
bug: acm-pca issue-certificate doesn't accept CSRs in any format #5011

Closed
tashian opened this issue Feb 26, 2020 · 8 comments
Labels
documentation This is a problem with documentation.

Comments

@tashian

tashian commented Feb 26, 2020

ISSUE TYPE

  • Bug Report

COMPONENT NAME

aws acm-pca

AWS-CLI VERSION

aws-cli/2.0.0 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev4

CONFIGURATION

Nothing specific to report on this.

OS / ENVIRONMENT

macOS Catalina 10.15.3

SUMMARY

aws acm-pca issue-certificate requires a Certificate Signing Request (CSR) supplied in the --csr flag. There appears to be no value that can be used for this flag to actually issue a certificate via the AWS API.

More specifically, it seems as though aws-cli tries to validate the CSR input as pure base64, while the AWS IssueCertificate API endpoint validates the CSR input using a regular expression that expects a standard CSR header and footer.

STEPS TO REPRODUCE

  1. Try it with a normal CSR:
$ export csr="-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"

To get past this error, try stripping the header, footer, and newlines from the CSR:

$ export csr="MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMRcALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqGSM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIgJqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U="
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

If the CSR is supplied as a file:// URI, the same issue is present.

EXPECTED RESULT

Certificate issued.

@KaibaLopez
Contributor

Hi @tashian ,
Thanks for pointing this out, we'll take a look at it.

@KaibaLopez KaibaLopez added the bug This issue is a bug. label Feb 27, 2020
@stealthycoin
Contributor

This is due to changes in how CLI v2 handles binary by default, to enable round tripping of values in the default case. This is outlined in our upgrade guide here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam. Since --csr is modeled as a blob, it is affected by this change.

You have three options based on your above approach. Base64-encode the raw value you are providing on the command line. (This is why we made this change. If the value was a binary blob that was not representable in the command line input, you now have a way to actually provide it without using the fileb:// workaround, by base64-encoding it.)

So for example this modification of your first example would work.

# "$csr" must stay quoted so the PEM's newlines survive the pipe into base64
aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr $(echo "$csr" | base64) \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

You can also use fileb:// instead of file://. Or you can revert to the previous behavior with this config: cli_binary_format=raw-in-base64-out.
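
To make the two validation layers concrete, the following Python (added here, not code from the aws-cli project) models CLI v2's default blob handling as a strict base64 decode (an assumption about the CLI's internals) and then checks the decoded bytes against the regular expression quoted verbatim in the ValidationException above. The PEM block it builds is a constructed stand-in, not a real CSR.

```python
import base64
import binascii
import re

# Pattern copied from the IssueCertificate ValidationException in this issue.
ACM_PCA_CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)


def make_constructed_csr_pem() -> str:
    """Constructed PEM-shaped block; the body is filler, not a PKCS#10 request."""
    body = base64.b64encode(b"constructed, not a real PKCS#10 request " * 4).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # 64-column wrap like openssl
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


def simulate_cli_v2_blob(arg: str) -> bytes:
    """Assumed model of CLI v2 blob handling: the argument must be base64 and is
    decoded to the raw bytes that go on the wire. Raw PEM raises binascii.Error,
    which is the 'Invalid base64: ...' failure in the first reproduction step."""
    return base64.b64decode(arg, validate=True)


def matches_acm_pca_pattern(wire_bytes: bytes) -> bool:
    """Server-side check: the bytes the API receives must be a PEM CSR."""
    return ACM_PCA_CSR_PATTERN.fullmatch(wire_bytes.decode("ascii", "replace")) is not None


def encode_csr_for_cli_v2(pem: str) -> str:
    """Value to pass to --csr: the whole PEM, header and footer included, base64-encoded once more."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def classify_csr_argument(arg: str) -> str:
    """Outcome of one --csr value under both layers: CLI decode, then API regex."""
    try:
        wire = simulate_cli_v2_blob(arg)
    except binascii.Error:
        return "invalid-base64"          # rejected locally by the CLI
    return "accepted" if matches_acm_pca_pattern(wire) else "rejected-by-api"


def strip_pem_armor(pem: str) -> str:
    """The second reproduction step: header, footer and newlines removed."""
    return "".join(l for l in pem.splitlines() if not l.startswith("-----"))
```

Running classify_csr_argument on the raw PEM, the stripped body, and the base64-wrapped PEM reproduces the three outcomes in the issue: local base64 failure, server regex failure, and success.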

@stealthycoin stealthycoin added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed bug This issue is a bug. labels Feb 27, 2020
@tashian
Author

tashian commented Feb 28, 2020

Thanks @stealthycoin for the clarification.

Just to be clear, because the IssueCertificate endpoint expects the Csr parameter to be base64 encoded binary (with a plain text header and footer), does your example here effectively double-base64-encode the CSR for aws-cli?

In my case it sounds like the fileb:// approach is the best option, as I can just provide the original CSR filename.

@Igor-Toropov

MSK documentation was not updated with these breaking changes in AWS CLI:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

The "--csr file://" form results in the "Invalid base64: "-----BEGIN..." error.

@KaibaLopez KaibaLopez added documentation This is a problem with documentation. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Mar 18, 2020
@darakian

You should also make a note in the cli documentation. I'm using openssl to generate my csr and this issue is not mentioned at all in the documentation.

https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

@afirth

afirth commented Aug 3, 2021

just another hour of my life wasted by old AWS bugs that don't get fixed...
https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ug.pdf and https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html#examples both omit fileb
TL;DR: replace file with fileb to double b64 encode the csr

@nateprewitt
Member

Hi @afirth,

This should actually be resolved, as I believe it was addressed last year. The current CLI v2 documentation includes the example with fileb. This should apply for all binary blob parameters in the CLI v2 as documented in the migration guide. Please let us know if you're having other issues.

We'll resolve this for now since the documentation has already been updated.

@github-actions

github-actions bot commented Aug 3, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
