Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

`--replace-instance` flag doesn't work with user-provided CSRs #423

Open paulternate opened 7 months ago

paulternate commented 7 months ago

PROBLEM SUMMARY

Using the --replace-instance flag when enrolling a certificate by providing the CSR file does not work and instead returns the "ObjectAlreadyExists" error message which it is supposed to address. When using VCert or Service generated private keys, everything works as expected.

Looking at the VCert outputs below (comments section), it appears to be a problem when retrieving the GUID for the newly created certificate object.

STEPS TO REPRODUCE

  1. Create CSR locally.
  2. Use VCert to enroll a cert using the CSR. This will succeed but the output will be incorrect as noted above. (e.g. vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --key-password "Password123!")
  3. Use VCert to enroll again while specifying the --replace-instance flag. This will fail, likely due to the GUID issue described above. (e.g. vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --replace-instance --key-password "Password123!")

EXPECTED RESULTS

Subsequent renewal operations should replace the existing Device/App objects. I would expect the behavior to be consistent when using any form of key generation.

ACTUAL RESULTS

Subsequent renewal operations fail with "ObjectAlreadyExists."

ENVIRONMENT DETAILS

TLS Protect Datacenter 23.1.3
VCert v5.1.1

COMMENTS/WORKAROUNDS

Successful subsequent renewal when Venafi generates private key and CSR:

vCert: 2024/02/08 14:45:31 Successfully connected to Trust Protection Platform
vCert: 2024/02/08 14:45:31 Successfully read zone configuration for Venafi Internal\\Testing\\VCert
vCert: 2024/02/08 14:45:31 Successfully created request for test-no-csr.venafidemo.com
vCert: 2024/02/08 14:45:31 Getting guid for object DN \VED\Policy\Venafi Internal\\Testing\\VCert\test-no-csr.venafidemo.com
vCert: 2024/02/08 14:45:31 Dissociating device \VED\Policy\Venafi Internal\Testing\VCert\PaulC\TestC
vCert: 2024/02/08 14:45:32 Successfully posted request for test-no-csr.venafidemo.com, will pick up by \VED\Policy\Venafi Internal\Testing\VCert\test-no-csr.venafidemo.com
vCert: 2024/02/08 14:45:36 Successfully retrieved request for \VED\Policy\Venafi Internal\Testing\VCert\test-no-csr.venafidemo.com

Failed subsequent renewal when user provides CSR (notice line 4 is missing the cert object after the initial zone):

vCert: 2024/02/08 14:33:08 Successfully connected to Trust Protection Platform
vCert: 2024/02/08 14:33:08 Successfully read zone configuration for Venafi Internal\\Testing\\VCert
vCert: 2024/02/08 14:33:08 Successfully created request for file:testB.csr
vCert: 2024/02/08 14:33:08 Getting guid for object DN \VED\Policy\Venafi Internal\\Testing\\VCert\
vCert: 2024/02/08 14:33:08 There were no instances associated with certificate \VED\Policy\Venafi Internal\\Testing\\VCert\
vCert: 2024/02/08 14:33:08 Unexpected status code on TPP Certificate Request.
 Status:
 400 Failed to create "\VED\Policy\Venafi Internal\Testing\VCert\PaulB\TestB". Error: Create object "\VED\Policy\Venafi Internal\Testing\VCert\PaulB\TestB" failed; ObjectAlreadyExists - ..
 Body:
 {"Error":"Failed to create \"\\VED\\Policy\\Venafi Internal\\Testing\\VCert\\PaulB\\TestB\". Error: Create object \"\\VED\\Policy\\Venafi Internal\\Testing\\VCert\\PaulB\\TestB\" failed; ObjectAlreadyExists - ."}
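The failing log above shows the object DN ending in a bare `\` (`...\VCert\`) when the CSR comes from a file, whereas the working run has the certificate's common name as the leaf. The following Go program is an added example, not vcert's own code, and it does not claim to be the cause of the bug: it is a pre-flight check a caller can run before enrolling, which parses a PEM CSR, verifies its signature, extracts the Subject CN, and refuses to build an object DN whose leaf would be empty. The `\VED\Policy\` + zone mapping is inferred from the log lines; `zoneToPolicyDN`, `commonNameFromCSR`, `objectDN` and `makeTestCSR` are names chosen here, and the CSR it parses is generated in-process as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// zoneToPolicyDN turns a VCert zone such as `Venafi Internal\Testing\VCert`
// into the TPP policy DN form seen in the issue's log lines (`\VED\Policy\...`).
// Assumption: the mapping is inferred from the log output, not from vcert source.
func zoneToPolicyDN(zone string) string {
	zone = strings.Trim(zone, `\`)
	return `\VED\Policy\` + zone
}

// commonNameFromCSR decodes a PEM PKCS#10 request, checks its self-signature
// (so a CSR whose body was altered after signing is rejected) and returns
// the Subject CN. An empty CN is returned as "" and left to the caller.
func commonNameFromCSR(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

// objectDN builds the certificate object DN that an enrollment in `zone`
// would address. It refuses to produce a DN with an empty leaf, which is
// the `...\VCert\` shape visible in the failing log above.
func objectDN(zone string, csrPEM []byte) (string, error) {
	cn, err := commonNameFromCSR(csrPEM)
	if err != nil {
		return "", err
	}
	if cn == "" {
		return "", errors.New("CSR subject has no CN; refusing to build an object DN with an empty leaf")
	}
	return zoneToPolicyDN(zone) + `\` + cn, nil
}

// makeTestCSR generates a throwaway P-256 key and a CSR with the given CN.
// Constructed demo input; nothing here is taken from the issue's environment.
func makeTestCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	zone := `Venafi Internal\Testing\VCert`

	good, err := makeTestCSR("test-with-csr.venafidemo.com")
	if err != nil {
		fmt.Println("csr generation failed:", err)
		return
	}
	dn, err := objectDN(zone, good)
	fmt.Println("object DN:", dn, "err:", err)

	// A CSR with no CN would otherwise yield the bare `...\VCert\` DN.
	noCN, _ := makeTestCSR("")
	_, err = objectDN(zone, noCN)
	fmt.Println("CSR without CN:", err)
}
```

Running this before `vcert enroll --csr file:...` gives a quick way to confirm the CSR actually carries the CN the Device/App replacement logic would need to locate the existing certificate object; a CSR that fails this check cannot be the one that produces a well-formed object DN regardless of which flags are passed.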