Closed NathanBowdish closed 4 months ago
Hi @NathanBowdish. Thanks for reporting and for posting your first issue :)
Can you tell me a bit about your certificate in addition to how it was created, ask or csr? Is it current and active? You can confirm the status and version with `Get-VcCertificate -ID $certificateId`.
Can you also run the command with `-Verbose` and provide the (sanitized) output?
Greg,
Thank you for the work you are doing on this.
The cert was created in Venafi Cloud, no CSR from the server, if that's what you mean.
This is piggybacking on what AprajitaPriya had posted in "Invoke-VcCertificateAction -Renew not working #262". You fixed that issue and did a PR to main; I downloaded main and that is what I'm currently trying to use.
Here is the output:
```
encryptionType                : RSA
keyStrength                   : 2048
subjectKeyIdentifierHash      : 8B27B27171BD99D1EE5EB906F26152472F917D5A
authorityKeyIdentifierHash    : 3E14D0A517AA292F27288024AE39931E4189F9D1
serialNumber                  : 4B00000C1EEBE1B041484AE42B000000000C1E
subjectDN                     : cn=voyagerxxx.xxx.xxx,ou=Cybersecurity,o=xxx,c=US,st=Washington,l=XXXX
subjectCN                     : {voyagerxxx.xxx.xxx}
subjectO                      : XXXX
subjectOU                     : {Cybersecurity}
subjectST                     : Washington
subjectL                      : XXXX
subjectC                      : US
subjectAlternativeNamesByType : @{otherName=System.Object[]; rfc822Name=System.Object[]; dNSName=System.Object[]; x400Address=System.Object[]; directoryName=System.Object[]; ediPartyName=System.Object[]; uniformResourceIdentifier=System.Object[]; iPAddress=System.Object[]; registeredID=System.Object[]}
subjectAlternativeNameDns     : {voyagerxxx.xxx.xxx}
issuerDN                      : cn=XXXXINTERNALCA03,0.9.2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.2342.19200300.100.1.25=inside
issuerCN                      : {XXXXXXXXX}
keyUsage                      : {digitalSignature, keyEncipherment}
extendedKeyUsage              : {1.3.6.1.5.5.7.3.1}
ocspNoCheck                   : False
versionType                   : CURRENT

(issuer chain from ownershipTree, start of the fragment was cut off in the paste)
serialNumber=390000002252DF3476DB729ABD000000000022; subjectDN=cn=XXXXINTERNALCA03,0.9.2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.2342.19200300.100.1.25=inside; subjectCN=System.Object[]; subjectAlternativeNamesByType=; issuerDN=cn=XXXXROOTCA; issuerCN=System.Object[]; keyUsage=System.Object[]; pathLength=0; ocspNoCheck=False; versionType=CURRENT; totalInstanceCount=1; totalActiveInstanceCount=0; instances=System.Object[]; ownership=}, @{id=ab5f9110-a3f7-11ed-b8ed-2d0416e4af6b; companyId=85d375a0-8038-11e5-bf87-317fe88bb23a; managedCertificateId=ab7c67e0-a3f7-11ed-b373-f1e3707d3405; fingerprint=F1B4E184462621F66F60A00FBE34CCD6A048DEB3; certificateName=XXXXX; issuerCertificateIds=System.Object[]; certificateStatus=ACTIVE; modificationDate=2024-02-29T16:44:34.519+00:00; validityStart=2016-10-24T19:12:30.000+00:00; validityEnd=2036-10-24T19:16:59.000+00:00; selfSigned=True; signatureAlgorithm=SHA256_WITH_RSA_ENCRYPTION; signatureHashAlgorithm=SHA256; encryptionType=RSA; keyStrength=2048; subjectKeyIdentifierHash=FD7E9A4265AC381BC97F7F45EBB67ABF382AEAA7; serialNumber=1582A981D841FFAD45B931214E952784; subjectDN=cn=XXXXROOTCA; subjectCN=System.Object[]; subjectAlternativeNamesByType=; issuerDN=cn=XXXXROOTCA; issuerCN=System.Object[]; keyUsage=System.Object[]; pathLength=1; ocspNoCheck=False; versionType=CURRENT; totalInstanceCount=1; totalActiveInstanceCount=0; instances=System.Object[]; ownership=}}

VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true with 0-byte payload
VERBOSE: received 5853-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d with 0-byte payload
VERBOSE: received 873-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0 with 0-byte payload
VERBOSE: received 2156-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"UseBasicParsing":true,"Method":"Post","Uri":"https://api.venafi.cloud/outagedetection/v1/certificaterequests","Body":{"existingCertificateId":"44491930-b60f-11ee-bf75-9798121d6e8d","applicationId":"90522f70-25a9-11ee-8e58-c9df4e72279d","reuseCSR":true,"certificateIssuingTemplateId":"871a4960-20f4-11ee-a6ac-b3f7f9dc765a"},"ContentType":"application/json","Headers":{"tppl-api-key":"hidden"}}
VERBOSE: Response status code 412

CertificateID : 44491930-b60f-11ee-bf75-9798121d6e8d
Success       : False
Error         : The remote server returned an error: (412) Precondition Failed.
```
Assuming you didn't change any of the uuids, can you please try the following and let me know the output?
```powershell
$body = @{
    existingCertificateId        = '44491930-b60f-11ee-bf75-9798121d6e8d'
    certificateIssuingTemplateId = '871a4960-20f4-11ee-a6ac-b3f7f9dc765a'
    applicationId                = '90522f70-25a9-11ee-8e58-c9df4e72279d'
    reuseCSR                     = $true
}
Invoke-WebRequest -Headers @{ 'tppl-api-key' = $VenafiSession.Key.GetNetworkCredential().password } -Uri 'https://api.venafi.cloud/outagedetection/v1/certificaterequests' -Method Post -Body ($body | ConvertTo-Json) -ContentType 'application/json'
```
```
Invoke-WebRequest : {"errors":[{"code":10746,"message":"Key reuse is not allowed","args":[]}]}
At C:\agent3_work\35\s\NathanTest\Pipelines\Renew-CertVenafi.ps1:52 char:1
```
Thanks! Looks like you haven't turned on key reuse with your issuing template. Go to your Issuing Template, scroll to the bottom, and turn this option on.
![image.png](https://github.com/Venafi/VenafiPS/assets/11862024/12d808d3-a6f8-493a-b08c-1cc1795f72b3)
If you have any questions on this feature, please reach out to support.
I will work on ensuring this additional information is captured in the error VenafiPS provides.
How do we use VenafiPS to renew a certificate with a new private key, since key reuse is not allowed?
@NathanBowdish can you give this a go? https://github.com/Venafi/VenafiPS/tree/renew-without-key-reuse
@gdbarron Hello Greg, I'm another engineer from BECU who is also following this issue. I have tried your new branch and encountered an issue with it. In VenafiPS/Public/Invoke-VcCertificateAction.ps1 it's missing a required csrAttribute 'SubjectCN' in the switch starting on line 176. You will also have to cast the SubjectCN to a string to make it work, since the return object of SubjectCN in `$thisCert = Get-VcCertificate -ID $ID` is an array and the CertificateRequest endpoint seems to only accept a string for the subjectCN CSR attributes. My local branch is currently working with this:
```powershell
switch ($thisCert.PSObject.Properties.Name) {
    'subjectCN' { $renewParams.csrAttributes.commonName = [string]$thisCert.subjectCN }
    ...
```
Thanks Connor, I appreciate you pointing this out. I've added this, but instead of converting to string, I'm selecting the first item in the array since converting multiple items to string would be an issue. I've also added a check for multiple CNs and a `-Force` switch to override the default behavior.
Great call on the `-Force`, much cleaner than my suggestion. Your update works for me, at least for a basic SSL certificate.
Great, thanks for confirming.
Hi @gdbarron, I tried out the latest main branch. Cert renewal works, but I need to pass the applicationId to the Invoke-VcCertificateAction command, otherwise it throws the error below, even though the cert is tagged to a single application.
```powershell
PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result = Invoke-VcCertificateAction -ID $certificateId -Renew
PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result.Error
Multiple applications associated, APP-ITBSR (90522f70-25a9-11ee-8e58-c9df4e72279d). Only 1 application can be renewed at a time. Rerun Invoke-VcCertificateAction and add '-AdditionalParameter @{'Application'='application id'}' and provide the actual id you would like to renew.
```
Thanks @aprajitapriya. I see the issue and given both Connor and I tested, I'm not sure how it got past. Please use the workaround for now and I'll get a fix out shortly.
@aprajitapriya v6.2.1 has the fix.
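The thread touches four separate things: the 412 from `Invoke-WebRequest` hides the real error (code 10746, "Key reuse is not allowed"); renewing without key reuse needs `csrAttributes` built from the existing subject; `subjectCN` comes back as an array and the API wants one string (first item, with a `-Force` style override when there are several); and a renewal can only target one application at a time. The following is an added example, written for this page and not code from VenafiPS or Venafi, that calls the same endpoints the verbose output above shows and handles all four cases. It assumes a Venafi Cloud API key in the placeholder `$env:TLSPC_APIKEY`; the field names `applicationIds` and `certificateRequestId` on the certificate object, `certificateIssuingTemplateId` on the certificate request, the `isVaaSGenerated` request flag and the `csrAttributes` keys other than `commonName` are assumptions about the Venafi Cloud API, not taken from this thread.

```powershell
# Added example, not VenafiPS or Venafi code. Assumes a Venafi Cloud API key in
# $env:TLSPC_APIKEY (placeholder) and the endpoints visible in the verbose output.
# Assumed API field names (not confirmed by this thread): applicationIds and
# certificateRequestId on the certificate object, certificateIssuingTemplateId on
# the certificate request, isVaaSGenerated on the request body, and the
# csrAttributes keys other than commonName.

function Get-VcApiError {
    # Turn a failed Invoke-RestMethod call into "code: message" from the JSON body,
    # so a bare "(412) Precondition Failed" reads "10746: Key reuse is not allowed".
    param([Parameter(Mandatory)] $ErrorRecord)

    $body = $ErrorRecord.ErrorDetails.Message
    if (-not $body -and $ErrorRecord.Exception.Response) {
        # Windows PowerShell 5.1 only exposes the body through the response stream
        $reader = New-Object System.IO.StreamReader($ErrorRecord.Exception.Response.GetResponseStream())
        $body = $reader.ReadToEnd()
    }
    try {
        $errors = ($body | ConvertFrom-Json).errors
        return ($errors | ForEach-Object { '{0}: {1}' -f $_.code, $_.message }) -join '; '
    }
    catch {
        return $body   # not JSON; hand back whatever the server sent
    }
}

function Invoke-VcRenewal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertificateId,
        [Parameter(Mandatory)] [string] $ApiKey,
        [string] $ApplicationId,   # only needed when the cert is tied to several applications
        [switch] $ReuseKey,        # reuseCSR = true; the issuing template must allow key reuse
        [switch] $Force,           # accept a certificate with several CNs and use the first
        [string] $Server = 'https://api.venafi.cloud'
    )

    $headers = @{ 'tppl-api-key' = $ApiKey }
    $cert = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$Server/outagedetection/v1/certificates/${CertificateId}?ownershipTree=true"
    $request = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$Server/outagedetection/v1/certificaterequests/$($cert.certificateRequestId)"

    # One renewal request targets one application; do not guess when there are several.
    $appIds = @($cert.applicationIds)
    if (-not $ApplicationId) {
        if ($appIds.Count -ne 1) {
            throw "Certificate is associated with $($appIds.Count) applications; pass -ApplicationId."
        }
        $ApplicationId = $appIds[0]
    }

    $body = @{
        existingCertificateId        = $CertificateId
        applicationId                = $ApplicationId
        certificateIssuingTemplateId = $request.certificateIssuingTemplateId
    }

    if ($ReuseKey) {
        $body.reuseCSR = $true
    }
    else {
        # subjectCN is an array even for a single-CN cert; the API wants one string.
        $cns = @($cert.subjectCN)
        if ($cns.Count -gt 1 -and -not $Force) {
            throw "Certificate has $($cns.Count) CNs ($($cns -join ', ')); rerun with -Force to use the first."
        }
        $body.isVaaSGenerated = $true   # assumed flag: let Venafi Cloud generate the new key
        $csr = @{ commonName = [string]$cns[0] }
        if ($cert.subjectO)  { $csr.organization        = [string]$cert.subjectO }
        if ($cert.subjectOU) { $csr.organizationalUnits = @($cert.subjectOU) }
        if ($cert.subjectL)  { $csr.locality            = [string]$cert.subjectL }
        if ($cert.subjectST) { $csr.state               = [string]$cert.subjectST }
        if ($cert.subjectC)  { $csr.country             = [string]$cert.subjectC }
        if ($cert.subjectAlternativeNameDns) {
            $csr.subjectAlternativeNamesByType = @{ dnsNames = @($cert.subjectAlternativeNameDns) }
        }
        $body.csrAttributes = $csr
    }

    try {
        $resp = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
            -Uri "$Server/outagedetection/v1/certificaterequests" -Body ($body | ConvertTo-Json -Depth 5)
        [pscustomobject]@{ CertificateID = $CertificateId; Success = $true;  Error = $null; Response = $resp }
    }
    catch {
        [pscustomobject]@{ CertificateID = $CertificateId; Success = $false; Error = (Get-VcApiError $_); Response = $null }
    }
}

# Usage with the (redacted) id from the thread: new key, then key reuse
# Invoke-VcRenewal -CertificateId '44491930-b60f-11ee-bf75-9798121d6e8d' -ApiKey $env:TLSPC_APIKEY
# Invoke-VcRenewal -CertificateId '44491930-b60f-11ee-bf75-9798121d6e8d' -ApiKey $env:TLSPC_APIKEY -ReuseKey
```

With `-ReuseKey` the request body is the same one the verbose output shows, and on a template that forbids key reuse the returned `Error` is the server's `10746: Key reuse is not allowed` rather than a bare 412. Without it, the subject of the existing certificate is copied into `csrAttributes` so the CA issues a fresh key pair; the CN and application checks are done client side before anything is sent, which is the same shape of guard the module's `-Force` switch and "Multiple applications associated" error provide.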
Environment
Steps to reproduce
```powershell
Invoke-VcCertificateAction -ID $certificateId -Renew
```
Expected behavior
Certificate successfully renewed
Actual behavior
The remote server returned an error: (412) Precondition Failed.