step ca health Forbidden

[alphaDev23]

I receive the Forbidden error below when attempting to verify the ca's health remotely. On the host that runs the docker image smallstep/step-ca:latest (as of today), executing 'step ca health' returns 'OK'.

Executing the same remotely, I receive the error below. The fingerprintt in both default.json files are the same. Is there a configuration variable that needs to be set on the ca?

STEPDEBUG=1 step ca health
Get "https:///health": Forbidden
client.Health; client GET https:///health failed
github.com/smallstep/certificates/errs.Wrapf
/home/travis/gopath/pkg/mod/github.com/smallstep/[email protected]/errs/error.go:122
github.com/smallstep/certificates/ca.(*Client).Health
/home/travis/gopath/pkg/mod/github.com/smallstep/[email protected]/ca/client.go:513
github.com/smallstep/cli/command/ca.healthAction
/home/travis/gopath/src/github.com/smallstep/cli/command/ca/health.go:78
github.com/urfave/cli.HandleAction
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/app.go:523
github.com/urfave/cli.Command.Run
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/command.go:174
github.com/urfave/cli.(*App).RunAsSubcommand
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/app.go:404
github.com/urfave/cli.Command.startApp
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/command.go:373
github.com/urfave/cli.Command.Run
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/command.go:102
github.com/urfave/cli.(*App).Run
/home/travis/gopath/pkg/mod/github.com/urfave/[email protected]/app.go:276
main.main
/home/travis/gopath/src/github.com/smallstep/cli/cmd/step/main.go:93
runtime.main
/home/travis/.gimme/versions/go1.14.7.linux.amd64/src/runtime/proc.go:203
runtime.goexit
/home/travis/.gimme/versions/go1.14.7.linux.amd64/src/runtime/asm_amd64.s:1373

[dopey]

Hey @alphaDev23, what do the logs from the CA side when you make the Forbidden health request?

I just tried making a step ca health request with an incorrect root and I get:

 $> STEPDEBUG=1 STEP_ROOT=./cli/root.crt step ca health
Get "https://ca.smallstep.com:8080/health": x509: certificate signed by unknown authority
client.Health; client GET https://ca.smallstep.com:8080/health failed
github.com/smallstep/certificates/errs.Wrapf
	/Users/max/pkg/mod/github.com/smallstep/[email protected]/errs/error.go:122
github.com/smallstep/certificates/ca.(*Client).Health
	/Users/max/pkg/mod/github.com/smallstep/[email protected]/ca/client.go:513
github.com/smallstep/cli/command/ca.healthAction
	/Users/max/src/github.com/smallstep/cli/command/ca/health.go:79
github.com/urfave/cli.HandleAction
	/Users/max/pkg/mod/github.com/urfave/[email protected]/app.go:523
github.com/urfave/cli.Command.Run
	/Users/max/pkg/mod/github.com/urfave/[email protected]/command.go:174
github.com/urfave/cli.(*App).RunAsSubcommand
	/Users/max/pkg/mod/github.com/urfave/[email protected]/app.go:404
github.com/urfave/cli.Command.startApp
	/Users/max/pkg/mod/github.com/urfave/[email protected]/command.go:373
github.com/urfave/cli.Command.Run
	/Users/max/pkg/mod/github.com/urfave/[email protected]/command.go:102
github.com/urfave/cli.(*App).Run
	/Users/max/pkg/mod/github.com/urfave/[email protected]/app.go:276
main.main
	/Users/max/src/github.com/smallstep/cli/cmd/step/main.go:93
runtime.main
	/usr/local/Cellar/go/1.15/libexec/src/runtime/proc.go:204
runtime.goexit
	/usr/local/Cellar/go/1.15/libexec/src/runtime/asm_amd64.s:1374

The certificate authority encountered an Internal Server Error. Please see the certificate authority logs for more info.%

So I don't think the root is the problem.

One thing that sticks out to me is the address that step-ca is trying to request -- https:///health, that doesn't seem right.

When you configured your client did you use step ca bootstrap?

[alphaDev23]

Thank you for the quick reply. Issue was that the connection to the ca was erroneously being routed through a proxy via environment variables set in the shell. The issue can be closed.