
CAs generated by BOSH do not work correctly when imported into CredHub

See original GitHub issue

What version of the credhub server you are using?

2.5.6 (also tested on 2.5.11)

What version of the credhub cli you are using?

2.6.2 (also tested on 2.7.0)

NB: This was tested both times against BUCC

If you were attempting to accomplish a task, what was it you were attempting to do?

Import a CA generated by bosh create-env into CredHub, then use that CA to issue certificates (using credhub generate)

What did you expect to happen?

CredHub to issue certificates with a valid cert chain back to the imported CA

What was the actual behavior?

CredHub issues certificates that don’t have a valid cert chain back to the imported CA

Please confirm where necessary:

  • I have included a log output
  • My log includes an error message
  • I have included steps for reproduction

Reproduction steps

(I’ve included the whole list of commands to run since it takes a few to demonstrate the issue)

# Generate a CA with BOSH and import it into CredHub
cat > credhub_import.yml.tpl <<EOF
variables:
- name: bosh_generated_ca
  type: certificate
  options:
    is_ca: true
    common_name: bosh.io

credentials:
- name: bosh_generated_ca
  type: certificate
  value: ((bosh_generated_ca))
EOF

bosh int credhub_import.yml.tpl --vars-store vars.yml > credhub_import.yml
credhub import -f credhub_import.yml
credhub generate -n bosh_issued_cert -t certificate -c "foo.com" --ca bosh_generated_ca

# Actual: the issued cert does NOT verify against the CA that CredHub stored with it
credhub get -n bosh_issued_cert -k certificate > bosh_issued_cert.crt
credhub get -n bosh_issued_cert -k ca > bosh_generated_ca.crt
openssl verify -CAfile bosh_generated_ca.crt bosh_issued_cert.crt

# The same imported CA cert and key sign a cert that verifies fine when openssl does the signing
credhub get -n bosh_generated_ca -k private_key > bosh_generated_ca.key
openssl req -new -keyout openssl_issued_cert.key -out openssl_issued_cert.csr -newkey rsa:2048 -nodes -subj "/CN=foo.com/"
openssl x509 -req -in openssl_issued_cert.csr -CA bosh_generated_ca.crt -CAkey bosh_generated_ca.key -CAcreateserial -out openssl_issued_cert.crt
openssl verify -CAfile bosh_generated_ca.crt openssl_issued_cert.crt

# A CA generated inside CredHub issues certs that verify fine
credhub generate -n credhub_generated_ca -t certificate -c "credhub.io" --is-ca
credhub generate -n credhub_issued_cert -t certificate -c "foo.com" --ca credhub_generated_ca
credhub get -n credhub_issued_cert -k ca > credhub_generated_ca.crt
credhub get -n credhub_issued_cert -k certificate > credhub_issued_cert.crt
openssl verify -CAfile credhub_generated_ca.crt credhub_issued_cert.crt

We’ve temporarily worked around this by generating the CA with openssl and then importing that rather than generating it with BOSH and this has worked for us. We don’t have the option of generating the original CA with CredHub as this is when we are running bosh create-env so we don’t have a CredHub server yet.
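The reproduction above ends at `openssl verify`, which only says that the chain is bad, not why. The script below is an added example, not code from this issue or from the CredHub or BOSH projects: `chain_diagnose` runs the individual checks that chain building performs (issuer DN against CA subject DN, AKI keyid against the CA's SKI, CA:TRUE, keyCertSign in keyUsage, and finally `openssl verify` itself) and names the first things that fail. It assumes only a standard `openssl` binary. The fixtures it builds (`make_ca`, `issue_leaf`, `demo_scenarios`, the CN values and file names) are constructed here to exercise the diagnostic; the issue does not state the root cause of the BOSH/CredHub failure, so none of the three scenarios claims to be that exact case. To check a real pair, run `chain_diagnose bosh_generated_ca.crt bosh_issued_cert.crt` on the files the reproduction writes.

```shell
#!/bin/sh
# Added diagnostic, not code from the issue or from CredHub/BOSH: report WHICH of
# the checks behind `openssl verify` fails for a leaf certificate and its CA.
# Only standard openssl(1) subcommands are used; file layout and names are ours.
set -eu

# ext_value <cert.pem> "<X509v3 label:>": value printed on the line after the
# label in `openssl x509 -text` output, or "" when the extension is absent.
ext_value() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk -v l="$2" \
    'f { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit } index($0, l) { f = 1 }'
}

# chain_diagnose <ca.pem> <leaf.pem>: prints "ok" or a space-separated list of
# failed checks, and returns 1 if anything failed.
chain_diagnose() {
  ca="$1"; leaf="$2"; fails=""
  ca_subj=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253); ca_subj=${ca_subj#*=}
  leaf_iss=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253); leaf_iss=${leaf_iss#*=}
  ca_ski=$(ext_value "$ca" "X509v3 Subject Key Identifier:")
  leaf_aki=$(ext_value "$leaf" "X509v3 Authority Key Identifier:"); leaf_aki=${leaf_aki#keyid:}
  ca_bc=$(ext_value "$ca" "X509v3 Basic Constraints:")
  ca_ku=$(ext_value "$ca" "X509v3 Key Usage:")

  # 1. Issuer lookup is by name: the leaf's issuer DN must equal the CA's subject DN.
  [ "$leaf_iss" = "$ca_subj" ] || fails="$fails issuer-dn-mismatch"
  # 2. If the leaf carries an AKI keyid it must equal the CA's SKI, otherwise the
  #    CA is rejected as issuer even though the names match.
  [ -z "$leaf_aki" ] || [ "$leaf_aki" = "$ca_ski" ] || fails="$fails aki-ski-mismatch"
  # 3. The CA must assert CA:TRUE in basicConstraints ...
  case "$ca_bc" in *CA:TRUE*) ;; *) fails="$fails ca-not-basicconstraints-ca" ;; esac
  # 4. ... and, if it has a keyUsage extension at all, it must include keyCertSign.
  case "$ca_ku" in ""|*"Certificate Sign"*) ;; *) fails="$fails ca-keyusage-no-certsign" ;; esac
  # 5. Finally the signature and path exactly as openssl sees them.
  if ! out=$(openssl verify -CAfile "$ca" "$leaf" 2>&1); then
    reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 | tr ' ' '_')
    fails="$fails openssl:${reason:-verification_failed}"
  fi
  [ -n "$fails" ] || { echo ok; return 0; }
  echo "${fails# }"; return 1
}

# --- Constructed fixtures so the diagnostic can be exercised without CredHub ---
# make_ca <dir> <name> <CN> <keyUsage>: self-signed CA with explicit v3 extensions.
make_ca() {
  cat > "$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical, CA:TRUE
keyUsage = critical, $4
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf <dir> <ca-name> <leaf-name> <CN>: CSR plus a signature by the named
# CA; the leaf's AKI is filled from that CA's SKI, as a well-behaved issuer does.
issue_leaf() {
  printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$1/leaf.ext"
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -days 30 -extfile "$1/leaf.ext" -out "$1/$3.crt" 2>/dev/null
}

# demo_scenarios: three constructed cases (none claims to be the exact CredHub
# failure, whose root cause the issue does not state), one line each as
# "<leaf> vs <ca>: <diagnosis>".
demo_scenarios() {
  d=$(mktemp -d)
  make_ca "$d" ca bosh.io "keyCertSign, cRLSign"
  make_ca "$d" ca_samename bosh.io "keyCertSign, cRLSign"   # same DN, different key
  make_ca "$d" ca_nocertsign other.io "digitalSignature"    # CA not allowed to sign certs
  issue_leaf "$d" ca good foo.com
  issue_leaf "$d" ca_samename wrongkey foo.com
  issue_leaf "$d" ca_nocertsign nocertsign foo.com
  for pair in "ca good" "ca wrongkey" "ca_nocertsign nocertsign"; do
    set -- $pair
    printf '%s vs %s: %s\n' "$2" "$1" "$(chain_diagnose "$d/$1.crt" "$d/$2.crt" || true)"
  done
  rm -rf "$d"
}

demo_scenarios
```

The "wrongkey" case is the one closest in shape to the report: the issuer name on the leaf matches the CA that is handed back, yet the AKI does not point at that CA's key, so `openssl verify` can only say "unable to get local issuer certificate". The "nocertsign" case shows why the bare verify error is a poor guide: depending on the OpenSSL version it reports either a missing issuer or an invalid CA, while the diagnostic always names the keyUsage problem.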

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:1
  • Comments:7 (1 by maintainers)

Top GitHub Comments

tomkennedy513 commented, Apr 28, 2020 (2 reactions)

Yes, of course, thank you for catching this

tlwr commented, Apr 28, 2020 (0 reactions)

Would it be possible to include this change in the release notes?
