Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

"pkcs8: only PKCS #5 v2.0 supported" error occurs during `terraform plan` #89

Closed fcatacut closed 2 years ago

fcatacut commented 2 years ago

PROBLEM SUMMARY

I'm not sure if there is a misconfiguration of Venafi on our end, but upgrading from v0.14.0 to v0.15.x results in the following error during terraform plan for an existing certificate:

Error: pkcs8: only PKCS #5 v2.0 supported

+ resource "venafi_certificate" "this" {
    + algorithm         = "RSA"
    + certificate       = (known after apply)
    + certificate_dn    = (known after apply)
    + chain             = (known after apply)
    + common_name       = "venafi-test.mydomain.com"
    + csr_origin        = "local"
    + csr_pem           = (known after apply)
    + ecdsa_curve       = "P521"
    + expiration_window = 72
    + id                = (known after apply)
    + key_password      = (sensitive value)
    + pkcs12            = (known after apply)
    + private_key_pem   = (sensitive value)
    + rsa_bits          = 2048
    + san_dns           = [
        + "venafi-test.mydomain.com",
      ]
    + valid_days        = 365
  }

STEPS TO REPRODUCE

  1. Create a cert using v0.14.0.
  2. Run terraform -upgrade to upgrade to v0.15.x.
  3. Run terraform plan.

EXPECTED RESULTS

Plan should indicate no changes.

ACTUAL RESULTS

ENVIRONMENT DETAILS

Upgrading from

Terraform v1.0.5
on darwin_amd64
+ provider registry.terraform.io/venafi/venafi v0.14.0

to

Terraform v1.0.5
on darwin_amd64
+ provider registry.terraform.io/venafi/venafi v0.15.4

COMMENTS/WORKAROUNDS

luispresuelVenafi commented 2 years ago

Hi @fcatacut, thank you for reaching out. More than a bug, this is missing information in our documentation. This is expected behavior between the two versions, since we are not giving support to PKCS#1 format generated keys (on latest VCert versions), which may probably be in your terraform state from the older version. We believe we can enhance this situation within our provider in order to prevent storing PKCS#1 keys and re-add them as PKCS#8, but that would be an enhancement we are still looking into.
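
The state-compatibility problem described in this comment, illustrated with an added Go example that is not code from the provider or from VCert. A key written by the older provider sits in state as a PKCS#1 "RSA PRIVATE KEY" PEM block; a parser that only accepts PKCS#8 "PRIVATE KEY" blocks rejects it. The program below detects the container a PEM key uses and rewrites PKCS#1 (and SEC1 "EC PRIVATE KEY") blocks into PKCS#8 using only the Go standard library. The function names (`DetectKeyFormat`, `ToPKCS8PEM`, `ParsesAsPKCS8`, `LegacyRSAKeyPEM`) are mine, and the sample keys are generated in the program rather than taken from anyone's state. It handles unencrypted keys only: the standard library cannot emit password-protected PKCS#8, so a legacy-encrypted block (DEK-Info header) is refused rather than silently mishandled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyFormat names the container a PEM private key block uses.
type KeyFormat string

const (
	FormatPKCS1   KeyFormat = "PKCS#1"  // "RSA PRIVATE KEY": RSA only
	FormatSEC1    KeyFormat = "SEC1"    // "EC PRIVATE KEY": ECDSA only
	FormatPKCS8   KeyFormat = "PKCS#8"  // "PRIVATE KEY": algorithm-agnostic
	FormatUnknown KeyFormat = "unknown" // no PEM block or an unrecognised type
)

// DetectKeyFormat reports the container of the first PEM block in keyPEM.
func DetectKeyFormat(keyPEM []byte) KeyFormat {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return FormatUnknown
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return FormatPKCS1
	case "EC PRIVATE KEY":
		return FormatSEC1
	case "PRIVATE KEY":
		return FormatPKCS8
	default:
		return FormatUnknown
	}
}

// ParsesAsPKCS8 is what a PKCS#8-only consumer does: it succeeds for a
// "PRIVATE KEY" block and fails for a PKCS#1 block, which is the mismatch
// behind a plan-time parse error on old state.
func ParsesAsPKCS8(keyPEM []byte) bool {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return false
	}
	_, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	return err == nil
}

// ToPKCS8PEM takes an unencrypted PKCS#1, SEC1 or PKCS#8 PEM private key and
// returns the same key as an unencrypted PKCS#8 "PRIVATE KEY" block.
// Running it on a PKCS#8 input is a no-op, so it is safe to apply on every read.
func ToPKCS8PEM(keyPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if _, encrypted := block.Headers["DEK-Info"]; encrypted {
		// Legacy OpenSSL PEM encryption: the caller has to decrypt first.
		return nil, errors.New("encrypted legacy PEM block: decrypt before converting")
	}
	var key interface{}
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// LegacyRSAKeyPEM constructs a PKCS#1 "RSA PRIVATE KEY" block, standing in
// for a key an older provider version left in state (constructed sample).
func LegacyRSAKeyPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
}

func main() {
	legacy, err := LegacyRSAKeyPEM(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("before:", DetectKeyFormat(legacy), "parses as PKCS#8:", ParsesAsPKCS8(legacy))
	converted, err := ToPKCS8PEM(legacy)
	if err != nil {
		panic(err)
	}
	fmt.Println("after: ", DetectKeyFormat(converted), "parses as PKCS#8:", ParsesAsPKCS8(converted))
}
```

Converting on read keeps the same key material, so a plan over converted state should still report no changes; only the encoding of the stored `private_key_pem` differs. Keys stored with a `key_password` need a PKCS#8 encryption routine from outside the standard library before they can be handled the same way.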

luispresuelVenafi commented 2 years ago

@fcatacut We are handling this as a bug in backward compatibility; we will soon fix this issue in PR #90.

fcatacut commented 2 years ago

> @fcatacut We are handling this as a bug in backward compatibility, we are soon to fix for this issue in PR: #90

I confirmed that v0.15.5 resolves the issue.

luispresuelVenafi commented 2 years ago

This has been addressed in release v0.15.5.