PKI backend sign-verbatim ignores requested ttl value #5549

Closed
jasonmf opened this issue Oct 19, 2018 · 6 comments
Comments


jasonmf commented Oct 19, 2018

Describe the bug
PKI backend sign-verbatim ignores requested ttl value.

To Reproduce

$ vault write ca/foo-dev-pki-vouchers/sign-verbatim/pki-server csr=@/tmp/blarg.csr ttl=24h
Error writing data to ca/foo-dev-pki-vouchers/sign-verbatim/pki-server: Error making API request.

URL: PUT https://vault.foo.example.net:8200/v1/ca/foo-dev-pki-vouchers/sign-verbatim/pki-server
Code: 400. Errors:

* requested ttl of 768h0m0s is greater than max ttl of 72h0m0s 

Expected behavior
It signs the certificate with the requested lifespan

Environment:

$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  0.11.2+prem.hsm
Cluster Name             vault-cluster-acd97b62
Cluster ID               xyz
HA Enabled               true
HA Mode                  active
HA Cluster               https://vault.primary.foo.example.net:8201
  • Vault CLI Version (retrieve with vault version):
$ vault version
Vault v0.11.3 ('fb601237bfbe4bc16ff679f642248ee8a86e627b')



jasonmf commented Oct 19, 2018

Additional information:
It "works" if I set a specific ttl value for the role, which was previously set and thus 0. However, the certificate I get is somewhat nonsensical:

        Validity
            Not Before: Jan  1 00:00:00 1 GMT
            Not After : Oct 20 00:21:40 2018 GMT

That expiration is correct for a cert with a lifespan of 24 hours, as requested, but being valid starting at the beginning of 1 AD is not.

jefferai (Member) commented Oct 19, 2018

The not before thing is a bug fixed in master already.

For the original request, can you provide a repro script so we can recreate with your role values?

jefferai (Member) commented Oct 19, 2018

Also there is a workaround for the second issue: #5481 (comment)


jasonmf commented Oct 19, 2018

#!/bin/bash

# $ vault version
# Vault v0.11.3 ('fb601237bfbe4bc16ff679f642248ee8a86e627b')

VBIN=vault
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=f00

${VBIN} server -dev -dev-root-token-id=${VAULT_TOKEN} &
sleep 2s
${VBIN} secrets enable pki
${VBIN} write pki/root/generate/internal cn=issue-5549 ttl=720h
${VBIN} write pki/roles/test allow_any_name=true max_ttl=72h
openssl req -nodes -newkey rsa:2049 -subj '/CN=test/' -keyout /tmp/test.pem -out /tmp/test.csr
# "tth" below is a typo for "ttl"; it is pointed out later in the thread
${VBIN} write pki/sign-verbatim/test csr=@/tmp/test.csr tth=24h
sleep 1s
kill %1

Gives me this error:

Error writing data to pki/sign-verbatim/test: Error making API request.

URL: PUT http://localhost:8200/v1/pki/sign-verbatim/test
Code: 400. Errors:

* requested ttl of 768h0m0s is greater than max ttl of 72h0m0s

From the test script if I use this role creation line:

${VBIN} write pki/roles/test allow_any_name=true

I get a different similarly nonsensical error:

Error writing data to pki/sign-verbatim/test: Error making API request.

URL: PUT http://localhost:8200/v1/pki/sign-verbatim/test
Code: 400. Errors:

* cannot satisfy request, as TTL would result in notAfter 2018-11-19T21:43:04.969192-08:00 that is beyond the expiration of the CA certificate at 2018-11-18T05:43:04Z

With these versions:

${VBIN} write pki/root/generate/internal cn=issue-5549 ttl=72h
${VBIN} write pki/roles/test allow_any_name=true max_ttl=72h

I get this:

Error writing data to pki/sign-verbatim/test: Error making API request.

URL: PUT http://localhost:8200/v1/pki/sign-verbatim/test
Code: 400. Errors:

* requested ttl of 768h0m0s is greater than max ttl of 72h0m0s

With these:

${VBIN} write pki/root/generate/internal cn=issue-5549 ttl=72h
${VBIN} write pki/roles/test allow_any_name=true max_ttl=72h ttl=72h

I get this:

Error writing data to pki/sign-verbatim/test: Error making API request.

URL: PUT http://localhost:8200/v1/pki/sign-verbatim/test
Code: 400. Errors:

* cannot satisfy request, as TTL would result in notAfter 2018-10-21T22:45:49.494708-07:00 that is beyond the expiration of the CA certificate at 2018-10-22T05:45:47Z

With these:

${VBIN} write pki/root/generate/internal cn=issue-5549 ttl=720h
${VBIN} write pki/roles/test allow_any_name=true max_ttl=72h ttl=72h

I do get issued a certificate.

In all cases the requested cert ttl is 24h.
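As an added illustration of the TTL precedence that the original report and the repro above exercise (example code, not Vault's own): a small Go model that resolves a leaf certificate's notAfter from the request ttl, the role ttl, the role max_ttl, the 768h system default and the CA's own expiry, next to a variant that drops the request ttl the way the bug does. TTLInputs, ResolveNotAfter and BuggyResolveNotAfter are this example's own names; the error strings mirror the ones quoted in the thread.

```go
package main

import (
	"fmt"
	"time"
)

// TTLInputs holds what decides a leaf certificate's notAfter; a zero duration means "not set".
type TTLInputs struct {
	Requested, RoleTTL, RoleMaxTTL, SystemMax time.Duration // ttl= on the request, role ttl, role max_ttl, system max (768h default)
	Now, CANotAfter                           time.Time
}

// firstSet returns the first non-zero duration, i.e. the first value that was actually configured.
func firstSet(ds ...time.Duration) time.Duration {
	for _, d := range ds {
		if d != 0 {
			return d
		}
	}
	return 0
}

// ResolveNotAfter models the expected precedence: request ttl, then role ttl,
// then system max; the result is capped by max_ttl and by the issuing CA's notAfter.
func ResolveNotAfter(in TTLInputs) (time.Time, error) {
	ttl := firstSet(in.Requested, in.RoleTTL, in.SystemMax)
	maxTTL := firstSet(in.RoleMaxTTL, in.SystemMax)
	if ttl > maxTTL {
		return time.Time{}, fmt.Errorf("requested ttl of %v is greater than max ttl of %v", ttl, maxTTL)
	}
	notAfter := in.Now.Add(ttl)
	if notAfter.After(in.CANotAfter) {
		return time.Time{}, fmt.Errorf("cannot satisfy request, as TTL would result in notAfter %s that is beyond the expiration of the CA certificate at %s",
			notAfter.Format(time.RFC3339), in.CANotAfter.Format(time.RFC3339))
	}
	return notAfter, nil
}

// BuggyResolveNotAfter models the behaviour reported in this issue: the request's
// ttl is dropped, so the role ttl (or the 768h system max) is used instead.
func BuggyResolveNotAfter(in TTLInputs) (time.Time, error) {
	in.Requested = 0
	return ResolveNotAfter(in)
}

func main() {
	// Constructed from the repro script: CA ttl=720h, role max_ttl=72h, request ttl=24h.
	now := time.Now()
	in := TTLInputs{Requested: 24 * time.Hour, RoleMaxTTL: 72 * time.Hour, SystemMax: 768 * time.Hour, Now: now, CANotAfter: now.Add(720 * time.Hour)}
	_, err := BuggyResolveNotAfter(in)
	na, _ := ResolveNotAfter(in)
	fmt.Println("buggy:", err, "\nfixed notAfter:", na.Format(time.RFC3339))
}
```

The buggy variant reproduces each error quoted above from the corresponding role and CA settings, while the correct resolution issues a 24h certificate in every one of those combinations.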

jefferai (Member) commented Oct 19, 2018

Thanks for the script, made it easy to repro.

jefferai added a commit that referenced this issue Oct 19, 2018
This endpoint eventually goes through generateCreationBundle where we
already have the right checks.

Also add expiration to returned value to match output when using root
generation.

Fixes #5549
jefferai (Member) commented Oct 19, 2018

BTW your script as-is still won't work for you with the above fix because you mistyped ttl as tth in one of the calls :-D
