Closed Roydon closed 4 years ago
I am getting

```
endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
```

in CFSSL logs.

I followed tutorial part1 & part2 for setting up CFSSL using v1.4.1.
Dockerfile :
```dockerfile
FROM golang:1.13.3@sha256:6a693fbaba7dd8d816f6afce049fb92b280c588e0a677c4c8db26645e613fc15

COPY ./cfssl /cfssl
WORKDIR /cfssl
RUN git clone https://github.com/cloudflare/cfssl_trust.git /etc/cfssl && \
    make clean && \
    make bin/rice && ./bin/rice embed-go -i=./cli/serve && \
    make all && cp bin/* /usr/bin/

EXPOSE 8888 8889

ENTRYPOINT ["cfssl"]
CMD ["serve", \
     "-db-config=/config/db-connect.json", \
     "-ca=/cert/server.pem", \
     "-ca-key=/cert/server-key.pem", \
     "-config=/config/config.json", \
     "-responder=/cert/ocsp.pem", \
     "-responder-key=/cert/ocsp-key.pem", \
     "-address=0.0.0.0"]
```
config.json :
```json
{
  "signing": {
    "default": {
      "auth_key": "key1",
      "ocsp_url": "http://localhost:8889",
      "crl_url": "http://localhost:8888/crl",
      "expiry": "26280h"
    },
    "profiles": {
      "intermediate": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "cert sign", "crl sign"],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "ocsp": {
        "auth_key": "key1",
        "usages": ["digital signature", "ocsp signing"],
        "expiry": "26280h"
      },
      "CA": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth", "cert sign", "crl sign"]
      },
      "server": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "client auth", "email protection"]
      }
    }
  },
  "auth_keys": {
    "key1": {
      "key": "3e6cb001c374c886fe61a276ecbb72ff",
      "type": "standard"
    }
  }
}
```
This is what I see in the log file
```
2020/04/14 19:23:25 [INFO] Initializing signer
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/ocspsign' is enabled
2020/04/14 19:23:25 [INFO] setting up key / CSR generator
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2020/04/14 19:23:25 [INFO] bundler API ready
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2020/04/14 19:23:25 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2020/04/14 19:23:25 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2020/04/14 19:23:25 [INFO] Handler set up complete.
2020/04/14 19:23:25 [INFO] Now listening on 0.0.0.0:8888
```
How did you manage to resolve this?
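Added example, not part of the issue thread and not CFSSL's own code: CFSSL's plain `sign` endpoint only serves profiles that have no `auth_key`, and `authsign` serves those that do, so a config that sets `auth_key` on the default and on every profile produces exactly the log above (`sign` disabled, `authsign` enabled). The sketch below applies that rule to a config file; the function name `endpointStatus` and the two trimmed sample configs are constructed for illustration, and it assumes a profile requires authentication exactly when its own `auth_key` is non-empty.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// profile holds the only field this check needs from a CFSSL signing profile.
type profile struct {
	AuthKey string `json:"auth_key"`
}

type signingConfig struct {
	Signing struct {
		Default  profile            `json:"default"`
		Profiles map[string]profile `json:"profiles"`
	} `json:"signing"`
}

// endpointStatus reports whether the unauthenticated "sign" endpoint and the
// authenticated "authsign" endpoint would have any profile to serve.
// Assumption: a profile requires authentication exactly when its own
// auth_key is non-empty (remote signers are not modelled).
func endpointStatus(raw []byte) (sign, authsign bool, err error) {
	var c signingConfig
	if err = json.Unmarshal(raw, &c); err != nil {
		return false, false, err
	}
	all := []profile{c.Signing.Default}
	for _, p := range c.Signing.Profiles {
		all = append(all, p)
	}
	for _, p := range all {
		if p.AuthKey == "" {
			sign = true // at least one profile is open to plain sign
		} else {
			authsign = true // at least one profile needs an authenticated request
		}
	}
	return sign, authsign, nil
}

// Constructed sample configs, trimmed to the relevant fields.
const allAuth = `{"signing":{"default":{"auth_key":"key1"},"profiles":{"server":{"auth_key":"key1"}}}}`
const mixed = `{"signing":{"default":{"expiry":"8760h"},"profiles":{"server":{"auth_key":"key1"}}}}`

func main() {
	for name, cfg := range map[string]string{"allAuth": allAuth, "mixed": mixed} {
		s, a, err := endpointStatus([]byte(cfg))
		fmt.Println(name, "sign:", s, "authsign:", a, "err:", err)
	}
}
```

With every profile authenticated, clients request certificates through `/api/v1/cfssl/authsign`; the warning about `sign` then reflects the intended policy rather than a broken setup.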