PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0
87 stars 70 forks

Error using panos_certificate_import on panorama #329

Closed jon-larsen closed 1 year ago

jon-larsen commented 2 years ago

Describe the bug

I'm using "panos_certificate_import" on several firewalls, but when I use it on a panorama device I get an error.

Expected behavior

Same behavior on Panorama and Palo Alto devices.

Current behavior

Error message when Terraform tries to import the certificate: Error: Import of panorama.domain.com failed. Failed to extract certificate

The certificate is uploaded, but there is no key on the uploaded certificate.

I get no error when I upload the same certificate and key file manually through the panorama web interface.

Possible solution

Maybe panorama needs some extra parameters I am missing in my TF file...?

Steps to reproduce

resource "panos_certificate_import" "cert-panorama" {
    provider = panos.panorama
    name = "panorama.domain.com"
    pem {
        certificate = file("panorama.domain.com.cer")
        private_key = file("panorama.domain.com.key")
        passphrase = "secret"
    }
}
  # panos_certificate_import.cert-panorama will be created
  + resource "panos_certificate_import" "cert-panorama" {
      + algorithm          = (known after apply)
      + ca                 = (known after apply)
      + cert_format        = (known after apply)
      + cert_passphrase    = (sensitive value)
      + cert_public_key    = (known after apply)
      + common_name        = (known after apply)
      + csr                = (known after apply)
      + expiry_epoch       = (known after apply)
      + id                 = (known after apply)
      + issuer             = (known after apply)
      + issuer_hash        = (known after apply)
      + name               = "panorama.domain.com"
      + not_valid_after    = (known after apply)
      + not_valid_before   = (known after apply)
      + private_key        = (sensitive value)
      + private_key_on_hsm = (known after apply)
      + public_key         = (known after apply)
      + revoke_date_epoch  = (known after apply)
      + status             = (known after apply)
      + subject            = (known after apply)
      + subject_hash       = (known after apply)
      + vsys               = "shared"

      + pem {
          + certificate          = <<-EOT
                -----BEGIN CERTIFICATE-----
                ...
                -----END CERTIFICATE-----
            EOT
          + certificate_filename = "cert.pem"
          + passphrase           = (sensitive value)
          + private_key          = (sensitive value)
          + private_key_filename = "key.pem"
        }
    }

╷
│ Error: Import of panorama.domain.com failed. Failed to extract certificate
│ 
│   with panos_certificate_import.cert-panorama,
│   on panos-cert-upload.tf line 1, in resource "panos_certificate_import" "cert-panorama":
│    1: resource "panos_certificate_import" "cert-panorama" {
│ 
╵
Error: Process completed with exit code 1.

Context

I want to upload a certificate to the Panorama device to use in an SSL profile for the management interface.

Your Environment

jdelforno commented 1 year ago

I ran into the same issue using acme_certificate: it'll upload manually via the GUI, but attempting to import it, even from an Azure Key Vault, fails.

I thought it had something to do with it being base64 encoded, though.

piotrszlenk commented 1 year ago

Did anyone find any workaround to this issue? It fails with Let's Encrypt certs too.

jon-larsen commented 1 year ago

My workaround is to manually update the certificate.

fh-graines commented 1 year ago

Same issue here. GUI works, TF fails and throws "Failed to extract certificate".

fh-dfarrar commented 1 year ago

Got this fixed for PEM keys in our lab: there was a typo in the pango/dev/certificate/pano.go file that referenced the public certificate instead of the private key (fw.go was correct, which is why it worked on firewalls). I have a static version published on registry.terraform.io for DEV purposes (unmaintained) until a new version includes the fix.
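
Added example, not code from the provider or from pango: a Go sketch of the two uploads a pem block of panos_certificate_import amounts to (certificate, then private key under the same name), with a guard that refuses to send anything but a PRIVATE KEY PEM block under the private-key import. Handing the certificate body to the key upload, which is the mix-up described in the comment above, then fails at request-build time instead of leaving a key-less certificate on the device. The request shape (type=import, category, certificate-name, format, passphrase) follows the PAN-OS XML API import call as I understand it; that parameter set, the host, the omitted API key and the placeholder PEM bodies are assumptions for this example and should be checked against the API reference for your PAN-OS version.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/url"
	"strings"
)

// Constructed placeholder PEM blocks (not real DER); only the block types matter here.
const (
	CertPEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
	KeyPEM  = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

// ErrNotPrivateKey: a category=private-key import was handed something other
// than a private key, e.g. the certificate (the pano.go typo described in this thread).
var ErrNotPrivateKey = errors.New("private-key import body is not a PRIVATE KEY PEM block")

// pemType returns the type of the first PEM block in b ("" if b is not PEM).
func pemType(b []byte) string {
	block, _ := pem.Decode(b)
	if block == nil {
		return ""
	}
	return block.Type
}

// checkBody rejects a body whose PEM type does not match the import category,
// so a mix-up fails here instead of producing a key-less certificate on the device.
func checkBody(category string, body []byte) error {
	t := pemType(body)
	if category == "certificate" && t != "CERTIFICATE" {
		return fmt.Errorf("certificate import body has PEM type %q", t)
	}
	if category == "private-key" && !strings.HasSuffix(t, "PRIVATE KEY") {
		return fmt.Errorf("%w (got %q)", ErrNotPrivateKey, t)
	}
	return nil
}

// buildImportRequest builds a multipart POST in the assumed shape of the PAN-OS XML API
// import call (type=import, category, certificate-name, format=pem, passphrase for keys).
// Host and parameter set are assumptions for this example; the API key is omitted.
func buildImportRequest(host, category, name, passphrase string, body []byte) (*http.Request, error) {
	if err := checkBody(category, body); err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	part, err := w.CreateFormFile("file", name+".pem")
	if err != nil {
		return nil, err
	}
	part.Write(body)
	w.Close()
	q := url.Values{"type": {"import"}, "category": {category}, "certificate-name": {name}, "format": {"pem"}}
	if category == "private-key" {
		q.Set("passphrase", passphrase)
	}
	req, err := http.NewRequest(http.MethodPost, "https://"+host+"/api/?"+q.Encode(), &buf)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", w.FormDataContentType())
	return req, nil
}

// ImportPair builds the two uploads a pem block of panos_certificate_import
// amounts to: the certificate, then its private key under the same name.
func ImportPair(host, name, cert, key, passphrase string) (certReq, keyReq *http.Request, err error) {
	if certReq, err = buildImportRequest(host, "certificate", name, "", []byte(cert)); err != nil {
		return nil, nil, err
	}
	if keyReq, err = buildImportRequest(host, "private-key", name, passphrase, []byte(key)); err != nil {
		return nil, nil, err
	}
	return certReq, keyReq, nil
}

// UploadedPEMType reads back the PEM type carried by an import request, the way a
// request-logging proxy or a mock of the device would see it.
func UploadedPEMType(req *http.Request) (string, error) {
	if err := req.ParseMultipartForm(1 << 20); err != nil {
		return "", err
	}
	f, _, err := req.FormFile("file")
	if err != nil {
		return "", err
	}
	defer f.Close()
	var buf bytes.Buffer
	buf.ReadFrom(f)
	return pemType(buf.Bytes()), nil
}

func main() {
	_, keyReq, err := ImportPair("panorama.domain.com", "panorama.domain.com", CertPEM, KeyPEM, "secret")
	if err != nil {
		panic(err)
	}
	t, _ := UploadedPEMType(keyReq)
	fmt.Println("private-key upload carries:", t)
	// The defect from this thread: the key upload handed the certificate body.
	_, err = buildImportRequest("panorama.domain.com", "private-key", "panorama.domain.com", "secret", []byte(CertPEM))
	fmt.Println("mixed-up key upload:", err)
}
```

Inspecting the first PEM block type of what actually leaves the client (UploadedPEMType, or the same check on a logging proxy between Terraform and the device) is the quickest way to tell a wrong-file upload like the one in this thread from a genuinely malformed PEM when the device only answers "Failed to extract certificate".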

shinmog commented 1 year ago

Fixed by 1.11.1