smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: Insecure HTTP server is not available after enabling CRL endpoint #1750

Closed bergerst closed 4 months ago

bergerst commented 4 months ago

Steps to Reproduce

  1. Start a step-ca v0.25.2 docker container
  2. Change the config like below
  3. Restart the container
  4. Enter the container with docker exec -it step-ca /bin/bash
  5. Run curl http://localhost:8000/crl

Config:

{
        "root": "/home/step/certs/root_ca.crt",
        "federatedRoots": null,
        "crt": "/home/step/certs/intermediate_ca.crt",
        "key": "/home/step/secrets/intermediate_ca_key",
        "address": ":9000",
        "insecureAddress": "8000",
        "commonName": "localhost",
        "dnsNames": [
                "localhost"
        ],
        "logger": {
                "format": "text"
        },
        "db": {
                "type": "badgerv2",
                "dataSource": "/home/step/db",
                "badgerFileLoadingMode": ""
        },
        "authority": {
                "provisioners": [
                        {
                                "type": "ACME",
                                "name": "acme",
                                "claims": {
                                        "enableSSHCA": true,
                                        "disableRenewal": false,
                                        "allowRenewalAfterExpiry": false
                                },
                                "options": {
                                        "x509": {},
                                        "ssh": {}
                                }
                        }
                ],
                "template": {},
                "claims": {
                        "minTLSCertDuration": "5m0s",
                        "maxTLSCertDuration": "87600h0m0s",
                        "defaultTLSCertDuration": "8760h0m0s"
                },
                "backdate": "1m0s"
        },
        "tls": {
                "cipherSuites": [
                        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                ],
                "minVersion": 1.2,
                "maxVersion": 1.3,
                "renegotiation": false
        },
        "crl": {
                "enabled": true,
                "generateOnRevoke": true,
                "cacheDuration": "24h0m0s",
                "idpURL": "http://localhost:8000/1.0/crl"
        }
}

Your Environment

Expected Behavior

Insecure endpoint is started and offers the CRL endpoint

Actual Behavior

The connection is refused

Additional Context

The insecure CRL feature was added through https://github.com/smallstep/certificates/pull/1372 but doesn't seem to work.


hslatman commented 4 months ago

Hey @bergerst,

Try adding the colon to the address: "insecureAddress": ":8000",. If it didn't result in an error with your current configuration (I suspect it might print an error after quitting the server), we probably need to improve that.

bergerst commented 4 months ago

Adding the : fixed the error but as you said, I didn't ever see any error and the step-ca started normally.

hslatman commented 4 months ago

I've opened https://github.com/smallstep/certificates/pull/1751 to make the CA stop operation if it fails to start one of the servers.
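The two failure modes in this thread (a listen address without the leading colon, and a server that fails to bind without stopping the CA) can be caught with a small pre-flight check. The following is an added example, not step-ca's own code; the function names and the decision to validate every address before binding any of them are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ValidateListenAddress checks that an "address"/"insecureAddress" value is in
// the host:port form that net.Listen expects. A bare "8000", as in the issue,
// is rejected up front with a message that says what was expected.
func ValidateListenAddress(addr string) error {
	if addr == "" {
		return errors.New("listen address is empty")
	}
	_, port, err := net.SplitHostPort(addr)
	if err != nil {
		return fmt.Errorf("invalid listen address %q (expected \":8000\" or \"127.0.0.1:8000\"): %w", addr, err)
	}
	if _, err := net.LookupPort("tcp", port); err != nil {
		return fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	return nil
}

// StartListeners validates all addresses, then binds them in order. If any bind
// fails, the listeners that already started are closed and the error is
// returned to the caller, so the CA cannot keep running with a missing server.
func StartListeners(addrs []string) ([]net.Listener, error) {
	for _, a := range addrs {
		if err := ValidateListenAddress(a); err != nil {
			return nil, err
		}
	}
	var lns []net.Listener
	for _, a := range addrs {
		ln, err := net.Listen("tcp", a)
		if err != nil {
			for _, l := range lns {
				l.Close()
			}
			return nil, fmt.Errorf("failed to start server on %q: %w", a, err)
		}
		lns = append(lns, ln)
	}
	return lns, nil
}

func main() {
	// ":9000" is the TLS address from the issue; "8000" is the misconfigured one.
	_, err := StartListeners([]string{":9000", "8000"})
	fmt.Println("startup result:", err)
}
```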