CAs generated by BOSH do not work correctly when imported into CredHub
What version of the credhub server are you using?
2.5.6 (also tested on 2.5.11)
What version of the credhub cli are you using?
2.6.2 (also tested on 2.7.0)
NB: This was tested both times against BUCC
If you were attempting to accomplish a task, what was it you were attempting to do?
Import a CA generated by bosh create-env into CredHub, then use that CA to issue certificates (using credhub generate).
What did you expect to happen?
CredHub to issue certificates with a valid cert chain back to the imported CA
What was the actual behavior?
CredHub issues certificates that don’t have a valid cert chain back to the imported CA
Please confirm where necessary:
- I have included a log output
- My log includes an error message
- I have included steps for reproduction
Reproduction steps
(I’ve included the whole list of commands to run since it takes a few to demonstrate the issue)
# Generate a CA with BOSH and import it into CredHub
cat > credhub_import.yml.tpl <<EOF
variables:
- name: bosh_generated_ca
  type: certificate
  options:
    is_ca: true
    common_name: bosh.io
credentials:
- name: bosh_generated_ca
  type: certificate
  value: ((bosh_generated_ca))
EOF
bosh int credhub_import.yml.tpl --vars-store vars.yml > credhub_import.yml
credhub import -f credhub_import.yml
credhub generate -n bosh_issued_cert -t certificate -c "foo.com" --ca bosh_generated_ca
# Not a valid certificate chain
credhub get -n bosh_issued_cert -k certificate > bosh_issued_cert.crt
credhub get -n bosh_issued_cert -k ca > bosh_generated_ca.crt
openssl verify -CAfile bosh_generated_ca.crt bosh_issued_cert.crt
# Works with openssl
credhub get -n bosh_generated_ca -k private_key > bosh_generated_ca.key
openssl req -new -keyout openssl_issued_cert.key -out openssl_issued_cert.csr -newkey rsa:2048 -nodes -subj "/CN=foo.com/"
openssl x509 -req -in openssl_issued_cert.csr -CA bosh_generated_ca.crt -CAkey bosh_generated_ca.key -CAcreateserial -out openssl_issued_cert.crt
openssl verify -CAfile bosh_generated_ca.crt openssl_issued_cert.crt
# CredHub generated cert works fine
credhub generate -n credhub_generated_ca -t certificate -c "credhub.io" --is-ca
credhub generate -n credhub_issued_cert -t certificate -c "foo.com" --ca credhub_generated_ca
credhub get -n credhub_issued_cert -k ca > credhub_generated_ca.crt
credhub get -n credhub_issued_cert -k certificate > credhub_issued_cert.crt
openssl verify -CAfile credhub_generated_ca.crt credhub_issued_cert.crt
We’ve temporarily worked around this by generating the CA with openssl and then importing that, rather than generating it with BOSH, and this has worked for us. We don’t have the option of generating the original CA with CredHub, as this is when we are running bosh create-env, so we don’t have a CredHub server yet.
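The reproduction above shows only that openssl verify rejects the chain, not which part of the leaf/CA relationship is off. The script below is an added diagnostic, not part of the issue, of CredHub or of BOSH, and it makes no claim about the actual root cause of this bug: it checks the things a practitioner looks at when a freshly issued certificate does not chain, in order (issuer DN against the CA subject DN, the leaf's Authority Key Identifier against the CA's Subject Key Identifier, CA:TRUE on the CA, and finally the signature via openssl verify). All certificates are constructed inline with openssl; the second CA, "other_ca", is a hypothetical look-alike with the same DN but an independent key, standing in for any CA the leaf was not really signed by, which is exactly the case a DN-only comparison cannot catch. Run it as chain_diag LEAF.crt CA.crt against the files the credhub get commands above produce.

```shell
#!/bin/sh
# Added diagnostic (not from the issue, CredHub or BOSH): say WHY a leaf cert
# fails to chain to a CA instead of only reporting that openssl verify failed.
# All sample material is constructed below; "other_ca" is a hypothetical
# same-DN, different-key CA used to show a chain that breaks on key identity.

WORK=$(mktemp -d)

# Print the key identifier carried by one extension, or nothing if absent.
# OpenSSL 1.1.1 prints "keyid:AB:CD:..", OpenSSL 3 prints "AB:CD:..": handle both.
x509_keyid() {  # $1 = cert file, $2 = subjectKeyIdentifier | authorityKeyIdentifier
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null \
    | sed -n '2p' | sed 's/^[[:space:]]*//; s/^keyid://'
}

chain_diag() {  # $1 = leaf cert, $2 = CA cert; returns 0 only if every check passes
  leaf=$1; ca=$2; rc=0
  issuer=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  if [ "$issuer" = "$subject" ]; then
    echo "ok    issuer DN matches CA subject DN ($issuer)"
  else
    echo "FAIL  issuer DN '$issuer' != CA subject DN '$subject'"; rc=1
  fi

  aki=$(x509_keyid "$leaf" authorityKeyIdentifier)
  ski=$(x509_keyid "$ca" subjectKeyIdentifier)
  if [ -z "$aki" ] || [ -z "$ski" ]; then
    echo "skip  AKI/SKI not present on both certs, cannot compare key identifiers"
  elif [ "$aki" = "$ski" ]; then
    echo "ok    leaf AKI matches CA SKI"
  else
    echo "FAIL  leaf AKI $aki != CA SKI $ski (leaf was signed by a different key)"; rc=1
  fi

  if openssl x509 -in "$ca" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "ok    CA has basicConstraints CA:TRUE"
  else
    echo "FAIL  CA lacks basicConstraints CA:TRUE"; rc=1
  fi

  if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
    echo "ok    signature verifies against the CA"
  else
    echo "FAIL  openssl verify rejects the chain"; rc=1
  fi
  return $rc
}

# --- constructed sample material (not from the issue) -----------------------
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = bosh.io
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/leaf.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Two CAs with the identical DN "CN=bosh.io" but independent keys.
for n in ca other_ca; do
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$n.key" -out "$WORK/$n.crt" 2>/dev/null
done
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=foo.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
# good.crt is signed by ca; bad.crt by the look-alike other_ca.
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.cnf" -out "$WORK/good.crt" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/other_ca.crt" -CAkey "$WORK/other_ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.cnf" -out "$WORK/bad.crt" 2>/dev/null

echo "== leaf signed by ca, verified against ca"
if chain_diag "$WORK/good.crt" "$WORK/ca.crt"; then echo "RESULT: chain valid"; else echo "RESULT: chain broken"; fi
echo "== leaf signed by other_ca (same DN), verified against ca"
if chain_diag "$WORK/bad.crt" "$WORK/ca.crt"; then echo "RESULT: chain valid"; else echo "RESULT: chain broken"; fi
```

For the look-alike case the DN check passes while the AKI/SKI and signature checks fail, which is the signal that the issuer name is right but the signing key is not the one in the CA file you are verifying against; if a CA lacks a Subject Key Identifier the script says so and falls through to the signature check rather than guessing.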
Issue Analytics
- Created 3 years ago
- Reactions:1
- Comments:7 (1 by maintainers)
Top GitHub Comments
Yes, of course, thank you for catching this
Would it be possible to include this change in the release notes?