Please note this worked fine in 0.9.0 so a change in how certificates are encoded must have occurred since then.
I use one vault cluster to sign an intermediate CA certificate and then I set that intermediate CA as the issuing CA on the pki mount in another vault cluster.
So on Vault A, I issue a write to the path pki/root/sign-intermediate. This returns a JSON document, where the certificate is located at .data.certificate. I then use jq to extract that certificate and pass it to Vault B. On Vault B, I do a vault write to pki/intermediate/set-signed. This results in the following error.
```
Error writing data to pki/intermediate/set-signed: Error making API request.
URL: PUT https://localhost:8200/v1/pki/intermediate/set-signed
Code: 400. Errors:
```
The cause of this error is that the JSON response containing the certificate included a newline as the last character of the .data.certificate field. If that newline is removed, then Vault is able to parse the certificate.
Environment:
Vault v0.9.5 ('36edb4d42380d89a897e7f633046423240b710d9')
Expected Behavior:
Any certificate that vault returns to me should be something vault can consume.
Actual Behavior:
Vault failed to process a certificate that it generated.
For what it's worth, it seems like Vault's certificate parser does not comply with RFC 7468.
Furthermore, parsers SHOULD ignore whitespace and other non-base64 characters and MUST handle different newline conventions.
Our test suite creates lots of certificates that vault then parses as part of verification, so I'm not sure what the issue might be. Can you provide a repro script?
Here you go. If you need examples of the JSON responses returned by Vault, let me know and I can provide them.
```shell
# set VAULT_ADDR and VAULT_TOKEN env variables
# points to vault instance with a root CA.
vault write -format=json pki/root/sign-intermediate ttl=78840h csr=@/opt/vault/config/keys/intermediate.csr.pem use_csr_values=true format=pem_bundle > intermediate-bundle.json

# extract signed intermediate into a separate file using jq
# The last character in the .data.certificate field is a newline.
# In vault 0.9.0, a newline character was NOT the last character in the field.
jq -r .data.certificate /opt/vault/config/keys/intermediate-bundle.json > intermediate.cert.pem

# set VAULT_ADDR and VAULT_TOKEN env variables
# points to vault instance with a pki mount that still needs an issuing CA.
# attempt to set the intermediate CA as the issuing CA on the PKI mount.
vault write pki/intermediate/set-signed certificate=@intermediate.cert.pem
```
If you're stuck on this, running the pem file through:
```shell
sed -i '/^$/d' mine.pem
```
works around the issue.
I confirm that any blank line in the PEM file will generate this error.
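Added example, not code from this thread or from Vault's code base: a small Go normaliser that applies the RFC 7468 tolerance rules the report cites (unify newline conventions, strip trailing whitespace, drop blank lines anywhere in the file) before handing the text to `encoding/pem`, which has the same effect as the `sed '/^$/d'` workaround above but also covers CRLF input. `samplePEM` constructs its input with a placeholder payload, not a real certificate, and appends the extra newline the issue describes; the function names are my own.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// samplePEM builds a constructed CERTIFICATE block whose body is a
// placeholder string (not real DER) and appends one extra "\n" so the
// text ends with a blank line, as the 0.9.5 JSON field in the issue does.
func samplePEM() string {
	block := &pem.Block{Type: "CERTIFICATE", Bytes: []byte("placeholder DER, not a real certificate")}
	return string(pem.EncodeToMemory(block)) + "\n"
}

// EndsWithBlankLine reports whether the text ends with an empty line, i.e.
// the condition that triggered the set-signed error in the report.
func EndsWithBlankLine(s string) bool {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	return strings.HasSuffix(s, "\n\n")
}

// NormalizePEM applies the RFC 7468 tolerance rules on the consumer side:
// CRLF/CR become LF, trailing spaces and tabs are removed from each line,
// empty lines are dropped wherever they occur, and the result ends with
// exactly one LF. Output is empty if the input had no non-blank lines.
func NormalizePEM(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	var kept []string
	for _, line := range strings.Split(s, "\n") {
		line = strings.TrimRight(line, " \t")
		if line == "" {
			continue
		}
		kept = append(kept, line)
	}
	if len(kept) == 0 {
		return ""
	}
	return strings.Join(kept, "\n") + "\n"
}

// DecodeCertificatePEM normalises the input and decodes exactly one
// CERTIFICATE block. Whitespace after the END line is fine; any other
// trailing data is rejected so a second block or garbage is not silently
// ignored.
func DecodeCertificatePEM(s string) ([]byte, error) {
	block, rest := pem.Decode([]byte(NormalizePEM(s)))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("unexpected PEM type %q", block.Type)
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("trailing data after certificate block")
	}
	return block.Bytes, nil
}

func main() {
	raw := samplePEM()
	fmt.Println("input ends with a blank line:", EndsWithBlankLine(raw))
	der, err := DecodeCertificatePEM(raw)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("decoded %d payload bytes after normalisation\n", len(der))
}
```

Run it as `go run main.go`; the normaliser is the piece to drop in front of whatever strict parser rejects the Vault output, and `EndsWithBlankLine` is a cheap check to put in a pipeline before the `set-signed` write.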