Closed Alexis-M51 closed 2 years ago
I too have had problems piecing together how to install this without Docker on an Ubuntu install. So far, following Bolli84's progress from this thread https://github.com/LibreSign/libresign/issues/120, I get to:
Install go, java, build-essential, cfssl:
apt install build-essential git golang default-jre golang-cfssl
Create and switch to a directory outside the web root, e.g. /opt/nextcloud/libresign
Set perms to the web user and then install cfssl:
go get -u github.com/cloudflare/cfssl/cmd/cfssl
Create a cert request file: nano csr.json
Content: { "CN": "nextcloud", "names": [ { "C": "UK", "L": "UK", "O": "Us", "OU": "Them", "ST": "" } ] }
Create initial root keys from the request so we can start the service:
cfssl genkey -initca csr.json | cfssljson -bare ca
Move the certs/keys to a subdir /certs and then start the cfssl service:
cfssl serve -ca=/opt/nextcloud/libresign/cert/ca.pem -ca-key=/opt/nextcloud/libresign/cert/ca-key.pem -address=127.0.0.1 &
So cfssl is running on: http://127.0.0.1:8888
Config set to /opt/nextcloud/libresign
However, after the LibreSign settings are entered in the Nextcloud settings as above, I still get the 'Could not Generate Certificate' error.
What am I missing? Is the config path setting something else pointing back to the LibreSign app directory, or is there something further?
Seems close but not there yet.
Looks like the project has moved to GitLab https://gitlab.com/librecodecoop/libresign/libresign but there are no docs or wiki there either. Will see about registering there and trying to post again.
By searching the code I could see that it is necessary to add the configuration file to the server:
cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json
Also, I took in the configuration file what Nextcloud does,
but it still doesn't work for me.
@donty the settings page of LibreSign generates the config file for cfssl when you click on the "generate certificate" button.
PHP needs write permission on the cfssl config folder that you specified in Config path. Normally, changing the owner of the folder to www-data or the user used to run the HTTP server will allow it to write.
When PHP writes the config file, it is necessary to follow the instructions specified in the script https://github.com/LibreSign/libresign/blob/main/cfssl/entrypoint.sh; after this, the cfssl server will be up.
Immediately after PHP saves the config file, LibreSign will wait 1 second to check whether the cfssl server is up; if it isn't up, it will show an error and stop the config. No problem: run the instructions of entrypoint.sh and click again on "generate certificate".
@Alexis-M51 I believe you are getting this error because you are using an old version of the cfssl server on a setup without Docker. It works fine on version 1.6.1; this version is installed when setting up using the official cfssl image.
I believe that the error you are getting is when you click on generate certificate and LibreSign tries to do a GET to the health check URL of cfssl. Old versions of cfssl don't have this endpoint. https://github.com/cloudflare/cfssl/blob/master/doc/api/endpoint_health.txt
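The health probe described above, as an added example that is not LibreSign's or cfssl's own code: it performs the same GET on `<api base>/health` and separates the three outcomes seen in this thread (healthy JSON envelope, "404 page not found" from an old cfssl without the endpoint, and nothing listening on the configured address). The stub HTTP server is a constructed stand-in for `cfssl serve` so the probe can be exercised offline; the return labels are this example's own.

```python
"""Probe a cfssl server the way the LibreSign settings page does after it
writes the cfssl config: GET <api base>/health and classify the answer.
Added example; the stub below is a constructed stand-in for `cfssl serve`."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEALTH_PATH = "/api/v1/cfssl/health"


def check_cfssl_health(base_url: str, timeout: float = 1.0) -> str:
    """Classify the /health probe. base_url is the value entered in
    LibreSign, e.g. http://127.0.0.1:8888/api/v1/cfssl/.
    Returns 'healthy', 'unhealthy', 'no-health-endpoint',
    'unreachable' or 'bad-response' (labels chosen for this example)."""
    url = base_url.rstrip("/") + "/health"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # Old cfssl builds have no /health route and answer with a plain
        # "404 page not found" instead of the JSON envelope.
        return "no-health-endpoint" if exc.code == 404 else "bad-response"
    except (urllib.error.URLError, OSError):
        # Connection refused or timeout: nothing is listening on the
        # address and port LibreSign was told to use.
        return "unreachable"
    except ValueError:
        return "bad-response"
    # cfssl wraps every API reply as {"success", "result", "errors", "messages"}.
    if body.get("success") and isinstance(body.get("result"), dict):
        return "healthy" if body["result"].get("healthy") else "unhealthy"
    return "bad-response"


def start_stub_cfssl(has_health: bool) -> HTTPServer:
    """Constructed stand-in for cfssl on an ephemeral 127.0.0.1 port.
    has_health=False imitates an old build that lacks the endpoint."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the console quiet
            pass

        def do_GET(self):
            if has_health and self.path == HEALTH_PATH:
                payload = json.dumps({"success": True,
                                      "result": {"healthy": True},
                                      "errors": [], "messages": []}).encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_response(404)
                self.end_headers()
                self.wfile.write(b"404 page not found\n")

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against a real install, call `check_cfssl_health` with the exact API URL from the LibreSign settings page; anything other than `healthy` is the condition the "generate certificate" button reports as a failure.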
@Alexis-M51 Have you found a solution to work with CFSSL outside of Docker?
@Iwios no, I am no longer working on this project at the moment. I will resume in a few days and I will keep you posted.
@Alexis-M51 Thanks for your answer. How is it possible that Cloudflare doesn't write better docs for this product?
LibreSign seems to be a very good product, but using other software like CFSSL is more difficult to install without Docker.
I have tried with Docker, and it's not easier :/
@donty I'm having the same issues. Did you manage to get it working on the "generate certificate" error?
Hi @Iwios
I want to remove the dependency on CFSSL and replace it with OpenSSL, but I need to pay the engineers to do this.
Checklist:
settings > admin > LibreSign
. For example: chown www-data /cfssl/
/cfssl/
<domainOrIpOfCfssl>:<portWithNecessary>/api/v1/cfssl/health
settings > admin > LibreSign
and check on the Network tab of the developer tools of your browser to see if you receive any error message. At this time PHP will write the settings in the folder /cfssl/
and after that you will need to start the CFSSL server.
@vitormattos I'm also trying to install LibreSign on Nextcloud and I'm following this documentation https://gitlab.com/librecodecoop/libresign/libresign but without the Docker option.
I think I'm nearly there after this bit
@vitormattos Thank you very much for taking the time to try to help us.
This is what I did:
I have launched the command to generate my CA.
Generate server certificate:
{
"CN": "
And I get this output in my SSH console:
2021/11/19 09:42:33 [INFO] Initializing signer
2021/11/19 09:42:33 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/sign' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2021/11/19 09:42:33 [INFO] setting up key / CSR generator
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint
2021/11/19 09:42:33 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config)
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/info' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/gencrl' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/scan' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2021/11/19 09:42:33 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/bundle' endpoint
2021/11/19 09:42:33 [INFO] bundler API ready
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/init_ca' endpoint
2021/11/19 09:42:33 [INFO] Setting up '/' endpoint
2021/11/19 09:42:33 [WARNING] endpoint '/' is disabled: could not locate box "static"
2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2021/11/19 09:42:33 [INFO] Handler set up complete.
2021/11/19 09:42:33 [INFO] Now listening on 0.0.0.0:8888
Which step have I missed?
Is it returning an error for you?
I have an error on Nextcloud:
GET http://0.0.0.0:8888/api/v1/cfssl/health resulted in a 404 Not Found response: 404 page not found
It seems the cfssl API does not work, but why? This is what I am trying to understand, but this tool is not very easy to use.
I believe this is because the version of CFSSL that you are using doesn't have the endpoint /health.
When I start my CFSSL I see endpoint '/api/v1/cfssl/health' is enabled, look:
cfssl_1 | 2021/11/19 11:59:46 [INFO] Initializing signer
cfssl_1 | 2021/11/19 11:59:46 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/info' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] bundler API ready
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
cfssl_1 | 2021/11/19 11:59:46 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/health' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] setting up key / CSR generator
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
cfssl_1 | 2021/11/19 11:59:46 [INFO] Handler set up complete.
cfssl_1 | 2021/11/19 11:59:46 [INFO] Now listening on 0.0.0.0:8888
When I run cfssl version on my environment using the version of cfssl provided by the Docker image, I receive:
Version: 1.5.0
Runtime: go1.14.1
Looking at the code of CFSSL I see:
https://github.com/cloudflare/cfssl/blob/6dd12c2d4cf9471540566d3758ac744a4cdfd943/cli/serve/serve.go#L270-L286
If the endpoint doesn't exist, you won't see anything about /health; if it exists, you need to see either enabled or disabled.
The for iterates on:
https://github.com/cloudflare/cfssl/blob/6dd12c2d4cf9471540566d3758ac744a4cdfd943/cli/serve/serve.go#L252
Can you do a test using cfssl on a container?
My apologies.... I used an old cfssl version.... But with the right version it is still not OK :/
The problem now is when I type my password to sign I have an Internal error.
Ok, I have installed JSign 2.0 and in my Apache log I see an error (LibreSign wants to use JSign 1.6).
About the version of JSignPDF:
With JSignPDF 2.0 it won't work with this version because the success message of JSignPDF 2.0 is different from the 1.6 version.
LibreSign will use the default version of JSignPDF defined in the code, or, if you define the version to use in the configuration of LibreSign, it will use the version that you defined.
The version is defined by the path of the .jar file on this location:
If the return of the following command is empty, LibreSign will use the jar file located on the default path.
occ config:app:get libresign jsignpdf_jar_path
At this moment there isn't a frontend place to define the path of JSignPDF, and if you need to define another place you will need to run:
occ config:app:set libresign jsignpdf_jar_path --value=/the/new/path/JSignPDF.jar
I bumped the version of JSignPDF on the main branch only, and the next version of LibreSign will need version 2.0 of JSignPDF.
Did you receive success when you did a request to the endpoint /health?
To identify internal errors it is necessary to see the log of Nextcloud.
Can you check this?
You can find it in data/nextcloud.log
If you find an error message of LibreSign in nextcloud.log after you do the request that returned the internal error, share it here so I can check the message.
Finally I have decided to build a new Nextcloud test instance. With the right JSign and cfssl everything seems to be OK.
Thank you for all the information and for your time. I'm going to your Patreon :)
A last question: was the final file signed with a valid cert? Is it possible to sign the PDF with a CA recognized by computers (like Let's Encrypt)?
Yes, you can download the PDF and validate it locally. I recommend using the validation page.
If you define the validation URL in the settings of LibreSign, when the user signs the document it will write a footer on the PDF with a QR code and a URL of the validation page. You can use the suggestion to generate a small URL and a small QR code, or put in the URL field the full base path of the validation route (the path before the file uuid).
I don't understand. How can I sign the PDF locally on my computer?
No!
I said that you can sign using LibreSign and after that you can download the signed file and validate it in a PDF reader that can read signatures, for example Okular.
And I recommend defining the validation URL in settings > administration > LibreSign, because when a validation URL exists, LibreSign will put a footer on the PDF with a QR code and URL to validate the document.
It's a misunderstanding :)
I have signed my PDF with LibreSign and my auto-generated CA. Because the CA was mine, a warning appears on my PDF.
Like a self-signed certificate for a website, for example.
No problem! English isn't my primary language; maybe I explained it wrong.
Because of this problem I strongly recommend validating documents using the link in the footer of the signed PDF.
I think that this can be solved by implementing an OCSP server and putting the OCSP URL in the pfx file, but I need to validate this. CFSSL has an OCSP server.
Can you explain this?
"Because of this problem I strongly recommend validating documents using the link in the footer of the signed PDF."
@vitormattos
ubuntu@ip-172-31-27-129:~$ cfssl serve
2021/11/21 22:29:58 [INFO] Initializing signer
2021/11/21 22:29:58 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
2021/11/21 22:29:58 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/11/21 22:29:58 [WARNING] endpoint 'gencrl' is disabled: signer not initialized
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/certadd' is enabled
2021/11/21 22:29:58 [WARNING] endpoint 'sign' is disabled: signer not initialized
2021/11/21 22:29:58 [WARNING] endpoint 'crl' is disabled: signer not initialized
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2021/11/21 22:29:58 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2021/11/21 22:29:58 [WARNING] endpoint 'authsign' is disabled: signer not initialized
2021/11/21 22:29:58 [WARNING] endpoint 'info' is disabled: signer not initialized
2021/11/21 22:29:58 [WARNING] endpoint 'newcert' is disabled: signer not initialized
2021/11/21 22:29:58 [INFO] bundler API ready
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2021/11/21 22:29:58 [INFO] setting up key / CSR generator
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2021/11/21 22:29:58 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2021/11/21 22:29:58 [INFO] endpoint '/' is enabled
2021/11/21 22:29:58 [INFO] Handler set up complete.
2021/11/21 22:29:58 [INFO] Now listening on 127.0.0.1:8888
Can you help me find what I missed?
@upultfs your error comes from CFSSL, not from LibreSign.
Do you have a ca-key.pem in the directory where you launch the command cfssl serve?
@Iwios
Yes. I launch cfssl serve in /home/ubuntu and ca-key.pem was there in the same location.
@Iwios and I'm using
ubuntu@ip-172-31-27-129:~$ cfssl version
Version: 1.6.1
Runtime: go1.12.12
Try with this:
cfssl serve -address=127.0.0.1 -ca-key ca-key.pem -ca ca.pem -config config_server.json
Yes, it got up and running:
2021/11/21 23:28:05 [INFO] Initializing signer
2021/11/21 23:28:05 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/11/21 23:28:05 [INFO] endpoint '/' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2021/11/21 23:28:05 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/certadd' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2021/11/21 23:28:05 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2021/11/21 23:28:05 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2021/11/21 23:28:05 [INFO] setting up key / CSR generator
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2021/11/21 23:28:05 [INFO] bundler API ready
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2021/11/21 23:28:05 [INFO] Handler set up complete.
2021/11/21 23:28:05 [INFO] Now listening on 127.0.0.1:8888
Thanks for your help. config_server.json was in the wrong directory. Thanks heaps.
@Iwios One more thing. I'm using Apache. Are you on Apache? I'm trying to set up the validation page. Let me know if you have done this. Thank you.
No. I work with nginx.
At this time I haven't configured the validation page.
@Iwios Thanks for the quick reply and your help.
Hello, I went back to LibreSign. I managed to create a certificate; the problem is that I cannot create a password to sign the document and it asks me to contact the admin. I followed the above steps but nothing has worked; I even installed version 1.6.4.
You need to give more data to make it possible to help you.
What do you receive in the response of the API on the Network tab of the developer tools of your browser? What is the body of the response, and for which URL?
Did you check the Nextcloud log when you did the request? What can you see in the nextcloud.log file about LibreSign?
@vitormattos Here are the errors I have
in the error report of Nextcloud:
[no app in context] Warning: Host 127.0.1.1 was not connected to because it violates local access rules GET /index.php/core/preview?fileId=495&x=32&y=32 from 89.159.236.94 by pirouettor361 at 2021-11-23T08:10:51+00:00
on the network interface:
URL de la demande: https://''''''''''''/index.php/apps/libresign/api/0.1/account/signature Méthode de demande: POST Code d’état: 401 Unauthorized Adresse distante: ''''.''''.''.'':443 Stratégie de point d’accès: no-referrer
I also had this error there yesterday:
Error | PHP | Error: foreach() argument must be of type array|object, null given at /var/www/nextcloud/apps/libresign/lib/Controller/LibreSignFileController.php#99
Error | PHP | Error: Trying to access array offset on value of type null at /var/www/nextcloud/apps/libresign/lib/Db/FileUserMapper.php#104
Error | PHP | Error: Undefined array key "fileId" at /var/www/nextcloud/apps/libresign/lib/Db/FileUserMapper.php#104
The error in the Nextcloud log is not generated by LibreSign.
I checked the code on the row that you reported, but I can only think of one case that triggers this error: you defined the signers, removed them, and afterwards clicked on the link to sign the document. I will try to reproduce this case, prevent the error and return better feedback on the API.
Can you test submitting a new document, defining the signer and signing?
OK, it seems to work. Is it possible to try the server for the certificate on
There is an error that says the password is not good for signing, but it signs all the same.
Also, when I validate the document it tells me that the document is validated, but in the LibreSign interface it does not notice that the document is validated.
[no app in context] Warning: Host 127.0.1.1 was not connected to because it violates local access rules
GET /index.php/core/preview?fileId=1144&x=32&y=32 from 81.'''''''''' by p'''''''' at 2021-11-23T09:53:26+00:00
@Alexis-M51 Warning: you have a mistake in your local IP address for your API.
You listen on 127.0.1.1; it's wrong, try with 127.0.0.1.
Yes, I noticed that. I will make changes on my server and I will come back to tell you.
I pointed to the correct IP but the error appears with the new IP, which is 127.0.0.1.
Can you share the cfssl serve command you launch?
cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json
You launch your API on 0.0.0.0 and you tell LibreSign to listen for the API on 127.0.0.1.
Change your IP address in the cfssl command and put 127.0.0.1 in place of 0.0.0.0.
I have already done that. Maybe I have to redo a new certificate?
No. Just relaunch your cfssl serve command with the 127.0.0.1 IP address.
Check in your LibreSign config on Nextcloud that you have http://127.0.0.1:8888/api/v1/cfssl/
Yes, everything is good. I just noticed that it does not come from LibreSign: as soon as I create a file on Nextcloud it gives me my error, I do not know why.
Hello, I am trying to install LibreSign but I have a problem when I am in the settings of LibreSign to create a root certificate: it tells me it is impossible to create the certificate.
Could you help me?
Also, I have this error when I open the API links: {"success":false,"result":null,"errors":[{"code":405,"message":"Method is not allowed:\"GET\""}],"messages":[]}