
pkiCert provides wrong certificate if two certificates with different common_name are requested #1607

Closed
Mic92 opened this issue Jul 27, 2022 · 3 comments · Fixed by #1611

Mic92 commented Jul 27, 2022

Consul Template version

vault-1.11.1 -> consul template v0.29.1 according to hashicorp/vault@2aabd4a

Configuration

I use the following vault configuration:

"template": [
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=server.dc1.consul\" }}{{ .CA }}{{ end }}",
    "destination": "/tmp/detsys-vault/CA",
    "perms": "0400"
  },
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=server.dc1.consul\" }}{{ .Cert }}{{ end }}",
    "destination": "/tmp/detsys-vault/Cert",
    "perms": "0400"
  },
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=server.dc1.consul\" }}{{ .Key }}{{ end }}",
    "destination": "/tmp/detsys-vault/Key",
    "perms": "0400"
  },
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=consul-00.<censored>\" }}{{ .CA }}{{ end }}",
    "destination": "/tmp/detsys-vault/https-CA",
    "perms": "0400"
  },
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=consul-00.<censored>\" }}{{ .Cert }}{{ end }}",
    "destination": "/tmp/detsys-vault/https-Cert",
    "perms": "0400"
  },
  {
    "contents": "{{ with pkiCert \"consul-pki/issue/consul\" \"common_name=consul-00.<censored>\" }}{{ .Key }}{{ end }}",
    "destination": "/tmp/detsys-vault/https-Key",
    "perms": "0400"
  }
],

Debug output

Provide a link to a GitHub Gist containing the complete debug
output by running with -log-level=trace.

^ Not done at this time, if you need more debugging information let me know. At the time I believe you should be able to reproduce this.

Expected behavior

/tmp/detsys-vault/https-Cert is valid for consul-00.<censored>

Actual behavior

/tmp/detsys-vault/https-Cert is valid for server.dc1.consul. The certificate is exactly the same as /tmp/detsys-vault/Cert

$ cfssl -- certinfo -cert /tmp/detsys-vault/https-Cert
{
  "subject": {
    "common_name": "server.dc1.consul",
    "names": [
      "server.dc1.consul"
    ]
  },
  "issuer": {
    <censored>
  },
  "serial_number": "151587801229279134109395322450715100718759815213",
  "sans": [
    "server.dc1.consul"
  ],
  "not_before": "2022-07-27T14:40:14Z",
  "not_after": "2022-08-10T14:40:44Z",
  "sigalg": "ECDSAWithSHA384",
  "authority_key_id": "F4:D8:05:B4:AB:91:78:DC:0F:9D:8B:F5:E7:62:02:6D:77:D6:65:6A",
  "subject_key_id": "CB:66:2D:96:45:C2:FB:07:3D:5C:0D:B6:94:46:54:B2:A3:BF:7B:20",
  "pem": "<censored>"
}
$ cfssl -- certinfo -cert /tmp/detsys-vault/Cert
{
  "subject": {
    "common_name": "server.dc1.consul",
    "names": [
      "server.dc1.consul"
    ]
  },
  "issuer": {
    <censored>
  },
  "serial_number": "151587801229279134109395322450715100718759815213",
  "sans": [
    "server.dc1.consul"
  ],
  "not_before": "2022-07-27T14:40:14Z",
  "not_after": "2022-08-10T14:40:44Z",
  "sigalg": "ECDSAWithSHA384",
  "authority_key_id": "F4:D8:05:B4:AB:91:78:DC:0F:9D:8B:F5:E7:62:02:6D:77:D6:65:6A",
  "subject_key_id": "CB:66:2D:96:45:C2:FB:07:3D:5C:0D:B6:94:46:54:B2:A3:BF:7B:20",
  "pem": "<censored>"
}

Steps to reproduce

  1. Create two certificates in the same vault agent with different common names and the same path
  2. One of the certificates is incorrect

My current workaround is to use the secret function to request the second certificate in which case I get a correct certificate.

@Inotsacred

Same story happened today: trying to use several templates for one PKI path, and only the first common_name is rendered.

I didn't meet it before because in the previous case I used a different PKI role, but today I tried to render 2 certificates and got this problem.

@eikenb eikenb added the bug label Jul 28, 2022

eikenb commented Aug 1, 2022

Found/reproduced the issue. A fix will be coming in 0.29.2.

The issue was a classic cut-n-paste error. I based the PKI code on the existing vault secret code and missed the fact that the ID of the pkiCert will be identical for all certs pulled from the same PKI role path. I'm going to adjust the ID to be composed of the pki role path + the destination path. That should be unique per use case as the destination path must be unique per Cert.
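
As an added illustration (not consul-template's own code), a small Go model of the dependency-cache behaviour eikenb describes: with an ID derived only from the role path, the second pkiCert call is served from the first call's cache entry, so the https-Cert destination receives the server.dc1.consul certificate; composing the ID from role path plus destination path gives each template its own entry. The backend, cache and `consul-00.example` common name are constructed stand-ins.

```go
package main

import "fmt"

// CertRequest carries the arguments of one pkiCert template call.
type CertRequest struct {
	RolePath    string // e.g. "consul-pki/issue/consul"
	CommonName  string // the common_name= argument
	Destination string // the template's destination file
}

// Cert stands in for the data Vault returns (constructed for this example).
type Cert struct{ CommonName string }

// issue simulates the PKI backend: it mints a cert for the requested CN.
func issue(r CertRequest) Cert { return Cert{CommonName: r.CommonName} }

// buggyID reproduces the collision reported in this issue: the dependency ID is
// derived only from the role path, so every call sharing that path shares one entry.
func buggyID(r CertRequest) string { return "pki." + r.RolePath }

// fixedID follows the maintainer's described fix: the ID also includes the
// destination path, which must be unique per rendered cert.
func fixedID(r CertRequest) string { return "pki." + r.RolePath + "|" + r.Destination }

// render resolves each request through a dependency cache keyed by idFn, as a
// template runner would, and returns the CN actually written to each destination.
func render(reqs []CertRequest, idFn func(CertRequest) string) map[string]string {
	cache := map[string]Cert{}
	out := map[string]string{}
	for _, r := range reqs {
		id := idFn(r)
		c, ok := cache[id]
		if !ok { // first sighting of this dependency ID: fetch from the backend
			c = issue(r)
			cache[id] = c
		}
		out[r.Destination] = c.CommonName
	}
	return out
}

func main() {
	reqs := []CertRequest{
		{"consul-pki/issue/consul", "server.dc1.consul", "/tmp/detsys-vault/Cert"},
		{"consul-pki/issue/consul", "consul-00.example", "/tmp/detsys-vault/https-Cert"},
	}
	fmt.Println("buggy:", render(reqs, buggyID)) // both destinations get server.dc1.consul
	fmt.Println("fixed:", render(reqs, fixedID)) // each destination gets its own CN
}
```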

@eikenb eikenb added this to the v0.29.2 milestone Aug 1, 2022

Mic92 commented Aug 2, 2022

Thank you so much!
