remilapeyre / vault-acme

Mozilla Public License 2.0
94 stars, 24 forks

Support the standard Vault PKI interface #21

Open mbrancato opened 4 years ago

mbrancato commented 4 years ago

This is currently a WIP.

The goal is to support the standard /sign and /issue API targets making this plugin compatible with the built-in PKI secret engine.

mbrancato commented 4 years ago

Current status with this is that I have migrated /certs to /issue. I've switched to the upstream go-acme/lego. Issuing a cert initially fails, but a cert is returned eventually and stored in cache. I think supporting the upstream API will require support for /cert as well which is where cached certs would go.

Issuing a cert:

$ vault write acme/issue/mytestrole common_name=test-issue.mydomain.com
2020-11-21T10:14:02.416-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:14:02 Getting alt_names
2020-11-21T10:14:02.416-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:14:02 Make names
2020-11-21T10:14:02.416-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:14:02 Get CN
2020-11-21T10:14:02.417-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Validate names: names=[test-issue.mydomain.com] role="map[Account:mytestaccount AllowBareDomains:false AllowSubdomains:true AllowedDomains:[mydomain.com] CacheForRatio:70 DisableCache:false]" timestamp=2020-11-21T10:14:02.416-0500
2020-11-21T10:14:02.417-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Look in the cache for a saved cert: timestamp=2020-11-21T10:14:02.417-0500
2020-11-21T10:14:02.417-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Certificate not found in the cache: timestamp=2020-11-21T10:14:02.417-0500
2020-11-21T10:14:02.417-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Contacting the ACME provider to get a new certificate: timestamp=2020-11-21T10:14:02.417-0500
2020-11-21T10:14:02.630-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:14:02 [test-issue.mydomain.com] acme: Obtaining bundled SAN certificate
Error writing data to acme/issue/mytestrole: Put http://127.0.0.1:8200/v1/acme/issue/mytestrole: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2020-11-21T10:15:07.003-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:15:07 [test-issue.mydomain.com] acme: Validations succeeded; requesting certificates
2020-11-21T10:15:07.351-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:15:07 [test-issue.mydomain.com] Server responded with a certificate.

Signing a CSR only has a different result and a cert is never returned, but lego seems to be doing the challenge response:

$ vault write acme/sign/mytestrole csr=@test.csr common_name=test-csr.mydomain.com
2020-11-21T10:26:46.008-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:26:46 Getting alt_names
2020-11-21T10:26:46.008-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:26:46 Make names
2020-11-21T10:26:46.008-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:26:46 Get CN
2020-11-21T10:26:46.009-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Validate names: names=[test-csr.mydomain.com] role="map[Account:mytestaccount AllowBareDomains:false AllowSubdomains:true AllowedDomains:[mydomain.com] CacheForRatio:70 DisableCache:false]" timestamp=2020-11-21T10:26:46.009-0500
2020-11-21T10:26:46.249-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: Creating cert request: timestamp=2020-11-21T10:26:46.248-0500
2020-11-21T10:26:46.249-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: obtaining cert: timestamp=2020-11-21T10:26:46.249-0500
2020-11-21T10:26:46.249-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:26:46 [test-csr.mydomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020-11-21T10:27:43.086-0500 [DEBUG] secrets.acme.acme_4b97295b.acme.acme: 2020/11/21 10:27:43 [test-csr.mydomain.com] acme: Validations succeeded; requesting certificates
Error writing data to acme/sign/mytestrole: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/acme/sign/mytestrole
Code: 400. Errors:

* Failed to validate certificate signing request.