bug: acm-pca issue-certiicate doesn't accept CSRs in any format

[tashian]

ISSUE TYPE

• Bug Report

COMPONENT NAME

aws acm-pca

AWS-CLI VERSION

aws-cli/2.0.0 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev4

CONFIGURATION

Nothing specific to report on this.

OS / ENVIRONMENT

macOS Catalina 10.15.3

SUMMARY

aws acm-pca issue-certificate requires a Certificate Signing Request (CSR) supplied in the --csr flag. There appears to be no value that can be used for this flag to actually issue a certificate via the AWS API.

More specifically, it seems as though aws-cli tries to validate the CSR input as pure base64, while the AWS IssueCertificate API endpoint validates the CSR input using a regular expression that expects a standard CSR header and footer.

STEPS TO REPRODUCE

1. Try it with a normal CSR:

$ export csr="-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"

To get past this error, try stripping the header, footer, and newlines from the CSR:

$ export csr="MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMRcALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqGSM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIgJqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U="
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

If the CSR is supplied as a file:// URI, the same issue is present.

EXPECTED RESULT

Certificate issued.

[KaibaLopez]

Hi @tashian ,
Thanks for pointing this out, we'll take a look at it.

[stealthycoin]

This is due to changes in how cli V2 handles binary by default, to enable round tripping of values in the default case. This is outlined in our upgrade guide here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam. Since --csr this is modeled as a blob it is affected by this change.

You have three options based on your above approach. base64 encode the raw value you are providing on the command line. (This is why we made this change. If the value was a binary blob that was not representable in the command line input, you now have a way to actually provide it without using the fileb:// workaround by base64 encoding it.)

So for example this modification of your first example would work.

aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr $(echo $csr | base64) \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

You can also use fileb:// instead of file://. Or you can revert to the previous behavior with this config: cli_binary_format=raw-in-base64-out.

[tashian]

Thanks @stealthycoin for the clarification.

Just to be clear, because the IssueCertificate endpoint expects the Csr parameter to be base64 encoded binary (with a plain text header and footer), does your example here effectively double-base64-encode the CSR for aws-cli?

In my case it sounds like the fileb:// approach is the best option, as I can just provide the original CSR filename.

[Igor-Toropov]

MSK documentation was not updated with this braking changes in AWS CLI:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

The "--csr file://",,, results in "Invalid base64: "-----BEGIN"... error.

[darakian]

You should also make a note in the cli documentation. I'm using openssl to generate my csr and this issue is not mentioned at all in the documentation.

https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

[afirth]

just another hour of my life wasted by old AWS bugs that don't get fixed...
https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ug.pdf and https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html#examples both omit fileb
TL;DR: replace file with fileb to double b64 encode the csr

[nateprewitt]

Hi @afirth,

This should actually be resolved, as I believe it was addressed last year. The current CLI v2 documentation includes the example with fileb. This should apply for all binary blob parameters in the CLI v2 as documented in the migration guide. Please let us know if you're having other issues.

We'll resolve this for now since the documentation has already been updated.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.