While trying to import a certificate to ACM using CLI v2, I get an error that my certificate chain contains invalid base64:
[nicolai@bastion client-vpn]$ aws --version
aws-cli/2.0.0 Python/3.7.3 Linux/4.14.152-127.182.amzn2.x86_64 botocore/2.0.0dev4
[nicolai@bastion client-vpn]$ aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region eu-west-1
Invalid base64: "-----BEGIN PRIVATE KEY-----
[BASE64-ENCODED PRIVATE KEY DISPLAYED HERE]
-----END PRIVATE KEY-----
"
However, importing the same ca.crt works fine with CLI v1:
[nicolai@bastion client-vpn]$ /usr/bin/aws --version
aws-cli/1.16.300 Python/2.7.16 Linux/4.14.152-127.182.amzn2.x86_64 botocore/1.13.36
[nicolai@bastion client-vpn]$ /usr/bin/aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region eu-west-1
{
"CertificateArn": "arn:aws:acm:eu-west-1:811065773072:certificate/f0ade5e2-902c-41f1-9653-ba4153f8e5ef"
}
ca.crt has been created using the latest easy-rsa from GitHub, on AL2.
Ditto, it looks like a Python base64.py issue
File "awscli/customizations/binaryformat.py", line 59, in _visit_scalar
File "base64.py", line 87, in b64decode
binascii.Error: Incorrect padding
Created a pull request #4981 - seems to work based on this gist
https://gist.github.com/perrygeo/ee7c65bb1541ff6ac770
This is due to how cli v2 changed processing binary inputs to support round tripping values by default. You can read about the change here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam and either update to using fileb:// instead, or revert to the previous behavior with the configuration option.
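The behaviour described in the comment above, modelled as an added example (not code from this thread or from the AWS CLI): how a blob parameter's bytes depend on the `file://` / `fileb://` prefix and the binary format setting. The function name `blob_bytes`, the sample PEM, and the strict base64 check are assumptions made for illustration; the error path deliberately does not echo the file content, since the v2 error shown earlier prints the rejected value.

```python
import base64
import binascii

# Constructed sample: PEM armor around placeholder bytes, not a real key.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not key material").decode()
    + "\n-----END PRIVATE KEY-----\n"
)


def blob_bytes(prefix, content, binary_format="base64"):
    """Model the bytes a blob parameter ends up carrying.

    prefix        -- "file://" (content read as text) or "fileb://" (raw bytes)
    content       -- the file content, as bytes
    binary_format -- "base64" (v2 default) or "raw-in-base64-out" (v1 behaviour)
    Raises ValueError without echoing content, which may be a private key.
    """
    if prefix == "fileb://":
        return content                  # raw bytes pass through untouched
    if prefix != "file://":
        raise ValueError("unknown prefix")
    if binary_format == "raw-in-base64-out":
        return content                  # text is taken as the raw value
    if binary_format != "base64":
        raise ValueError("unknown binary format")
    try:
        # Assumption: a strict decode stands in for the CLI's own decoder,
        # which is not reproduced here. PEM armor is never valid base64.
        return base64.b64decode(content, validate=True)
    except binascii.Error:
        raise ValueError("file:// content is not base64; use fileb://") from None


if __name__ == "__main__":
    pem = SAMPLE_PEM.encode()
    for prefix, fmt in [("file://", "base64"),
                        ("fileb://", "base64"),
                        ("file://", "raw-in-base64-out")]:
        try:
            print(prefix, fmt, "->", len(blob_bytes(prefix, pem, fmt)), "bytes")
        except ValueError as err:
            print(prefix, fmt, "-> rejected:", err)
```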