Venafi / vault-pki-backend-venafi

Venafi PKI Secrets Engine plugin for HashiCorp Vault that enables certificate enrollment using Venafi machine identity services.
Mozilla Public License 2.0

Error writing data to venafi-pki/sign/tpp-backend: Error making API request. #30

Closed sfortuna closed 5 years ago

sfortuna commented 5 years ago

Error writing data to venafi-pki/sign/tpp-backend: Error making API request.

Code: 404. Errors:

tr1ck3r commented 5 years ago

@sfortuna did you execute vault secrets enable and, if so, did you specify -path=venafi-pki when you did? https://www.vaultproject.io/docs/commands/secrets/enable.html

sfortuna commented 5 years ago

Yes, I was able to complete steps 1-10 in the quickstart guide. The error occurs when running this command in step 11: vault write venafi-pki/sign/tpp-backend csr=@myserver.csr

https://github.com/Venafi/vault-pki-backend-venafi

arykalin commented 5 years ago

Hi @sfortuna, on what platform are you running venafi-pki? Could you share the vault logs?

sfortuna commented 5 years ago

RHEL

2019-07-26T12:50:11.028-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=started
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=906.75µs
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=sign/tpp-backend status=started
2019-07-26T12:50:11.030-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=993.667µs

tr1ck3r commented 5 years ago

@sfortuna would you please send the full sequence of commands you executed for steps 1-10 and your vault config file to opensource@venafi.com so we can attempt to reproduce the issue in our lab? Please redact any sensitive information and also confirm that you are using Vault version 0.12 with version 0.5.1 of the vault-pki-backend-venafi plugin.

sfortuna commented 5 years ago

We are using vault v 1.1.1 and venafi 0.4.1

sfortuna commented 5 years ago

Here are the commands with personal information removed:

  1. Unzip venafi-pki-backend_0.4.1+385_linux86.zip
  2. mv venafi-pki-backend /path/to/vault/vault_plugins
  3. vi vault_server_config.json
  4. export VAULT_ADDR=https://{fqdn}:8200
  5. SHA256=$(shasum -a 256 /path/to/vault/vault_plugins/venafi-pki-backend | cut -d' ' -f1)
  6. vault write sys/plugins/catalog/secret/venafi-pki-backend sha_256="${SHA256}" command="venafi-pki-backend"
  7. vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin
  8. vault write venafi-pki/roles/tpp-backend \
         tpp_url="https://tpp.venafi.example:443/vedsdk" \
         tpp_user="admin" \
         tpp_password="password" \
         zone="DevOps\Vault Backend" \
         trust_bundle_file="/opt/venafi/bundle.pem" \
         generate_lease=true store_by_cn=true store_pkey=true store_by_serial=true ttl=1h max_ttl=1h \
         allowed_domains=example.com \
         allow_subdomains=true
  9. vault write venafi-pki/issue/tpp-backend common_name="test.example.com"
  10. Write csr.conf with a heredoc and generate the CSR:

cat > csr.conf <<EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
CN = test-csr-32313131.vfidev.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = alt1-test-csr-32313131.vfidev.com
DNS.2 = alt2-test-csr-32313131.vfidev.com
EOF

openssl req -new -config csr.conf -keyout myserver.key -out myserver.csr -passin pass:somepassword -passout pass:anotherpassword

  11. vault write venafi-pki/sign/tpp-backend csr=@myserver.csr

tr1ck3r commented 5 years ago

Thank you @sfortuna. We first added support for signing CSRs in version 0.4.2 of our plugin, so that's most likely the source of your problem. Any version higher than the one you are using should work, but we recommend the latest (0.5.1).
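An added example, not from this thread or from the Venafi plugin, that turns the two diagnostics discussed above into offline shell checks: a dotted-version comparison against the 0.4.2 minimum the maintainer gives for the sign/<role> path, and a scan of Vault trace lines for err="unsupported path" that reports which backend paths were rejected. The function names are hypothetical, and the sample log is constructed from the trace lines sfortuna posted.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Venafi plugin). Two offline checks
# for the failure mode discussed above: (1) is the installed plugin version new
# enough to expose sign/<role>, and (2) which paths did the plugin reject with
# err="unsupported path" in the Vault trace log. Function names are hypothetical.

# First plugin version that handles sign/<role>, per the maintainer's reply above.
MIN_SIGN_VERSION="0.4.2"

# version_ge A B: succeed when dotted version A is >= B (numeric fields, e.g. 0.4.1 0.4.2)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# plugin_supports_sign VERSION: print yes/no for whether sign/<role> should exist
plugin_supports_sign() {
    if version_ge "$1" "$MIN_SIGN_VERSION"; then echo yes; else echo no; fi
}

# unsupported_paths LOGFILE: distinct backend paths rejected with err="unsupported path"
unsupported_paths() {
    grep 'err="unsupported path"' "$1" \
        | sed -n 's/.* path=\([^ ]*\) .*/\1/p' \
        | sort -u
}

# Constructed sample log modelled on the trace lines in the thread (not real output).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'LOG'
2019-07-26T12:50:11.028-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=started
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=906.75us
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=issue/tpp-backend status=finished took=120.5ms
2019-07-26T12:50:11.030-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=993.667us
LOG

# Demo: the version reported in the thread, the recommended version, and the log.
for v in 0.4.1 0.5.1; do
    printf 'plugin %s exposes sign/<role>: %s\n' "$v" "$(plugin_supports_sign "$v")"
done
printf 'paths rejected as unsupported:\n'
unsupported_paths "$SAMPLE_LOG" | sed 's/^/  /'
```

A 404 from vault write against a plugin mount means the backend registered no handler for that path, which is why the trace log says unsupported path rather than reporting an error from TPP. The paths in the log are relative to the mount, so sign/tpp-backend here is venafi-pki/sign/tpp-backend from the CLI; if the installed version passes the check and the path is still rejected, the mount path and role name are the next things to verify.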

sfortuna commented 5 years ago

@tr1ck3r Thanks, we've updated to version 0.5.1 but are still experiencing the same issue. We are still able to complete steps 1-10 in the guide but not 11.

sfortuna commented 5 years ago

Hello, this was an issue with our CA configuration. Thanks.