bug: acm-pca issue-certificate doesn't accept CSRs in any format #5011
Hi @tashian,
This is due to changes in how cli V2 handles binary by default, to enable round tripping of values in the default case. This is outlined in our upgrade guide here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam. Since You have three options based on your above approach. base64 encode the raw value you are providing on the command line. (This is why we made this change. If the value was a binary blob that was not representable in the command line input, you now have a way to actually provide it without using the fileb:// workaround by base64 encoding it.) So for example this modification of your first example would work.
You can also use
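The three `--csr` input forms discussed in this thread, as an added shell example (not code from the issue or from the AWS CLI project). The PEM body is a constructed placeholder, the function names are hypothetical, and the two checks only approximate the CLI's base64 validation and the API's header/footer check described in the issue.

```shell
#!/bin/sh
export LC_ALL=C

# Constructed stand-in for csr.pem: placeholder body, not a real request.
sample_csr() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
    'QUJDREVGR0g=' '-----END CERTIFICATE REQUEST-----'
}

# Approximates the CLI v2 blob check: the whole value must be base64 text.
is_base64() {
  case "$1" in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Approximates the API-side check: decoded bytes must carry the PEM header.
decodes_to_pem() {
  printf '%s' "$1" | base64 --decode 2>/dev/null |
    grep -q '^-----BEGIN CERTIFICATE REQUEST-----$'
}

# Encode the whole PEM file, header and footer included, as one line.
csr_to_cli_value() {
  base64 < "$1" | tr -d '\n'
}

# Report which stage, if any, would reject a given --csr value.
classify() {
  if ! is_base64 "$1"; then echo "rejected by CLI: invalid base64"
  elif ! decodes_to_pem "$1"; then echo "rejected by API: no PEM header after decoding"
  else echo "accepted"
  fi
}

tmp=$(mktemp) && sample_csr > "$tmp"
echo "raw PEM text:        $(classify "$(cat "$tmp")")"
echo "stripped body only:  $(classify "$(grep -v '^-----' "$tmp" | tr -d '\n')")"
echo "base64 of whole PEM: $(classify "$(csr_to_cli_value "$tmp")")"
rm -f "$tmp"

# Real call (CA_ARN is a placeholder for your CA's ARN):
# aws acm-pca issue-certificate --certificate-authority-arn "$CA_ARN" \
#   --csr "$(csr_to_cli_value csr.pem)" --signing-algorithm SHA256WITHRSA \
#   --validity Value=365,Type=DAYS
# Alternative: --csr fileb://csr.pem makes the CLI read the raw bytes itself.
```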
Thanks @stealthycoin for the clarification. Just to be clear, because the In my case it sounds like the
MSK documentation was not updated with this breaking change in AWS CLI: The "--csr file://",,, results in "Invalid base64: "-----BEGIN"... error.
You should also make a note in the cli documentation. I'm using openssl to generate my csr and this issue is not mentioned at all in the documentation. https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html
just another hour of my life wasted by old AWS bugs that don't get fixed...
Hi @afirth, This should actually be resolved, as I believe it was addressed last year. The current CLI v2 documentation includes the example with We'll resolve this for now since the documentation has already been updated.
ISSUE TYPE
COMPONENT NAME
aws acm-pca
AWS-CLI VERSION
aws-cli/2.0.0 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev4
CONFIGURATION
Nothing specific to report on this.
OS / ENVIRONMENT
macOS Catalina 10.15.3
SUMMARY
aws acm-pca issue-certificate requires a Certificate Signing Request (CSR) supplied in the --csr flag. There appears to be no value that can be used for this flag to actually issue a certificate via the AWS API.

More specifically, it seems as though aws-cli tries to validate the CSR input as pure base64, while the AWS IssueCertificate API endpoint validates the CSR input using a regular expression that expects a standard CSR header and footer.

STEPS TO REPRODUCE
Result:
To get past this error, try stripping the header, footer, and newlines from the CSR:
Result:
If the CSR is supplied as a file:// URI, the same issue is present.
EXPECTED RESULT
Certificate issued.