policy: "authority.Authorize: authority.authorizeSign: token already used"

[juju4]

from journalctl -u step-ca --since "1 hour ago" -l --no-pager
"Feb 03 12:34:08 certca.internal step-ca[27742]: time="2025-02-03T21:45:08Z" level=warning duration=1.843368ms duration-ns=1843368 error="authority.Authorize: authority.authorizeSign: token already used" fields.time="2025-02-03T12:34:08Z" method=POST name=ca ott=[...] path=/sign protocol=HTTP/2.0 referer= remote-address=192.168.12.34 request-id=7454e455-2f05-4d02-836c-7fef1f70af79 size=144 status=401 user-agent="Smallstep CLI/0.28.2 (linux/amd64)" user-id="

If I define a policy, I get the above error when issuing certificate locally
If I remove policy, certificate is issued as expected
Tried also with a simpler policy

  {
    "x509": {
      "allow": {
        "dns": ["*.internal"],
        "ip": ["127.0.0.1", "10.1.0.0/24", "10.2.0.0/24", "192.168.12.0/24"]
      },
      "allowWildcardNames": false,
    }
  }

And same

where is the problem?
else, error message could be improved too.

Thanks

note: setup with https://github.com/juju4/ansible-role-smallstep-ca/tree/devel-policy

[hslatman]

Is Remote Management enabled? If so, try adding step to the allowed dns names.

[juju4]

No, Remote Management (https://smallstep.com/docs/step-ca/provisioners/index.html#remote-provisioner-management) is not enabled