Closed crazyminecuber closed 1 year ago
Hi @crazyminecuber, I've just upgraded the go.step.sm/crypto into smallstep/certificates with the fix for this. If you compile from the master branch this should not happen.
Thanks for reporting this.
Awesome! I will report back when I have verified that it works! :smiley:
Steps to Reproduce
Follow this guide: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/index.html (but I used the latest Ubuntu)
From another server, request to renew 4 different certificates concurrently. I did this by
systemctl restart domain1 domain2 domain3 domain4
Your Environment
step-ca
Version - Smallstep CA/ (linux/arm64) Release Date: 2023-06-18 15:09 UTC (I think it's compiled from the 0.23.2 sources)
Expected Behavior
All certificate renewal requests should succeed on both the client and server side.
Actual Behavior
One of the certificates fails to renew. (It is random which of the 4 certificates fails.) The reason for the failure is clearly due to a problem with the step-ca and YubiKey interaction, due to the following being printed in the step-ca logs.
where I think the interesting part is
The error code is not officially documented to my knowledge, but hslatman in your Discord channel pointed me to the following issue with something similar: https://github.com/Yubico/yubico-piv-tool/issues/302#issuecomment-953959509
Additional Context
YubiKey version: YubiKey 5 NFC. Bought in a physical store in Sweden about a month ago.
I can with seemingly 100% reliability reproduce the issue locally with my NixOS server as the client which uses the lego ACME client internally.
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).