Closed timowevel1 closed 3 years ago
Some questions to try to help:
Is the CFSSL service API working? Did you enter the API URL in the LibreSign settings? Are you setting up without containers?
Hey,
I am running cfssl inside docker on the same host now.
```
Creating cfssl_cfssl_1 ... done
Attaching to cfssl_cfssl_1
cfssl_1  | no csr_server.json or config_server.json detected!
```
Is there anything else I have to do?
What I would enter now is http://127.0.0.1:8888/api/v1/cfssl/ as the API URL. Is this correct?
I don't have Nextcloud running as Docker. I created the cfssl directory inside the nextcloud directory, where the docker-compose.yml is also located. Do I have to configure anything else?
I got it running on another server behind a reverse proxy. When I access http://cfssl.XXX.com/api/v1/cfssl/scaninfo I get
```json
{
  "success": true,
  "result": {
    "Broad": {
      "description": "Large scale scans of TLS hosts",
      "scanners": {
        "IntermediateCAs": {"description": "Scans a CIDR IP range for unknown Intermediate CAs"}
      }
    },
    "Connectivity": {
      "description": "Scans for basic connectivity with the host through DNS and TCP/TLS dials",
      "scanners": {
        "CloudFlareStatus": {"description": "Host is on CloudFlare"},
        "DNSLookup": {"description": "Host can be resolved through DNS"},
        "TCPDial": {"description": "Host accepts TCP connection"},
        "TLSDial": {"description": "Host can perform TLS handshake"}
      }
    },
    "PKI": {
      "description": "Scans for the Public Key Infrastructure",
      "scanners": {
        "ChainExpiration": {"description": "Host's chain hasn't expired and won't expire in the next 30 days"},
        "ChainValidation": {"description": "All certificates in host's chain are valid"},
        "MultipleCerts": {"description": "Host serves same certificate chain across all IPs"}
      }
    },
    "TLSHandshake": {
      "description": "Scans for host's SSL/TLS version and cipher suite negotiation",
      "scanners": {
        "CertsByCiphers": {"description": "Determines host's certificate signature algorithm matching client's accepted ciphers"},
        "CertsBySigAlgs": {"description": "Determines host's certificate signature algorithm matching client's accepted signature and hash algorithms"},
        "CipherSuite": {"description": "Determines host's cipher suites accepted and prefered order"},
        "ECCurves": {"description": "Determines the host's ec curve support for TLS 1.2"},
        "SigAlgs": {"description": "Determines host's accepted signature and hash algorithms"}
      }
    },
    "TLSSession": {
      "description": "Scans host's implementation of TLS session resumption using session tickets/session IDs",
      "scanners": {
        "SessionResume": {"description": "Host is able to resume sessions across all addresses"}
      }
    }
  },
  "errors": [],
  "messages": []
}
```
But when I use the same URL in Nextcloud without the scaninfo, I get the error that it cannot be generated.
The API URL in LibreSign settings in your case should be: http://cfssl.XXX.com/api/v1/cfssl/
Yes of course, it is.
I checked the Nextcloud logs:
```
{"Exception":"Error","Message":"file_put_contents(/cfssl/csr_server.json): failed to open stream: No such file or directory at ....
"message":{"Exception":"Error","Message":"file_put_contents(/cfssl/csr_server.json): failed to open stream: No such file or directory at /home/ctrlalt/centralhub/apps/libresign/lib/Handler/CfsslServerHandler.php#53","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/home/ctrlalt/centralhub/apps/libresign/lib/Handler/CfsslServerHandler.php","line":53,"function":"file_put_c
```
Did I miss any steps? Nextcloud is in /home/nextlcoud. cfssl is running on another host behind a reverse proxy. I enter the CFSSL API URL in Nextcloud, but should there be any steps before that?
To pass this step, set a path for CFSSL that the Nextcloud HTTP service user has write permission to.
LibreSign will write the CFSSL configuration files in the folder you enter.
You can enter any folder. This folder is just for storing the CFSSL service configuration files.
When executed via container, this entrypoint is used for the CFSSL service:
https://github.com/LibreSign/libresign/blob/main/cfssl/entrypoint.sh
This entrypoint uses the configuration files that are saved by LibreSign in this folder. You can use the same json files on your server.
It is really weird. The server_config and csr files get generated, but I still get the error that the cert cannot be generated. No error message inside the log.
CFSSL API needs to be accessible by Nextcloud server.
What does that mean? I entered http://cfssl.cityofglacol.com/api/v1/cfssl/ there. You can check it, it should be working http://cfssl.cityofglacol.com/api/v1/cfssl/scaninfo.
I am running cfssl with `cfssl serve -address=77.68.114.37`
Thank you for helping me!
The flow after saving LibreSign settings is:
I believe that following the .sh steps should work correctly.
I generated them manually with the entrypoint.sh. Can I just paste them into the cfssl folder?
The folder is only used by the entrypoint to get the configuration files; after saving, it is no longer necessary.
In the flow with Docker the CFSSL service entrypoint.sh file reads these files and starts the API.
Running the service without a container, if the CFSSL API is up and the health endpoint is responding successfully, saving the LibreSign settings should succeed.
What is the URL to the health endpoint?
Because in my cfssl console it doesn't say that a health endpoint is spun up.
In your environment it should be http://cfssl.cityofglacol.com/api/v1/cfssl/health
```
2021/06/05 18:20:22 [INFO] Initializing signer
2021/06/05 18:20:22 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
2021/06/05 18:20:22 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/sign' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/sign' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint
2021/06/05 18:20:22 [INFO] Setting up '/' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/' is disabled: could not locate box "static"
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/authsign' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/info' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/info' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/gencrl' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/gencrl' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/bundle' endpoint
2021/06/05 18:20:22 [INFO] bundler API ready
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2021/06/05 18:20:22 [INFO] setting up key / CSR generator
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/init_ca' endpoint
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/scan' endpoint
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/newcert' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config)
2021/06/05 18:20:22 [INFO] Handler set up complete.
2021/06/05 18:20:22 [INFO] Now listening on 77.68.114.37:8888
```
I saw that you got a warning:
Unknown private key error
Did you correctly generate the cfssl server keys?
```shell
cfssl genkey -initca=true csr_server.json | cfssljson -bare ca;
```
After running this command with the correct path to the configuration file, you should see the file:
`ca-key.pem`
After this you should start the CFSSL server:
```shell
cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json
```
If you prefer, you can set another IP address.
The `/health` endpoint needs to be accessed by the Nextcloud server, returning success.
```
2021/06/05 19:09:07 [INFO] Initializing signer
2021/06/05 19:09:07 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
```
Health endpoint still not working, I am getting desperate.
Is this log from the cfssl service?
Did you manage to generate the pem file? Are the arguments to start the cfssl service correct?
Yes, I got it running. But the health endpoint still wasn't working. Yes, this was the cfssl output.
Doesn't work when accessed from anywhere?
Try putting 0.0.0.0 in the address.
It appears that the pem file (ca-key and ca arguments) is not in the correct location or the config file is not found.
In the repository of the CFSSL project they might have information that could help.
All files are in the folder where I executed the command. I will take a look.
Enabled debug mode.
```
2021/06/05 21:46:35 [DEBUG] loading configuration file from config_server.json
2021/06/05 21:46:35 [DEBUG] no default given: using default config
2021/06/05 21:46:35 [DEBUG] parse expiry in profile
2021/06/05 21:46:35 [DEBUG] expiry is valid
2021/06/05 21:46:35 [DEBUG] match auth key in profile to auth_keys section
2021/06/05 21:46:35 [DEBUG] validating configuration
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] configuration ok
2021/06/05 21:46:35 [INFO] Initializing signer
2021/06/05 21:46:35 [DEBUG] validating configuration
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] Loading CA: ca.pem
2021/06/05 21:46:35 [DEBUG] Loading CA key: ca-key.pem
2021/06/05 21:46:35 [DEBUG] validating configuration
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] validate local profile
2021/06/05 21:46:35 [DEBUG] profile is valid
2021/06/05 21:46:35 [DEBUG] Loading issuer cert: ca.pem
2021/06/05 21:46:35 [DEBUG] Loading responder cert:
2021/06/05 21:46:35 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/06/05 21:46:35 [INFO] Setting up '/' endpoint
2021/06/05 21:46:35 [WARNING] endpoint '/' is disabled: could not locate box "static"
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2021/06/05 21:46:35 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/info' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/gencrl' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/scan' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/sign' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/bundle' endpoint
2021/06/05 21:46:35 [DEBUG] parsing root certificates from PEM
2021/06/05 21:46:35 [DEBUG] parse intermediate certificates from PEM
2021/06/05 21:46:35 [DEBUG] building certificate pools
2021/06/05 21:46:35 [DEBUG] bundler set up
2021/06/05 21:46:35 [INFO] bundler API ready
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2021/06/05 21:46:35 [INFO] setting up key / CSR generator
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/init_ca' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint
2021/06/05 21:46:35 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint
2021/06/05 21:46:35 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config)
2021/06/05 21:46:35 [INFO] Handler set up complete.
2021/06/05 21:46:35 [INFO] Now listening on 0.0.0.0:8888
```
And can't access the API on port 8888?
I can, but as you can see from the output, the health endpoint doesn't get spun up.
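To read a `cfssl serve` startup log like the ones pasted in this thread and see at a glance why the LibreSign health check fails, here is an added Python example (not part of the thread, nor of LibreSign or CFSSL). It assumes the log line formats visible above ("Setting up '...' endpoint", "endpoint '...' is disabled: ...", "Now listening on ..."); the sample log is a constructed excerpt in that format.

```python
import re

# Constructed sample in the format of the `cfssl serve` startup output quoted
# in this thread (a short excerpt, not the full log).
SAMPLE_LOG = """\
2021/06/05 18:20:22 [INFO] Initializing signer
2021/06/05 18:20:22 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/sign' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/sign' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint
2021/06/05 18:20:22 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2021/06/05 18:20:22 [WARNING] endpoint '/api/v1/cfssl/newcert' is disabled: signer not initialized
2021/06/05 18:20:22 [INFO] Handler set up complete.
2021/06/05 18:20:22 [INFO] Now listening on 77.68.114.37:8888
"""

# Patterns assume the line formats shown in the thread's logs.
SETUP_RE = re.compile(r"\[INFO\] Setting up '([^']+)'")
DISABLED_RE = re.compile(r"\[WARNING\] endpoint '([^']+)' is disabled: (.+)$")
LISTEN_RE = re.compile(r"\[INFO\] Now listening on (\S+)$")
SIGNER_FAIL_RE = re.compile(r"couldn't initialize signer: (.+)$")


def parse_startup_log(text):
    """Return live endpoints, disabled endpoints (with reason), bind address, signer error."""
    configured, disabled, listen, signer_error = set(), {}, None, None
    for line in text.splitlines():
        if m := SETUP_RE.search(line):
            configured.add(m.group(1))
        elif m := DISABLED_RE.search(line):
            disabled[m.group(1)] = m.group(2)
        elif m := LISTEN_RE.search(line):
            listen = m.group(1)
        elif m := SIGNER_FAIL_RE.search(line):
            signer_error = m.group(1)
    return {"live": sorted(configured - set(disabled)), "disabled": disabled,
            "listen": listen, "signer_error": signer_error}


def diagnose(summary):
    """Findings a LibreSign admin can act on, derived from the parsed log."""
    findings = []
    if summary["signer_error"]:
        findings.append("signer failed (check -ca/-ca-key paths): " + summary["signer_error"])
    if "/api/v1/cfssl/health" not in summary["live"]:
        findings.append("/api/v1/cfssl/health is not served, so LibreSign's health check cannot succeed")
    host = (summary["listen"] or "").rsplit(":", 1)[0]
    if host not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append("API bound to %r: reachable beyond loopback, limit it to the Nextcloud host" % host)
    return findings
```

Run `diagnose(parse_startup_log(SAMPLE_LOG))` on the sample to get three findings; feed it the 21:46 log above and only the missing health endpoint and the 0.0.0.0 bind remain.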
Task closed for not having had any interactions in the last few days.
Hey!
I know, a stupid question, but I really don't get it running. I am currently setting up cfssl and it tells me it runs on port 8888. When I try to use it in Nextcloud to generate the root certificate, it doesn't work. When I do curl locally and try to output what's behind that, I get "404 not found". Maybe there is a comprehensive setup guide somewhere?
Thank you.