cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License
8.78k stars 1.11k forks

[WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy" #1178

Open hitendrac opened 3 years ago

hitendrac commented 3 years ago

I have exactly followed the following documentation to run my own CA:

https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/

However, I am not able to issue certificates because of the following error:

[causer@linux-05 ~]$ cfssl gencert -config config_client.json csr_client.json | cfssljson -bare db
2021/03/04 13:48:34 [INFO] generate received request
2021/03/04 13:48:34 [INFO] received CSR
2021/03/04 13:48:34 [INFO] generating key: rsa-2048
2021/03/04 13:48:35 [INFO] encoded CSR
2021/03/04 13:48:35 [ERROR] bad url: parse 192.168.56.106:8888: first path segment in URL cannot contain colon
{"code":5300,"message":"failed to connect to remote"}
Failed to parse input: unexpected end of JSON input

The CA server is running with the following logging:

[causer@linux-05 ca-data]$ cfssl serve -ca-key ca-key.pem -ca ca.pem -config config_ca.json
2021/03/04 13:43:23 [INFO] Initializing signer
2021/03/04 13:43:23 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2021/03/04 13:43:23 [INFO] bundler API ready
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2021/03/04 13:43:23 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2021/03/04 13:43:23 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
**2021/03/04 13:43:23 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}**
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2021/03/04 13:43:23 [INFO] setting up key / CSR generator
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2021/03/04 13:43:23 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2021/03/04 13:43:23 [INFO] Handler set up complete.
2021/03/04 13:43:23 [INFO] Now listening on 127.0.0.1:8888

arpan57 commented 3 years ago

Hi @hitendrac ,

Did you manage to solve it? I could sign certs via cfssl command line, but when I start the server, I hit a similar error.

2021/11/03 17:32:09 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}

Not sure what I missed.

Thanks, Arpan

ShanxSoftware commented 2 years ago

This is an issue I'm also having.

ShanxSoftware commented 2 years ago

I did three things to get it "working":

  1. In the config_ca.json file I removed everything from the signing dictionary (this causes cfssl to use the default settings in the source code and enables the sign endpoint). Following the blog tutorial caused error 5200, invalid or unknown policy.
  2. I made sure the firewall ports were open, because it still wasn't issuing certificates.
  3. I used localhost instead of a different server name. Using 127.0.0.1 caused an error; I had to use localhost. Now to add settings until I break it again.

delaballe commented 2 years ago

Hi here,

I'm sending an answer because I had the same issue for a long time.

I found this in the cfssl repo:

https://github.com/cloudflare/cfssl/blob/master/config/testdata/valid_config.json

and if I add

...
"profiles": {
  "CA": {
    "usages": ["cert sign"],
    "expiry": "720h"
  },
  "email": {
    "usages": ["s/mime"],
    "expiry": "720h"
  }
....

in my config.json

then I have all endpoints working:

2022/06/30 15:42:49 [INFO] Initializing signer
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/ocspsign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/' is enabled
2022/06/30 15:42:49 [INFO] bundler API ready
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2022/06/30 15:42:49 [INFO] setting up key / CSR generator
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
2022/06/30 15:42:49 [INFO] Handler set up complete.
2022/06/30 15:42:49 [INFO] Now listening on 0.0.0.0:8888
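An added pre-flight check, not from this thread or from cfssl's own code, that lints a cfssl JSON config for the two failure modes seen above: a signing policy the signer refuses with error 5200, and a client `remotes` address without a scheme, which produces the "bad url" error in the first report. The profile rules it encodes (default needs an expiry, a named local profile needs usages, expiry strings are Go durations) are my reading of cfssl's config validation and are an assumption to verify against the version in use; the sample config is constructed.

```python
"""Lint a cfssl config for the two failures in this thread: a signing policy
the signer refuses with error 5200, and a remote address that Go's url.Parse
rejects ("first path segment in URL cannot contain colon")."""
import json
import re

GO_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")  # e.g. "8760h"


def lint_profile(name, prof, is_default):
    # Rules as I read cfssl's config.go (assumption, verify against your version):
    # default needs an expiry, a named local profile needs usages, expiry is a Go duration.
    if not isinstance(prof, dict):
        return [f"{name}: profile must be a JSON object"]
    problems = []
    expiry = prof.get("expiry")
    if is_default and not expiry:
        problems.append(f"{name}: default profile has no expiry")
    if expiry is not None and not GO_DURATION.match(str(expiry)):
        problems.append(f"{name}: expiry {expiry!r} is not a Go duration")
    if not is_default and "remote" not in prof and not prof.get("usages"):
        problems.append(f"{name}: local profile has no usages")
    return problems


def lint_config(cfg):
    """Return a list of problems; an empty list means nothing was found."""
    problems = []
    signing = cfg.get("signing") or {}  # "signing": {} => cfssl's built-in defaults
    if "default" in signing:
        problems += lint_profile("default", signing["default"], True)
    for name, prof in (signing.get("profiles") or {}).items():
        problems += lint_profile(f"profiles.{name}", prof, False)
    # Client side: the "bad url" error above is Go refusing host:port without a scheme.
    for name, addr in (cfg.get("remotes") or {}).items():
        if not re.match(r"^https?://", str(addr)):
            problems.append(f"remotes.{name}: {addr!r} has no scheme; write http://host:port")
    return problems


# Constructed sample: the profiles block posted above, plus one profile with no
# usages and a client 'remotes' entry written the way the first report had it.
SAMPLE = json.loads("""{
  "signing": {"default": {"expiry": "8760h"}, "profiles": {
    "CA": {"usages": ["cert sign"], "expiry": "720h"},
    "email": {"usages": ["s/mime"], "expiry": "720h"},
    "broken": {"expiry": "720h"}}},
  "remotes": {"ca": "192.168.56.106:8888"}
}""")
```

Run `lint_config(json.load(open("config_ca.json")))` before `cfssl serve`; the two findings on SAMPLE are the missing usages on `profiles.broken` and the scheme-less remote.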