gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.69k stars 1.77k forks

tctl and webapi auth export commands fail with multiple active CAs #35444

Open programmerq opened 11 months ago

programmerq commented 11 months ago

Expected behavior:

When using tctl auth export --type windows or accessing https://<proxy_address>/webapi/auth/export?type=windows, even when two active CAs of type 'user' are present, the export should handle and allow for exporting each CA.

Current behavior:

Executing tctl auth export --type windows or accessing the webapi endpoint when two active CAs of type 'user' are present results in an error: expected one TLS key pair, got 2. This prevents exporting the necessary certificates for external service configuration, such as Windows service integration.

Bug details:

programmerq commented 11 months ago

I was able to find the following workaround in case anyone else runs into this when setting up Desktop Access with Active Directory:

tctl get cert_authority - this will dump all the cert authorities on this auth service, even if there are multiple of the same type.

For the cert authorities of type user, there will be a tls section:

  spec:
    active_keys:
      tls:
      - public_key: c3N...
      - cert: LS0tL...

The cert field is what you want. Base64-decode that value, and you will be left with an X.509 PEM-formatted cert.

To convert that to DER format, to match what the tctl auth export --type windows does for you:

openssl x509 -in user.pem -inform PEM -outform DER -out windows.cer

If those two certificate authorities are at all different, you will want to import both during the setup step for importing the cert during desktop access setup.

tctl auth export appends a newline at the end of its output, but the OpenSSL command does not. This should not pose a problem, but you can append a newline to make it match.
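The workaround above is manual and has to be repeated once per CA. Below is an added example (written for this page, not code from the Teleport project) that automates the same steps for every active user CA at once: read the CA dump, pull each `active_keys.tls[].cert` entry, base64-decode it to PEM, convert PEM to DER the way the `openssl x509 -outform DER` step does, and print a SHA-256 fingerprint per file so you can tell the two CAs apart when importing them on the Windows side. Assumptions not taken from the thread: the input is the JSON form of the dump (`tctl get cert_authority --format=json`, which I believe `tctl get` accepts; check your version) rather than the YAML shown above, the `cert` field in that JSON is base64 of the PEM text exactly as in the YAML, and the certificate bodies in the embedded sample are constructed placeholders, not real X.509 certificates.

```python
"""Added example, not Teleport project code: export every active 'user' CA
certificate to DER, automating the manual workaround from the issue thread.

Assumed input: output of `tctl get cert_authority --format=json` (assumption:
the JSON form of the dump shown in YAML above), where each
spec.active_keys.tls[].cert is base64 of the PEM text. The sample input at the
bottom is constructed with placeholder certificate bodies, not real certs."""
import base64
import hashlib
import json
import re

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: bytes) -> bytes:
    """Same result as `openssl x509 -inform PEM -outform DER`: drop the armour
    lines and base64-decode the body. Raises if no CERTIFICATE block exists."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode(b"".join(m.group(1).split()))


def user_ca_certs(tctl_json: str) -> list[tuple[str, bytes]]:
    """Return (cluster_name, pem_bytes) for every active TLS key pair of every
    CA of type 'user', so a second active user CA is not silently dropped.
    Only the public `cert` field is read; the private `key` field (present when
    dumping from the auth service) is never touched."""
    found = []
    for ca in json.loads(tctl_json):
        spec = ca.get("spec", {})
        if ca.get("kind") != "cert_authority" or spec.get("type") != "user":
            continue
        for pair in spec.get("active_keys", {}).get("tls", []):
            found.append((spec["cluster_name"], base64.b64decode(pair["cert"])))
    return found


def export_windows_cers(tctl_json: str, match_tctl_newline: bool = False) -> dict[str, bytes]:
    """Map output file name -> DER bytes, one file per active user TLS CA cert.
    The index in the name keeps two CAs with the same cluster_name apart.
    `match_tctl_newline` appends the trailing newline the thread says
    `tctl auth export` emits; plain DER does not need it."""
    files = {}
    for n, (cluster, pem) in enumerate(user_ca_certs(tctl_json)):
        der = pem_to_der(pem)
        if match_tctl_newline:
            der += b"\n"
        files[f"windows-{cluster}-{n}.cer"] = der
    return files


def fingerprints(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per DER blob: lets an admin confirm which of the CAs the
    Windows side has actually imported."""
    return {name: hashlib.sha256(der).hexdigest() for name, der in files.items()}


# ---- constructed sample input (placeholder bodies, not real certificates) ----
def _fake_pem(body: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(body)
            + b"-----END CERTIFICATE-----\n")


def _ca(cluster: str, ca_type: str, bodies: list[bytes]) -> dict:
    return {"kind": "cert_authority", "version": "v2",
            "metadata": {"name": cluster},
            "spec": {"type": ca_type, "cluster_name": cluster,
                     "active_keys": {"tls": [
                         {"cert": base64.b64encode(_fake_pem(b)).decode()}
                         for b in bodies]}}}


SAMPLE_TCTL_JSON = json.dumps([
    _ca("example.com", "user", [b"USER-CA-ONE"]),
    _ca("example.com", "host", [b"HOST-CA"]),           # wrong type: skipped
    _ca("leaf.example.com", "user", [b"USER-CA-TWO"]),  # the second active user CA
])

if __name__ == "__main__":
    exported = export_windows_cers(SAMPLE_TCTL_JSON)
    for name, der in exported.items():
        with open(name, "wb") as f:
            f.write(der)
    for name, fp in fingerprints(exported).items():
        print(f"{name}  sha256={fp}")
```

Run against a real dump with `tctl get cert_authority --format=json > cas.json` and feed the file contents to `export_windows_cers`; the resulting `.cer` files are what you import in the Desktop Access setup step, and the fingerprints are what you compare on the Windows side if you need to verify that both CAs made it in.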

GavinFrazar commented 11 months ago

During CA rotation there are additional trusted keys that (imo) should also be exported, but we only export a single active key.