aws / aws-cli

Universal Command Line Interface for Amazon Web Services

"The certificate field contains more than one certificate" error message with valid certificate #6569

Closed Orabig closed 2 years ago

Orabig commented 2 years ago

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug

Using acm import-certificate on a valid certificate that has a space at the end of each line (some authorities return certificates in this format), the CLI returns a misleading error message: "An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field."

SDK version number 2.4.1

Platform/OS/Hardware/Device amazon/aws-cli:2.4.1 docker container

To Reproduce (observed behavior)

Run the acm import-certificate command. The certificate file must have a space at the end of each line. (This is STILL a valid certificate which is accepted in many situations.)

Expected behavior

The certificate must be accepted.

Logs/output N/A

Additional context N/A

(Issue described in https://serverfault.com/questions/997887/import-cert-into-aws-acm-validationexception-when-calling-the-importcertificate )

tim-finnigan commented 2 years ago

Hi @Orabig, thanks for reaching out. That error message was also mentioned in issues https://github.com/aws/aws-cli/issues/5041 and https://github.com/aws/aws-cli/issues/5231.

Please note the requirement here in the documentation:

When you import a certificate by using the CLI, you must specify the certificate, the certificate chain, and the private key by their file names preceded by fileb://

If you’re still having issues then we would need more information to help. Can you provide the debug logs by adding --debug to the command?

Orabig commented 2 years ago

Hi, thanks for your answer.

First of all, I can read documentation, and I used the fileb:// prefix in my command, which was:

$ docker run --rm -v /home/me/.aws:/root/.aws -v /home/me/certs:/aws amazon/aws-cli:2.4.1 acm --region us-east-2 --profile my-profile import-certificate --certificate fileb:///aws/mycert.crt --private-key fileb:///aws/mycert.key --certificate-chain fileb:///aws/mycert.ca-bundle

Did you read the "To reproduce" part of the bug report?

Here are the detailed and easy steps to reproduce:

$ docker run --rm -v /home/me/.aws:/root/.aws \
          -v /home/me/certs:/aws \
          amazon/aws-cli:2.4.1 acm \
          --region us-east-2 \
          --profile my-profile \
          import-certificate \
          --certificate fileb:///aws/mycert.crt \
          --private-key fileb:///aws/mycert.key \
          --certificate-chain fileb:///aws/mycert.ca-bundle
{
    "CertificateArn": "arn:aws:acm:us-east-2:xxxxxx:certificate/yyyyyyyy".         <<<< This is working
}

$ perl -pe 's/$/ /gm' mycert.crt > mycert_with_spaces.crt          <<<< This is creating a cert with space-prefixed lines

$ docker run --rm -v /home/me/.aws:/root/.aws \
          -v /home/me/certs:/aws \
          amazon/aws-cli:2.4.1 acm \
          --region us-east-2 \
          --profile my-profile \
          import-certificate \
          --certificate fileb:///aws/mycert_with_spaces.crt \
          --private-key fileb:///aws/mycert.key \
          --certificate-chain fileb:///aws/mycert.ca-bundle

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

Before you ask "why do you corrupt your certificate with spaces?", I'll answer that I receive certificates like this from known certificate authorities from time to time... And these certificate files are valid in every other scenario (including manually uploading them in the AWS console).

Orabig commented 2 years ago

Here is the result of the --debug output (I had to remove a lot of sensitive information for obvious reasons):


2021-11-27 09:55:40,003 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.1 Python/3.8.8 Linux/5.10.47-linuxkit docker/x86_64.amzn.2
2021-11-27 09:55:40,003 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['acm', '--region', 'us-east-2', '--profile', 'REMOVED']
2021-11-27 09:55:40,026 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7f5102cb2e50>
2021-11-27 09:55:40,027 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7f5102e09b80>
2021-11-27 09:55:40,027 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2021-11-27 09:55:40,027 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f5102eb33a0>
2021-11-27 09:55:40,027 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7f5102eb94c0>
2021-11-27 09:55:40,028 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7f5102c408b0>
2021-11-27 09:55:40,028 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7f5102dd49d0>
2021-11-27 09:55:40,028 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2021-11-27 09:55:40,029 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7f5102cb8af0>
2021-11-27 09:55:40,029 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.1/dist/awscli/data/cli.json
2021-11-27 09:55:40,034 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7f5102d099d0>
2021-11-27 09:55:40,034 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7f5102d0a550>
2021-11-27 09:55:40,034 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7f5102d0a4c0>
2021-11-27 09:55:40,034 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7f5102d0a670>
2021-11-27 09:55:40,034 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7f5102d0a5e0>
2021-11-27 09:55:40,035 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7f5102bdb940>
2021-11-27 09:55:40,035 - MainThread - botocore.session - DEBUG - Setting config variable for profile to 'sre-speu'
2021-11-27 09:55:40,035 - MainThread - botocore.session - DEBUG - Setting config variable for region to 'us-east-2'
2021-11-27 09:55:40,036 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.1 Python/3.8.8 Linux/5.10.47-linuxkit docker/x86_64.amzn.2 prompt/off
2021-11-27 09:55:40,036 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['acm', '--region', 'us-east-2', '--profile', 'REMOVED', '--debug']
2021-11-27 09:55:40,036 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7f5102cb04c0>
2021-11-27 09:55:40,036 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f51036fa940>
2021-11-27 09:55:40,037 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7f5102c1e430>
2021-11-27 09:55:40,037 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7f51036f3dc0>
2021-11-27 09:55:40,037 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f51036685e0>
2021-11-27 09:55:40,038 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-11-27 09:55:40,040 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2021-11-27 09:55:40,040 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f5102dd48b0>
2021-11-27 09:55:40,041 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7f5102e0aa60>
2021-11-27 09:55:40,063 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.1/dist/awscli/botocore/data/acm/2015-12-08/service-2.json
2021-11-27 09:55:40,067 - MainThread - botocore.hooks - DEBUG - Event building-command-table.acm: calling handler <function add_waiters at 0x7f5102cb8af0>
2021-11-27 09:55:40,089 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.1/dist/awscli/botocore/data/acm/2015-12-08/waiters-2.json
2021-11-27 09:55:40,091 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('certificate-arn', <awscli.arguments.CLIArgument object at 0x7f51023a1280>), ('certificate', <awscli.arguments.CLIArgument object at 0x7f51023a10d0>), ('private-key', <awscli.arguments.CLIArgument object at 0x7f51023a11c0>), ('certificate-chain', <awscli.arguments.CLIArgument object at 0x7f51023b3910>), ('tags', <awscli.arguments.ListArgument object at 0x7f51023b3820>)])
2021-11-27 09:55:40,091 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.import-certificate: calling handler <function add_streaming_output_arg at 0x7f5102cb0a60>
2021-11-27 09:55:40,092 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.import-certificate: calling handler <function add_cli_input_json at 0x7f5103668e50>
2021-11-27 09:55:40,092 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.import-certificate: calling handler <function add_cli_input_yaml at 0x7f5103671160>
2021-11-27 09:55:40,093 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.import-certificate: calling handler <function unify_paging_params at 0x7f5102e141f0>
2021-11-27 09:55:40,115 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.1/dist/awscli/botocore/data/acm/2015-12-08/paginators-1.json
2021-11-27 09:55:40,117 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.acm.import-certificate: calling handler <function add_generate_skeleton at 0x7f5102cfbf70>
2021-11-27 09:55:40,117 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.acm.import-certificate: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7f51023b39d0>>
2021-11-27 09:55:40,117 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.acm.import-certificate: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7f51023b39a0>>
2021-11-27 09:55:40,117 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.acm.import-certificate: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f51023b3af0>>
2021-11-27 09:55:40,119 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.certificate-arn: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,119 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.certificate: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,122 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.acm.import-certificate: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f51036a0790>
2021-11-27 09:55:40,122 - MainThread - awscli.arguments - DEBUG - Unpacked value of b'-----BEGIN CERTIFICATE----- \n REMOVED \n -----END CERTIFICATE----- \n '
2021-11-27 09:55:40,123 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.private-key: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,127 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.acm.import-certificate: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f51036a0790>
2021-11-27 09:55:40,127 - MainThread - awscli.arguments - DEBUG - Unpacked value of b'-----BEGIN RSA PRIVATE KEY-----\n REMOVED \n-----END RSA PRIVATE KEY-----\n'
2021-11-27 09:55:40,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.certificate-chain: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,130 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.acm.import-certificate: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f51036a0790>
2021-11-27 09:55:40,130 - MainThread - awscli.arguments - DEBUG - Unpacked value of b'-----BEGIN CERTIFICATE-----\n REMOVED \n-----END CERTIFICATE-----\n\r\n'
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.tags: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.cli-input-yaml: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.acm.import-certificate.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f5102396250>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event calling-command.acm.import-certificate: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7f51023b39d0>>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event calling-command.acm.import-certificate: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7f51023b39a0>>
2021-11-27 09:55:40,131 - MainThread - botocore.hooks - DEBUG - Event calling-command.acm.import-certificate: calling handler <bound method GenerateCliSkeletonArgument.generate_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f51023b3af0>>
2021-11-27 09:55:40,132 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-11-27 09:55:40,132 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-11-27 09:55:40,132 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-11-27 09:55:40,132 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-11-27 09:55:40,137 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-11-27 09:55:40,139 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.4.1/dist/awscli/botocore/data/endpoints.json
2021-11-27 09:55:40,154 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f5104a849d0>
2021-11-27 09:55:40,156 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.acm: calling handler <function add_generate_presigned_url at 0x7f5105098ee0>
2021-11-27 09:55:40,160 - MainThread - botocore.endpoint - DEBUG - Setting acm timeout as (60, 60)
2021-11-27 09:55:40,162 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.acm.ImportCertificate: calling handler <function base64_decode_input_blobs at 0x7f5102c1eb80>
2021-11-27 09:55:40,162 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.acm.ImportCertificate: calling handler <function generate_idempotent_uuid at 0x7f5104a2aa60>
2021-11-27 09:55:40,162 - MainThread - botocore.hooks - DEBUG - Event before-call.acm.ImportCertificate: calling handler <function inject_api_version_header_if_needed at 0x7f5104a30310>
2021-11-27 09:55:40,162 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ImportCertificate) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'CertificateManager.ImportCertificate', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.4.1 Python/3.8.8 Linux/5.10.47-linuxkit docker/x86_64.amzn.2 prompt/off command/acm.import-certificate'}, 'body': b'{"Certificate": "REMOVED", "PrivateKey": "REMOVED", "CertificateChain": "REMOVED"}', 'url': 'https://acm.us-east-2.amazonaws.com/', 'context': {'client_region': 'us-east-2', 'client_config': <botocore.config.Config object at 0x7f510231db80>, 'has_streaming_input': False, 'auth_type': None}}
2021-11-27 09:55:40,163 - MainThread - botocore.hooks - DEBUG - Event request-created.acm.ImportCertificate: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f510231dc10>>
2021-11-27 09:55:40,163 - MainThread - botocore.hooks - DEBUG - Event choose-signer.acm.ImportCertificate: calling handler <function set_operation_specific_signer at 0x7f5104a2a940>
2021-11-27 09:55:40,164 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-11-27 09:55:40,164 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:acm.us-east-2.amazonaws.com
x-amz-date:20211127T095540Z
x-amz-target:CertificateManager.ImportCertificate

content-type;host;x-amz-date;x-amz-target
REMOVED
2021-11-27 09:55:40,164 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20211127T095540Z
20211127/us-east-2/acm/aws4_request
REMOVED
2021-11-27 09:55:40,164 - MainThread - botocore.auth - DEBUG - Signature:
REMOVED
2021-11-27 09:55:40,165 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://acm.us-east-2.amazonaws.com/, headers={'X-Amz-Target': b'CertificateManager.ImportCertificate', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.4.1 Python/3.8.8 Linux/5.10.47-linuxkit docker/x86_64.amzn.2 prompt/off command/acm.import-certificate', 'X-Amz-Date': b'20211127T095540Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=REMOVED, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=REMOVED', 'Content-Length': '12905'}>
2021-11-27 09:55:40,166 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.4.1/dist/awscli/botocore/cacert.pem
2021-11-27 09:55:40,166 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): acm.us-east-2.amazonaws.com:443
2021-11-27 09:55:40,907 - MainThread - urllib3.connectionpool - DEBUG - https://acm.us-east-2.amazonaws.com:443 "POST / HTTP/1.1" 400 154
2021-11-27 09:55:40,908 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': 'REMOVED', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '154', 'Date': 'Sat, 27 Nov 2021 09:55:39 GMT', 'Connection': 'close'}
2021-11-27 09:55:40,908 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"__type":"ValidationException","message":"The certificate field contains more than one certificate. You can specify only one certificate in this field."}'
2021-11-27 09:55:40,910 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': 'REMOVED', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '154', 'Date': 'Sat, 27 Nov 2021 09:55:39 GMT', 'Connection': 'close'}
2021-11-27 09:55:40,910 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"__type":"ValidationException","message":"The certificate field contains more than one certificate. You can specify only one certificate in this field."}'
2021-11-27 09:55:40,910 - MainThread - botocore.hooks - DEBUG - Event needs-retry.acm.ImportCertificate: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7f5101ef9310>>
2021-11-27 09:55:40,911 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-11-27 09:55:40,911 - MainThread - botocore.hooks - DEBUG - Event after-call.acm.ImportCertificate: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7f51023b3c70>>
2021-11-27 09:55:40,912 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 459, in main
  File "awscli/clidriver.py", line 594, in __call__
  File "awscli/clidriver.py", line 770, in __call__
  File "awscli/clidriver.py", line 901, in invoke
  File "awscli/clidriver.py", line 913, in _make_client_call
  File "awscli/botocore/client.py", line 281, in _api_call
  File "awscli/botocore/client.py", line 609, in _make_api_call
botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

tim-finnigan commented 2 years ago

Hi @Orabig, thanks for following up and providing that information. I found other documentation providing more insight into this: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html

Note that if you edit any of the characters in a PEM file incorrectly or if you add one or more spaces to the end of any line, the certificate, certificate chain, or private key will be invalid.

So it appears that this behavior is expected. And based on your post in serverfault it looks like you were able to find a solution for removing those extra spaces. I’m going to close this issue as it appears to be documented behavior and not a bug.
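A pre-upload check for the whitespace problem discussed in this thread, as an added example that is not part of the original issue or of aws-cli: it flags stray whitespace and CRLF endings, normalizes the PEM text, and confirms the `--certificate` input holds exactly one CERTIFICATE block. The function names (`lint_pem`, `prepare_certificate_field`, `make_pem`) are hypothetical, and the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import re

BEGIN_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
END_RE = re.compile(rb"-----END ([A-Z0-9 ]+)-----")


def lint_pem(data: bytes):
    """Return (normalized_pem, findings, labels) for a PEM blob.

    findings is a list of (line_number, problem); labels lists each block type.
    """
    findings, out, labels = [], [], []
    current, body = None, []          # open block label and its base64 lines
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            findings.append((lineno, "CRLF line ending"))
            raw = raw[:-1]
        line = raw.strip(b" \t")
        if line != raw:
            findings.append((lineno, "leading/trailing whitespace"))
        if not line:
            continue                  # blank lines carry no data
        begin, end = BEGIN_RE.fullmatch(line), END_RE.fullmatch(line)
        if begin:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            current, body = begin.group(1), []
        elif end:
            if end.group(1) != current:
                raise ValueError(f"line {lineno}: END does not match BEGIN")
            der = base64.b64decode(b"".join(body), validate=True)
            if der[:1] != b"\x30":    # certificates and keys are DER SEQUENCEs
                raise ValueError(f"line {lineno}: payload is not DER")
            labels.append(current.decode())
            current = None
        elif current is None:
            findings.append((lineno, "text outside a PEM block"))
            continue                  # dropped from the normalized output
        else:
            body.append(line)
        out.append(line)
    if current is not None:
        raise ValueError("unterminated PEM block")
    return b"\n".join(out) + b"\n", findings, labels


def prepare_certificate_field(data: bytes):
    """Normalize input for --certificate and require exactly one certificate."""
    normalized, findings, labels = lint_pem(data)
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    return normalized, findings


def make_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Wrap bytes in PEM armor with 64-character base64 rows."""
    b64 = base64.b64encode(der)
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([b"-----BEGIN " + label + b"-----", *rows,
                       b"-----END " + label + b"-----"]) + b"\n"


# Constructed sample: placeholder DER-like bytes, not a real certificate.
CLEAN = make_pem(b"\x30" + bytes(range(1, 100)))
# Same byte pattern as the "Unpacked value" debug line: " \n " between lines.
SPACED = CLEAN.replace(b"\n", b" \n ")

if __name__ == "__main__":
    fixed, problems = prepare_certificate_field(SPACED)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    print("normalized equals clean file:", fixed == CLEAN)
```

Writing the normalized bytes to a new file and passing that file with `fileb://` keeps the original untouched; the check only confirms PEM structure and does not validate the certificate itself.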

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

Orabig commented 2 years ago

Hum, closing the issue without discussion is a little rude... Ok, I can accept that you interpret RFC7468 ( https://datatracker.ietf.org/doc/html/rfc7468#section-3 ) in a stricter way than any other tool (even the AWS console is using the Standard ABNF iirc), but you can't deny that an error message telling "The certificate field contains more than one certificate" is incorrect in that case, and that it could be considered a bug, can you?

(I don't know if this comment will be seen, which is sad...)

tim-finnigan commented 2 years ago

Thanks @Orabig for the feedback, I can pass that along to the ACM team. That error is also referenced in this troubleshooting guide: https://aws.amazon.com/premiumsupport/knowledge-center/acm-import-troubleshooting/. I think they could mention that extra spaces in that certificate can also cause that error.

Orabig commented 2 years ago

Yes, I found that page very soon when looking for solutions, and it provided no help. So I guess that updating it with this case would be a first step (and would help other users). Thanks