Align the primary operations with the Vault PKI API

[mbrancato]

Hi @remilapeyre - this is a great undertaking to add Let's Encrypt as a backend. Something I would suggest with my experience with other PKI backends in Vault is that mimicking or even copying the PKI API from mainline Vault is a great way to improve compatibility.

This should include support for the /sign and /issue paths.

[remilapeyre]

Hi @mbrancato, thanks for looking into it. I think making the API of this backend as close as possible as the PKI one was my idea as well at first but I'm not sure it's a very good idea.

For example the PKI backend supports IP SANs, which ACME providers do not support at the moment. What should we do if the client sends us a request to sign a certificate with an IP SANs?

I guess we could try to mimic the PKI API as close as possible and returns a 400 if ip_sans or another parameters that does not make sense for an ACME provider is set to a non-default value.

I will try to look into this in the coming days.

[mbrancato]

I wouldn't worry too much about making it exactly the same, just mostly compatible. Even without the alt_names support, many tools would be immediately compatible. The API could just throw an error if alt_names is specified. The only required fields with the Vault PKI engine are name and common_name, so its a pretty low bar to build minimal compatibility.

I would take a look at other 3rd party PKI tools like Venafi are doing this. They generally support all that the built-in PKI plugin does, but they also have more fields. That said, tools like cert-manager are compatible with it when they think they are talking to Vault. https://github.com/Venafi/vault-pki-monitor-venafi https://github.com/Venafi/vault-pki-backend-venafi

I'm willing to help out here, and I'm really familiar with Vault and its API. Just let me know if you want to try and move forward on this and how I can help.

[remilapeyre]

Yes the Venafi backend does that so I guess it's ok for us to do that too. I still think it may lead to issues but this is something that we can fix in Vault directly later.

To add this I think we have to:

• move the certs endpoint to /issue and adapt its arguments
• add the /sign endpoint
• document that Kubernetes egress controller are supported
• optionally add a test for k8s to make sure that we don't break that later

If you have some time to write on it, please open a draft PR and I will contribute in it when I find the time to do so.

[hongkongkiwi]

Just wanted to add, I'm really excited for this feature because it means a cool usecase like Fabio.

Fabio is a service router which can use Vault PKI for backend certificates. So if we point it to the Acme Plugin it thinks it's just talking to the normal PKI endpoint but it's really tasking Vault to get a new LetsEncrypt certificate.

I also have another use-case which is to be able to use Vaultbot which only supports the PKI backend to renew the certificates.

[remilapeyre]

Hi, I'm working on this, I can't give an ETA on when it will be ready but the first experiments seems like it should be possible to get working.

So if we point it to the Acme Plugin it thinks it's just talking to the normal PKI endpoint but it's really tasking Vault to get a new LetsEncrypt certificate.

How does Fabio handles certificates once it got it? ACME providers expect the client to keep the private key and not request new certificates often. The current behaviour of Vault-ACME is to cache the private key so it does not need to sign a new one everytime the same certificate is requested. Will Fabio be able to do this? If not it may run into rate limitations of the provider when trying to sign too many certs in a day.

[mbrancato]

I've opened a draft PR #21 to begin to capture some work in this direction.

[gardar]

Any progress? Being able to use cert-manager would be a game changer.

[remilapeyre]

I know how I want to go forward on this issue, I need to find the time to write the code and don’t have an ETA for now.

On 3 Jun 2022, at 17:14, gardar @.***> wrote:

Any progress? Being able to use cert-manager would be a game changer.

— Reply to this email directly, view it on GitHub https://github.com/remilapeyre/vault-acme/issues/9#issuecomment-1146064479, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIMSCUHTJ3HHXFKCCIYD42LVNIOPDANCNFSM4LTDE7LQ. You are receiving this because you were mentioned.

[gardar]

Now that vault has added PKI ACME support, perhaps that could be leveraged? https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-acme-caddy