Keyfactor / ejbca-vault-pki-engine

EJBCA PKI Engine and Backend for HashiCorp Vault. Used to issue, sign, and revoke certificates using the EJBCA CA.
Apache License 2.0

Enhance CA chain logging and error handling #19

Open Syoc opened 1 month ago

Syoc commented 1 month ago

I'm having issues troubleshooting 404 issues with the cert/ca endpoint. Vault returns "Failed to fetch CA list from EJBCA" and a 404 request to "https://my-domain.com/ejbca/ejbca-rest-api/v1/ca//certificate/download". Reading the code makes it look like the caName match here never hits.

More logging with results from the ListCas endpoint would make this issue easier to debug.

It also makes more sense to me to error out if the for loop completes without a caName match instead of requesting a certificate for empty string.

Running vault version 1.16.3 and plugin version 1.4.0.
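An added Go sketch contrasting the two lookups described in this report (example code, not the plugin's own; `caInfo`, `findCA`, `findCAUnchecked` and `caDownloadPath` are assumed names): the unchecked loop falls through to the empty name and produces the doubled-slash download URL quoted above, while the hardened lookup fails early and reports the CA names ListCas actually returned.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// caInfo is a hypothetical stand-in for one ListCas entry, not the plugin's real type.
type caInfo struct{ Name string }

// caDownloadPath builds the URL shape quoted in the issue:
// {base}/ejbca/ejbca-rest-api/v1/ca/{caName}/certificate/download
func caDownloadPath(base, caName string) string {
	return strings.TrimRight(base, "/") + "/ejbca/ejbca-rest-api/v1/ca/" +
		url.PathEscape(caName) + "/certificate/download"
}

// findCAUnchecked reproduces the failure mode from the issue: when nothing
// matches, the loop falls through and the empty name reaches the URL.
func findCAUnchecked(cas []caInfo, want string) string {
	var name string
	for _, ca := range cas {
		if ca.Name == want {
			name = ca.Name
		}
	}
	return name
}

// findCA is the hardened lookup: no match is an error, and the error lists
// the names ListCas actually returned so an operator can spot the mismatch.
func findCA(cas []caInfo, want string) (caInfo, error) {
	names := make([]string, 0, len(cas))
	for _, ca := range cas {
		if ca.Name == want {
			return ca, nil
		}
		names = append(names, ca.Name)
	}
	return caInfo{}, fmt.Errorf("CA %q not found in EJBCA; ListCas returned %d CA(s): [%s]",
		want, len(cas), strings.Join(names, ", "))
}

func main() {
	// Constructed sample of a ListCas result; "issuingca" deliberately mismatches
	// the case of the friendly name "IssuingCA" configured in EJBCA.
	cas := []caInfo{{Name: "ManagementCA"}, {Name: "IssuingCA"}}
	fmt.Println(caDownloadPath("https://my-domain.com", findCAUnchecked(cas, "issuingca")))
	if _, err := findCA(cas, "issuingca"); err != nil {
		fmt.Println(err)
	}
}
```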

svenska-primekey commented 1 month ago

The caName needs to match the friendly name created in EJBCA. If the CA name is ManagementCA you would use ManagementCA for the EJBCA vault config.

Thank you for the feedback. We will take a look and see what we can do.