
[Bug]: json: cannot unmarshal number into Go value of type ca.AdminClientError - when listing admins

Open kelvtech-co-uk opened this issue 2 years ago • 6 comments

Steps to Reproduce

Docker latest. Create container with 'DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: false'. From within the same step-ca container or when using a 2nd container for Step CLI, attempt a 'step ca admin list' and supply the super admin creds. The above error message is then returned.

Alternatively, following the same steps as above but with 'DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: true', the same admin list command works as expected.

Your Environment

6db8ad78447f:~$ step version
Smallstep CLI/0.25.0 (linux/amd64)
Release Date: 2023-09-27 05:35 UTC

step-ca:~$ step-ca version
Smallstep CA/0.25.0 (linux/amd64)
Release Date: 2023-09-27 06:17 UTC

Expected Behavior

'step ca admin list' should output a list of configured subjects, their provisioners and admin types.

Actual Behavior

"json: cannot unmarshal number into Go value of type ca.AdminClientError" is simply displayed instead.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

kelvtech-co-uk avatar Nov 14 '23 20:11 kelvtech-co-uk

Is this solved?

pegahnikbakht avatar Jul 25 '24 12:07 pegahnikbakht

I ended up posting in the Discord server for step-ca and I think it was @hslatman who responded there. I've lost the discussion now in Discord so I cannot share the messages verbatim, unfortunately. If my memory serves, it was something along the lines of: a Docker deployment means the CA instance is remote and so that env should be set to true.

kelvtech-co-uk avatar Jul 25 '24 13:07 kelvtech-co-uk

@KillerKelvUK that's correct. With Docker, there is in fact a network connection between step and the CA, both if step is used from the Docker host, or if step is in another container. When the CA is running locally, step can interact with its configuration locally too, but that's not the case with a Docker deployment, so that requires Remote Administration to be enabled, or the CA must be configured from within the CA container.

~I'll close this, as this is expected behavior. Thanks for the heads-up, @KillerKelvUK~

Actually, I'll keep it open, to ensure the error that is returned is clearer. I thought we already did something related to that, but I'm not sure. But it's still the expected behavior.

hslatman avatar Jul 25 '24 13:07 hslatman

@hslatman I'm not using docker, and I'm using the normal installation of step and step-ca, but when I try this command:

step ca admin list

I get the following error after entering password to decrypt the provisioner key:

json: cannot unmarshal number into Go value of type ca.AdminClientError

pegahnikbakht avatar Jul 25 '24 14:07 pegahnikbakht

Is there any update on this? Also experiencing the behavior described by @pegahnikbakht with a bare-metal install.

mihneaCR avatar Nov 07 '24 13:11 mihneaCR

step-cli seems to force admin authentication on some operations, like step ca acme eab add or step ca admin list, even if no admin authentication is enabled. This leads to a 404 because the admin API is not enabled:

step-ca-1  | WARN[0016] duration="16.502µs" duration-ns=16502 fields.time="2025-01-19T11:32:26Z" method=POST name=ca path=/admin/acme/eab/acme protocol=HTTP/2.0 referer= remote-address=127.0.0.1 request-id=cbdfe511-0153-4110-8adc-8f7e4618ed68 size=19 status=404 user-agent="Smallstep CLI/0.28.2 (linux/amd64)" user-id=
step-ca-1  | WARN[0229] duration="17.994µs" duration-ns=17994 fields.time="2025-01-19T11:35:58Z" method=GET name=ca path="/admin/admins?limit=100" protocol=HTTP/2.0 referer= remote-address=127.0.0.1 request-id=4fb67b14-eaea-4a3c-b9d1-0c4fec613223 size=19 status=404 user-agent="Smallstep CLI/0.28.2 (linux/amd64)" user-id=

Explicitly enabling the admin API via the enableAdmin option "fixes" this by creating a default admin, though that breaks any setup that's set up to use a domain-name-constrained intermediate signed by an external CA as the admin certificate issued to the hard-coded "step" admin user obviously does not match the constraints.

3ster avatar Jan 19 '25 11:01 3ster
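The failure described in the comment above, reproduced as an added example (not code from the thread or from smallstep): a JSON stream decoder handed a plain-text 404 body parses the leading `404` as a number and fails with the error in this issue's title, while a decoder that reads the body first can report the status and text instead. It assumes the CA answers unknown admin routes with Go's default `404 page not found` body (19 bytes, consistent with `size=19` in the logs) and that the client stream-decodes error bodies; the `AdminClientError` fields and the names `naiveDecode`, `clearDecode` and `fetch` are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// AdminClientError is a stand-in for the CLI's error type (fields assumed).
type AdminClientError struct{ Type, Detail, Message string }

// naiveDecode assumes every error body is a JSON object and stream-decodes it.
func naiveDecode(resp *http.Response) error {
	var e AdminClientError
	if err := json.NewDecoder(resp.Body).Decode(&e); err != nil {
		return err
	}
	return errors.New(e.Message)
}

// clearDecode falls back to the status and raw text when the body is not JSON.
func clearDecode(resp *http.Response) error {
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	var e AdminClientError
	if err := json.Unmarshal(body, &e); err != nil {
		return fmt.Errorf("admin API returned %d: %q (is enableAdmin set?)", resp.StatusCode, body)
	}
	return errors.New(e.Message)
}

// fetch queries a constructed CA stand-in that has no /admin routes and returns body size and error.
func fetch(decode func(*http.Response) error) (int64, error) {
	srv := httptest.NewServer(http.NewServeMux()) // empty mux: every path is 404
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL + "/admin/admins?limit=100")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.ContentLength, decode(resp)
}

func main() {
	fmt.Println(fetch(naiveDecode))
	fmt.Println(fetch(clearDecode))
}
```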

Top. I have the same problem.

svyatoslavratov avatar Aug 14 '25 12:08 svyatoslavratov

Still seeing this issue on a bare-metal install on Rocky Linux 9.6, running Smallstep CLI/0.28.7 (linux/amd64). The CA has been configured according to the production considerations and runs as a systemd daemon. The issue occurs on anything requiring admin credentials. First noticed it when trying to add an x509 policy with step ca policy authority x509 deny dns "*.company.net", which resulted in this error:

error retrieving policy: error retrieving policy: json: cannot unmarshal number into Go value of type ca.AdminClientError

BRShadow19 avatar Aug 28 '25 18:08 BRShadow19

Same issue here. Shall we have DEBUG-level logging in the client to examine the request and response, for more context when troubleshooting this issue?

Edit: https://smallstep.com/docs/step-ca/provisioners/ this may be helpful if you want to enable Admin.

Maybe an update to the docs explaining the users/admins stuff could also be helpful when users want to try commands that they are not that familiar with, such as ca step admin list.

kmahyyg avatar Oct 30 '25 14:10 kmahyyg

I was also running into the json: cannot unmarshal number into Go value of type ca. error for a couple of nights. I finally found a solution that worked for my setup.

My fix was to enable remote admin management, which I found by chance in the documentation: [Enable remote provisioner management](https://smallstep.com/docs/step-ca/provisioners/#enable-remote-provisioner-management)

I added "enableAdmin": true to the authority section of my ca.json:

{
  "authority": {
    "enableAdmin": true
    // ... other settings
  }
}

After restarting step-ca, this automatically creates a SUPER_ADMIN user named step. After logging in with this step user, I was able to run all operations without getting the json: cannot unmarshal error.


After fixing that first error, I tried to add an ACME EAB key, which was my original goal. Unfortunately, it turns out this feature is not included in the open-source step-ca version and requires their paid Certificate Manager.

I'm posting the terminal output here in case it saves someone else the time. This is what happens when you try to add an EAB key:

~ $ step ca acme eab add acme traefik.service
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: [email protected] (JWK) [kid: XXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Please enter the password to decrypt the provisioner key:
error creating ACME EAB key: this functionality is currently only available in Certificate Manager: https://u.step.sm/cm 🚀 🤩

Hope this helps someone else!

mthofmann avatar Nov 01 '25 20:11 mthofmann

@mthofmann thank you for putting the example here 🙂

Because I see a bit more activity on this recently, I think it's good to put a few more remarks here:

  • Some operations require the admin (also: remote administration) API to be enabled.
    • Listing CA admins is one of them. The reason for this is that "CA admins" are not something the CA stores in its database when remote administration is disabled. Without remote management, managing the CA is based on who is allowed and can update the configuration by writing to ca.json.
    • Others include ACME EAB and granular policy management.
  • Some operations are supported with and without the admin API enabled. E.g. listing provisioners can be done through both.
  • The admin API serves the endpoints defined in code here: https://github.com/smallstep/certificates/blob/master/authority/admin/api/handler.go#L41-L133.
  • Admin users can use a different name. The step user is the default one created upon initialization or migration, but it is possible to change that using the --admin-subject flag when these operations are performed.

We haven't had time to (further) improve the error message here yet, unfortunately.

hslatman avatar Nov 03 '25 11:11 hslatman