
bug: acm-pca issue-certificate doesn't accept CSRs in any format #5011

Open
tashian opened this issue Feb 26, 2020 · 5 comments

@tashian tashian commented Feb 26, 2020

ISSUE TYPE

  • Bug Report

COMPONENT NAME

aws acm-pca

AWS-CLI VERSION

aws-cli/2.0.0 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev4

CONFIGURATION

Nothing specific to report on this.

OS / ENVIRONMENT

macOS Catalina 10.15.3

SUMMARY

aws acm-pca issue-certificate requires a Certificate Signing Request (CSR) supplied in the --csr flag. There appears to be no value that can be used for this flag to actually issue a certificate via the AWS API.

More specifically, it seems as though aws-cli tries to validate the CSR input as pure base64, while the AWS IssueCertificate API endpoint validates the CSR input using a regular expression that expects a standard CSR header and footer.

STEPS TO REPRODUCE

  1. Try it with a normal CSR:
$ export csr="-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"

To get past this error, try stripping the header, footer, and newlines from the CSR:

$ export csr="MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMRcALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqGSM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIgJqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U="
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

If the CSR is supplied as a file:// URI, the same issue is present.

EXPECTED RESULT

Certificate issued.


@KaibaLopez KaibaLopez commented Feb 27, 2020

Hi @tashian ,
Thanks for pointing this out, we'll take a look at it.

@KaibaLopez KaibaLopez added the bug label Feb 27, 2020

@stealthycoin stealthycoin commented Feb 27, 2020

This is due to changes in how cli V2 handles binary by default, to enable round tripping of values in the default case. This is outlined in our upgrade guide here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam. Since --csr is modeled as a blob, it is affected by this change.

You have three options based on your above approach. The first is to base64-encode the raw value you are providing on the command line. (This is why we made this change. If the value was a binary blob that was not representable in the command line input, you now have a way to actually provide it without using the fileb:// workaround by base64 encoding it.)

So for example this modification of your first example would work.

# Quote "$csr" so the PEM newlines survive, and strip the line wrapping that
# some base64 implementations add, since a newline inside an unquoted $(...)
# would be word-split by the shell.
aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$(printf '%s\n' "$csr" | base64 | tr -d '\n')" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

You can also use fileb:// instead of file://. Or you can revert to the previous behavior with this config: cli_binary_format=raw-in-base64-out.

@stealthycoin stealthycoin added closing-soon and removed bug labels Feb 27, 2020

@tashian tashian commented Feb 28, 2020

Thanks @stealthycoin for the clarification.

Just to be clear, because the IssueCertificate endpoint expects the Csr parameter to be base64 encoded binary (with a plain text header and footer), does your example here effectively double-base64-encode the CSR for aws-cli?

In my case it sounds like the fileb:// approach is the best option, as I can just provide the original CSR filename.
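The following is an added example, not code from the issue, the AWS CLI or the ACM PCA service. It models the two validation steps the thread describes so that each shape of --csr value can be checked offline: the CLI v2 step (a blob typed on the command line is base64-decoded before the request is built, modeled here as a strict base64 decode, which is an assumption about the CLI's internals) and the service-side step (the Csr regular expression quoted verbatim in the ValidationException above, applied as a full match). It runs the four inputs that come up in this thread through both steps: the raw PEM, the stripped base64 body, base64 of an unquoted `echo $csr`, and base64 of the intact PEM, plus the fileb:// path where no decoding happens. It also shows that the double-encoded value decodes back to exactly the original PEM text. All function names are mine; the sample CSR is the one from the reproduction steps.

```python
import base64
import binascii
import re

# The Csr constraint quoted verbatim in the IssueCertificate ValidationException.
CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)

# Constructed sample input: the PEM CSR from the reproduction steps above.
PEM_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG\n"
    "ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR\n"
    "cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG\n"
    "9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG\n"
    "SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg\n"
    "JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def cli_v2_decode_blob(arg: str) -> bytes:
    """Model (assumption) of CLI v2's default cli_binary_format=base64: a blob
    given as a command-line string is base64-decoded before the request is built."""
    try:
        return base64.b64decode(arg, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f'Invalid base64: "{arg}"') from exc


def api_accepts_csr(blob: bytes) -> bool:
    """Model of the service-side check: the blob must be PEM text that
    matches the Csr pattern in full."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False  # e.g. raw DER, which contains bytes above 0x7f
    return CSR_PATTERN.fullmatch(text) is not None


def outcome(csr_arg: str) -> str:
    """Where a given --csr string fails: 'cli', 'api', or 'ok'."""
    try:
        blob = cli_v2_decode_blob(csr_arg)
    except ValueError:
        return "cli"
    return "ok" if api_accepts_csr(blob) else "api"


def outcome_fileb(pem_bytes: bytes) -> str:
    """fileb:// hands the file's bytes to the request untouched, so only the
    service-side check applies."""
    return "ok" if api_accepts_csr(pem_bytes) else "api"


def csr_arg_for_cli_v2(pem: str) -> str:
    """The value to pass to --csr under CLI v2 defaults: base64 of the whole
    PEM text, header, footer and newlines included. Emitted without line
    wrapping so it survives an unquoted $(...) in the shell."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def stripped_body(pem: str) -> str:
    """The issue's second attempt: header, footer and newlines removed."""
    body = pem.replace("-----BEGIN CERTIFICATE REQUEST-----", "")
    body = body.replace("-----END CERTIFICATE REQUEST-----", "")
    return "".join(body.split())


def unquoted_echo(pem: str) -> str:
    """What `echo $csr` (no quotes) produces: every run of whitespace,
    newlines included, collapses to a single space."""
    return " ".join(pem.split()) + "\n"


if __name__ == "__main__":
    cases = [
        ("raw PEM", PEM_CSR),
        ("stripped base64 body", stripped_body(PEM_CSR)),
        ("base64 of unquoted echo", csr_arg_for_cli_v2(unquoted_echo(PEM_CSR))),
        ("base64 of quoted PEM", csr_arg_for_cli_v2(PEM_CSR)),
    ]
    for label, arg in cases:
        print(f"{label:28s} -> {outcome(arg)}")
    print(f"{'fileb:// raw PEM':28s} -> {outcome_fileb(PEM_CSR.encode())}")
```

The raw PEM fails at the CLI, the stripped body decodes to DER and fails at the service, the unquoted-echo variant decodes to PEM with the newlines replaced by spaces and fails the regex, and only base64 of the intact PEM (or fileb://) passes both checks. The encoder deliberately emits a single line: GNU base64 wraps at 76 columns by default, and any embedded newline inside an unquoted command substitution is split into separate arguments.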


@Igor-Toropov Igor-Toropov commented Mar 18, 2020

MSK documentation was not updated with these breaking changes in AWS CLI:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

Using "--csr file://..." results in the error "Invalid base64: "-----BEGIN...".


@darakian darakian commented Apr 15, 2020

You should also make a note in the cli documentation. I'm using openssl to generate my csr and this issue is not mentioned at all in the documentation.

https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html
