cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

steps in bootstrap.txt not working #566

Closed raarts closed 5 years ago

raarts commented 8 years ago

Hi,

I'm trying to set up an internal CA using CFSSL. Started experimenting. Followed bootstrap.txt, the build and install all went fine, I created a ca.json file, and ended up with a ca.pem and ca-key.pem file. I moved them into /etc/cfssl, but when I started cfssl server it throws a lot of errors starting with this:

2016/03/29 09:58:23 [INFO] Initializing signer
2016/03/29 09:58:23 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
2016/03/29 09:58:23 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2016/03/29 09:58:23 [INFO] setting up key / CSR generator
2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2016/03/29 09:58:23 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
... more like this ...
kisom commented 8 years ago

It should be documented better, but those warnings are normal if you're not using an OCSP signer. You should see a /api/v1/cfssl/sign endpoint successfully set up. (The -responder and -responder-key provide the keys for the OCSP responder.)

minrwhite commented 8 years ago

@kisom - Not sure the ocsp signer is the issue - the problem seems to be the first warning:

2016/03/29 09:58:23 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}

I found a problem matching this (without using an OCSP signing key) when trying to put the location of ca and ca-key config values in the config JSON file rather than on the command line. When I put the locations on the command line instead, it appears to work fine, without the first warning above.

I assume that cfssl serve not accepting these paths in the config is a bug.

minrwhite commented 8 years ago

This seems to be the case for all certificate/private-key pairs (after trying with tls-key/tls-cert) - specifying in the config is invalid, but on the command line works.

If this is an intentional design decision, I'd be interested to know what the thoughts are behind it.

I'd also point out that it might be a good idea to flag up any config options that are specified that are not going to have any effect, when the person running may expect them to.

kisom commented 8 years ago

cfssl.txt is where we documented the configuration file, which should help understand what the config.json should/may contain. As it stands, the config file doesn't have a 1:1 correspondence with the command line options as a consequence of the way we use it here.

As far as noting unused config options, the Go JSON decoder makes that somewhat difficult, and isn't a trivial fix. If you file a separate issue for this, it'll keep it on our radar.

For completeness, do you have a (probably sanitised) version of the config file you tried to use?

minrwhite commented 8 years ago

This gist has a sanitized version with all the config keys that I have attempted to use at some point.

Additionally, note that in each of the profiles I have had to specify the auth_key value, as the default auth_key does not seem to propagate to the individual profiles, resulting in a "no authentication profile" bad request message when attempting to sign via the authsign api.

kisom commented 8 years ago

Thanks for the gist! Can you file a second issue about the auth_key issue as well? Thanks!

minrwhite commented 8 years ago

Done; you're welcome :+1:

devx commented 8 years ago

I was able to get past the message:

2016/04/19 09:18:46 [WARNING] endpoint '/api/v1/cfssl/sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}

By adding "CA" to the config.json file like the one found here https://github.com/cloudflare/cfssl/blob/master/config/testdata/valid_config.json#L4-L7

kisom commented 8 years ago

We'll want to reverify that bootstrap.txt is correct for the upcoming 1.3 release.

ThomasDotCodes commented 8 years ago

Just to chime in, even using the valid_config.json as mentioned by @devx above, I get an error message when trying to follow the rest of the steps:

cfssl gencert -config config_client.json csr_client.json | cfssljson -bare db

results with

{"code":7400,"message":"{\"success\":false,\"result\":null,\"errors\":[{\"code\":400,\"message\":\"authentication required\"}],\"messages\":[]}\n"}

Not sure what I'm doing wrong, or how to fix it -- especially since I've been following the steps in bootstrap.txt along with the guide at https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/

The only deviation I've made so far, was adding the "profiles/CA" block as aforementioned, which was the only way to get the /sign api endpoint to be setup.

serranos commented 8 years ago

@producerism That last error you got is probably related to #581. Since the key is not propagated to the profiles, when you added the CA profile, you also needed to add the key to that profile.

Iulian7 commented 8 years ago

I am having the same problem and have not yet resolved this. Is there a valid configuration that works? I tried everything outlined above and I still get {"code":5200,"message":"Invalid or unknown policy"}.

I am using the following files:

csr_ca.json
{
  "CN": "My CA",
  "hosts": [
    "my.host.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "DE",
      "L": "Hannover",
      "O": "Graphmasters",
      "OU": "CA Services",
      "ST": ""
    }
  ]
}
config_ca.json
{
  "signing": {
    "profiles": {
      "CA": {
        "auth_key": "key1",
        "usages": ["cert sign"],
        "expiry": "720h"
      }
    },
    "default": {
      "auth_key": "key1",
      "expiry": "720h",
      "usages": [
        "signing",
        "key encipherment",
        "server auth"
      ]
    }
  },
  "auth_keys": {
    "key1": {
      "key": "CFD0F71279D67A0E4B826A2528FE7487",
      "type": "standard"
    }
  }
}
$ cfssl serve -ca-key ca-key.pem -ca ca.pem -config config_ca.json
2016/11/11 18:31:29 [INFO] Initializing signer
2016/11/11 18:31:30 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/bundle' endpoint
2016/11/11 18:31:30 [INFO] bundler API ready
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2016/11/11 18:31:30 [INFO] setting up key / CSR generator
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint
2016/11/11 18:31:30 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config)
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/gencrl' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/sign' endpoint
2016/11/11 18:31:30 [WARNING] endpoint '/api/v1/cfssl/sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/init_ca' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/scaninfo' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/info' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/scan' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint
2016/11/11 18:31:30 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2016/11/11 18:31:30 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
2016/11/11 18:31:30 [INFO] Handler set up complete.
2016/11/11 18:31:30 [INFO] Now listening on 127.0.0.1:8888

I have been looking at https://github.com/cloudflare/cfssl/blob/master/doc/bootstrap.txt and https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/.

Any help appreciated. Perhaps some example files that work might shed some light on this.

quixoten commented 7 years ago

Figured this out. The endpoint '/api/v1/cfssl/sign' is disabled is a bit of a red herring. That's actually the desired behavior. The sign endpoint does not need to be enabled if all the profiles in the server config use an auth_key, which will be directed at the authsign endpoint rather than the sign endpoint. The issue is that some of the examples in the documentation use an incorrect way of specifying the auth_key in the client config. Here are the configs that worked for me:

server-config.json

{
   "auth_keys" : {
      "sand" : {
         "type" : "standard",
         "key" : "[REDACTED]"
      }
   },
   "signing" : {
      "default" : {
         "expiry" : "43830h",
         "auth_key" : "sand",
         "usages" : [
            "signing",
            "key encipherment",
            "client auth",
            "server auth"
         ],
         "name_whitelist" : "\\.sand\\.example.com$"
      }
   }
}

client-config.json

{
   "auth_keys" : {
      "sand" : {
         "type" : "standard",
         "key" : "[REDACTED]"
      }
   },
   "signing" : {
      "default" : {
         "auth_remote" : {
            "remote" : "sand",
            "auth_key" : "sand"
         }
      }
   },
   "remotes" : {
      "sand" : "127.0.0.1:8888"
   }
}

Notice, the client config uses the auth_remote in the default profile. This is a bit different than the example I was following.
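The two points the thread converges on, Iulian7's config where every profile carries an auth_key (so /sign stays disabled and only /authsign is usable) and quixoten's working server config, can be checked and exercised offline. The Go program below is an added example written for this page, not code from the cfssl project or from anyone in the thread. It does two things: AuthSignOnly walks a server config and reports whether every profile names an auth_key (the authsign-only situation quixoten describes) and flags any auth_key name that is not defined under auth_keys; Wrap and Unwrap then build and verify the envelope /authsign consumes for the "standard" key type. The envelope layout (a JSON object with base64 "token" and "request" fields, the token being HMAC-SHA256 over the raw request body keyed with the hex-decoded auth key) is my reading of cfssl's auth package and is an assumption here, as are the names Profile, ServerConfig, AuthSignOnly, Wrap and Unwrap; the sample config is constructed, modelled on the server-config.json above with the key value Iulian7 posted, and the "certificate_request" value is a placeholder, not a real CSR.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Constructed for this example, modelled on the server-config.json above; the
// key value is the one posted earlier in the thread.
const sampleServerConfig = `{
  "auth_keys": {"sand": {"type": "standard", "key": "CFD0F71279D67A0E4B826A2528FE7487"}},
  "signing": {"default": {"auth_key": "sand", "expiry": "43830h"},
              "profiles": {"CA": {"auth_key": "sand", "usages": ["cert sign"]}}}
}`

// Only the config keys that decide routing are modelled (assumed subset).
type Profile struct{ AuthKey string `json:"auth_key"` }

type ServerConfig struct {
	Signing struct {
		Default  *Profile            `json:"default"`
		Profiles map[string]*Profile `json:"profiles"`
	} `json:"signing"`
	AuthKeys map[string]struct {
		Type string `json:"type"`
		Key  string `json:"key"`
	} `json:"auth_keys"`
}

// AuthSignOnly reports whether every profile (default included) names an
// auth_key, the case quixoten describes in which /sign stays disabled and all
// requests must use /authsign; it also lists auth_keys that are not defined.
func AuthSignOnly(cfg *ServerConfig) (authOnly bool, missing []string) {
	authOnly = true
	check := func(name string, p *Profile) {
		if p == nil || p.AuthKey == "" {
			authOnly = false // an unauthenticated profile needs plain /sign
		} else if _, ok := cfg.AuthKeys[p.AuthKey]; !ok {
			missing = append(missing, name+" -> "+p.AuthKey)
		}
	}
	check("default", cfg.Signing.Default)
	for name, p := range cfg.Signing.Profiles {
		check(name, p)
	}
	return authOnly, missing
}

// AuthenticatedRequest is the envelope /authsign consumes. Field names follow
// my reading of cfssl's auth package; Go encodes []byte fields as base64.
type AuthenticatedRequest struct {
	Token   []byte `json:"token"`
	Request []byte `json:"request"`
}

// Standard reimplements the "standard" auth_key type: the configured key is
// hex, decoded to raw bytes and used as an HMAC-SHA256 key over the raw body.
type Standard struct{ key []byte }

func NewStandard(hexKey string) (*Standard, error) {
	k, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("auth key is not valid hex: %w", err)
	}
	return &Standard{key: k}, nil
}

func (s *Standard) Token(req []byte) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write(req)
	return h.Sum(nil)
}

// Wrap is the client side: the plain sign request becomes Request, its HMAC Token.
func Wrap(s *Standard, signReq []byte) ([]byte, error) {
	return json.Marshal(&AuthenticatedRequest{Token: s.Token(signReq), Request: signReq})
}

// Unwrap is the server side: recompute the HMAC with the key the profile's
// auth_key names, compare in constant time, then release the inner request.
func Unwrap(s *Standard, body []byte) ([]byte, error) {
	var ar AuthenticatedRequest
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if !hmac.Equal(s.Token(ar.Request), ar.Token) {
		return nil, fmt.Errorf("authentication failed: token does not match request")
	}
	return ar.Request, nil
}

func main() {
	s, _ := NewStandard("CFD0F71279D67A0E4B826A2528FE7487")
	env, _ := Wrap(s, []byte(`{"certificate_request":"PLACEHOLDER_PEM_CSR","profile":"CA"}`))
	fmt.Println("envelope for /authsign:", string(env))
}
```

Running AuthSignOnly over Iulian7's config_ca.json gives authsign-only with no dangling keys, which is why his /sign endpoint is reported disabled while /authsign is set up. The constant-time hmac.Equal matters on the server side: a plain byte comparison would let a client recover the token one byte at a time through timing.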