
[BUG] x509.certificate_managed - ca_server did not return a certificate #66284

Closed
nicholasmhughes opened this issue Mar 28, 2024 · 4 comments
Bug broken, incorrect, or confusing behavior


Description
When attempting to use the x509.certificate_managed state with the peer signing/issuer functionality shown in the docs, an error is thrown stating that the server did not return a certificate.

          ID: Request certificate
    Function: x509.certificate_managed
        Name: /etc/pki/tls/certs/localhost.crt
      Result: False
     Comment: ca_server did not return a certificate: b64: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
     Started: 18:43:51.977830
    Duration: 2697.415 ms
     Changes:

Given the look of the return and the fact that it's preceded with b64:, I decoded the return and found that the ca_server is returning a certificate:

# echo 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 | base64 -d | openssl x509 -noout -subject -dates

subject=C = US, ST = MD, L = Sykesville, CN = nifi.cdx.eitr.dev
notBefore=Mar 27 18:43:54 2024 GMT
notAfter=Apr 26 18:43:54 2024 GMT

Tested on 3006.7 and 3007.0 minions with the same result. (It shouldn't matter, but the master is 3007.0)

Steps to Reproduce the behavior
Followed the example shown in the x509_v2 state docs pretty much verbatim (minion IDs were different)

Expected behavior
The state and execution module docs for x509_v2 state that base64 is supported, so I'd expect the base64-encoded certificate to be decoded and handled properly.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
             Salt: 3007.0
 
Python Version:
           Python: 3.10.13 (main, Feb 19 2024, 03:31:20) [GCC 11.2.0]
 
Dependency Versions:
             cffi: 1.16.0
         cherrypy: 18.8.0
         dateutil: 2.8.2
        docker-py: Not Installed
            gitdb: Not Installed
        gitpython: Not Installed
           Jinja2: 3.1.3
          libgit2: Not Installed
     looseversion: 1.3.0
         M2Crypto: Not Installed
             Mako: Not Installed
          msgpack: 1.0.7
     msgpack-pure: Not Installed
     mysql-python: Not Installed
        packaging: 23.1
        pycparser: 2.21
         pycrypto: Not Installed
     pycryptodome: 3.19.1
           pygit2: Not Installed
     python-gnupg: 0.5.2
           PyYAML: 6.0.1
            PyZMQ: 25.1.2
           relenv: 0.15.1
            smmap: Not Installed
          timelib: 0.3.0
          Tornado: 6.3.3
              ZMQ: 4.3.4
 
Salt Package Information:
     Package Type: onedir
 
System Versions:
             dist: rhel 9.2 Plow
           locale: utf-8
          machine: x86_64
          release: 5.14.0-284.30.1.el9_2.x86_64
           system: Linux
          version: Red Hat Enterprise Linux 9.2 Plow
Salt Version:
             Salt: 3006.7
 
Python Version:
           Python: 3.10.13 (main, Feb 19 2024, 03:31:20) [GCC 11.2.0]
 
Dependency Versions:
             cffi: 1.14.6
         cherrypy: 18.6.1
         dateutil: 2.8.1
        docker-py: Not Installed
            gitdb: Not Installed
        gitpython: Not Installed
           Jinja2: 3.1.3
          libgit2: Not Installed
     looseversion: 1.0.2
         M2Crypto: Not Installed
             Mako: Not Installed
          msgpack: 1.0.2
     msgpack-pure: Not Installed
     mysql-python: Not Installed
        packaging: 22.0
        pycparser: 2.21
         pycrypto: Not Installed
     pycryptodome: 3.19.1
           pygit2: Not Installed
     python-gnupg: 0.4.8
           PyYAML: 6.0.1
            PyZMQ: 23.2.0
           relenv: 0.15.1
            smmap: Not Installed
          timelib: 0.2.4
          Tornado: 4.5.3
              ZMQ: 4.3.4
 
System Versions:
             dist: rhel 9.2 Plow
           locale: utf-8
          machine: x86_64
          release: 5.14.0-284.30.1.el9_2.x86_64
           system: Linux
          version: Red Hat Enterprise Linux 9.2 Plow
@nicholasmhughes nicholasmhughes added the Bug broken, incorrect, or confusing behavior label Mar 28, 2024
@nicholasmhughes nicholasmhughes self-assigned this Mar 28, 2024

lkubb commented Mar 28, 2024

@nicholasmhughes Is it a custom backend on the CA server? Asking because the inbuilt sign_remote_certificate returns DER-encoded bytes.

The issue is the b64: prefix: the module tries to decode the data as base64, which fails with this prefix. It correctly decodes without it.

@nicholasmhughes
Collaborator Author

No custom backends. I just followed the docs as I stated. I'll have a PR later.


lkubb commented Mar 28, 2024

Interesting, not sure where the returned bytes are encoded to base64 then.

I have read about some people having issues with byte returns anyways, so maybe the sign_remote_certificate function should just encode it itself. Thanks for taking care of the fix!
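The decoding failure discussed in the two comments above (a `b64:`-prefixed base64 string fed to a plain base64 decode) and the suggested fix (the signer returning text rather than raw bytes), as an added example that is not Salt's own code: it normalises a ca_server return of any of the three shapes to DER bytes and checks that the outer DER SEQUENCE spans the whole payload, so a truncated or garbage decode is rejected rather than passed on. The sample DER blob is constructed and stands in for a certificate.

```python
import base64
import binascii

# Constructed sample: a minimal DER SEQUENCE holding INTEGER 1. It stands in
# for a DER-encoded certificate; it is not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def der_total_length(raw: bytes) -> int:
    """Length (tag + length field + value) of the outer DER SEQUENCE in raw."""
    if len(raw) < 2 or raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = raw[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    nbytes = first & 0x7F                  # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(raw) < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    return 2 + nbytes + int.from_bytes(raw[2:2 + nbytes], "big")


def decode_ca_return(ret) -> bytes:
    """Normalise a ca_server return (DER bytes, base64 text, or 'b64:'-prefixed
    base64 text) to DER bytes and verify the SEQUENCE covers the whole payload."""
    if isinstance(ret, (bytes, bytearray)):
        raw = bytes(ret)
    elif isinstance(ret, str):
        if ret.startswith("b64:"):        # strip the transport prefix first
            ret = ret[4:]
        try:
            raw = base64.b64decode(ret, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"return is not valid base64: {exc}") from exc
    else:
        raise TypeError(f"unsupported return type {type(ret).__name__}")
    if der_total_length(raw) != len(raw):
        raise ValueError("DER length does not match payload (truncated/garbage)")
    return raw


def naive_decode_is_der(ret: str) -> bool:
    """The failing path: decode the string as-is, without handling the prefix."""
    try:
        raw = base64.b64decode(ret, validate=True)
        return der_total_length(raw) == len(raw)
    except (binascii.Error, ValueError):
        return False


def encode_for_transport(der: bytes) -> str:
    """Text-safe form a signer could return instead of raw bytes (hypothetical)."""
    return base64.b64encode(der).decode("ascii")
```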

@nicholasmhughes
Collaborator Author

closed by #66286
