
[WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"

Open hitendrac opened this issue 4 years ago • 4 comments

I have exactly followed following documentation to run my own CA

https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/

However, I am not able to issue a certificate because of the following error:

[causer@linux-05 ~]$ cfssl gencert -config config_client.json csr_client.json | cfssljson -bare db
2021/03/04 13:48:34 [INFO] generate received request
2021/03/04 13:48:34 [INFO] received CSR
2021/03/04 13:48:34 [INFO] generating key: rsa-2048
2021/03/04 13:48:35 [INFO] encoded CSR
2021/03/04 13:48:35 [ERROR] bad url: parse 192.168.56.106:8888: first path segment in URL cannot contain colon
{"code":5300,"message":"failed to connect to remote"}
Failed to parse input: unexpected end of JSON input

The CA server is running with the following logging:

[causer@linux-05 ca-data]$ cfssl serve -ca-key ca-key.pem -ca ca.pem -config config_ca.json
2021/03/04 13:43:23 [INFO] Initializing signer
2021/03/04 13:43:23 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2021/03/04 13:43:23 [INFO] bundler API ready
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2021/03/04 13:43:23 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2021/03/04 13:43:23 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
**2021/03/04 13:43:23 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}**
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2021/03/04 13:43:23 [INFO] setting up key / CSR generator
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2021/03/04 13:43:23 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/' is enabled
2021/03/04 13:43:23 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2021/03/04 13:43:23 [INFO] Handler set up complete.
2021/03/04 13:43:23 [INFO] Now listening on 127.0.0.1:8888

hitendrac, Mar 04 '21 12:03

Hi @hitendrac ,

Did you manage to solve it? I could sign certs via cfssl command line, but when I start the server, I hit a similar error.

2021/11/03 17:32:09 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}

Not sure what I missed.

Thanks, Arpan

arpan57, Nov 03 '21 17:11

This is an issue I'm also having.

ShanxSoftware, Feb 14 '22 23:02

I did three things to get it "working":

  1. In the config_ca.json file I removed everything from the signing dictionary (this causes cfssl to use the default settings in the source code and enables the sign endpoint). Following the blog tutorial caused error 5200, invalid or unknown policy.
  2. I made sure the firewall ports were open, because it still wasn't issuing certificates.
  3. I used localhost instead of a different server name. Using 127.0.0.1 caused an error; I had to use localhost. Now to add settings until I break it again.

ShanxSoftware, Feb 14 '22 23:02

Hi here,

I'm sending an answer because I had the same issue for a long time.

I've found this in the cfssl repo:

https://github.com/cloudflare/cfssl/blob/master/config/testdata/valid_config.json

and if I add

... 
"profiles": {
  "CA": {
    "usages": ["cert sign"],
    "expiry": "720h"
  },
  "email": {
     "usages": ["s/mime"],
     "expiry": "720h"
  }
....

in my config.json

then I have all endpoints working:

2022/06/30 15:42:49 [INFO] Initializing signer
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/ocspsign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/' is enabled
2022/06/30 15:42:49 [INFO] bundler API ready
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2022/06/30 15:42:49 [INFO] setting up key / CSR generator
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2022/06/30 15:42:49 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
2022/06/30 15:42:49 [INFO] Handler set up complete.
2022/06/30 15:42:49 [INFO] Now listening on 0.0.0.0:8888

delaballe, Jun 30 '22 16:06
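The thread describes two separate failure modes: a `signing` policy that cfssl rejects with error 5200 (fixed either by dropping the section so the built-in defaults apply, as ShanxSoftware did, or by giving each profile `usages` and `expiry`, as delaballe did), and a remote address that Go's URL parser cannot handle without a scheme (the `bad url` error in the first post, and the reason `localhost` worked where `127.0.0.1` did not). The following Go program is an added example, not cfssl's own code and not the config from the blog post: it lints a cfssl-style config before `cfssl serve` is started. The JSON keys (`signing`, `default`, `profiles`, `usages`, `expiry`, `auth_remote`, `remotes`) follow the thread and the linked testdata file; the validation rules are an approximation of cfssl's policy checks, assumed here rather than copied from its source, and the two embedded configs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Minimal view of the cfssl config keys this thread touches (JSON tags follow
// the keys used in the thread and the linked testdata file).
type Profile struct {
	Usages     []string                              `json:"usages"`
	Expiry     string                                `json:"expiry"`
	AuthRemote *struct{ Remote string `json:"remote"` } `json:"auth_remote"`
}

type Config struct {
	Signing *struct {
		Default  *Profile            `json:"default"`
		Profiles map[string]*Profile `json:"profiles"`
	} `json:"signing"`
	Remotes map[string]string `json:"remotes"`
}

// Lint parses a cfssl-style config and returns human-readable problems. The
// rules approximate cfssl's own policy checks (an assumption, not its code).
func Lint(raw []byte) ([]string, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("config is not valid JSON: %w", err)
	}
	var problems []string
	// url.Parse rejects "127.0.0.1:8888" (no scheme, colon in the first path
	// segment) but accepts "localhost:8888" as scheme "localhost" with opaque
	// part "8888"; requiring an explicit http(s) scheme removes both surprises.
	for name, addr := range cfg.Remotes {
		if u, err := url.Parse(addr); err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			problems = append(problems, fmt.Sprintf("remotes.%s: %q is not an absolute http(s) URL, e.g. http://host:8888", name, addr))
		}
	}
	// No signing section at all: cfssl falls back to its built-in defaults.
	if cfg.Signing == nil {
		return problems, nil
	}
	if cfg.Signing.Default == nil {
		problems = append(problems, "signing.default: missing")
	} else {
		problems = append(problems, checkProfile("signing.default", cfg.Signing.Default, true, cfg.Remotes)...)
	}
	for name, p := range cfg.Signing.Profiles {
		problems = append(problems, checkProfile("signing.profiles."+name, p, false, cfg.Remotes)...)
	}
	return problems, nil
}

// checkProfile: a profile forwarding to a remote signer only needs a known remote
// name; a local one needs a positive expiry and, unless it is the default, at
// least one usage (the two things missing in the 5200 cases in the thread).
func checkProfile(name string, p *Profile, isDefault bool, remotes map[string]string) []string {
	if p == nil {
		return []string{name + ": profile is null"}
	}
	if p.AuthRemote != nil && p.AuthRemote.Remote != "" {
		if _, ok := remotes[p.AuthRemote.Remote]; !ok {
			return []string{fmt.Sprintf("%s: remote %q is not defined under \"remotes\"", name, p.AuthRemote.Remote)}
		}
		return nil
	}
	var out []string
	if d, err := time.ParseDuration(p.Expiry); p.Expiry == "" || err != nil || d <= 0 {
		out = append(out, name+": \"expiry\" must be a positive duration such as \"8760h\"")
	}
	if !isDefault && len(p.Usages) == 0 {
		out = append(out, name+": \"usages\" must list at least one key usage, e.g. \"cert sign\"")
	}
	return out
}

// Two constructed configs (not the blog's or the reporters' files): the first has
// a scheme-less remote and a profile without usages, the second is the fixed form.
const brokenConfig = `{"signing": {"default": {"expiry": "8760h", "usages": ["signing"]},
  "profiles": {"client": {"expiry": "8760h"},
               "remote-ca": {"auth_remote": {"remote": "ca_server", "auth_key": "ca_auth"}}}},
  "remotes": {"ca_server": "192.168.56.106:8888"}}`

const fixedConfig = `{"signing": {"default": {"expiry": "8760h", "usages": ["signing"]},
  "profiles": {"CA": {"usages": ["cert sign"], "expiry": "720h"},
               "email": {"usages": ["s/mime"], "expiry": "720h"},
               "remote-ca": {"auth_remote": {"remote": "ca_server", "auth_key": "ca_auth"}}}},
  "remotes": {"ca_server": "http://192.168.56.106:8888"}}`

func main() {
	for _, body := range []string{brokenConfig, fixedConfig} {
		problems, err := Lint([]byte(body))
		fmt.Println(len(problems), "problem(s), parse error:", err)
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Running it reports two problems for the first config (the scheme-less `remotes.ca_server` value and the `client` profile without `usages`) and none for the second. Insisting on an explicit `http://` or `https://` scheme is stricter than cfssl's own address normalization, but it makes the check independent of how a bare `host:port` happens to parse, which is exactly the difference that bit the thread.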