Closed gdbelvin closed 3 years ago
I have a PR open https://github.com/smallstep/certificates/pull/488 that will return an error when we create the crypto.Signer. If you try with that specific branch, I think you will get the appropriate error from CloudKMS.

And by the way, we've seen a similar error before, and the problem was that the intermediate key, in the `key` parameter, didn't match the intermediate certificate in the `crt`.

One way to find out if that's your problem is exporting the public key from gcloud and comparing it with the public key in the certificate:

```sh
step certificate inspect your-intermediate.crt
step crypto key inspect intermediate-public.key
```

The public key in the certificate must match the one coming from GCP.
Thank you. Much more helpful error: `rpc error: code = PermissionDenied desc = Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: GmDrowQvhXw5DNzHpk0dA5EH3A6K3WBVR_RGtbztlw5Ukf7Pu80Vfw`

Resolving the GCP permissions issue resolved the error as well.
Subject of the issue
step-ca fails to create its own leaf certificate on startup
Your environment
```sh
uname -a
Linux ** 4.19.92.**** #1 SMP Thu Jan 2 14:36:58 EST 2020 x86_64 GNU/Linux
```

Steps to reproduce

```sh
STEPDEBUG=1 /usr/bin/step-ca /etc/step/poc/config/ca.json
```
```sh
cat /etc/step/poc/config/ca.json
```

```json
{
  "address": "stepca.hostname.com:443",
  "authority": {
    "claims": {
      "defaultTLSCertDuration": "24h",
      "disableRenewal": false,
      "maxTLSCertDuration": "720h",
      "minTLSCertDuration": "5m"
    },
    "provisioners": [
      {
        "name": "poc-acme",
        "type": "ACME"
      }
    ]
  },
  "crt": "/etc/step/poc/certs/gcp-kms-1.pem",
  "db": {
    "badgerFileLoadingMode": "",
    "dataSource": "/var/lib/stepca/poc",
    "type": "badger"
  },
  "dnsNames": [
    "stepca.hudson-trading.com"
  ],
  "federatedRoots": [],
  "key": "projects/hsm-test-***/locations/global/keyRings/intermediate-test1/cryptoKeys/intermediate-test1-key/cryptoKeyVersions/1",
  "kms": {
    "credentialsFile": "/etc/step/poc/secrets/hsm-test.json",
    "type": "cloudkms"
  },
  "logger": {
    "format": "text"
  },
  "root": "/etc/step/hrt-pki-yubikey-kms-poc/certs/root_ca.pem",
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "maxVersion": 1.3,
    "minVersion": 1.2,
    "renegotiation": false
  }
}
```
```sh
cat /etc/step/hrt-pki-yubikey-kms-poc/certs/root.pem
cat /etc/step/poc/certs/gcp-kms-1.pem
```
Expected behaviour
Successful startup.
Actual behaviour
```
STEPDEBUG=1 /usr/bin/step-ca /etc/step/poc/config/ca.json
x509: only RSA, ECDSA and Ed25519 keys supported
error creating certificate
go.step.sm/crypto/x509util.CreateCertificate	/home/travis/gopath/pkg/mod/go.step.sm/crypto@v0.6.1/x509util/certificate.go:144
github.com/smallstep/certificates/cas/softcas.(SoftCAS).CreateCertificate	/home/travis/gopath/src/github.com/smallstep/certificates/cas/softcas/softcas.go:65
github.com/smallstep/certificates/authority.(Authority).GetTLSCertificate	/home/travis/gopath/src/github.com/smallstep/certificates/authority/tls.go:428
github.com/smallstep/certificates/ca.(CA).getTLSConfig	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:244
github.com/smallstep/certificates/ca.(CA).Init	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:99
github.com/smallstep/certificates/ca.New	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:80
github.com/smallstep/certificates/commands.appAction	/home/travis/gopath/src/github.com/smallstep/certificates/commands/app.go:75
github.com/urfave/cli.HandleAction	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:523
github.com/urfave/cli.Command.Run	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/command.go:174
main.main.func3	/home/travis/gopath/src/github.com/smallstep/certificates/cmd/step-ca/main.go:152
github.com/urfave/cli.HandleAction	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:523
github.com/urfave/cli.(App).Run	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:285
main.main	/home/travis/gopath/src/github.com/smallstep/certificates/cmd/step-ca/main.go:155
runtime.main	/home/travis/.gimme/versions/go1.14.10.linux.amd64/src/runtime/proc.go:203
runtime.goexit	/home/travis/.gimme/versions/go1.14.10.linux.amd64/src/runtime/asm_amd64.s:1373
authority.GetTLSCertificate
github.com/smallstep/certificates/errs.Wrap	/home/travis/gopath/src/github.com/smallstep/certificates/errs/error.go:106
github.com/smallstep/certificates/authority.(Authority).GetTLSCertificate.func1	/home/travis/gopath/src/github.com/smallstep/certificates/authority/tls.go:397
github.com/smallstep/certificates/authority.(Authority).GetTLSCertificate	/home/travis/gopath/src/github.com/smallstep/certificates/authority/tls.go:434
github.com/smallstep/certificates/ca.(CA).getTLSConfig	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:244
github.com/smallstep/certificates/ca.(CA).Init	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:99
github.com/smallstep/certificates/ca.New	/home/travis/gopath/src/github.com/smallstep/certificates/ca/ca.go:80
github.com/smallstep/certificates/commands.appAction	/home/travis/gopath/src/github.com/smallstep/certificates/commands/app.go:75
github.com/urfave/cli.HandleAction	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:523
github.com/urfave/cli.Command.Run	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/command.go:174
main.main.func3	/home/travis/gopath/src/github.com/smallstep/certificates/cmd/step-ca/main.go:152
github.com/urfave/cli.HandleAction	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:523
github.com/urfave/cli.(App).Run	/home/travis/gopath/pkg/mod/github.com/urfave/cli@v1.22.2/app.go:285
main.main	/home/travis/gopath/src/github.com/smallstep/certificates/cmd/step-ca/main.go:155
runtime.main	/home/travis/.gimme/versions/go1.14.10.linux.amd64/src/runtime/proc.go:203
runtime.goexit	/home/travis/.gimme/versions/go1.14.10.linux.amd64/src/runtime/asm_amd64.s:1373
```
Additional context
The CA was working with this config, or so we thought for a bit. Not sure what changed.
At the very least, it would help to output the type of public key here, since it is failing a golang internal type switch.
https://github.com/smallstep/crypto/blob/master/x509util/certificate.go#L144
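Both points raised on this page, the maintainer's advice to compare the signer's public key with the one in the intermediate certificate and the request above that the error name the offending key type, can be checked in code before anything reaches `x509.CreateCertificate`. The Go example below is added here and is not code from smallstep/certificates or go.step.sm/crypto; it assumes the value passed in is whatever the KMS-backed `crypto.Signer`'s `Public()` returned (nil when the key could not be loaded), and it uses a locally generated ECDSA key and a self-signed certificate as a constructed fixture.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
)

// CheckKeyMatchesCert takes what a crypto.Signer's Public() returned: it rejects
// unsupported types with an error naming the Go type, then checks equality with crt.
func CheckKeyMatchesCert(pub crypto.PublicKey, crt *x509.Certificate) error {
	switch pub.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: // the types x509 accepts
	default:
		return fmt.Errorf("unsupported public key type %T: only RSA, ECDSA and Ed25519 keys supported", pub)
	}
	eq, ok := pub.(interface{ Equal(crypto.PublicKey) bool }) // all three implement Equal
	if !ok || !eq.Equal(crt.PublicKey) {
		return fmt.Errorf("signer public key (%T) does not match certificate public key (%T)", pub, crt.PublicKey)
	}
	return nil
}

func selfSignedCert(key *ecdsa.PrivateKey) *x509.Certificate { // constructed test fixture
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err) // fixture setup, not expected to fail
	}
	crt, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return crt
}

// Demo checks the matching key, a different P-256 key, and a nil key (what a
// KMS-backed signer whose public key failed to load would hand back).
func Demo() (match, mismatch, unsupported error) {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	crt := selfSignedCert(k1)
	return CheckKeyMatchesCert(k1.Public(), crt), CheckKeyMatchesCert(k2.Public(), crt), CheckKeyMatchesCert(nil, crt)
}

func main() {
	m, mm, u := Demo()
	fmt.Printf("match: %v\nmismatch: %v\nunsupported: %v\n", m, mm, u)
}
```

Running this prints a nil error for the matching key, a "does not match" error for the foreign key, and an "unsupported public key type <nil>" error for the missing key, which is the detail the bare x509 message above leaves out.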