Aws-cli: bug: acm-pca issue-certificate doesn't accept CSRs in any format

Created on 26 Feb 2020 · 5 Comments · Source: aws/aws-cli

ISSUE TYPE

  • Bug Report

COMPONENT NAME

aws acm-pca

AWS-CLI VERSION

aws-cli/2.0.0 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev4

CONFIGURATION

Nothing specific to report on this.

OS / ENVIRONMENT

macOS Catalina 10.15.3

SUMMARY

aws acm-pca issue-certificate requires a Certificate Signing Request (CSR) supplied in the --csr flag. There appears to be no value that can be used for this flag to actually issue a certificate via the AWS API.

More specifically, it seems as though aws-cli tries to validate the CSR input as pure base64, while the AWS IssueCertificate API endpoint validates the CSR input using a regular expression that expects a standard CSR header and footer.

STEPS TO REPRODUCE

  1. Try it with a normal CSR:
$ export csr="-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR
cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG
9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG
SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg
JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=
-----END CERTIFICATE REQUEST-----"

To get past this error, try stripping the header, footer, and newlines from the CSR:

$ export csr="MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMRcALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqGSM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIgJqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U="
$ aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$csr" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

Result:

An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

If the CSR is supplied as a file:// URI, the same issue is present.

EXPECTED RESULT

Certificate issued.

documentation


All 5 comments

Hi @tashian ,
Thanks for pointing this out, we'll take a look at it.

This is due to changes in how CLI v2 handles binary by default, to enable round tripping of values in the default case. This is outlined in our upgrade guide here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam. Since --csr is modeled as a blob, it is affected by this change.

You have three options based on your above approach. The first is to base64 encode the raw value you are providing on the command line. (This is why we made this change. If the value was a binary blob that was not representable in the command line input, you now have a way to actually provide it without using the fileb:// workaround by base64 encoding it.)

So for example this modification of your first example would work.

# Quote "$csr" so its newlines survive (an unquoted $csr is word-split and
# echoed with spaces, which fails the API pattern), and strip the line
# wrapping that GNU base64 adds so the argument stays on one line.
aws acm-pca issue-certificate \
            --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \
            --csr "$(printf '%s\n' "$csr" | base64 | tr -d '\n')" \
            --signing-algorithm "SHA256WITHRSA" \
            --validity  Value=365,Type="DAYS" \
            --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1"

You can also use fileb:// instead of file://. Or you can revert to the previous behavior with this config: cli_binary_format=raw-in-base64-out.
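To make the two validation stages described in the report and in the comment above concrete, here is an added example in Python (not code from the issue or from the aws-cli project). It uses the EC CSR from the report as sample input. `cli_v2_decode_blob` models the CLI v2 default `cli_binary_format=base64` handling by requiring the argument to be valid base64 and decoding it to the bytes sent on the wire; that is an assumption about how the CLI performs its check, not its actual code. `api_accepts_csr` applies the exact pattern the service returned in its ValidationException. `classify_v2` then shows the three forms in the thread: the raw PEM (rejected by the CLI), the bare base64 body (valid base64, so the CLI accepts it, but the decoded DER can never match the PEM pattern), and the base64 of the whole PEM (accepted by both). `cli_v1_blob` models what `cli_binary_format=raw-in-base64-out` or `fileb://` hand to the service without the extra encoding step.

```python
import base64
import binascii
import re

# Constraint the IssueCertificate API reported for the Csr member, copied from
# the ValidationException text quoted in the report.
API_CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)

# Sample input: the EC CSR from the report, with a trailing newline as openssl writes it.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBDDCBswIBADAfMR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgTmFtZTBZMBMG\n"
    "ByqGSM49AgEGCCqGSM49AwEHA0IABMniBAWtXf32Fel1ZepOlM/WErM535he/yMR\n"
    "cALMlbdFyg3cnsJ5UxihMNgvcQOGgdcTnYMdmOihdn0gdEzfh+SgMjAwBgkqhkiG\n"
    "9w0BCQ4xIzAhMB8GA1UdEQQYMBaCFEludGVybWVkaWF0ZSBDQSBOYW1lMAoGCCqG\n"
    "SM49BAMCA0gAMEUCIQCbLwcDUkOS+DwgqoroFYaz3GpjSPhdSn72VLmEDnmK1wIg\n"
    "JqIwtFQZEQvfVBVxIr7HEHeWA2K/uuJaA/2Yy48c6/U=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def cli_v2_decode_blob(value: str) -> bytes:
    """Model of CLI v2's default blob handling (cli_binary_format=base64): the
    argument text must be base64 and is decoded to the bytes sent on the wire.
    This is an assumption about the check, not the CLI's own code."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"Invalid base64: {value[:40]!r}...") from exc


def cli_v1_blob(value: str) -> bytes:
    """Model of cli_binary_format=raw-in-base64-out: the argument text is sent
    as-is. fileb:// in v2 likewise passes the file's bytes through untouched."""
    return value.encode("ascii")


def api_accepts_csr(wire_bytes: bytes) -> bool:
    """Apply the service-side pattern to what actually reaches the API."""
    try:
        text = wire_bytes.decode("ascii")
    except UnicodeDecodeError:
        return False  # DER or any other binary can never match a PEM pattern
    return API_CSR_PATTERN.fullmatch(text) is not None


def encode_for_cli_v2(pem: str) -> str:
    """Equivalent of `base64 < csr.pem | tr -d '\\n'`: the whole PEM, header and
    footer included, base64-encoded onto a single line."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def strip_pem(pem: str) -> str:
    """The 'header, footer and newlines removed' form tried in the report."""
    return "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))


def csr_der(pem: str) -> bytes:
    """Decode the PEM body: the DER-encoded CSR that the PEM's base64 carries."""
    return base64.b64decode(strip_pem(pem), validate=True)


def classify_v2(value: str) -> str:
    """Where a --csr value is rejected under CLI v2 defaults, or 'accepted'."""
    try:
        wire = cli_v2_decode_blob(value)
    except ValueError:
        return "rejected by cli: invalid base64"
    if not api_accepts_csr(wire):
        return "rejected by api: csr pattern"
    return "accepted"


if __name__ == "__main__":
    for label, value in [
        ("raw PEM", SAMPLE_CSR_PEM),
        ("stripped base64 body", strip_pem(SAMPLE_CSR_PEM)),
        ("base64 of whole PEM", encode_for_cli_v2(SAMPLE_CSR_PEM)),
    ]:
        print(f"{label:22s} -> {classify_v2(value)}")
    v1_ok = api_accepts_csr(cli_v1_blob(SAMPLE_CSR_PEM))
    print(f"raw-in-base64-out / fileb:// -> {'accepted' if v1_ok else 'rejected'}")
    der = csr_der(SAMPLE_CSR_PEM)
    print(f"DER inside the PEM: {len(der)} bytes, starts {der[:2].hex()}")
```

The PEM's own base64 body is the DER request, so base64-encoding the whole PEM for CLI v2 is indeed a second layer of encoding that the CLI strips before the call; the service only ever sees the PEM. The pattern also shows why newlines matter: a PEM whose line breaks were collapsed to spaces (what `echo $csr` without quotes produces) decodes fine on the CLI side but fails the service-side regex.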

Thanks @stealthycoin for the clarification.

Just to be clear, because the IssueCertificate endpoint expects the Csr parameter to be base64 encoded binary (with a plain text header and footer), does your example here effectively double-base64-encode the CSR for aws-cli?

In my case it sounds like the fileb:// approach is the best option, as I can just provide the original CSR filename.

MSK documentation was not updated with this breaking change in AWS CLI:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

The "--csr file://..." form results in an "Invalid base64: "-----BEGIN..." error.

You should also make a note in the cli documentation. I'm using openssl to generate my csr and this issue is not mentioned at all in the documentation.

https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html
