Help to install Libresign on nexcloud without docker

[Alexis-M51]

Hello I am trying to install libresign but I have a problem when I am in the settings of libresign to create a root certificate, it tells me impossible to create the certificate.

Could you help me?

also I have this error when I open the API links {"success":false,"result":null,"errors":[{"code":405,"message":"Method is not allowed:\"GET\""}],"messages":[]}

[donty]

I too have had problems piecing together how to install this without docker on an Ubuntu install. So far following Bolli84 progress from this thread https://github.com/LibreSign/libresign/issues/120 I get to:

Install go, java, build-essential, cfssl
apt install build-essential git golang default-jre golang-cfssl

Create and switch to a directory outside the web root eg: /opt/nextcloud/libresign

Set perms to web user and then install cfssl go get -u github.com/cloudflare/cfssl/cmd/cfssl

Create a Cert Request file: nano csr.json

Content: { "CN": "nextcloud", "names": [ { "C": "UK", "L": "UK", "O": "Us", "OU": "Them", "ST": "" } ] }

Create initial root keys from the request so we can start service cfssl genkey -initca csr.json | cfssljson -bare ca

Move the certs/keys to a subdir /certs and then start the cfssl service cfssl serve -ca=/opt/nextcloud/libresign/cert/ca.pem -ca-key=/opt/nextcloud/libresign/cert/ca-key.pem -address=127.0.0.1&

So cfssl is running on: http://127.0.0.1:8888

config set to /opt/nextcloud/libresign

However after the Libresign settings are entered on Nextcloud settings as above I still get the 'Could not Generate Certificate' error.

What am I missing? Is the config path setting something else pointing back to the Libresign app directory or is there something further?

Seems close but not there yet.

Look like the project has moved to gitlabs https://gitlab.com/librecodecoop/libresign/libresign but no docs or wiki there either. Will see about registering there and trying to post again.

[Alexis-M51]

by searching the code I could see that it is necessary to add the configuration file to the server

cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json

also I took in configuration file what nexcloud does

but it still doesn't work for me

[vitormattos]

@donty the setting page of LibreSign generate the config file to cfssl when you click on "generate certificate" button.

The PHP need write permission on cfssl config folder that you specified on Config path. Normally changing the owner of folder to www-data or the user used to run http server, you will give success to write.

When PHP write the config file, is necessary follow the instructions specified on script https://github.com/LibreSign/libresign/blob/main/cfssl/entrypoint.sh, after this, the cfssl server will be up.

Immediately after the PHP save the config file, the LibreSign will wait 1 second to check with cfssl server is up, if isn't up, will show error and stop config. No problem, run the instructions of entrypoint.sh and click again on "generate certificate".

@Alexis-M51 I believe you are getting this error because you are using a old version of cfssl server on setup without docker. Work fine on version 1.6.1, this version is installed when setup using the official cfssl image.

I believe that the error you are getting is on you click on generate certificate and the LibreSign try to do a get to health check url of cfssl. Old versions of cfssl don't have this endpoint. https://github.com/cloudflare/cfssl/blob/master/doc/api/endpoint_health.txt

[Iwios]

@Alexis-M51 Have you find a solution to work with CFSSL outside of docker ?

[Alexis-M51]

@Iwios no, I am no longer working on this project at the moment I will resume in a few days and I will keep you posted

[Iwios]

@Alexis-M51 Thank for tour answer. How it's possible cloudflare doesn't write a better doc for this product.

Libresign seems to be a very good product but using another software like CFSSL more difficult to install without Docker.

I have try with Docker, and it's not more easy :/

[upultfs]

@donty I'm having the same issues did you manage to get work on the "generate certificate" error?

[vitormattos]

Hi @Iwios

I want to remove the dependency from CFSSL and replace by OpenSSL but I need pay the engineers to do this.

Checklist:

• LibreSign have access to write on path that you want to put the CFSSL config file. You can define the path on settings > admin > LibreSign. For example: chown www-data /cfssl/
• Check if the setup of CFSSL follow the steps described on this file https://github.com/LibreSign/libresign/blob/main/cfssl/entrypoint.sh Attention: The user of PHP need have write permission on folder /cfssl/
• Check the version of CFSSL is >= 1.6.1, if not, don't will work.
• Start CFSSL server
• Check if CFSSL is up doing a request to health endpoint <domainOrIpOfCfssl>:<portWithNecessary>/api/v1/cfssl/health
• click on "Generate certificate" on settings > admin > LibreSign and check on tab Network on developer tools of your browser to see if you will receive any error message. At this time the PHP will write the settings on folder /cfssl/ and after you will need start the CFSSL server

[upultfs]

@vitormattos I'm also trying to try to install Libresign on Nextcloud and I'm following this documentation https://gitlab.com/librecodecoop/libresign/libresign but without Docker option.

• And I did the same @donty and got CFSLL run on http://127.0.0.1:8888
• I used to install CFSSL prebuilt binaries that are available (https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64)
• And did this click on "Generate Certificate" on settings > admin > LibreSign and setting got in /cfssl?/ too.
• Validation page: I'm using apache do you have directives for apache?

I think I'm nearly there after this bit

[Iwios]

@vitormattos Thanks you very much to take time to try to help us.

This is what I make :

1. I have install cfssl with this commands :

• apt install build-essential
• apt install golang-go
• apt install git
• go get -u github.com/cloudflare/cfssl/cmd/...
• apt-get install golang-cfssl

2. I have generate basi files :

• cfssl print-defaults config > ca-config.json
• cfssl print-defaults csr > ca-csr.json

3. I have launched the command to generate my CA

   • cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

4. Generate Server certificate :

   • nano csr.json
   • I pull in this file this lines (I change CN and host with the FQDN of my Nextcloud):

{ "CN": "-.", "hosts": [ "-." ], "key": { "algo": "rsa", "size": 2048 } }

• cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json |cfssljson -bare server
• cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json

And I have this return in my ssh console:

2021/11/19 09:42:33 [INFO] Initializing signer 2021/11/19 09:42:33 [WARNING] couldn't initialize ocsp signer: open : no such file or directory 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/sign' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint 2021/11/19 09:42:33 [INFO] setting up key / CSR generator 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint 2021/11/19 09:42:33 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config) 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/info' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/gencrl' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/scan' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint 2021/11/19 09:42:33 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/bundle' endpoint 2021/11/19 09:42:33 [INFO] bundler API ready 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/init_ca' endpoint 2021/11/19 09:42:33 [INFO] Setting up '/' endpoint 2021/11/19 09:42:33 [WARNING] endpoint '/' is disabled: could not locate box "static" 2021/11/19 09:42:33 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint 2021/11/19 09:42:33 [INFO] Handler set up complete. 2021/11/19 09:42:33 [INFO] Now listening on 0.0.0.0:8888

Which step I have missed ?

[vitormattos]

Is it returning an error for you?

[Iwios]

I have an error on nextcloud: GET http://0.0.0.0:8888/api/v1/cfssl/healthresulted in a404 Not Found` response:404 page not found

It's seem cfssl API not work, but why ? this is what I can to try to understand but this tools was not very easy to use

[vitormattos]

I believe this is because the version of CFSSL that you are using don't have the endpoint /health

When I start my CFSSL I see endpoint '/api/v1/cfssl/health' is enabled, look:

cfssl_1      | 2021/11/19 11:59:46 [INFO] Initializing signer
cfssl_1      | 2021/11/19 11:59:46 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/info' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] bundler API ready
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
cfssl_1      | 2021/11/19 11:59:46 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/health' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] setting up key / CSR generator
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
cfssl_1      | 2021/11/19 11:59:46 [INFO] Handler set up complete.
cfssl_1      | 2021/11/19 11:59:46 [INFO] Now listening on 0.0.0.0:8888

When I run cfssl version on my environment using the version of cfssl provided by Docker image, I receive:

Version: 1.5.0
Runtime: go1.14.1

Looking the code of CFSSL I see: https://github.com/cloudflare/cfssl/blob/6dd12c2d4cf9471540566d3758ac744a4cdfd943/cli/serve/serve.go#L270-L286 If the endpoint don't exists, you don't will see anything about /health, if exists, you need see or enabled or disabled.

The for iterate on: https://github.com/cloudflare/cfssl/blob/6dd12c2d4cf9471540566d3758ac744a4cdfd943/cli/serve/serve.go#L252

Can you do a test using cfssl on a container?

[Iwios]

My apologize.... I used an old cfssl version.... But with the good version is not OK :/

The problem now is when I type my password to sign I have an Internal error.

[Iwios]

Ok, I have installed Jsign2.0 and in my apache log I see an error (Libresign want use Jsign1.6)

[vitormattos]

About version of JSignPDF:

With JSignPDF 2.0 don't will work with this version because the success message of JSignPDF 2.0 is different of 1.6 versoin.

LibreSign will use the default version of JSignPDF defined on code or if you define the version to use on configuration of LibreSign, Will use the version that you defined.

The version is defined by path of .jar file on this location:

https://github.com/LibreSign/libresign/blob/edd1498aa9d677b7189ab590309b216bbf9ae4bd/lib/Handler/JSignPdfHandler.php#L50

If the return of follow command is empty, LibreSign will use the jar file located on default path.

occ config:app:get libresign jsignpdf_jar_path

At this moment don't exist a frontend place to define the path of JSignPDF and if you need define other place you will need run:

occ config:app:set libresign jsignpdf_jar_path --value=/the/new/path/JSignPDF.jar

I bumped the version of JSignPDF on main branch only and the next version of LibreSign will need the version 2.0 of JSignPDF.

[vitormattos]

You received success when do a request to endpoint /health ?

[vitormattos]

To identify internal errors is necessary see the log of Nextcloud.

Can you check this?

You can found on data/nextcloud.log

If you find an error message of LibreSign on nextcloud.log after you do the request that returned internal error, share here to I check the message.

[Iwios]

Finally I have decided to buil a new nextcloud test instance. With the rights Jsign and cfssl everything seems to be ok.

Thank you for all information and for you time. I'm going to your patreon :)

A last question : The final was signed with a valid cert ? It's possible to sign the pdf with a CA recognized by coputer (like let's encrypt )?

[vitormattos]

Yes, you can download the PDF and validate locally. I recommend to use the validation page.

If you define the validation URL on settings of LibreSign, when the user sign the document will write a footer on the PDF with a qrcode and an url of validation page. You can use the suggestion to generate a small url and a small qrcode or put on URL field the full base path of validation route. (the path before file uuid)

[Iwios]

I d'ont udenrstand. How I can sign the pdf locally on my computer ?

[vitormattos]

No!

I did that you can sign using the LibreSign and after you can download the signed file and validate on a PDF reader that can read signatures, for example Okular

And I recommend to define the validation URL on settings > administration > LibreSign because when exist a validation URL, the LibreSign will put a footer on PDF with qrcode and URL to validate the document.

[Iwios]

It's a misunderstood :)

I have sign my PDF with libresign and my CA autogenerate. Because the CA was mine, on my pdf a warning appear.

Like an autosign certificate for a wesite for example

[vitormattos]

No problem! English isn't my primary language, maybe I explained wrong.

Because this problem I strong recommend to validate documents using the link on footer of signed PDF.

I think that this can be solved implementing a OCSP server and put the OCSP URL on pfx file, but I need validate. The CFSSL have OCSP server.

[Iwios]

Can you explain this ?

Because this problem I strong recommend to validate documents using the link on footer of signed PDF.`

[upultfs]

@vitormattos

ubuntu@ip-172-31-27-129:~$ cfssl serve 2021/11/21 22:29:58 [INFO] Initializing signer 2021/11/21 22:29:58 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"} 2021/11/21 22:29:58 [WARNING] couldn't initialize ocsp signer: open : no such file or directory 2021/11/21 22:29:58 [WARNING] endpoint 'gencrl' is disabled: signer not initialized 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/scan' is enabled 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/certadd' is enabled 2021/11/21 22:29:58 [WARNING] endpoint 'sign' is disabled: signer not initialized 2021/11/21 22:29:58 [WARNING] endpoint 'crl' is disabled: signer not initialized 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled 2021/11/21 22:29:58 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config) 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/health' is enabled 2021/11/21 22:29:58 [WARNING] endpoint 'authsign' is disabled: signer not initialized 2021/11/21 22:29:58 [WARNING] endpoint 'info' is disabled: signer not initialized 2021/11/21 22:29:58 [WARNING] endpoint 'newcert' is disabled: signer not initialized 2021/11/21 22:29:58 [INFO] bundler API ready 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled 2021/11/21 22:29:58 [INFO] setting up key / CSR generator 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled 2021/11/21 22:29:58 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled 2021/11/21 22:29:58 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized 2021/11/21 22:29:58 [INFO] endpoint '/' is enabled 2021/11/21 22:29:58 [INFO] Handler set up complete. 2021/11/21 22:29:58 [INFO] Now listening on 127.0.0.1:8888

can you help me to find what I missed

[Iwios]

@upultfs your error come from CFSSL not from libresign.

Have you a ca-key.pem in the directory where you launch the command : cfssl serve ?

[upultfs]

@Iwios

Yes. I launch cfssl serve on (/home/ubuntu) and ca-key.pem was there in the same location

[upultfs]

@Iwios and i'm using

ubuntu@ip-172-31-27-129:~$ cfssl version Version: 1.6.1 Runtime: go1.12.12

[Iwios]

@Iwios

Yes. I launch cfssl serve on (/home/ubuntu) and ca-key.pem was there in the same location

Try with this :

​cfssl serve -address=127.0.0.1 -ca-key ca-key.pem -ca ca.pem -config config_server.json

[upultfs]

Yes. got up and run

2021/11/21 23:28:05 [INFO] Initializing signer 2021/11/21 23:28:05 [WARNING] couldn't initialize ocsp signer: open : no such file or directory 2021/11/21 23:28:05 [INFO] endpoint '/' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/sign' is enabled 2021/11/21 23:28:05 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config) 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/certadd' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled 2021/11/21 23:28:05 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized 2021/11/21 23:28:05 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config) 2021/11/21 23:28:05 [INFO] setting up key / CSR generator 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/health' is enabled 2021/11/21 23:28:05 [INFO] bundler API ready 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/scan' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/info' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled 2021/11/21 23:28:05 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled 2021/11/21 23:28:05 [INFO] Handler set up complete. 2021/11/21 23:28:05 [INFO] Now listening on 127.0.0.1:8888

thanks for your help. config_server.json in the wrong directory. thanks heaps

[upultfs]

@Iwios One more help. I'm using apache. are you on apache? I'm trying to set up the Validation page. let me know if you have done this. thank you

[Iwios]

No. I work with nginx.

AT this Time i haven't configured thé validation page.

[upultfs]

@Iwios Thanks for quick replay and your help

[Alexis-M51]

hello, I went back to libreign I managed to create a certificate the problem is that I cannot create a password to sign the document and it asks me to contact the admin, I followed the above steps but nothing has done I even installed version 1.6.4

[vitormattos]

You need give more data make possible help you.

What you receive on response of the API on network tap of developer tools of your browser? What is the body of response and for that URL?

You checked the Nextcloud log when u do the request? What can you see on nextcloud.log file about the LibreSign?

[Alexis-M51]

@vitormattos Here are the errors I have

on the error report of nextcloud: [no app in context] Warning: Host 127.0.1.1 was not connected to because it violates local access rules GET /index.php/core/preview?fileId=495&x=32&y=32 from 89.159.236.94 by pirouettor361 at 2021-11-23T08:10:51+00:00

on the network interface:

URL de la demande: https://''''''''''''/index.php/apps/libresign/api/0.1/account/signature Méthode de demande: POST Code d’état: 401 Unauthorized Adresse distante: ''''.''''.''.'':443 Stratégie de point d’accès: no-referrer

I also had this error there yesterday:

Error | PHP | Error: foreach() argument must be of type array|object, null given at /var/www/nextcloud/apps/libresign/lib/Controller/LibreSignFileController.php#99

Error | PHP | Error: Trying to access array offset on value of type null at /var/www/nextcloud/apps/libresign/lib/Db/FileUserMapper.php#104 |

Error | PHP | Error: Undefined array key "fileId" at /var/www/nextcloud/apps/libresign/lib/Db/FileUserMapper.php#104

[vitormattos]

The error on Nextcloud log don't is generated by LibreSign.

I checked the code on row that you informed but I only think on a case to trigger this error: you defined the signers, removed and after, clicked on link to sign the document. I will try to reproduce this case, prevent the error and return a best feedback on api.

Can you test to submit a new document, define the signer and sign?

[Alexis-M51]

ok, it seems to work, is it possible to try the server for the certificate on

[Alexis-M51]

there is an error that says the password is not good for signing, but it signs as the same

[Alexis-M51]

also when i validate the document it tells me that the document is validated but in the libresign interface it does not notice that the document is validated

[no app in context] Warning: Host 127.0.1.1 was not connected to because it violates local access rules

GET /index.php/core/preview?fileId=1144&x=32&y=32 from 81.'''''''''' by p'''''''' at 2021-11-23T09:53:26+00:00

[Iwios]

@Alexis-M51 Warning you have a mistake in your local IP address for your API.

You listen on 127.0.1.1 it's wrong, try with 127.0.0.1

[Alexis-M51]

yes I noticed that, I will make changes on my server and I will come back to tell you

[Alexis-M51]

I pointed with the correct ip but the error appears with the new ip which is 127.0.0.1

[Iwios]

Can you share the cfssl serve command you launch?

[Alexis-M51]

cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json

[Iwios]

cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json

You launch tour API on 0.0.0.0 and you tell to libresign to listen for API on 127.0.0.1.

Change your IP adress on cfssl command and put 127.0.0.1 in place of 0.0.0.0

[Alexis-M51]

I have already done them maybe I have to redo a new certificate?

[Iwios]

I have already done them maybe I have to redo a new certificate?

No. Juste relaunch yoir cfssl serve command with th 127.0.0.1 IP adress.

Chexk on your libresign config on Nextcloud you have http://127.0.0.1:8888/api/v1/cfssl/

[Alexis-M51]

yes everything is good, I just noticed that it does not come from libreign, as soon as I make a file on nextcloud it gives me my error, I do not know why