send enrollment request, no reply from server

[kaitaklam]

I run, no reply from server - using https://github.com/Keyfactor/keyfactorcommunity/blob/main/apps-integration/ejbca-rest-api/README.md

curl -X POST -vvv --cacert ManagementCA.pem --cert-type P12 --cert SuperAdmin.p12:foo123 -H 'Content-Type: application/json' --data '{
"certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC5TCCAc0CAQAwVDELMAkGA1UEBhMCU0UxHjAcBgNVBAoMFVByaW1lS2V5IFNv\nbHV0aW9ucyBBQjEOMAwGA1UECwwFSW5mcmExFTATBgNVBAMMDHByaW1la2V5LmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ03o7m+MBxtyYkmvZj\nsrASbn+xtCBnWFK3cAMRE+uDRZpUeU5pUNgEE7Ed5VbDLcigG1rxIFxa6b/akLzO\nXK8TXafhBZpBxev6x0CpRSrVm8/QS7v9cD8U6kJIIGCwqTJ5I1Cxvf5xAGLQf7AJ\n42Z3TrxVZKWPEwqZKgr4pd/yZSlYvLWPHu25LZeYEMh4T1vdxQFSxVwdgeas67HQ\nyG4uVWc0mfrvtJfx9QMaVtP9cY8xSVh2av9+xd6JDu8cQHw4X3RzR2/MJrY34pxF\n6/OavD4Mr2aFdC7SqkZmbwfb3xWXxPbP1+G97LVo1aC4BJrbUZUhrbilMFwPK3gf\ne+8CAwEAAaBMMEoGCSqGSIb3DQEJDjE9MDswCwYDVR0PBAQDAgWgMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBcGA1UdEQQQMA6CDHByaW1la2V5LmNvbTANBgkqhkiG9w0B\nAQsFAAOCAQEAsQyRaf79Ur9eU1n5QYpx7gH08h4ixnLAkAMXSPlkZtF6aHvv+neD\nBNEJ/+wQulghWfjuDJXgSwzd4Uoz1cXbXi16mXfOovqO/HdxQwvByoPg6rVTvskf\nv8iY0pYGZEGSo7iFM7xDPIbcNqISG6ZYSF+BtsctdoNL+QDrkwEsX3zbNJAW4T5p\nroW+jDJOoeX2iNa4de7sxk3rOvMq4R/9VPg6IqtYu/KdQkVTCqXRzbEprrcgnJi2\nwuNJSi6/VW82rhK8HXZpYGoT0MAtZ+9Jz8ropZsgrcBjzYWLRqTuG7NaLPoG7e+f\nblfDqg04Of/oxz2Bq2zwnzqjouRpxIRQgQ==\n-----END CERTIFICATE REQUEST-----",
"certificate_profile_name": "TLS Server Profile",
"end_entity_profile_name": "TLS Server Profile",
"certificate_authority_name": "MyPKISubCA-G1",
"username": "server",
"password": "foo123"
}' https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll
Note: Unnecessary use of -X or --request, POST is already inferred.

• Uses proxy env variable no_proxy == 'localhost,127.0.0.1,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,.intinfra.com,cz.intinfra.com,10.231.0.0/16'
• Trying 127.0.0.1...
• TCP_NODELAY set
• Connected to ejbca-node1 (127.0.0.1) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: ManagementCA.pem
  CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, [no content] (0):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Request CERT (13):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, [no content] (0):
• TLSv1.3 (OUT), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS handshake, [no content] (0):
• TLSv1.3 (OUT), TLS handshake, CERT verify (15):
• TLSv1.3 (OUT), TLS handshake, [no content] (0):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: UID=c-0uyt79oq9c2fldb3z; CN=ejbca-node1; O=EJBCA Container Quickstart
• start date: Jul 17 12:14:54 2023 GMT
• expire date: Jul 16 12:05:32 2025 GMT
• subjectAltName: host "ejbca-node1" matched cert's "ejbca-node1"
• issuer: UID=c-0uyt79oq9c2fldb3z; CN=ManagementCA; O=EJBCA Container Quickstart
• SSL certificate verify ok.
• TLSv1.3 (OUT), TLS app data, [no content] (0):

POST /ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll HTTP/1.1
Host: ejbca-node1
User-Agent: curl/7.61.1
Accept: /
Content-Type: application/json
Content-Length: 1329
Expect: 100-continue

• Empty reply from server
• Connection #0 to host ejbca-node1 left intact
  curl: (52) Empty reply from server

On tcpdump, I do see message is delivered.
On docker-compose logs -f: no log entry

Try to experiment a bit - send iwithout client cert -I do see logging
curl -X POST -vvv --cacert ManagementCA.pem -H 'Content-Type: application/json' --data '{
"certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC5TCCAc0CAQAwVDELMAkGA1UEBhMCU0UxHjAcBgNVBAoMFVByaW1lS2V5IFNv\nbHV0aW9ucyBBQjEOMAwGA1UECwwFSW5mcmExFTATBgNVBAMMDHByaW1la2V5LmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ03o7m+MBxtyYkmvZj\nsrASbn+xtCBnWFK3cAMRE+uDRZpUeU5pUNgEE7Ed5VbDLcigG1rxIFxa6b/akLzO\nXK8TXafhBZpBxev6x0CpRSrVm8/QS7v9cD8U6kJIIGCwqTJ5I1Cxvf5xAGLQf7AJ\n42Z3TrxVZKWPEwqZKgr4pd/yZSlYvLWPHu25LZeYEMh4T1vdxQFSxVwdgeas67HQ\nyG4uVWc0mfrvtJfx9QMaVtP9cY8xSVh2av9+xd6JDu8cQHw4X3RzR2/MJrY34pxF\n6/OavD4Mr2aFdC7SqkZmbwfb3xWXxPbP1+G97LVo1aC4BJrbUZUhrbilMFwPK3gf\ne+8CAwEAAaBMMEoGCSqGSIb3DQEJDjE9MDswCwYDVR0PBAQDAgWgMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBcGA1UdEQQQMA6CDHByaW1la2V5LmNvbTANBgkqhkiG9w0B\nAQsFAAOCAQEAsQyRaf79Ur9eU1n5QYpx7gH08h4ixnLAkAMXSPlkZtF6aHvv+neD\nBNEJ/+wQulghWfjuDJXgSwzd4Uoz1cXbXi16mXfOovqO/HdxQwvByoPg6rVTvskf\nv8iY0pYGZEGSo7iFM7xDPIbcNqISG6ZYSF+BtsctdoNL+QDrkwEsX3zbNJAW4T5p\nroW+jDJOoeX2iNa4de7sxk3rOvMq4R/9VPg6IqtYu/KdQkVTCqXRzbEprrcgnJi2\nwuNJSi6/VW82rhK8HXZpYGoT0MAtZ+9Jz8ropZsgrcBjzYWLRqTuG7NaLPoG7e+f\nblfDqg04Of/oxz2Bq2zwnzqjouRpxIRQgQ==\n-----END CERTIFICATE REQUEST-----",
"certificate_profile_name": "TLS Server Profile",
"end_entity_profile_name": "TLS Server Profile",
"certificate_authority_name": "MyPKISubCA-G1",
"username": "server",
"password": "foo123"
}' https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll
Note: Unnecessary use of -X or --request, POST is already inferred.

• Uses proxy env variable no_proxy == 'localhost,127.0.0.1,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,.intinfra.com,cz.intinfra.com,10.231.0.0/16'
• Trying 127.0.0.1...
• TCP_NODELAY set
• Connected to ejbca-node1 (127.0.0.1) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: ManagementCA.pem
  CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, [no content] (0):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Request CERT (13):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, [no content] (0):
• TLSv1.3 (OUT), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS handshake, [no content] (0):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: UID=c-0uyt79oq9c2fldb3z; CN=ejbca-node1; O=EJBCA Container Quickstart
• start date: Jul 17 12:14:54 2023 GMT
• expire date: Jul 16 12:05:32 2025 GMT
• subjectAltName: host "ejbca-node1" matched cert's "ejbca-node1"
• issuer: UID=c-0uyt79oq9c2fldb3z; CN=ManagementCA; O=EJBCA Container Quickstart
• SSL certificate verify ok.
• TLSv1.3 (OUT), TLS app data, [no content] (0):

POST /ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll HTTP/1.1
Host: ejbca-node1
User-Agent: curl/7.61.1
Accept: /
Content-Type: application/json
Content-Length: 1329
Expect: 100-continue

• TLSv1.3 (IN), TLS handshake, [no content] (0):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS app data, [no content] (0):
  < HTTP/1.1 100 Continue
• TLSv1.3 (OUT), TLS app data, [no content] (0):
• We are completely uploaded and fine
• TLSv1.3 (IN), TLS app data, [no content] (0):
  < HTTP/1.1 403 Forbidden
  < X-XSS-Protection: 1
  < X-Frame-Options: SAMEORIGIN
  < Content-Security-Policy: default-src https:
  < Date: Thu, 20 Jul 2023 09:10:13 GMT
  < Connection: keep-alive
  < X-Content-Type-Options: nosniff
  < Strict-Transport-Security: max-age=31536000
  < Content-Type: application/json
  < Content-Length: 108
  <
• Connection #0 to host ejbca-node1 left intact
  {"error_code":403,"error_message":"Error no client certificate or OAuth token received for authentication."}

logging:
ejbca | 2023-07-20 09:10:13,182+0000 INFO [org.ejbca.ui.web.rest.api.config.RestLoggingFilter] (default task-2) POST https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll received from 172.21.0.1 X-Forwarded-For: null

Any idea, why it is not working?

[kaitaklam]

I get it working, but now I got a reply:
{"error_code":403,"error_message":"Administrator is not authorized to resource /administrator. Msg: ."}
My client-certs lacks prmission.

[primetomas]

Client cert permissions is something you configure in "Roles" in EJBCA.

[kaitaklam]

You can close the issue. I have fixed issue by enabling the allow /administrator in the Role and allow the cert to use the role.

[primetomas]

Thanks.