cfssl
`Unknown private key error` when using a remote auth config
I have an issuing CA setup that I can issue default certificates from, but cannot get signing profiles to work. On the CA I'm using the following configuration:
{
  "auth_keys": {
    "server_auth": {
      "type": "standard",
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD"
    }
  },
  "remotes": {
    "localhost": "127.0.0.1:8888"
  },
  "signing": {
    "profiles": {
      "server": {
        "usages": ["server auth, key encipherment, signing"],
        "expiry": "2160h",
        "remote": "localhost",
        "auth_key": "server_auth"
      }
    },
    "default": {
      "usages": ["digital signature"],
      "expiry": "8000h"
    }
  }
}
If I remove the remotes section and try to use the following config, I get a {"code":5200,"message":"invalid configuration"} error:
{
  "auth_keys": {
    "server_auth": {
      "type": "standard",
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD"
    }
  },
  "signing": {
    "profiles": {
      "server": {
        "usages": ["server auth, key encipherment, signing"],
        "expiry": "2160h",
        "auth_key": "server_auth"
      }
    },
    "default": {
      "usages": ["digital signature"],
      "expiry": "8000h"
    }
  }
}
On the server I'm trying to pull a certificate with, I've tried the following config (which I got from Issue #556), but it results in the {"code":2000,"message":"Unknown private key error"} mentioned in the title:
{
  "auth_keys": {
    "key1": {
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD",
      "type": "standard"
    }
  },
  "remotes": {
    "caserver": "10.7.29.4:8888"
  },
  "signing": {
    "profiles": {
      "server": {
        "auth_remote": {
          "auth_key": "key1",
          "remote": "caserver"
        }
      }
    }
  }
}
A -loglevel 0 flag gives me the following, so I'm not sure what I'm missing:
2016/06/30 13:44:07 [DEBUG] loading configuration file from config.json
2016/06/30 13:44:07 [DEBUG] no default given: using default config
2016/06/30 13:44:07 [DEBUG] match auth remote in profile to remotes section
2016/06/30 13:44:07 [DEBUG] match auth remote key in profile to auth_keys section
2016/06/30 13:44:07 [DEBUG] validating configuration
2016/06/30 13:44:07 [DEBUG] validate local profile
2016/06/30 13:44:07 [DEBUG] profile is valid
2016/06/30 13:44:07 [DEBUG] validate auth remote profile
2016/06/30 13:44:07 [DEBUG] profile is valid
2016/06/30 13:44:07 [DEBUG] configuration ok
2016/06/30 13:44:07 [INFO] generate received request
2016/06/30 13:44:07 [INFO] received CSR
2016/06/30 13:44:07 [INFO] generating key: rsa-2048
2016/06/30 13:44:07 [DEBUG] generate key from request: algo=rsa, size=2048
2016/06/30 13:44:07 [INFO] encoded CSR
2016/06/30 13:44:07 [DEBUG] validating configuration
2016/06/30 13:44:07 [DEBUG] validate local profile
2016/06/30 13:44:07 [DEBUG] profile is valid
2016/06/30 13:44:07 [DEBUG] validate auth remote profile
2016/06/30 13:44:07 [DEBUG] profile is valid
{"code":2000,"message":"Unknown private key error"}
Failed to parse input: unexpected end of JSON input
If I try to pull a certificate with a default cert instead of a signing profile, I can get a cert just fine. If I try to pull a signing profile without authentication, it fails. Really unsure what I'm missing here, and I've been going through making notes where the docs could be updated (should be submitting a PR for that at some point), but I just can't seem to get this working.
Just an update @cmrunton; I've been working on debugging this, but I haven't had a lot of time to poke at it. We are paying attention, though; hopefully this week I'll have some time to spend on it.
Thanks @kisom, much appreciated. I'm going to keep banging away at it, and if I make progress I'll share it here. Also, if you need any other config files, environment details, or whatever, just let me know.
Well, I found one error in my Issuing CA config:
  "server": {
    "usages": ["server auth, key encipherment, signing"], <- Missing double-quotes
    "expiry": "2160h",
So I've fixed that, and now I don't get the {"code":5200,"message":"invalid configuration"} message when trying to start the server without using the remote section on the Issuing CA. Now that's sorted, with the following configuration on the Issuing CA:
{
  "auth_keys": {
    "default_auth": {
      "type": "standard",
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD"
    },
    "server_auth": {
      "type": "standard",
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD"
    }
  },
  "signing": {
    "default": {
      "usages": ["digital signature"],
      "expiry": "8000h",
      "auth_key": "default_auth"
    },
    "profiles": {
      "server": {
        "usages": ["server auth", "key encipherment", "signing"],
        "expiry": "2160h",
        "auth_key": "server_auth"
      }
    }
  }
}
I'm still thinking there's some problem on the client side though. Here, I've started the server and truncated the output somewhat:
root@test-issuing-ca:/opt/cfssl# cfssl serve -loglevel 0 -address 10.7.29.4 -ca issuing_ca_0101.pem -ca-key issuing_ca_0101-key.pem -config config_issuing_ca.json
...
2016/07/06 14:45:12 [INFO] Setting up '/' endpoint
2016/07/06 14:45:12 [INFO] Setting up '/api/v1/cfssl/authsign' endpoint
2016/07/06 14:45:12 [INFO] Setting up '/api/v1/cfssl/newcert' endpoint
2016/07/06 14:45:12 [INFO] Setting up '/api/v1/cfssl/scan' endpoint
2016/07/06 14:45:12 [INFO] Setting up '/api/v1/cfssl/certinfo' endpoint
2016/07/06 14:45:12 [INFO] Setting up '/api/v1/cfssl/revoke' endpoint
2016/07/06 14:45:12 [WARNING] endpoint '/api/v1/cfssl/revoke' is disabled: cert db not configured (missing -db-config)
2016/07/06 14:45:12 [INFO] Handler set up complete.
2016/07/06 14:45:12 [INFO] Now listening on 10.7.29.4:8888
Now, when I try to pull a certificate from the client system, I get the following on the client, but nothing on the Issuing CA:
root@test-client:/opt/cfssl# cfssl gencert -loglevel 0 -config config_client.json csr_client.json | cfssljson -bare server_client
2016/07/06 14:59:26 [DEBUG] loading configuration file from config_client.json
2016/07/06 14:59:26 [DEBUG] no default given: using default config
2016/07/06 14:59:26 [DEBUG] match auth remote in profile to remotes section
2016/07/06 14:59:26 [DEBUG] match auth remote key in profile to auth_keys section
2016/07/06 14:59:26 [DEBUG] validating configuration
2016/07/06 14:59:26 [DEBUG] validate local profile
2016/07/06 14:59:26 [DEBUG] profile is valid
2016/07/06 14:59:26 [DEBUG] validate auth remote profile
2016/07/06 14:59:26 [DEBUG] profile is valid
2016/07/06 14:59:26 [DEBUG] configuration ok
2016/07/06 14:59:26 [INFO] generate received request
2016/07/06 14:59:26 [INFO] received CSR
2016/07/06 14:59:26 [INFO] generating key: rsa-2048
2016/07/06 14:59:26 [DEBUG] generate key from request: algo=rsa, size=2048
2016/07/06 14:59:27 [INFO] encoded CSR
2016/07/06 14:59:27 [DEBUG] validating configuration
2016/07/06 14:59:27 [DEBUG] validate local profile
2016/07/06 14:59:27 [DEBUG] profile is valid
2016/07/06 14:59:27 [DEBUG] validate auth remote profile
2016/07/06 14:59:27 [DEBUG] profile is valid
{"code":2000,"message":"Unknown private key error"}
Failed to parse input: unexpected end of JSON input
However, if I do a curl -d '{}' 10.7.29.4:8888/api/v1/cfssl/authsign from the same client machine, then the Issuing CA records the connection attempt (never mind the empty body) as such:
2016/07/06 14:49:03 [INFO] signature request received
2016/07/06 14:49:03 [ERROR] failed to unmarshal request from authenticated request: unexpected end of JSON input
2016/07/06 14:49:03 [INFO] 10.7.29.5:48050 - "POST /api/v1/cfssl/authsign" 400
I'm not sure if the debug message 2016/07/06 14:59:26 [DEBUG] no default given: using default config has anything to do with it, but on my client machine I'm using the following config_client.json:
{
  "auth_keys": {
    "key1": {
      "key": "ABCDABCDABCDABCDABCDABCDABCDABCD",
      "type": "standard"
    }
  },
  "remotes": {
    "caserver": "10.7.29.4:8888"
  },
  "signing": {
    "profiles": {
      "server": {
        "auth_remote": {
          "auth_key": "key1",
          "remote": "caserver"
        }
      }
    }
  }
}
Hopefully I'm getting closer to the actual issue.
Final comment for today, if I remove authentication from the server and the client configs, then I can get certificates to issue no problem. Below are the configs and commands I'm using now. Issuing CA config.json
{
  "signing": {
    "default": {
      "usages": ["digital signature"],
      "expiry": "8000h"
    },
    "profiles": {
      "server": {
        "usages": ["server auth", "key encipherment", "signing"],
        "expiry": "2160h"
      }
    }
  }
}
Requesting a cert on the client is successful
root@test-client:/opt/cfssl# cfssl gencert -remote 10.7.29.4:8888 -profile server csr_client.json | cfssljson -bare client
2016/07/06 15:34:18 [INFO] generate received request
2016/07/06 15:34:18 [INFO] received CSR
2016/07/06 15:34:18 [INFO] generating key: rsa-2048
2016/07/06 15:34:18 [INFO] encoded CSR
However, when I modify the config_client.json file to remove the auth_keys setting, I still get the same unknown private key error:
config_client.json
{
  "remotes": {
    "caserver": "10.7.29.4:8888"
  },
  "signing": {
    "profiles": {
      "server": {
        "remote": "caserver"
      }
    }
  }
}
Output from cfssl gencert
root@test-client:/opt/cfssl# cfssl gencert -config config_client.json csr_client.json | cfssljson -bare client
2016/07/06 15:42:34 [INFO] generate received request
2016/07/06 15:42:34 [INFO] received CSR
2016/07/06 15:42:34 [INFO] generating key: rsa-2048
2016/07/06 15:42:34 [INFO] encoded CSR
{"code":2000,"message":"Unknown private key error"}
Failed to parse input: unexpected end of JSON input
I wanted to provide an update to the issue after some further troubleshooting that may point in the right direction. I can get remote auth to work, but only if I also pass the remote server as a parameter to the command line. So the following works:
cfssl gencert -remote 10.7.29.4:8888 -config config_auth.json csr_client.json | cfssljson -bare client_auth
But this does not, and generates the Unknown private key error message:
cfssl gencert -config config_auth.json csr_client.json | cfssljson -bare client_auth
I've included the relevant json configuration files below.
Issuing CA config
{
  "signing": {
    "default": {
      "usages": ["digital signature"],
      "expiry": "8000h"
    },
    "profiles": {
      "server": {
        "usages": ["server auth", "key encipherment", "signing"],
        "expiry": "2160h",
        "auth_key": "server_auth",
        "name_whitelist": "^([^\\*]+)\\.(example-a|example-b)\\.(it|us|com)$"
      }
    }
  },
  "auth_keys": {
    "server_auth": {
      "type": "standard",
      "key": "0123456789ABCDEF0123456789ABCDEF"
    }
  }
}
Requesting Client config
{
  "auth_keys": {
    "key1": {
      "key": "0123456789ABCDEF0123456789ABCDEF",
      "type": "standard"
    }
  },
  "remotes": {
    "caserver": "10.7.29.4:8888"
  },
  "signing": {
    "profiles": {
      "server": {
        "auth_remote": {
          "auth_key": "key1",
          "remote": "caserver"
        }
      }
    }
  }
}
Facing the same issue. Any news here?
For me it works when I additionally provide (e.g.) -remote=10.7.29.4:8888 on the CLI.
@cmrunton is right, the error is only thrown by https://github.com/cloudflare/cfssl/blob/master/signer/universal/universal.go#L81 , which, as the name implies, is a local signer, not a remote one.
For me the actual contents of the remote under remotes are irrelevant too; just the CLI arg gets passed on as the API server.
2016/07/06 14:49:03 [ERROR] failed to unmarshal request from authenticated request: unexpected end of JSON input
I fixed this error by putting brackets around the IP: "caserver": ["10.7.29.4:8888"]
Did this ever get solved?
Where I'm getting stuck is: how did you remove the authentication? I get the following error: "code":7400,"message":"{"success":false,"result":null,"errors":[{"code":400,"message":"authentication required"}]
Hi, today I have the same issue. Just the CLI arg gets passed on as the API server, but the "remotes" section needs to be present for using auth:
{
  "signing": {
    "profiles": {
      "server": {
        "auth_remote": {
          "auth_key": "key1",
          "remote": "caserver"
        }
      }
    }
  },
  "auth_keys": {
    "key1": {
      "key": "0123456789ABCDEF0123456789ABCDEF",
      "type": "standard"
    }
  },
  "remotes": {
    "caserver": "BUG-not.used.but.need.to.be.present:8888"
  }
}
To use remotes from the config instead of as CLI arg, remote must be present in the default section:
{
  "remotes": {
    "custom_CA_server": "https://some.other.domain.com:1234",
    "default_CA_server": "localhost:1234"
  },
  "auth_keys": {
    "node_auth_key": {
      "key": "123456789",
      "type": "standard"
    }
  },
  "signing": {
    "default": {
      "remote": "default_CA_server"
    },
    "profiles": {
      "node_profile": {
        "auth_remote": {
          "remote": "custom_CA_server",
          "auth_key": "node_auth_key"
        }
      }
    }
  }
}
and then this works for me:
cfssl gencert -config request-config.json -profile node_profile -tls-remote-ca test-ca.pem request-csr.json
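As an added example (not part of this issue and not cfssl's own code), a small Python linter for the client-config pitfalls the thread walks through: the comma-joined usages string, auth_remote entries that do not resolve to remotes/auth_keys, standard auth keys that are not hex, and a profile-level remote with no remote in signing.default. The two embedded configs are constructed in the shapes shown above, not copied from the issue.

```python
import json

# Constructed sample configs in the shapes the thread shows (not copied from it).
# BROKEN: the profile has auth_remote, but signing.default names no remote.
BROKEN_CONFIG = """{
  "auth_keys": {"key1": {"key": "0123456789ABCDEF0123456789ABCDEF", "type": "standard"}},
  "remotes": {"caserver": "10.7.29.4:8888"},
  "signing": {"profiles": {"server": {"auth_remote": {"auth_key": "key1", "remote": "caserver"}}}}
}"""
# FIXED: same config plus "remote" in the default section, as the thread's fix suggests.
FIXED_CONFIG = """{
  "auth_keys": {"key1": {"key": "0123456789ABCDEF0123456789ABCDEF", "type": "standard"}},
  "remotes": {"caserver": "10.7.29.4:8888"},
  "signing": {"default": {"remote": "caserver"},
              "profiles": {"server": {"auth_remote": {"auth_key": "key1", "remote": "caserver"}}}}
}"""


def lint_cfssl_config(text):
    """Return a list of findings for the client-config pitfalls discussed in this issue."""
    cfg = json.loads(text)
    remotes = cfg.get("remotes", {})
    auth_keys = cfg.get("auth_keys", {})
    signing = cfg.get("signing", {})
    default = signing.get("default", {})
    profiles = signing.get("profiles", {})
    findings = []
    # Standard auth keys are hex-encoded strings; cfssl rejects one it cannot decode.
    for name, ak in auth_keys.items():
        try:
            bytes.fromhex(ak.get("key", ""))
        except ValueError:
            findings.append(f"auth_keys.{name}: key is not valid hex")
    for pname, prof in dict(profiles, default=default).items():
        # One comma-joined usage string is the missing-quotes mistake from the thread;
        # each usage must be its own list element.
        if any("," in u for u in prof.get("usages", [])):
            findings.append(f"{pname}: usages holds a comma-joined string")
        ar = prof.get("auth_remote")
        if ar is not None:
            if ar.get("remote") not in remotes:
                findings.append(f"{pname}: auth_remote.remote not in remotes")
            if ar.get("auth_key") not in auth_keys:
                findings.append(f"{pname}: auth_remote.auth_key not in auth_keys")
        elif "remote" in prof and prof["remote"] not in remotes:
            findings.append(f"{pname}: remote not in remotes")
    uses_remote = any("auth_remote" in p or "remote" in p for p in profiles.values())
    if uses_remote and "remote" not in default:
        findings.append("signing.default has no remote: cfssl gencert uses a local signer "
                        "(the 'Unknown private key error' above) unless -remote is passed")
    return findings
```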
To use remotes from the config instead of as CLI arg, remote must be present in the default section:
[…]
and then this works for me:
cfssl gencert -config request-config.json -profile node_profile -tls-remote-ca test-ca.pem request-csr.json
Yes! I've had the exact same issue and adding my remote signer in the default
section solved it. Thanks!
Not sure why the error message is so vague, though.
When I enter the private key, I get an unknown error message