copied the pkcs12 to the otp machine and exported the CA > Cert but > > it's empty. > > There seems to be something wrong, but I'm not sure if it's > my > > fault. :/ > > > > > > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts > -nokeys -out > > cacert.pem > > Enter Import Password: > > MAC verified OK > > root@otp1:~# cat cacert.pem > > root@otp1:~# > > > > > > Did the same with an existing .p12 created for another > project and the > > corret root ca was exported. > > > > > > > > Am Mittwoch, 13. Juli 2016 13:25:22 UTC+2 schrieb Michael > Muenz: > > Hm, I followed > > now: >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > mkdir /etc/privacyidea/CA > > > cp/opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf
/etc/privacyidea/CA/> > > > > > openssl req -days 3650 -new -x509 > > -keyout /etc/privacyidea/CA/ca.key \ > > -out /etc/privacyidea/CA/ca.crt \ > > -config /etc/privacyidea/CA/openssl.cnf > > > > chmod 0600 /etc/privacyidea/CA/ca.key > > touch /etc/privacyidea/CA/index.txt > > echo 01 > /etc/privacyidea/CA/serial > > openssl rsa -in ca.key -out ca-nopw.key > > mv ca-nopw.key ca.key > > chown -R privacyidea /etc/privacyidea/CA > > > > > > > > > > > > > > I enroll a certificate and set a PW in the PIN > field, but I > > can import it successfully with my W10 > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb > Cornelius > > Kölbel: > > You should clearly state HOW you created the > user > > certificate. > > Especially HOW you created the keypair! > > > > Am Mittwoch, den 13.07.2016, 03:39 0700 schrieb > > Michael Muenz: > > > :) > > > > > > > > > No, I removed the password after our last > discussion > > (for the testing > > > system) > > > > > > > > > The certificates get created and I can > import them, > > but they don't > > > have a password. > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb > > Cornelius Kölbel: > > > To avoid confusion: > > > > > > The private key of the CA is not > password > > protected! > > > > > > Kind regards > > > Cornelius > > > > > > Am Mittwoch, den 13.07.2016, 03:37 > -0700 > > schrieb Michael > > > Muenz: > > > > Hi, > > > > > > > > > > > > doesn't work for me. > > > > > > > > > > > > Hm, with my first setup I > remember that it > > was working, but > > > now when > > > > importing an existing CA there > are no > > import pw's. > > > > > > > > > > > > Will try again with a CA from > scratch. > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 > 12:16:14 UTC+2 > > schrieb Cornelius > > > Kölbel: > > > > Hi Michael, > > > > > > > > this already can be > done. > > > > When setting the token > PIN, this > > will be the > > > password for the > > > > pkcs12 > > > > file. > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > > > Michael > > > > Muenz: > > > > > Hi, > > > > > > > > > > > > > > > Again playing around > with the CA > > connector. > > > > > Are there any plans > for setting > > an import password > > > for the > > > > generated > > > > > PKCS12 files? > > > > > > > > > > > > > > > Thanks > > > > > Michael > > > > > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > > > Cornelius > > > > Kölbel: > > > > > Hi Michael, > > > > > > > > > > > > > > > I was thinking > the > > passphrase on the ca > > > key. > > > > > In my opinion > having a > > passphtase only > > > makes limited > > > > sense. > > > > > The passphrase > would be > > encrypted in the > > > database. > > > > Encrypted > > > > > with the > encryption key, > > which is probably > > > only > > > > protected by > > > > > file access. > So you can > > protect the ca key > > > with file > > > > access in > > > > > the first > place. > > > > > > > > > > > > > > > Think of the > local ca as > > a working proof > > > of concept > > > > :-) > > > > > Any feedback > and input > > is appreciated. > > > > > > > > > > > > > > > Kind regards > > > > > Cornelius > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cornelius > Kölbel > > > > > +49 151 2960 > 1417 > > > > > > > > > > NetKnights > GmbH > > > > > > Http://NetKnights. It > > > > > +49 561 3166 > 797 > > > > > > > > > > > > > > > > > > > > > > > > > -------- > Ursprüngliche > > Nachricht -------- > > > > > Von: Michael > Muenz > > <m.m...@gmail.com> > > > > > Datum: > 07.06.16 10:04 > > (GMT+01:00) > > > > > An: > privacyidea > > > <priva...@googlegroups.com> > > > > > Betreff: Re: > > [privacyidea] CA Connector > > > can't > > > > create > > > > > certificate > > > > > > > > > > > > > > > Ok, removed > the line and > > it works again. > > > > > Now I can > download the > > PKCS12. > > > > > > > > > > > > > > > But I had to > remove the > > password from the > > > ca.key ... > > > > will this > > > > > be the final > version or > > do you plan some > > > fields in > > > > the UI to > > > > > enter the > password for > > the root-ca? > > > > > > > > > > > > > > > Michael > > > > > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > > > I > added the > > Jessie-Backports since > > > they > > > > deliver 0.15, > > > > > but > when I > > wanted to install it, > > > it greps > > > > > > python-pyopenssl > > from the trusty > > > ppa and > > > > brokes :) > > > > > After > that I > > forced it with > > > aptitude -t > > > > > > jessie-backports > > and now I get a > > > Internal > > > > Server Error > > > > > when > accessing > > the startpage > > > > > > > > > > > > > > > > > > > > > > > > > [Tue > Jun 07 > > 09:53:37.895043 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > > > > > > > > > > > > > > 139726979172096]/usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning:
Unicode column received non-unicode default value.> > > > > [Tue > Jun 07 > > 09:53:37.895273 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] > > > > > > > > > default="/etc/privacyidea/dictionary") > > > > > [Tue > Jun 07 > > 09:53:37.921642 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > mod_wsgi > > > > > > (pid=489): > > Target WSGI script > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > > > cannot be > > > > > loaded > as Python > > module. > > > > > [Tue > Jun 07 > > 09:53:37.921834 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > mod_wsgi > > > > > > (pid=489): > > Exception occurred > > > processing > > > > WSGI script > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > > > [Tue > Jun 07 > > 09:53:37.921948 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > Traceback > > > > > (most > recent > > call last): > > > > > [Tue > Jun 07 > > 09:53:37.922116 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > "/etc/privacyidea/privacyideaapp.wsgi", > > line > > > > 3, in > > > > > > <module> > > > > > [Tue > Jun 07 > > 09:53:37.922265 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > from > > > > > > privacyidea.app > > import create_app > > > > > [Tue > Jun 07 > > 09:53:37.922359 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > > > line > 28, in > > <module> > > > > > [Tue > Jun 07 > > 09:53:37.922952 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > import > > > > > > > privacyidea.api.before_after > > > > > [Tue > Jun 07 > > 09:53:37.923097 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py”, line
29, in> > > > > [Tue > Jun 07 > > 09:53:37.923599 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > from ..lib.user > > import > > > get_user_from_param > > > > > [Tue > Jun 07 > > 09:53:37.923697 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > > > > line 55, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.924472 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > from .resolver > > import > > > (get_resolver_object, > > > > > [Tue > Jun 07 > > 09:53:37.924585 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py",line 47, in
> > > > > [Tue > Jun 07 > > 09:53:37.925108 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > from > > > > > config > import > > > (get_resolver_types, > > > > > [Tue > Jun 07 > > 09:53:37.925207 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > > > > line 47, in <module> > > > > > [Tue > Jun 07 > > 09:53:37.926073 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > > from .caconnectors.localca import > > > > BaseCAConnector > > > > > [Tue > Jun 07 > > 09:53:37.926233 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > File > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173> > > > > [Tue > Jun 07 > > 09:53:37.926344 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > csr_extensions > > = > > > csr_obj.get_extensions() > > > > > [Tue > Jun 07 > > 09:53:37.926499 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > ^ > > > > > [Tue > Jun 07 > > 09:53:37.926583 2016] > > > > [wsgi:error] [pid > > > > > > 489:tid > > 139726979172096] [remote > > > X:512] > > > > > > > IndentationError: unexpected > > > indent > > > > > > > > > > > > > > > > > > > > > > > > > I > think I'm > > gonna reinstall from > > > > scratch ... > > > > > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > > > > The CSR > > extensions are not > > > used at > > > > the > > > > > > moment. > > > > > > > > > > > > So we > > could as well remove > > > this line > > > > and then > > > > > > > python-openssl 0.14 would > > > > > > work > > fine, again. > > > > > > > > > > > > Kind > > regards > > > > > > > Cornelius > > > > > > > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > > > > Michael > > Muenz: > > > > > > > ii > > openssl > > > > 1.0.1t-1 > > > > > > +deb8u2 > > amd64 > > > > > > > > > Secure Sockets > > > Layer > > > > toolkit - > > > > > > > cryptographic utility > > > > > > > ii > > python-openssl > > > > 0.14-1 > > > > > > > all > > > > > > > > > Python 2 wrapper > > > around the > > > > OpenSSL > > > > > > library > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]
> > > > > > > user > > u'mimu' found in > > > resolver > > > > u'maxadmins' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]
> > > > > > > userid > > resolved to > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > >22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423]
> > > > > > > > > Exception on /token/init > > > [POST] > > > > > > > > > Traceback (most recent > > > call > > > > last): > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1817, > > > > in > > > > > > > > > wsgi_app > > > > > > > > > response = > > > > > self.full_dispatch_request() > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1477, > > > > in > > > > > > > > > full_dispatch_request > > > > > > > rv > > = > > > > > self.handle_user_exception(e) > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1381, > > > > in > > > > > > > > > handle_user_exception > > > > > > > > > reraise(exc_type, > > > exc_value, > > > > tb) > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1475, > > > > in > > > > > > > > > full_dispatch_request > > > > > > > rv > > = > > > self.dispatch_request() > > > > > > > > > File > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > line 1461, > > > > in > > > > > > > > > dispatch_request > > > > > > > > > return > > > > > > > > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,
> > > > > > > line > > 104, in > > > policy_wrapper > > > > > > > > > return > > > wrapped_function(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > > > > > line > > 57, in > > > event_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > line > > > > > > > 180, > > in log_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > > > > > line > > 186, in init > > > > > > > > > > tokenrealms=tokenrealms) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > line > > > > > > > 180, > > in log_wrapper > > > > > > > > > f_result = > > > func(*args, > > > > **kwds) > > > > > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > > > > > line > > 912, in init_token > > > > > > > > > > > > tokenobject.update(upd_params) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update> > > > > > > > > crypto.FILETYPE_PEM, > > > req)) > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > >“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request> > > > > > > > > csr_extensions = > > > > > > > csr_obj.get_extensions() > > > > > > > > > AttributeError: > > > 'X509Req' object > > > > has no > > > > > > > attribute > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > can you please > > > post your > > > > > > > privacyidea.log? > > > > > > > > > There should be > > > a > > > > traceback. > > > > > > > > > > > > > > > > > > Which version of > > > pyopenssl > > > > and which > > > > > > version > > of openssl are > > > > > > > > > you using? > > > > > > > > > > > > > > > > > > Kind regards > > > > > > > > > Cornelius > > > > > > > > > > > > > > > > > > Am Montag, den > > > 06.06.2016, > > > > 06:33 > > > > > > -0700 > > schrieb Michael > > > Muenz: > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I've set up > > > the WebCA as > > > > described > > > > > > in > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >5.4. CA Connectors — privacyIDEA 3.8 documentation
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > When I try to > > > roll out a > > > > new > > > > > > > certificate I get: > > > > > > > > > > 'X509Req' > > > object has no > > > > attribute > > > > > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > There's no > > > certificate > > > > but the > > > > > > token > > will be displayed > > > > > > > > > within the > > > > > > > > > > token view. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Google tells > > > me about > > > > some "wont > > > > > > fixes" > > with PyOpenSSL. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I'm using > > > Debian 8 with > > > > latest > > > > > > packages > > from Trusty > > > build. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > Michael > > > > > > > > > > -- > > > > > > > > > > Please read > > > the blog > > > > post about > > > > > > getting > > help > > > > > > > > > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > > > > > > > For > > > professional > > > > services and > > > > > > > consultancy regarding two > > > > > > > > > factor > > > > > > > > > > authentication > > > please > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > > > > > > > In an > > > enterprise > > > > environment you > > > > > > should > > get a SERVICE > > > LEVEL > > > > > > > > > AGREEMENT > > > > > > > > > > which suites > > > your needs > > > > for > > > > > > > SECURITY, AVAILABILITY > > > and > > > > > > > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > > > > --- > > > > > > > > > > You received > > > this > > > > message because > > > > > > you are > > subscribed to the > > > > > > > > > Google > > > > > > > > > > Groups > > > "privacyidea" > > > > group. > > > > > > > > > > To unsubscribe > > > from this > > > > group and > > > > > > stop > > receiving emails > > > > > > > > > from it, send > > > > > > > > > > an email to > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > > > > To post to > > > this group, > > > > send email > > > > > > to > > > > > > > > > > > > priva...@googlegroups.com. > > > > > > > > > > Visit this > > > group at > > > > > > > > > > > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > > > > > > To view this > > > discussion > > > > on the web > > > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > For more > > > options, visit > > > > > > > > > https://groups.google.com/d/optout. > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Cornelius > > > Kölbel > > > > > > > > > > corneliu...@netknights.it > > > > > > > > > +49 151 2960 > > > 1417 > > > > > > > > > > > > > > > > > > NetKnights GmbH > > > > > > > > > > http://www.netknights.it > > > > > > > > > > Landgraf-Karl-Str. 19, > > > > 34131 Kassel, > > > > > > Germany > > > > > > > > > Tel: +49 561 > > > 3166797, Fax: > > > > +49 561 > > > > > > 3166798 > > > > > > > > > > > > > > > > > > Amtsgericht > > > Kassel, HRB > > > > 16405 > > > > > > > > > Geschäftsführer: > > > Cornelius > > > > Kölbel > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Please > > read the blog > > > post about > > > > getting > > > > > > help > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > For > > professional > > > services and > > > > consultancy > > > > > > > regarding two factor > > > > > > > > > authentication please > > > visit > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > In an > > enterprise > > > environment you > > > > should get > > > > > > a > > SERVICE LEVEL AGREEMENT > > > > > > > which > > suites your needs > > > for > > > > SECURITY, > > > > > > > AVAILABILITY and > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > --- > > > > > > > You > > received this > > > message because > > > > you are > > > > > > > subscribed to the Google > > > > > > > Groups > > "privacyidea" > > > group. > > > > > > > To > > unsubscribe from this > > > group and > > > > stop > > > > > > > receiving emails from it, > > > send > > > > > > > an > > email to > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > To > > post to this group, > > > send email > > > > to > > > > > > > > priva...@googlegroups.com. > > > > > > > Visit > > this group at > > > > > > > > > > > ... > > -- > > Please read the blog post about getting help > > https://www.privacyidea.org/getting-help/. > > > > For professional services and consultancy regarding two > factor > > authentication please visit > > https://netknights.it/en/leistungen/one-time-services/ > > > > In an enterprise environment you should get a SERVICE LEVEL > AGREEMENT > > which suites your needs for SECURITY, AVAILABILITY and > LIABILITY: > > > https://netknights.it/en/leistungen/service-level-agreements/ > > --- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > Visit this group at > https://groups.google.com/group/privacyidea. > > To view this discussion on the web visit > > >> > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Anyways: The PIN is not correctly set during the enrollment of the token. You need to 1. set the PIN on the token details and then 2. reload the the token details. Then you can download the PKCS12 PIN protected.Yay, you’re right. When I set the PIN again and reload it’s in there.
Shall I create an issue in github?PKCS12 does not require to contain a CA certificate.But why don’t you do that?
Two hands?
24 hours?
You are free to issue and issue or a pull request or order this feature.
It sounds sensible to me.
Kind regards
CorneliusAm Mittwoch, den 13.07.2016, 13:42 -0700 schrieb Michael Muenz:
Am Mittwoch, 13. Juli 2016 22:23:30 UTC+2 schrieb Cornelius Kölbel:
The Root CA has to be specified within the UI, so the filename is
clear.
Then you have a clean path from Root to User CA when checking the
certificate.Kind regards Cornelius > > > > > > So, I created the CA as documented before and enrolled a > certificate > > token for user e.g. mimu. > > STOP. You say a complicated process very lightly in half a > sentence? > Please think about it yourself: How did you enroll the > certificate > token? There are many different ways to do so. This is > important > information - also to you! > > This is really what makes it very challenging for me to act on > the > mailing list. Because most people to not take a look at what > they are > doing. > > > OK, I setup a small article with some pictures, hopefully you can > follow me now, sorry for not beeing clear enough: > http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/ > > > > I checked the privacyidea.log, no traceback (the certificate token > gets created mostly perfect) and apache log is also quit. > > > Thanks > Michael > > > Here probably is your problem. "You enrolled the certificate > token"... > Did it ever came up to your mind, that the problem the > certificate token > does not behave as expected is due to the fact, that the token > was not > enrolled as you thought you would? > So the logical consequence would be, to take a deeper look at > the token > enrollment process. And not only drop this topic in half a > sentence. > > So again. How did you enroll the certificate token? > > I very much recommend for all of you to study physics! > ...to train your analytic skills... > > Kind regards > Cornelius > > > Now I can download the certificate as PKCS12. Normally this > file > > should include certificate, key and root cert. > > With a doubleclick I can install the certificate (PKCS12) > but when > > asked for a import pw only a empty password works. > > > > > > Now, when opening the mmc snapin I can see the certificate > unter Own > > Certificates. But there's no root ca installed. > > That's why I tried to extract the root ca from the pkcs12 > via openssl, > > but it's empty. > > > > > > I'm quite sure that with a first test machine with Ubuntu > ppa version > > 2.12 it worked. > > Now I'm using PiP 2.13 > > > > > > Michael > > > > > > > > Am Mittwoch, 13. Juli 2016 18:23:27 UTC+2 schrieb Cornelius > Kölbel: > > The below mentioned link does not contain any > pkcs12. > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > I am really not sure what you mean here. > > > > Are you talking about the CA certificate, this is > the > > certificate > > signing the others? > > Or are you talking about a "certificate token", i.e. > a user > > certificate. > > > > Which PKCS12 did you copy, export CA certificate? > > This all makes no sense to me. > > > > But no problem, I also provide great PKI workshops: > > > https://netknights.it/en/leistungen/one-time-services/ > > > > Please note: Certificates is a topic it is very > important you > > understand > > the underlying processes, rules and crytpography. > > privacyIDEA has very basic certificate management > > capabilities. > > But I am happy, if you help to improve the > software. > > > > Kind regards > > Cornelius > > > > Am Mittwoch, den 13.07.2016, 04:44 -0700 schrieb > Michael > > Muenz: > > > I copied the pkcs12 to the otp machine and > exported the CA > > Cert but > > > it's empty. > > > There seems to be something wrong, but I'm not > sure if it's > > my > > > fault. :/ > > > > > > > > > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 > -cacerts > > -nokeys -out > > > cacert.pem > > > Enter Import Password: > > > MAC verified OK > > > root@otp1:~# cat cacert.pem > > > root@otp1:~# > > > > > > > > > Did the same with an existing .p12 created for > another > > project and the > > > corret root ca was exported. > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 13:25:22 UTC +2 schrieb > Michael > > Muenz: > > > Hm, I followed > > > now: > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > > mkdir /etc/privacyidea/CA > > > > > > cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/ > > > > > > > > > openssl req -days 3650 -new -x509 > > > -keyout /etc/privacyidea/CA/ca.key \ > > > > -out /etc/privacyidea/CA/ca.crt \ > > > > -config /etc/privacyidea/CA/openssl.cnf > > > > > > chmod 0600 /etc/privacyidea/CA/ca.key > > > touch /etc/privacyidea/CA/index.txt > > > echo 01 > /etc/privacyidea/CA/serial > > > openssl rsa -in ca.key -out ca-nopw.key > > > mv ca-nopw.key ca.key > > > chown -R privacyidea /etc/privacyidea/CA > > > > > > > > > > > > > > > > > > > > > I enroll a certificate and set a PW in the > PIN > > field, but I > > > can import it successfully with my W10 > > > > > > > > > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb > > Cornelius > > > Kölbel: > > > You should clearly state HOW you > created the > > user > > > certificate. > > > Especially HOW you created the > keypair! > > > > > > Am Mittwoch, den 13.07.2016, 03:39 0700 schrieb > > > Michael Muenz: > > > > :) > > > > > > > > > > > > No, I removed the password after > our last > > discussion > > > (for the testing > > > > system) > > > > > > > > > > > > The certificates get created and > I can > > import them, > > > but they don't > > > > have a password. > > > > > > > > > > > > Am Mittwoch, 13. Juli 2016 12:38:14 UTC+2 schrieb > > > Cornelius Kölbel: > > > > To avoid confusion: > > > > > > > > The private key of the > CA is not > > password > > > protected! > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > Am Mittwoch, den > 13.07.2016, 03:37 > > -0700 > > > schrieb Michael > > > > Muenz: > > > > > Hi, > > > > > > > > > > > > > > > doesn't work for me. > > > > > > > > > > > > > > > Hm, with my first > setup I > > remember that it > > > was working, but > > > > now when > > > > > importing an existing > CA there > > are no > > > import pw's. > > > > > > > > > > > > > > > Will try again with a > CA from > > scratch. > > > > > > > > > > > > > > > > > > > > Am Mittwoch, 13. Juli > 2016 > > 12:16:14 UTC+2 > > > schrieb Cornelius > > > > Kölbel: > > > > > Hi Michael, > > > > > > > > > > this already > can be > > done. > > > > > When setting > the token > > PIN, this > > > will be the > > > > password for the > > > > > pkcs12 > > > > > file. > > > > > > > > > > Kind regards > > > > > Cornelius > > > > > > > > > > Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb > > > > Michael > > > > > Muenz: > > > > > > Hi, > > > > > > > > > > > > > > > > > > Again > playing around > > with the CA > > > connector. > > > > > > Are there > any plans > > for setting > > > an import password > > > > for the > > > > > generated > > > > > > PKCS12 > files? > > > > > > > > > > > > > > > > > > Thanks > > > > > > Michael > > > > > > > > > > > > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb > > > > Cornelius > > > > > Kölbel: > > > > > > Hi > Michael, > > > > > > > > > > > > > > > > > > I > was thinking > > the > > > passphrase on the ca > > > > key. > > > > > > In > my opinion > > having a > > > passphtase only > > > > makes limited > > > > > sense. > > > > > > The > passphrase > > would be > > > encrypted in the > > > > database. > > > > > Encrypted > > > > > > with > the > > encryption key, > > > which is probably > > > > only > > > > > protected by > > > > > > file > access. > > So you can > > > protect the ca key > > > > with file > > > > > access in > > > > > > the > first > > place. > > > > > > > > > > > > > > > > > > > Think of the > > local ca as > > > a working proof > > > > of concept > > > > > :-) > > > > > > Any > feedback > > and input > > > is appreciated. > > > > > > > > > > > > > > > > > > Kind > regards > > > > > > > Cornelius > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cornelius > > Kölbel > > > > > > +49 > 151 2960 > > 1417 > > > > > > > > > > > > > NetKnights > > GmbH > > > > > > > > Http://NetKnights. It > > > > > > +49 > 561 3166 > > 797 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -------- > > Ursprüngliche > > > Nachricht -------- > > > > > > Von: > Michael > > Muenz > > > <m.m...@gmail.com> > > > > > > > Datum: > > 07.06.16 10:04 > > > (GMT+01:00) > > > > > > An: > > privacyidea > > > > > <priva...@googlegroups.com> > > > > > > > Betreff: Re: > > > [privacyidea] CA Connector > > > > can't > > > > > create > > > > > > > certificate > > > > > > > > > > > > > > > > > > Ok, > removed > > the line and > > > it works again. > > > > > > Now > I can > > download the > > > PKCS12. > > > > > > > > > > > > > > > > > > But > I had to > > remove the > > > password from the > > > > ca.key ... > > > > > will this > > > > > > be > the final > > version or > > > do you plan some > > > > fields in > > > > > the UI to > > > > > > > enter the > > password for > > > the root-ca? > > > > > > > > > > > > > > > > > > > Michael > > > > > > > > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC +2, Michael Muenz wrote: > > > > > > > I > > added the > > > Jessie-Backports since > > > > they > > > > > deliver 0.15, > > > > > > > but > > when I > > > wanted to install it, > > > > it greps > > > > > > > > python-pyopenssl > > > from the trusty > > > > ppa and > > > > > brokes :) > > > > > > > After > > that I > > > forced it with > > > > aptitude -t > > > > > > > > jessie-backports > > > and now I get a > > > > Internal > > > > > Server Error > > > > > > > when > > accessing > > > the startpage > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [Tue > > Jun 07 > > > 09:53:37.895043 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > > > > > > > > > > > > > > > > > > > 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. > > > > > > > [Tue > > Jun 07 > > > 09:53:37.895273 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] > > > > > > > > > > > > default="/etc/privacyidea/dictionary") > > > > > > > [Tue > > Jun 07 > > > 09:53:37.921642 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > mod_wsgi > > > > > > > > (pid=489): > > > Target WSGI script > > > > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi' > > > > > cannot be > > > > > > > loaded > > as Python > > > module. > > > > > > > [Tue > > Jun 07 > > > 09:53:37.921834 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > mod_wsgi > > > > > > > > (pid=489): > > > Exception occurred > > > > processing > > > > > WSGI script > > > > > > > > > > > > '/etc/privacyidea/privacyideaapp.wsgi'. > > > > > > > [Tue > > Jun 07 > > > 09:53:37.921948 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > Traceback > > > > > > > (most > > recent > > > call last): > > > > > > > [Tue > > Jun 07 > > > 09:53:37.922116 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > "/etc/privacyidea/privacyideaapp.wsgi", > > > line > > > > > 3, in > > > > > > > > <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.922265 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > from > > > > > > > > privacyidea.app > > > import create_app > > > > > > > [Tue > > Jun 07 > > > 09:53:37.922359 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/app.py", > > > > > > > line > > 28, in > > > <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.922952 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > import > > > > > > > > > privacyidea.api.before_after > > > > > > > [Tue > > Jun 07 > > > 09:53:37.923097 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.923599 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > > > > from ..lib.user > > > import > > > > get_user_from_param > > > > > > > [Tue > > Jun 07 > > > 09:53:37.923697 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", > > > > > line 55, in > <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.924472 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > > > > from .resolver > > > import > > > > (get_resolver_object, > > > > > > > [Tue > > Jun 07 > > > 09:53:37.924585 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.925108 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > from > > > > > > > config > > import > > > > (get_resolver_types, > > > > > > > [Tue > > Jun 07 > > > 09:53:37.925207 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", > > > > > line 47, in > <module> > > > > > > > [Tue > > Jun 07 > > > 09:53:37.926073 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > > > > > from .caconnectors.localca import > > > > > > BaseCAConnector > > > > > > > [Tue > > Jun 07 > > > 09:53:37.926233 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 > > > > > > > [Tue > > Jun 07 > > > 09:53:37.926344 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > > > > csr_extensions > > > = > > > > > csr_obj.get_extensions() > > > > > > > [Tue > > Jun 07 > > > 09:53:37.926499 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > ^ > > > > > > > [Tue > > Jun 07 > > > 09:53:37.926583 2016] > > > > > [wsgi:error] > [pid > > > > > > > > 489:tid > > > 139726979172096] [remote > > > > X:512] > > > > > > > > > IndentationError: unexpected > > > > indent > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I > > think I'm > > > gonna reinstall from > > > > > scratch ... > > > > > > > > > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC +2, Cornelius Kölbel wrote: > > > > > > > > The CSR > > > extensions are not > > > > used at > > > > > the > > > > > > > > moment. > > > > > > > > > > > > > > > > So we > > > could as well remove > > > > this line > > > > > and then > > > > > > > > > python-openssl 0.14 would > > > > > > > > work > > > fine, again. > > > > > > > > > > > > > > > > Kind > > > regards > > > > > > > > > Cornelius > > > > > > > > > > > > > > > > Am Montag, den 06.06.2016, 13:20 0700 schrieb > > > > > > > > Michael > > > Muenz: > > > > > > > > > ii > > > openssl > > > > > 1.0.1t-1 > > > > > > > > +deb8u2 > > > amd64 > > > > > > > > > > > > Secure Sockets > > > > Layer > > > > > toolkit - > > > > > > > > > cryptographic utility > > > > > > > > > ii > > > python-openssl > > > > > 0.14-1 > > > > > > > > > all > > > > > > > > > > > > Python 2 wrapper > > > > around the > > > > > OpenSSL > > > > > > > > library > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] > > > > > > > > > user > > > u'mimu' found in > > > > resolver > > > > > u'maxadmins' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] > > > > > > > > > userid > > > resolved to > > > > > > > > > > > > > > > u'6ce8f8fe-5848-1030-9368-cd33db809b50' > > > > > > > > > > > > [2016-06-06 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] > > > > > > > > > > > > Exception on /token/init > > > > [POST] > > > > > > > > > > > > Traceback (most recent > > > > call > > > > > last): > > > > > > > > > > > > File > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > > line 1817, > > > > > in > > > > > > > > > > > > wsgi_app > > > > > > > > > > > > response = > > > > > > > self.full_dispatch_request() > > > > > > > > > > > > File > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > > line 1477, > > > > > in > > > > > > > > > > > > full_dispatch_request > > > > > > > > > rv > > > = > > > > > > > self.handle_user_exception(e) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > > line 1381, > > > > > in > > > > > > > > > > > > handle_user_exception > > > > > > > > > > > > reraise(exc_type, > > > > exc_value, > > > > > tb) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > > line 1475, > > > > > in > > > > > > > > > > > > full_dispatch_request > > > > > > > > > rv > > > = > > > > self.dispatch_request() > > > > > > > > > > > > File > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/flask/app.py", > > > > line 1461, > > > > > in > > > > > > > > > > > > dispatch_request > > > > > > > > > > > > return > > > > > > > > > > > > > > > > self.view_functions[rule.endpoint](**req.view_args) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", > > > > > > > > > line > > > 104, in > > > > policy_wrapper > > > > > > > > > > > > return > > > > wrapped_function(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", > > > > > > > > > line > > > 57, in > > > > event_wrapper > > > > > > > > > > > > f_result = > > > > func(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > > line > > > > > > > > > 180, > > > in log_wrapper > > > > > > > > > > > > f_result = > > > > func(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", > > > > > > > > > line > > > 186, in init > > > > > > > > > > > > > > tokenrealms=tokenrealms) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", > > > > > line > > > > > > > > > 180, > > > in log_wrapper > > > > > > > > > > > > f_result = > > > > func(*args, > > > > > **kwds) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", > > > > > > > > > line > > > 912, in init_token > > > > > > > > > > > > > > > > tokenobject.update(upd_params) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update > > > > > > > > > > > > crypto.FILETYPE_PEM, > > > > req)) > > > > > > > > > > > > File > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request > > > > > > > > > > > > csr_extensions = > > > > > > > > > csr_obj.get_extensions() > > > > > > > > > > > > AttributeError: > > > > 'X509Req' object > > > > > has no > > > > > > > > > attribute > > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote: > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > can you please > > > > post your > > > > > > > > > privacyidea.log? > > > > > > > > > > > > There should be > > > > a > > > > > traceback. > > > > > > > > > > > > > > > > > > > > > > > > Which version of > > > > pyopenssl > > > > > and which > > > > > > > > version > > > of openssl are > > > > > > > > > > > > you using? > > > > > > > > > > > > > > > > > > > > > > > > Kind regards > > > > > > > > > > > > Cornelius > > > > > > > > > > > > > > > > > > > > > > > > Am Montag, den > > > > 06.06.2016, > > > > > 06:33 > > > > > > > > -0700 > > > schrieb Michael > > > > Muenz: > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I've set up > > > > the WebCA as > > > > > described > > > > > > > > in > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > When I try to > > > > roll out a > > > > > new > > > > > > > > > certificate I get: > > > > > > > > > > > > > 'X509Req' > > > > object has no > > > > > attribute > > > > > > > > > 'get_extensions' > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > There's no > > > > certificate > > > > > but the > > > > > > > > token > > > will be displayed > > > > > > > > > > > > within the > > > > > > > > > > > > > token view. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Google tells > > > > me about > > > > > some "wont > > > > > > > > fixes" > > > with PyOpenSSL. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I'm using > > > > Debian 8 with > > > > > latest > > > > > > > > packages > > > from Trusty > > > > build. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any ideas? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > > > > Michael > > > > > > > > > > > > > -- > > > > > > > > > > > > > Please read > > > > the blog > > > > > post about > > > > > > > > getting > > > help > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > > > > > > > > > > > > > For > > > > professional > > > > > services and > > > > > > > > > consultancy regarding two > > > > > > > > > > > > factor > > > > > > > > > > > > > authentication > > > > please > > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > > > > > > > > > > > > > In an > > > > enterprise > > > > > environment > you > > > > > > > > should > > > get a SERVICE > > > > LEVEL > > > > > > > > > > > > AGREEMENT > > > > > > > > > > > > > which suites > > > > your needs > > > > > for > > > > > > > > > SECURITY, AVAILABILITY > > > > and > > > > > > > > > > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > > > > > > > --- > > > > > > > > > > > > > You received > > > > this > > > > > message > because > > > > > > > > you are > > > subscribed to the > > > > > > > > > > > > Google > > > > > > > > > > > > > Groups > > > > "privacyidea" > > > > > group. > > > > > > > > > > > > > To unsubscribe > > > > from this > > > > > group and > > > > > > > > stop > > > receiving emails > > > > > > > > > > > > from it, send > > > > > > > > > > > > > an email to > > > > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > > > > > > > To post to > > > > this group, > > > > > send email > > > > > > > > to > > > > > > > > > > > > > > > > priva...@googlegroups.com. > > > > > > > > > > > > > Visit this > > > > group at > > > > > > > > > > > > > > > > > > > > > > > > > https://groups.google.com/group/privacyidea. > > > > > > > > > > > > > To view this > > > > discussion > > > > > on the web > > > > > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. > > > > > > > > > > > > > For more > > > > options, visit > > > > > > > > > > > > https://groups.google.com/d/optout. > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Cornelius > > > > Kölbel > > > > > > > > > > > > > > corneliu...@netknights.it > > > > > > > > > > > > +49 151 2960 > > > > 1417 > > > > > > > > > > > > > > > > > > > > > > > > NetKnights GmbH > > > > > > > > > > > > > > http://www.netknights.it > > > > > > > > > > > > > Landgraf-Karl-Str. 19, > > > > > 34131 Kassel, > > > > > > > > Germany > > > > > > > > > > > > Tel: +49 561 > > > > 3166797, Fax: > > > > > +49 561 > > > > > > > > 3166798 > > > > > > > > > > > > > > > > > > > > > > > > Amtsgericht > > > > Kassel, HRB > > > > > 16405 > > > > > > > > > > > > Geschäftsführer: > > > > Cornelius > > > > > Kölbel > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Please > > > read the blog > > > > post about > > > > > getting > > > > > > > > help > > > > > > > > > > > > > > > > > > https://www.privacyidea.org/getting-help/. > > > > > > > > > > > > > > > > > > For > > > professional > > > > services and > > > > > consultancy > > > > > > > > > regarding two factor > > > > > > > > > > > > authentication please > > > > visit > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > > > > > > > > > > > > > In an > > > enterprise > > > > environment you > > > > > should get > > > > > > > > a > > > SERVICE LEVEL AGREEMENT > > > > > > > > > which > > > suites your needs > > > > for > > > > > SECURITY, > > > > > > > > > AVAILABILITY and > > > > LIABILITY: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > > > > > > > --- > > > > > > > > > You > > > received this > > > > message because > > > > > you are > > > > > > > > > subscribed to the Google > > > > > > > > > Groups > > > "privacyidea" > > > > group. > > > > > > > > > To > > > unsubscribe from this > > > > group and > > > > > stop > > > > > > > > > receiving emails from it, > > > > send > > > > > > > > > an > > > email to > > > > > > > > > > > privacyidea...@googlegroups.com. > > > > > > > > > To > > > post to this group, > > > > send email > > > > > to > > > > > > > > > > > priva...@googlegroups.com. > > > > > > > > > Visit > > > this group at > > > > > > > > > > > > > > ... > > > -- > > > Please read the blog post about getting help > > > https://www.privacyidea.org/getting-help/. > > > > > > For professional services and consultancy > regarding two > > factor > > > authentication please visit > > > > https://netknights.it/en/leistungen/one-time-services/ > > > > > > In an enterprise environment you should get a > SERVICE LEVEL > > AGREEMENT > > > which suites your needs for SECURITY, AVAILABILITY > and > > LIABILITY: > > > > > > https://netknights.it/en/leistungen/service-level-agreements/ > > > --- > > > You received this message because you are > subscribed to the > > Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop receiving > emails > > from it, send > > > an email to privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > Visit this group at > > https://groups.google.com/group/privacyidea. > > > To view this discussion on the web visit > > > > > > https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com. > > > For more options, visit > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > Please read the blog post about getting help > > https://www.privacyidea.org/getting-help/. > > > > For professional services and consultancy regarding two > factor > > authentication please visit > > https://netknights.it/en/leistungen/one-time-services/ > > > > In an enterprise environment you should get a SERVICE LEVEL > AGREEMENT > > which suites your needs for SECURITY, AVAILABILITY and > LIABILITY: > > > https://netknights.it/en/leistungen/service-level-agreements/ > > --- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > Visit this group at > https://groups.google.com/group/privacyidea. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/df8a609c-66f5-4d1b-be20-27e7f0daaf32%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/6366a308-d759-4698-b199-e5af5f13d6b8%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/5016be8e-c6f3-48fe-8af9-33f2367a39f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)