Closed. forevergenin closed this 2 years ago.
I tested and the certificate enrollment and pickup with csr set to service is working fine with vcert version v4.18.2 as well.
Hi @forevergenin I just tested this with the following quick snippet:
terraform {
  required_providers {
    venafi = {
      source  = "venafi/venafi"
      version = "0.15.5"
    }
  }
  required_version = ">= 0.15"
}

provider "venafi" {
  url          = "https://<tpp_url>"
  trust_bundle = file("<path-to-trust-bundle>")
  access_token = "<access_token_with_cert_manage_scope>"
  zone         = "<zone_that_accepts_service_generated_keys>"
}

resource "venafi_certificate" "certificate" {
  algorithm    = "RSA"
  rsa_bits     = "2048"
  common_name  = "tls-tpp.venafi.example.com"
  # Password used to encrypt the private key TPP returns (PKCS#8/PKCS#12).
  key_password = "<16-character-random-password>"
  san_dns = [
    "tls-tpp.venafi.example.com",
  ]
  valid_days = 365
  # Key pair and CSR are generated by TPP, so the zone policy's PBE setting applies.
  csr_origin = "service"
}
And our provider ran successfully:
I believe this error is indeed due to your environment, could you share more info about zone? Is your policy PBE (password-based encryption) algorithm configured for either "SHA1 3DES" or "SHA256 AES256"? I recall having the same error using "MD5 DES" which we no longer support in the TPP version you are currently using.
@luispresuelVenafi you are correct. While using vcert, if I set the format flag to pkcs12 I run into the below error. I will work with my administrator to update the PBE algorithm and test this out. Thanks for your time and effort!
vcert pickup --pickup-id "\\VED\\Policy\\@<redacted>" --key-password <random-password> --format pkcs12 --file $FQDN.pkcs12
vCert: 2022/04/27 17:30:38 Successfully connected to Trust Protection Platform
vCert: 2022/04/27 17:30:40 Successfully retrieved request for \VED\Policy\@<redacted>
vCert: 2022/04/27 17:30:40 ERROR: To continue, you must select either the SHA1 3DES or SHA256 AES256 private key PBE algorithm. In a web browser, log in to TLS Protect and go to Configuration > Folders, select your zone, then click Certificate Policy and expand Show Advanced Options to make the change.
I verified the PBE configuration. It is set to High security but low system compatibility (SHA256 AES256).
Hi @forevergenin can you please check the "Other Information" section of the Settings > Certificate tab of the policy folder that matches the zone you're specifying for Terraform or VCert? What you showed in your screenshot applies to the Adaptable Application driver which is an unrelated feature of TPP.
@tr1ck3r I checked the "Other Information" section. The PBE is configured as MD5 3DES.
@forevergenin you should be all set if you change that to "SHA1 3DES" or "SHA256 AES256" (both are stronger password based encryption than you currently have it configured).
Hi @forevergenin,
Were you able to solve your issue with the comment above?
@luispresuelVenafi @tr1ck3r thank you so much for your insights. Updated the PBE for the zone to "SHA256 AES256" and this resolved the issue. I have verified it using the vcert command line tool. I will soon verify it via the terraform provider as well.
Thank you for your feedback @forevergenin! I'll be closing the ticket now. Let us know if you encounter any other issues.
I am using terraform venafi provider v0.15.5. Below is the snippet I am trying out. The certificate generation is failing and I am getting

Error: pkcs8: only PBES2 supported

as the error. I am running this against Venafi Trust Protection Platform version 21.4.0.4246. When I tried the same using the vcert command (version v4.17.1), I can enroll a new certificate and get the json response back.
I dug into this to some extent and it seems like the pkcs8 go library is the one responsible for the error message.
I am wondering if this issue is specific to my environment.
Update: I checked the certificate generation status on the portal. Looks like the certificate got generated but the pick-up by the terraform venafi provider failed.
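The error in this thread comes from the outer layer of the encrypted PKCS#8 key that TPP hands back at pickup: the Go pkcs8 library only decrypts keys whose EncryptedPrivateKeyInfo names the PBES2 scheme, so a zone whose PBE policy is a legacy PBES1/PKCS#12 scheme produces "pkcs8: only PBES2 supported" before any decryption is attempted. The following Go program is an added example, not code from the Venafi provider or the pkcs8 library; it reads the encryption-scheme OID from a DER-encoded EncryptedPrivateKeyInfo and reports whether a PBES2-only parser would accept it, which lets you check a picked-up key before feeding it to Terraform. The sample keys are constructed in the program with dummy ciphertext, and the mapping from TPP's labels (MD5 3DES, SHA1 3DES, SHA256 AES256) to specific OIDs is an assumption made here; the thread only establishes that "SHA256 AES256" and "SHA1 3DES" are accepted and "MD5 3DES" is not.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// AlgorithmIdentifier and EncryptedPrivateKeyInfo mirror the ASN.1 structures
// of RFC 5958 section 3 (PKCS#8). Only the scheme OID is inspected; the
// encrypted key bytes are never decrypted in this example.
type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}

type encryptedPrivateKeyInfo struct {
	EncryptionAlgorithm algorithmIdentifier
	EncryptedData       []byte
}

var (
	// PKCS#5 v2.0 PBES2: the only scheme a PBES2-only parser accepts.
	oidPBES2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
	// Legacy PBES1 scheme (PKCS#5 v1.5): pbeWithMD5AndDES-CBC.
	oidPBEWithMD5AndDES = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 3}
	// Legacy PKCS#12 PBE: pbeWithSHAAnd3-KeyTripleDES-CBC.
	oidPBEWithSHAAnd3DES = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 3}
)

// Human-readable names for the schemes above (assumed mapping to TPP labels).
var pbeNames = map[string]string{
	oidPBES2.String():             "PBES2 (PKCS#5 v2.0, e.g. PBKDF2-HMAC-SHA256 + AES-256-CBC)",
	oidPBEWithMD5AndDES.String():  "pbeWithMD5AndDES-CBC (PBES1, legacy)",
	oidPBEWithSHAAnd3DES.String(): "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE, legacy)",
}

// PBEScheme parses a DER-encoded EncryptedPrivateKeyInfo and returns the
// encryption scheme OID, a descriptive name, and whether the scheme is PBES2
// (i.e. whether a PBES2-only PKCS#8 parser would proceed to decrypt it).
func PBEScheme(der []byte) (oid string, name string, isPBES2 bool, err error) {
	var epki encryptedPrivateKeyInfo
	rest, err := asn1.Unmarshal(der, &epki)
	if err != nil {
		return "", "", false, fmt.Errorf("not an EncryptedPrivateKeyInfo: %w", err)
	}
	if len(rest) != 0 {
		return "", "", false, fmt.Errorf("trailing bytes after EncryptedPrivateKeyInfo")
	}
	oid = epki.EncryptionAlgorithm.Algorithm.String()
	name, known := pbeNames[oid]
	if !known {
		name = "unknown PBE scheme"
	}
	return oid, name, epki.EncryptionAlgorithm.Algorithm.Equal(oidPBES2), nil
}

// sampleEPKI builds a constructed EncryptedPrivateKeyInfo for the given scheme
// with dummy ciphertext. Scheme parameters are omitted because only the OID
// matters for the PBES2 check; real keys carry KDF and cipher parameters.
func sampleEPKI(scheme asn1.ObjectIdentifier) []byte {
	der, err := asn1.Marshal(encryptedPrivateKeyInfo{
		EncryptionAlgorithm: algorithmIdentifier{Algorithm: scheme},
		EncryptedData:       []byte{0xde, 0xad, 0xbe, 0xef}, // constructed, not a real key
	})
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	for _, scheme := range []asn1.ObjectIdentifier{oidPBES2, oidPBEWithMD5AndDES, oidPBEWithSHAAnd3DES} {
		oid, name, ok, err := PBEScheme(sampleEPKI(scheme))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		verdict := "rejected: pkcs8: only PBES2 supported"
		if ok {
			verdict = "accepted by a PBES2-only parser"
		}
		fmt.Printf("%s  %s\n  -> %s\n", oid, name, verdict)
	}
}
```

To check a real key, read the DER bytes of the picked-up private key (strip the PEM armour first) and pass them to PBEScheme; if it reports a non-PBES2 scheme, the fix is the zone policy change described in this thread rather than anything on the Terraform side.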