smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: Concurrency bug with YubiKey in tiny CA #1463

Closed crazyminecuber closed 1 year ago

crazyminecuber commented 1 year ago

Steps to Reproduce

Follow this guide: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/index.html (but I used the latest Ubuntu)

From another server, request to renew 4 different certificates concurrently. I did this by systemctl restart domain1 domain2 domain3 domain4.

Your Environment

Expected Behavior

All certificate renewal requests should succeed on both the client and server side.

Actual Behavior

One of the certificates fails to renew. (It is random which of the 4 certificates fails.) The reason for the failure is clearly due to a problem with the step-ca and YubiKey interaction, due to the following being printed in the step-ca logs.

Jul 05 11:45:21 berry sh[3111]: time="2023-07-05T11:45:21+02:00" level=error duration=117.040988ms duration-ns=117040988 error="error finalizing order: error signing certificate for order bhZo7QysH0xYMKUIz8XXt0YWGl62YCAd: authority.Sign; error creating certificate: error creating certificate: command failed: smart card error 6982: security status not satisfied" fields.time="2023-07-05T11:45:21+02:00" method=POST name=ca nonce=c0lyRGFxbURGdllpTklZdUZhWXMzT1lqWWFvS1hTMVU path=/acme/acme/order/bhZo7QysH0xYMKUIz8XXt0YWGl62YCAd/finalize protocol=HTTP/1.1 referer= remote-address=10.10.10.12 request-id=ciijnc9ogt4drdkoolvg response="{\"type\":\"urn:ietf:params:acme:error:serverInternal\",\"detail\":\"The server experienced an internal error\"}" size=105 status=500 user-agent="lego-cli/4.11.0 xenolf-acme/4.11.0 (release; linux; amd64)" user-id=

where I think the interesting part is

error creating certificate: command failed: smart card error 6982: security status not satisfied" 

The error code is not officially documented to my knowledge, but hslatman in your Discord channel pointed me to the following issue with something similar: https://github.com/Yubico/yubico-piv-tool/issues/302#issuecomment-953959509

Additional Context

YubiKey version: YubiKey 5 NFC. Bought in a physical store in Sweden about a month ago.

I can with seemingly 100% reliability reproduce the issue locally with my NixOS server as the client which uses the lego ACME client internally.

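The report above describes the failure mode but not why it happens, so here is an added example (not code from smallstep/certificates, and not the fix that landed in go.step.sm/crypto) that models it: a PIV token whose PIN-verified security state is shared by every caller, so two signing commands that overlap in time leave the second one with "security status not satisfied". Wrapping the token's crypto.Signer in a mutex so that the CA hands the card one command at a time makes the four concurrent ACME finalize calls from the report all succeed. The names fakeToken and serializedSigner are assumptions constructed for this example; the in-memory P-256 key stands in for the key in the YubiKey slot.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"sync"
	"sync/atomic"
	"time"
)

// errSecurityStatus mirrors the APDU status word 6982 quoted in the report.
var errSecurityStatus = errors.New("smart card error 6982: security status not satisfied")

// fakeToken is a constructed stand-in for a PIV token. Its PIN-verified state
// is a single shared flag, so a sign command issued while another is still
// in flight fails exactly like the overlapping ACME finalize call did.
type fakeToken struct {
	key   *ecdsa.PrivateKey
	inUse int32 // 1 while a command is in flight on the card
}

func newFakeToken() (*fakeToken, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &fakeToken{key: key}, nil
}

func (t *fakeToken) Public() crypto.PublicKey { return &t.key.PublicKey }

func (t *fakeToken) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if !atomic.CompareAndSwapInt32(&t.inUse, 0, 1) {
		return nil, errSecurityStatus // a second caller overlapped with us
	}
	defer atomic.StoreInt32(&t.inUse, 0)
	time.Sleep(5 * time.Millisecond) // emulate the card's round-trip latency
	return ecdsa.SignASN1(r, t.key, digest)
}

// serializedSigner is the mitigation: a crypto.Signer that lets only one
// signing command reach the underlying token at a time.
type serializedSigner struct {
	mu    sync.Mutex
	inner crypto.Signer
}

func (s *serializedSigner) Public() crypto.PublicKey { return s.inner.Public() }

func (s *serializedSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.inner.Sign(r, digest, opts)
}

// signConcurrently fires n signing requests at once, like n ACME clients
// finalizing their orders together, and reports how many failed and whether
// every signature that was produced verifies against the token's public key.
func signConcurrently(s crypto.Signer, n int) (failures int, allValid bool) {
	digest := sha256.Sum256([]byte("constructed to-be-signed certificate bytes"))
	var wg sync.WaitGroup
	var failed, invalid int32
	start := make(chan struct{}) // released once all goroutines are ready
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
			if err != nil {
				atomic.AddInt32(&failed, 1)
				return
			}
			if !ecdsa.VerifyASN1(s.Public().(*ecdsa.PublicKey), digest[:], sig) {
				atomic.AddInt32(&invalid, 1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return int(failed), invalid == 0
}

func main() {
	tok, err := newFakeToken()
	if err != nil {
		panic(err)
	}
	raw, _ := signConcurrently(tok, 4)
	fmt.Printf("unserialized token: %d of 4 concurrent signs failed\n", raw)
	wrapped, ok := signConcurrently(&serializedSigner{inner: tok}, 4)
	fmt.Printf("serialized token: %d of 4 failed, signatures valid: %v\n", wrapped, ok)
}
```

The serialized path costs only the card's own latency multiplied by the queue depth, which for four renewals is well under a typical ACME client timeout; the alternative, letting the CA return serverInternal for whichever request loses the race, is what the report's step-ca log shows.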

maraino commented 1 year ago

Hi @crazyminecuber, I've just upgraded go.step.sm/crypto in smallstep/certificates with the fix for this. If you compile from the master branch, this should not happen.

Thanks for reporting this.

crazyminecuber commented 1 year ago

Awesome! I will report back when I have verified that it works! :smiley: