cloudflare / certmgr

Automated certificate management using a CFSSL CA.
BSD 2-Clause "Simplified" License

cert: no CA file provided, won't write to disk #32

Closed jordiclariana closed 6 years ago

jordiclariana commented 6 years ago

After successfully configuring cfssl serve, I configured certmgr like this:

{
    "service": "nginx",
    "action": "restart",
    "request": {
        "CN": "www.example.net",
        "hosts": [
            "example.net",
            "www.example.net"
        ],
        "key": {
            "algo": "ecdsa",
            "size": 521
        },
        "names": [
            {
                "C": "US",
                "ST": "CA",
                "L": "San Francisco",
                "O": "Example, LLC"
            }
        ]
    },
    "private_key": {
        "path": "/etc/ssl/private/www.key",
        "mode": "0600"
    },
    "certificate": {
        "path": "/home/kyle/tmp/certmgr/certs/test1.pem"
    },
    "authority": {
        "remote": "localhost:8888",
        "auth_key": "0123456789ABCDEF0123456789ABCDEF",
        "profile": "server"
    }
}

All settings are correct, but when I try to exec this ./certmgr-linux-amd64-v1.4.2 check I get this message:

2017/11/09 15:28:21 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2017/11/09 15:28:21 [INFO] manager: loading certificates from/etc/certmgr.d
2017/11/09 15:28:21 [INFO] manager: loading spec from /etc/certmgr.d/test.json
2017/11/09 15:28:21 [INFO] cert: no CA file provided, won't write to disk
2017/11/09 15:28:21 [INFO] manager: watching 1 certificates
OK

After searching the code for cert: no CA file provided, won't write to disk I figured out that I have to include a "file": "<something>" in the authority section, but when I do I always get a format error:

Failed: json: cannot unmarshal string into Go struct field CA.file of type cert.File

This is not documented and I can't figure out what value I should set there. Is that really necessary?
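The unmarshal failure quoted above, reproduced as an added example that is not part of the original thread or certmgr's own code. The `File` and `CA` structs are hypothetical stand-ins, modelled on the object shape the spec uses for `private_key` and `certificate`; the auth key and CA path are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// File is a hypothetical stand-in for certmgr's cert.File, modelled on the
// object shape the spec above uses for "private_key" and "certificate".
type File struct {
	Path string `json:"path"`
	Mode string `json:"mode,omitempty"`
}

// CA is a hypothetical stand-in for the "authority" section of a spec.
type CA struct {
	Remote  string `json:"remote"`
	AuthKey string `json:"auth_key"`
	Profile string `json:"profile"`
	File    *File  `json:"file,omitempty"`
}

// decodeAuthority parses an "authority" object and, on a type mismatch,
// reports which JSON kind was supplied and for which field.
func decodeAuthority(raw string) (*CA, error) {
	var ca CA
	err := json.Unmarshal([]byte(raw), &ca)
	var typeErr *json.UnmarshalTypeError
	if errors.As(err, &typeErr) {
		return nil, fmt.Errorf("field %q: got JSON %s, want %s: %w",
			typeErr.Field, typeErr.Value, typeErr.Type, err)
	}
	if err != nil {
		return nil, err
	}
	return &ca, nil
}

func main() {
	// Constructed inputs: placeholder auth key and CA path.
	asString := `{"remote":"localhost:8888","auth_key":"<AUTH_KEY>","profile":"server","file":"/etc/ssl/ca.pem"}`
	asObject := `{"remote":"localhost:8888","auth_key":"<AUTH_KEY>","profile":"server","file":{"path":"/etc/ssl/ca.pem"}}`
	for _, in := range []string{asString, asObject} {
		ca, err := decodeAuthority(in)
		fmt.Println(ca != nil && ca.File != nil, err)
	}
}
```
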

kisom commented 6 years ago

You don't have to. It's an informational message, but it's poorly written (it won't write the CA file to disk, but it will write the certificate and key to disk). I'll release an update shortly.

kisom commented 6 years ago

Also, I have a PR underway with the README updated for this; it was an internal feature we were testing.

jordiclariana commented 6 years ago

Cool, thanks