cfssl - Invalid version. Expected: 1.6.3, actual:

[MaitreCake]

Hello,

I tried to activate libresign.
I had an error involving xz on XXinstaller.php (I did some reboot and I have no more access to my logs sorry)
Following the github given the terminal did not help.

I tried to add extension=xz in my cli/php.ini and the system told me that xz was already loaded. I restored a backup of cli/php.ini. Rebooted.
Now : occ libresign:install --cfssl give me
in the terminal : PHP Warning: Module "xz" is already loaded in Unknown on line 0 but looks to work.

But the admin page diplays as state for cfssl error Invalid version. Expected: 1.6.3, actual:

Any help is more than welcome.
Any HowTo to make a libresign remove purge may help as well. I reinstalled the app but once installed again andreactivated, the admin page is at the same state.

apache2 php8.0 NC26 ubuntu18.04

[MaitreCake]

I did erase every setting :

sudo -u www-data  php occ config:app:delete libresign cfssl_bin 
sudo -u www-data  php occ config:app:delete libresign collect_metadata
sudo -u www-data  php occ config:app:delete libresign default_user_folder
sudo -u www-data  php occ config:app:delete libresign enabled
sudo -u www-data  php occ config:app:delete libresign identification_documents
sudo -u www-data  php occ config:app:delete libresign installed_version
sudo -u www-data  php occ config:app:delete libresign java_path
sudo -u www-data  php occ config:app:delete libresign jsignpdf_jar_path
sudo -u www-data  php occ config:app:delete libresign legal_information
sudo -u www-data  php occ config:app:delete libresign types

Except for imagick every item is on error and blank on the state of installation..
When I do a sudo -u www-data php occ libresign:install --cfssl , it looks like working on the terminal but the ``Invalid version. Expected: 1.6.3, actual: " pop again.

:-(

[vitormattos]

LibreSign don't use the extension xz. If when you run an occ command return every time this warning, you need to fix this first.

LibreSign run the CFSSL using the cli tool and to check the version, run the command cfssl version using the absolute path to cfssl binary that stay inside libresign bin directory on appdata folder. Then, at PHP side use the output of this command to check if contains the string with the expected version number (1.6.3) and if haven't will throw an error.

The expected output is:

Version: 1.6.3
Runtime: go1.18

I think that the warning from extension is affecting the execution of command. You will need to do more tests to check what happening.

I can't reproduce your problem, to verify with more details, I will need your help to do the follow tasks at your environment:

PS: Pay attention about the user to use the occ script.

Run the follow command and send here the output:

occ config:app:get libresign cfssl_bin

Get the path of cfssl binary and run the follow command replacing the by the path that you got with the previous command and send at this issue the output:

<cfsslPath> version

Create the file cfssl_test.php at root of your nextcloud folder with the follow content:

<?php

if (!array_key_exists(1, $argv)) {
	die("You need to run this script sending the full path of cfssl binary as argument\n");
}

$binary = $argv[1];
if (!file_exists($binary)) {
	printf("The file %s didn't exists.\n", $binary);
	die();
}

if (!is_executable($binary)) {
	printf("The file %s haven't execution permission.\n", $binary);
	die();
}

echo "Current date: ";
\exec('date', $output);
var_dump($output);

echo "Output of command $binary:\n";
var_dump(`$binary version`);

$version = str_replace("\n", ', ', trim(`$binary version`));
echo "Output without line break: \"$version\"\n";

echo "Position of cfssl verison inside string:\n";
var_dump(strpos($version, '1.6.3'));

And run the command:

php java_test.php `./occ config:app:get libresign cfssl_bin`

Send here the output.

This is to check if all necessary to run the cfssl binary is ok on your environment.

[MaitreCake]

Thx for your reply.
I decided to upgrade my ubuntu in the meantime. It takes some time

For your information, I found in my browser history the error I had, on a beautiful red background, on my first attempt of the cfssl install :
"In InstallService.php line 443: Error to extract xz file. Install xz. Read more: https://github.com/codemasher/php-ext-xz"
At that stage there was no displayed exception.

I hope it helps. I ll keep you informed.

[MaitreCake]

So, I am now on ubuntu 20.04.
I have no warning left.

• When you say pay attention at the occ user, your speaking about using the www-data user, aren't you ?

• When I do

ubuntu@ubuntu:/var/www/html/NCFoldere$ sudo -u www-data php occ libresign:install --cfssl
It returns

In InstallService.php line 443:                                                                                         
  Error to extract xz file. Install xz. Read more: https://github.com/codemasher/php-ext-xz                                                                                     
libresign:install [--all] [--jsignpdf] [--cfssl] [--java]

• cfssl version in the NC folder returns

Version: 1.2.0
Revision: dev
Runtime: go1.8.1

sudo -u www-data php occ config:app:get libresign cfssl_bin nothing returns

About the script have you got an idea of the full path of the cfssl binaries? I am lost.

[MaitreCake]

Sorry @vitormattos , if I overpost but I prefer to document a maximum.

I cliked on "Download the binaries" again. The "cfssl - Invalid version. Expected: 1.6.3, actual:"disappeared but the
" In InstallService.php line 443:
Error to extract xz file. Install xz. Read more: https://github.com/codemasher/php-ext-xz
libresign:install [--all] [--jsignpdf] [--cfssl] [--java]" still there in the terminal

[MaitreCake]

Regarding the cfssl version. I desinstalled --purge golang-cfssl. (1.2)
Nothing pop up anymore when I ask for a version.

To find the "absolute path to cfssl binary that stay inside libresign bin directory on appdata folder" I do a locate cfssl it goes to usr/bin. but not in the libresign folder on NC
Edit I did sudo locate and I know what folder you are speaking about. However, my terminal does not allow me to cd (sudo or not), in the NC data folder.

So I do not know how the cfssl version or how to pass the argument to teh script (locate give me a cfssl-1.6.3-1-aarch64.pkg.tar.xz)

By the way, I believe CFSSL is not installed anymore regarding the error in red on the previous post...

Thkx

[vitormattos]

The CFSSL binary is downloaded internally by LibreSign, isn't used from operational system anymore. At the past we used from operational system but did a lot of problem of compatibility between different versions of cfssl and the features of this project that we use. To solve your problem you need to use the binary from LibreSign project that is donloaded by libresign:install --cfssl or libresign:install --all or at wep interface that request to run the --all command at server side.

Looking the last print I think that I understood your problem.

You are using an ARM processor and I never had access to this processor to validate this instalation flow and I implemented this blinded. The code that I implemented uses this project to download the cfssl: http://de5.mirror.archlinuxarm.org/aarch64/community/ and will download this file: http://de5.mirror.archlinuxarm.org/aarch64/community/cfssl-1.6.3-1-aarch64.pkg.tar.xz

The binary of CFSSL is inside a .tar.xz file and your PHP need to have support to handle this kind of file. Again, I never did this because I haven't an ARM machine to test this flow. I recommend to solve the problem about the extension that was reported on the error message to solve the problem or.... other way, is to put the cfssl file handmade at the expected place, also extract to the expected place, run the occ scan command and create the config key. This will solve but temporally, wen the version of cfssl will be bumped, you will need to do hand made. I suggest to you to setup the required extension at your environment, will be best.

As a follow up of LibreSign side we can do the possible changes:

• Check if PHP have support to tar.xz files, if not, check if the command tar -xf will work fine to extract the .tar.xz file
• Remove the dependency from CFSSL and implement the generation of root cert and user cert using the openssl extension native from PHP.

To the both way we need time and for now the development of this project is totally voluntary, then, or you will wait for a definitively solution or you also can help us checking how you can provide more funding to maintain the project

[MaitreCake]

Thank you for this detailed reply.

I will try to find a way around. For ARM/Ubuntu, it looks like the last version of cfssl is 1.2.
Once I installed the necessary libraries to "untar" the file, I have the message, which is the title to this thread.

Being a rooky, it may be a bit complicated for me, but if I go further, I will leave another message here to document.

Is the expected place you are speaking about is system, NC or LibresSign wide?
Do you think working with docker will solve this architecture dependency ?

I will have a look on the ways to found the project this week.

Thanks again.

[MaitreCake]

FYI, thanks to pacapt I have been able to install the good version of cfssl system wide.
It did not change the "fssl - Invalid version. Expected: 1.6.3, actual:" message.

cfssl version output is

Version: 1.6.3-1
Runtime: go1.19.2

My ubuntu version is now 22.04

[MaitreCake]

Went on the same issues on a docker based on debian 11 :-(

[exomarty]

i have similar issue
but the url http://mirror.archlinuxarm.org/aarch64/community/cfssl-1.6.3-1-aarch64.pkg.tar.xz
show as 404 not found

[MaitreCake]

Well, I decided to install ArchLinux on my raspi Server to make it work. I am still stuck with the 64 bit OS installation. It is the way linux work....

@exomarty : regarding your issue, the archive change on the reposoteries : it should be cfssl-1.6.4-1-aarch64.pkg.tar.xz now.

[exomarty]

Well, I decided to install ArchLinux on my raspi Server to make it work. I am still stuck with the 64 bit OS installation. It is the way linux work....

@exomarty : regarding your issue, the archive change on the reposoteries : it should be cfssl-1.6.4-1-aarch64.pkg.tar.xz now.

hello
yes i know 1.6.4 is the current version but the occ command installer tries to install the old version which its no more on the repository
i dont know how to install it manually

[MaitreCake]

Hi @exomarty,
At the end of the day (or the month?), I manage to start my Rpi4 on Aarch64 64 bit OS and I find myself stuck on the same (new) issue than you.
I did download previously the 1.6.3 tarball (https://leclaude.septentriontours.com/index.php/s/x5f9GtdSdRELzW6).
I uploaded it in my NC Datafile /appdataXXXXXX/libresign/cfssl/
I did a chown http:http (according to your sever user) and I went further. I am now on the xz error. I need to solve it on archlinux which is another story because I am not used to it at all.
Edit : I installed the php-ext-ext module, and I am back at the cfssl - "Invalid version. Expected: 1.6.3, actual: " that gives the title of this thread :(
It does not look to be an arch or debian issue

If it helps...

@vitormattos :
the outpout of {cfssl path}/usr/bin/cfssl version is
Version: 1.6.3-1
Runtime: go1.19.2

the php cfssl_test.php ./occ config:app:get libresign cfssl_bin run as sudo or su http send me a ./occ: Permission denied

However if I put the path by hand ie sudo -u http php-legacy cfssl_test.php /NCDataFolder/appdata_XXXXXX/libresign/cfssl/usr/bin/cfssl the output is as follows :

Current date: array(1) {
  [0]=>
  string(28) "Sat May 20 21:58:17 UTC 2023"
}
Output of command /NCDataFolder/appdata_XXXXX/libresign/cfssl/usr/bin/cfssl:
string(35) "Version: 1.6.3-1
Runtime: go1.19.2
"
Output without line break: "Version: 1.6.3-1, Runtime: go1.19.2"
Position of cfssl verison inside string:
int(9)

On the frontend of NC (Libresign settings ) it shows :

error | Invalid version. Expected: 1.6.3, actual: | cfssl | Run occ libresign:install --cfssl

Thx again

[asxzy]

I've encounter the same issue. The error comes from the path of the cfssl.

libresign/lib/Service/ConfigureCheckService.php

Line 263 in 633e1e5

'cfssl';

which should be the same as the configuration

libresign/lib/Service/InstallService.php

Line 447 in 633e1e5

'cfssl/usr/bin/cfssl';

You can manually change it from 'cfssl' to 'cfssl/usr/bin/cfssl'

[vitormattos]

I created a new release of LibreSign, could you check if this issue was solved?

The CFSSL version now is: 1.6.4

Now also is possible to use OpenSSL to generate root certificate.

PS: If you like this app, don't hesitate to help us to maintain the development sponsoring by GitHub sponsor https://github.com/sponsors/LibreSign or also contacting us to have Enterprise support: https://libresign.coop