rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

"Bad Data" Error WHen Signing Into GCloud DNS #512

Closed cowlthr-pdxedu closed 11 months ago

cowlthr-pdxedu commented 1 year ago

Good morning,

I am having some trouble with the GCloud DNS plugin; the error message I am receiving is below. Using manual DNS record creation and WebSelfHost I am able to create certs. Unfortunately, I can't use WebSelfHost because the server will be using port 80 when in production. With the gCloud CLI, I am able to create DNS records using my Google service account, so I believe I have that set up correctly.

Let me know if there is anything else that may be helpful or if it looks like I am just doing something wrong.

Thanks, Rob

ERROR MESSAGE

PS  > $pArgs = @{GCKeyFile = "C:\admin\poshAcme\GoogleServiceAccount.json";GCProjectId="dns-project"}
PS  > New-PACertificate -Domain service.domain.edu -Contact cowlthr@domain.edu  -AcceptTOS -Install -Plugin GCloud -PluginArgs $pArgs -Verbose
VERBOSE: Updating directory info from https://acme-staging-v02.api.letsencrypt.org/directory
VERBOSE: Using ACME Server https://acme-staging-v02.api.letsencrypt.org/directory
VERBOSE: Using account 123456789
VERBOSE: Order name not specified, using 'service.domain.edu'
VERBOSE: Using existing order 'service.domain.edu' with status pending
VERBOSE: Updating plugin args for plugin(s) GCloud
VERBOSE: Saving order changes
VERBOSE: Publishing challenge for Domain service.domain.edu with Token <myToken> using Plugin GCloud and DnsAlias ''.
VERBOSE: Signing into GCloud DNS
Submit-ChallengeValidation : Exception calling "ImportParameters" with "1" argument(s): "Bad Data.
"
At C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Public\New-PACertificate.ps1:252 char:9
+         Submit-ChallengeValidation
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ChallengeValidation], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException,Submit-ChallengeValidation

ADDITIONAL ERROR DETAIL

PS > $error[0] | select *

PSMessageDetails      :
Exception             : System.Management.Automation.MethodInvocationException: Exception calling "ImportParameters" with "1" argument(s): "Bad Data.
                        " ---> System.Security.Cryptography.CryptographicException: Bad Data.

                           at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
                           at System.Security.Cryptography.Utils._ImportKey(SafeProvHandle hCSP, Int32 keyNumber, CspProviderFlags flags, Object cspObject, SafeKeyHandle& hKey)
                           at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters)
                           at CallSite.Target(Closure , CallSite , Object , Object )
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                           at ConvertFrom-BCKey(Closure , FunctionContext )
                           at System.Management.Automation.PSScriptCmdlet.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
                           at System.Management.Automation.PSScriptCmdlet.DoEndProcessing()
                           at System.Management.Automation.CommandProcessorBase.Complete()
TargetObject          :
CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : CryptographicException
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at ConvertFrom-BCKey, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Private\ConvertFrom-BCKey.ps1: line 68
                        at Connect-GCloudDns, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Plugins\GCloud.ps1: line 306
                        at Add-DnsTxt, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Plugins\GCloud.ps1: line 20
                        at Publish-Challenge, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Public\Publish-Challenge.ps1: line 48
                        at Submit-ChallengeValidation<Process>, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Public\Submit-ChallengeValidation.ps1: line 135
                        at New-PACertificate, C:\Program Files\WindowsPowerShell\Modules\posh-acme\4.18.0\Public\New-PACertificate.ps1: line 252
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

rmbolger commented 1 year ago

Hey @cowlthr-pdxedu, thanks for reaching out. The errors make it seem like the current code that tries to parse the private key from the account JSON file isn't working. Does the GCloud CLI use the same JSON file for auth? If so, there's not likely anything wrong with the file itself. I wonder if Google changed the type of private key being used.

Do me a favor and run the following to see the value of the private key from the JSON. DO NOT post the whole key here. I'm only interested in seeing the header/footer values (if they exist). They should be something similar to -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

# DON'T POST THE RESULT OF THIS TO GITHUB, just the header/footer if they exist.
Get-Content $pArgs.GCKeyFile -Raw | ConvertFrom-Json | Select -Expand private_key

I'm also going to try and generate a new file from my own account to see if it's different than the old one I've been using.

rmbolger commented 1 year ago

So the new service account I generated for myself looks just like the old one in terms of its private key. So unless there's a project level change I'm not familiar with that would affect the generated private key, I'm thinking that's not the issue.

Assuming your private_key value looks normal as far as the header/footer goes, let's try running just a DNS publish command with Debug logging turned on like this after re-importing the module to clear out any existing state.

Import-Module Posh-ACME -Force
$pArgs = @{GCKeyFile = "C:\admin\poshAcme\GoogleServiceAccount.json";GCProjectId="dns-project"}
$DebugPreference = 'Continue'
Publish-Challenge service.domain.edu (Get-PAAccount) dummyvalue GCloud $pArgs -Verbose

The portion of the output we're looking for should look something like this:

VERBOSE: Signing into GCloud DNS
DEBUG: Loading saved plugin vars
DEBUG: Using key file
DEBUG: Loading saved plugin vars
DEBUG: Saving updated plugin vars
DEBUG: Loading private key for mysvcacct@myproject.iam.gserviceaccount.com
DEBUG: PemReader found 'Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters'. Attempting to convert to AsymmetricCipherKeyPair.
DEBUG: Claim set: {
<more stuff>
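As an added helper that is not part of Posh-ACME or this thread, the following script packages the two checks suggested above (confirm the private_key header/footer, then see whether the key material parses at all) into one function that reports only structural facts about the key file and never prints the key itself, so its output is safe to paste into a bug report. The function name Test-GCServiceAccountKey is hypothetical; the path is the one from the original post. It works on Windows PowerShell 5.1 because it decodes the PEM body by hand rather than relying on newer .NET PEM import APIs.

```powershell
# Added diagnostic (not Posh-ACME code): inspects a Google service account JSON key
# file and reports header/footer, encoding and DER facts about private_key, not the key.
function Test-GCServiceAccountKey {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Read raw bytes first so a UTF-8 BOM is visible (Get-Content would silently strip it)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
    $json   = [System.IO.File]::ReadAllText($Path) | ConvertFrom-Json

    $result = [ordered]@{
        Type        = $json.type            # expected: service_account
        ClientEmail = $json.client_email
        HasBom      = $hasBom
        HasKey      = -not [string]::IsNullOrEmpty($json.private_key)
    }
    if (-not $result.HasKey) { return [pscustomobject]$result }

    # Split the PEM into trimmed, non-empty lines; first/last are the header/footer
    $lines = $json.private_key -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $result.Header    = $lines[0]
    $result.Footer    = $lines[-1]
    $result.LineCount = $lines.Count
    $result.IsPkcs8   = ($lines[0] -eq '-----BEGIN PRIVATE KEY-----')
    $result.IsPkcs1   = ($lines[0] -eq '-----BEGIN RSA PRIVATE KEY-----')

    # Join the base64 body and confirm it decodes to DER that starts with a SEQUENCE (0x30)
    $body = if ($lines.Count -ge 3) { $lines[1..($lines.Count - 2)] -join '' } else { '' }
    try {
        $der = [Convert]::FromBase64String($body)
        $result.Base64Ok      = $true
        $result.DerBytes      = $der.Length
        $result.DerIsSequence = ($der.Length -gt 0 -and $der[0] -eq 0x30)
        # A PKCS#8 RSA key carries the rsaEncryption OID 1.2.840.113549.1.1.1 near the start
        $oidHex = [BitConverter]::ToString([byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01))
        $headHex = [BitConverter]::ToString($der[0..([Math]::Min(63, $der.Length - 1))])
        $result.HasRsaOid = ($headHex -like "*$oidHex*")
    } catch {
        $result.Base64Ok = $false
        $result.Error    = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Example use: only metadata (header/footer, sizes, flags) is emitted
Test-GCServiceAccountKey -Path 'C:\admin\poshAcme\GoogleServiceAccount.json' | Format-List
```

A key file that shows IsPkcs8 true, Base64Ok true, DerIsSequence true and HasRsaOid true is structurally what the plugin expects, so a "Bad Data" failure with that output points at the conversion step rather than the file; any false flag narrows the problem to the file itself.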