-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pki: ca_chain endpoints do not return the chain when populated by root/generate #13489
Labels
Comments
Related to hashicorp/consul#11598 |
I understand fixing this may be a breaking change for anyone expecting an empty result. But it seems like |
cipherboy
added a commit
that referenced
this issue
Feb 7, 2022
This allows callers to get the full chain (including issuing certificates) from a call to /cert/ca_chain. Previously, most endpoints (including during issuance) do not include the root authority, requiring an explicit call to /cert/ca to fetch. This allows full chains to be constructed without without needing multiple calls to the API. Resolves: #13489 Signed-off-by: Alexander Scheel <[email protected]>
fairclothjm
pushed a commit
that referenced
this issue
Feb 12, 2022
* Include full chain in /cert/ca_chain response This allows callers to get the full chain (including issuing certificates) from a call to /cert/ca_chain. Previously, most endpoints (including during issuance) do not include the root authority, requiring an explicit call to /cert/ca to fetch. This allows full chains to be constructed without without needing multiple calls to the API. Resolves: #13489 Signed-off-by: Alexander Scheel <[email protected]> * Add test case for full CA issuance We test three main scenarios: 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should contain only the root, 2. An intermediate CA (with root provide) should contain both the root and the intermediate. 3. An external (e.g., `/config/ca`-provided) CA with both root and intermediate should contain both certs. Signed-off-by: Alexander Scheel <[email protected]> * Add documentation for new ca_chain field Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]> * Add note about where to find the entire chain Signed-off-by: Alexander Scheel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background
Vault has 3 endpoints for reading certificates from a PKI secrets engine, one of which has multiple options for the response:
Describe the bug
pki/ca_chain
andpki/cert/ca_chain
return an empty response when the value was created with /pki/root/generate/internal. They correctly return the full chain if the value was populated using /pki/intermediate/set-signed.To Reproduce
Steps to reproduce the behavior:
Expected behavior
The docs say the following about these endpoints:
And, when a chain is saved using
/pki/intermediate/set-signed
they do properly return the full chain (including the root cert, if it was included in the PEM passed to set-signed).So my expectations are:
The first
curl
should have a response body with the certificate PEM, not an empty response. A chain of 1 root cert is still a valid chain.The second
curl
should have a non-empty value fordata.certificate
. The value should be the certificate PEM of the root cert.The text was updated successfully, but these errors were encountered: