Key rotation leads to "Could not fetch private signing key for OpenID Connect" #1026

Closed
anon6789 opened this issue Sep 10, 2018 · 3 comments · Fixed by #1129

Comments

@anon6789

Hi,

I tested the new system key rotation feature of hydra v1.0.0-beta.9-alpine and it seems there is a bug.

First I start the hydra migration:

hydra migrate sql -e

Starting hydra:

SYSTEM_SECRET=system_secret_1 COOKIE_SECRET=cookie_secret_1 hydra serve all

Hydra is running normally.

Now I try to rotate the SYSTEM_SECRET. I use the new migrate secret command:

OLD_SYSTEM_SECRET=system_secret_1 NEW_SYSTEM_SECRET=system_secret_2 hydra migrate secret $DATABASE_URL

This generates the following log message:

Rotating encryption keys for JSON Web Key storage...
Error "unexpected end of JSON input" occurred while trying to rotate the JSON Web Key storage. All changes have been reverted.Rotating encryption keys for JSON Web Key storage completed successfully!
You may now run ORY Hydra with the new system secret. [...]

Then I run Hydra with the new secret:

SYSTEM_SECRET=system_secret_2 COOKIE_SECRET=cookie_secret_1 hydra serve all

This generates an error:

{"level":"info","msg":"Connecting with postgres://*:*@127.0.0.1:5432/hydra?sslmode=disable","time":"2018-09-10T06:59:54Z"}
{"level":"info","msg":"Connected to SQL!","time":"2018-09-10T06:59:54Z"}
{"level":"warning","msg":"Expected system secret to be at least 32 characters long, got 0 characters.","time":"2018-09-10T06:59:54Z"}
{"level":"info","msg":"Generating a random system secret...","time":"2018-09-10T06:59:54Z"}
{"level":"info","msg":"Generated system secret: _7~QDXr6u0lqmJ1KjFGxtn47udToKXFo","time":"2018-09-10T06:59:54Z"}
{"level":"warning","msg":"WARNING: DO NOT generate system secrets in production. The secret will be leaked to the logs.","time":"2018-09-10T06:59:54Z"}
{"error":"unexpected end of JSON input","level":"fatal","msg":"Could not fetch private signing key for OpenID Connect - did you forget to run \"hydra migrate sql\" or forget to set the SYSTEM_SECRET?","time":"2018-09-10T06:59:54Z"}

When I try to start hydra with the old SYSTEM_SECRET the same error appears.
Running hydra with the environment variable ROTATED_SYSTEM_SECRET gives the same error message as well:

SYSTEM_SECRET=system_secret_2 COOKIE_SECRET=cookie_secret_1 ROTATED_SYSTEM_SECRET=system_secret_2 hydra serve all

I would expect hydra to start normally with the new system secret.

All used secrets are 32 alphanumerics.

@aeneasr
Member

aeneasr commented Sep 11, 2018

Thanks! I’ll investigate this over the weekend!

@aeneasr aeneasr added the bug Something is not working. label Sep 14, 2018
@aeneasr aeneasr self-assigned this Sep 14, 2018
@aeneasr aeneasr added package/cli investigate and removed bug Something is not working. labels Sep 14, 2018
@aeneasr aeneasr added this to the v1.0.0-rc.1 milestone Sep 14, 2018
@aeneasr
Member

aeneasr commented Oct 9, 2018

Ok so this is actually a mixture of bad CLI error messages and mistaken assumptions:

> All used secrets are 32 alphanumerics.

No they're not, SYSTEM_SECRET=system_secret_2 and SYSTEM_SECRET=system_secret_1 are each only 16 characters long.

I'll fix the broken error messages but the root cause of this issue is misconfiguration. Thank you for reporting!

aeneasr pushed a commit that referenced this issue Oct 9, 2018
Closes #1026

Signed-off-by: arekkas <aeneas@ory.am>
@aeneasr aeneasr closed this as completed in 57378ed Oct 9, 2018
@aeneasr
Member

aeneasr commented Oct 26, 2018

Reopening for investigation following discussion on discord

@aeneasr aeneasr reopened this Oct 26, 2018
aeneasr pushed a commit that referenced this issue Oct 26, 2018
This patch resolves an issue which made it impossible to rotate secrets because an un-hashed version was used.

Closes #1026

Signed-off-by: arekkas <aeneas@ory.am>
aeneasr added a commit that referenced this issue Oct 26, 2018
This patch resolves an issue which made it impossible to rotate secrets because an un-hashed version was used.

Closes #1026

Signed-off-by: arekkas <aeneas@ory.am>
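The two things this thread turned on, the 32-character floor on the system secret (aeneasr's Oct 9 comment) and the un-hashed key that made rotation impossible (the Oct 26 commit message), are easiest to see side by side in a small rotation routine. The Go code below is an added example written for this page, not Hydra's own implementation; it assumes the stored JWK is sealed with AES-256-GCM under a key obtained by SHA-256-hashing the secret (a plausible scheme for the hashed-vs-unhashed mismatch the commit describes, not a statement of Hydra's internals), and the JSON payload, secrets and function names (`validateSecret`, `deriveKey`, `rotate`) are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for one encrypted JWK row; the real schema is not on the page.
const sampleJWK = `{"kty":"RSA","kid":"hydra.openid.id-token:private","use":"sig"}`

const minSecretLen = 32

// validateSecret enforces the length floor behind Hydra's warning
// "Expected system secret to be at least 32 characters long".
func validateSecret(secret string) error {
	if len(secret) < minSecretLen {
		return fmt.Errorf("system secret must be at least %d characters long, got %d", minSecretLen, len(secret))
	}
	return nil
}

// deriveKey turns a secret of any length into a 32-byte AES-256 key by hashing it.
// Assumption for this example: both the writer and the rotator must derive the key
// this same way; using the raw secret on one side is the class of bug the second fix names.
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext with AES-256-GCM; the random nonce is prepended to the blob.
func encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt; a key derived differently, or a truncated blob, fails here.
func decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// rotate re-encrypts one stored blob from the old secret to the new one.
// Both secrets are checked before anything is decrypted, so a 16-character
// secret fails with a clear message instead of a misleading "completed successfully".
func rotate(oldSecret, newSecret string, blob []byte) ([]byte, error) {
	if err := validateSecret(oldSecret); err != nil {
		return nil, fmt.Errorf("OLD_SYSTEM_SECRET: %w", err)
	}
	if err := validateSecret(newSecret); err != nil {
		return nil, fmt.Errorf("NEW_SYSTEM_SECRET: %w", err)
	}
	plaintext, err := decrypt(deriveKey(oldSecret), blob)
	if err != nil {
		return nil, fmt.Errorf("cannot open stored key with OLD_SYSTEM_SECRET: %w", err)
	}
	return encrypt(deriveKey(newSecret), plaintext)
}

func main() {
	oldSecret := "0123456789abcdef0123456789abcdef" // 32 characters, constructed
	newSecret := "fedcba9876543210fedcba9876543210" // 32 characters, constructed

	stored, _ := encrypt(deriveKey(oldSecret), []byte(sampleJWK))

	// The reporter's 16-character secret is refused before any row is touched.
	_, err := rotate("system_secret_1", newSecret, stored)
	fmt.Println("short secret:", err)

	rotated, _ := rotate(oldSecret, newSecret, stored)
	pt, _ := decrypt(deriveKey(newSecret), rotated)
	fmt.Println("opens under new secret:", string(pt) == sampleJWK)

	// The raw secret bytes are also a valid 32-byte AES key, but they are not the
	// hashed key the data was sealed under, so the un-hashed path cannot open it.
	_, err = decrypt([]byte(oldSecret), stored)
	fmt.Println("raw (un-hashed) secret:", err)
}
```

The validation happens before the decrypt-and-re-encrypt step on purpose: it is the one check that would have turned the reporter's contradictory log (an error followed by "completed successfully") into a single refusal, and it costs nothing because no stored row is read until both secrets pass.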