Comments (6)
Hi @diver90,
Thank you for the background information. The Security Server can be registered in one X-Road instance and the instance cannot be changed afterwards. As your Security Server has been originally registered to ee-dev
instance, you must use CAs approved in that instance. In practice, you must apply certificates to ee-dev
instance from RIA. The easiest way forward with ee-dev
instance is to create a new auth key and apply a new auth cert from RIA.
In case you want to join ee-test
instance, you need to install a new Security Server, create new sign and auth keys, and apply certificates for them from SK. This means that you cannot use the SK certificates that you already have, because they were issued to the private keys of the first Security Server. The Security Server does not provide a feature that enables exporting/importing private keys from one Security Server to another.
I'd recommend you to contact RIA's help desk ([email protected]
) for more detailed information on X-tee related questions.
Best regards,
Petteri
from x-road-development.
Here is the log of signer.log:
2020-01-15 17:48:43,849 ERROR [Signer-akka.actor.default-dispatcher-1272283] e.r.x.s.p.h.ImportCertRequestHandler - Failed to import certificate
ee.ria.xroad.common.CodedException: CannotCreateCertPath.InternalError: Certificate is not issued by approved certification service provider.
And there some errors from proxy.log:
2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.common.util.AdminPort - Admin request: /timestampstatus
2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - /timestampstatus
2020-01-16 10:34:31,105 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://tsa-demo.ria.ee/
2020-01-16 10:34:31,151 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://tsa-demo.ria.ee/
2020-01-16 10:34:31,188 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,188 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,231 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,237 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,237 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,242 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,438 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,438 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - result {http://tsa-demo.ria.ee/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.188, nextUpdate=null, description=http://tsa-demo.ria.ee/), http://demo.sk.ee/tsa/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.438, nextUpdate=null, description=http://demo.sk.ee/tsa/)}
2020-01-16 10:34:31,439 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - statusFromLogManager {}
I am running Security Server version 6.16.0-0.20171128173309git05cf71f
from x-road-development.
Hi @diver90,
Based on the error message (Certificate is not issued by approved certification service provider.
) the certificate is signed using a CA certificate that has not been defined trusted in the X-tee test environment. When you requested the certificate from SK, did you specify that the certificate is for the X-tee test environment? Issuing the certificate using SK's production CA would explain the problem and the error message.
The INFO
and WARN
entries in the proxy.log
are related to the diagnostics view. They can be ignored.
You're running a very old version of the Security Server that does not receive updates anymore. Officially supported versions are 6.22, 6.21 and 6.20. You should upgrade your Security Server to a newer version.
Best regards,
Petteri
from x-road-development.
Hi @petkivim,
Maybe you can help me in this situation?
I will tell you from the very beginning.
I received a server from a past programmer, in this state:
- server installed
- configured ee-dev instance
- generated auth and sign CSR for ria.ee
- successful imported ee-dev sign cert from ria.ee (for X-tee dev)
- failed import auth cert from ria.ee, because someone deleted auth key
- generated auth and sign CSR for SK
And now we are trying to import SK test certificates. Am I right that we need to install another server (an ee-test instance) for these certificates?
from x-road-development.
Here is CA certificates from server.
from x-road-development.
Hi @petkivim
Thank you very much for helping me understand this situation!
Best regards,
Mykhailo
from x-road-development.
Related Issues (15)
- Creation of X-Road data service and client based on WSDL (on Java platform) HOT 2
- Xroad 6.19.0 binaries HOT 4
- XRoad Installation with EJbca Server and SignServer? HOT 7
- adding 3rd security server in the Ubuntu X-Road HOT 2
- Security Server Installation Issue HOT 2
- Security Server Installation Error HOT 4
- CSR Structure issue on Security Server HOT 5
- X-ROAD refusing connections when trying to access a REST endpoint HOT 1
- Sign-up on jira.niis.org doesn't work HOT 2
- Cannot start SS services HOT 6
- Cannot register subsystem HOT 2
- Install SS without internet HOT 2
- x road security server installation not working HOT 38
- Where the CA certificate file is located in? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from x-road-development.