Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pki: ca_chain endpoints do not return the chain when populated by root/generate #13489

Closed
dnephin opened this issue Dec 21, 2021 · 2 comments
Closed

Comments

@dnephin
Copy link

dnephin commented Dec 21, 2021

Background

Vault has 3 endpoints for reading certificates from a PKI secrets engine, one of which has multiple options for the response:

  1. pki/ca/pem - returns the single certificate
  2. pki/ca_chain - returns the full certificate chain
  3. pki/cert/{ca,ca_chain} - returns a JSON response with either the single certificate, or the full certificate chain

Describe the bug

pki/ca_chain and pki/cert/ca_chain return an empty response when the value was created with /pki/root/generate/internal. They correctly return the full chain if the value was populated using /pki/intermediate/set-signed.

To Reproduce
Steps to reproduce the behavior:

$ vault secrets enable pki
$ vault write -field=certificate pki/root/generate/internal common_name="dc1.consul"

$ curl -v "${VAULT_ADDR}/v1/pki/ca_chain"
# 204 No Content , with empty response body

$ curl -v "${VAULT_ADDR}/v1/pki/cert/ca_chain"
{"data":{"certificate":"","revocation_time":0}}

Expected behavior

The docs say the following about these endpoints:

This endpoint retrieves the CA certificate chain, including the CA

And, when a chain is saved using /pki/intermediate/set-signed they do properly return the full chain (including the root cert, if it was included in the PEM passed to set-signed).

So my expectations are:

The first curl should have a response body with the certificate PEM, not an empty response. A chain of 1 root cert is still a valid chain.

The second curl should have a non-empty value for data.certificate. The value should be the certificate PEM of the root cert.

@dnephin
Copy link
Author

dnephin commented Dec 21, 2021

Related to hashicorp/consul#11598

@dnephin
Copy link
Author

dnephin commented Dec 21, 2021

I understand fixing this may be a breaking change for anyone expecting an empty result. But it seems like pki/cert/ca_chain can be changed in a backwards compatible way. A new ca_chain field could be added to the JSON response.

cipherboy added a commit that referenced this issue Feb 7, 2022
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <[email protected]>
fairclothjm pushed a commit that referenced this issue Feb 12, 2022
* Include full chain in /cert/ca_chain response

This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <[email protected]>

* Add test case for full CA issuance

We test three main scenarios:

 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
    contain only the root,
 2. An intermediate CA (with root provide) should contain both the root
    and the intermediate.
 3. An external (e.g., `/config/ca`-provided) CA with both root and
    intermediate should contain both certs.

Signed-off-by: Alexander Scheel <[email protected]>

* Add documentation for new ca_chain field

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog entry

Signed-off-by: Alexander Scheel <[email protected]>

* Add note about where to find the entire chain

Signed-off-by: Alexander Scheel <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants