-
Notifications
You must be signed in to change notification settings - Fork 432
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: RA mode won't start up with Vault + SCEP #1560
Comments
There are a couple of problems here:
|
This bug was uncovered by me as I was trying to use the SCEP provisioner to issue certificates through Vault. I'm exploring whether I'd be able to use ACME instead of SCEP. Considering that the problem is with |
@spieglt in my testing, I was able to start up the RA with an ACME provisioner |
From @maraino's description, it sounds like the fix might be relatively straightforward? We're more or less blocked by this so I told the team I'd look into whether I could take a pass at fixing it. Not sure if it would interfere with @hslatman's work on SCEP he mentioned in Discord or whether the 0.25.1 milestone and his self-assignment of the issue is an indication that it's slated to be worked on in the near-term? |
Hey @spieglt, it's fairly high on my list of things I want to fix and closely related on things we're working on, so I hope I'll get to it sometime this week. But feel free to take a stab at it if you want it sooner or to be more sure about the timeline. |
Exciting news, thank you! I will not be able to work on it this week unfortunately. |
Hi @hslatman, any updates on this? |
Hey @spieglt, started looking into it, but not much actual progress yet due to other priorities. This week I should have some more time available for this and other SCEP things. |
Hey @spieglt, had to switch gears into product stuff, so haven't gotten to it yet. We're nearing the end of that, at least the most concrete and critical part, so I may get some time for this again soon. |
Thanks for the heads up. I'm finishing up another project and trying to switch focus back to this. We're eager to get this unblocked, is there anything I can do to help? I can try to fix it but am not sure of how likely my changes would be to conflict with changes you'd make in the near future. |
@hslatman I added a few lines to pass the intermediate certificates which has fixed the panic. Now I get an error thrown here saying
I feel like I can make changes to follow the "not require this" route, but I am concerned about the implication of "might only support decrypters" sentence. If the Vault RA only supports decrypters in the provisioners, does that mean I'd still be able to have step-ca issue certificates from Vault via SCEP? Can you tell me more about what signer and decrypter mean here exactly? |
After some reckless commenting-out of signer-related code and turning errors into print statements, I've gotten it to where step-ca actually starts with Vault as the RA and the SCEP provisioner in place. I get these log lines:
but everything else appears normal. |
@spieglt not at kb now, but the short answer is that the "decrypter approach" is probably the simplest way forward. It allows you to use an RSA certificate as the recipient (in SCEP, this would be the Registration Authority), so that messages can be encrypted to it by the client. The signer (intermediate) can then be either ECDSA or RSA, and you likely don't need more changes. The RSA decrypter is configured as a PEM cert + key; currently no KMS URI is supported. If that's not an option, then you'll need changes to how the intermediate key is made available for both decryption and signing. |
Okay, unfortunately I don't understand much of that so I guess I have some more code to read. What is the "decrypter approach"? Having a working decrypter but not a working signer? And what is required for that? The Vault RA cert chain is RSA. How would I use the RSA decrypter configured as PEM cert + key while using Vault in RA mode? That question may not be coherent, apologies if so. |
What I think @hslatman suggests is configuring the SCEP provisioner with an RSA certificate and key. This option was added a few weeks ago. You can see the fields here: certificates/authority/provisioner/scep.go Lines 47 to 50 in 7bfe11c
If you're using I haven't tested this configuration with VaultCAS, but I think it will work. |
@spieglt basically what @maraino describes above. In the SCEP protocol clients encrypt messages to the CA (usually an RA, Registration Authority; and the RA communicates with the CA using some protocol). The "decrypter approach" refers to a configuration in which each SCEP provisioner can have its own "RSA decrypter certificate". Clients can discover that decrypter certificate, and use it to encrypt messages to the public key. The SCEP provisioner decrypts the encrypted messages, incl. the CSR, and then makes the CAS sign the certificate using the intermediate key. In this setup, the SCEP provisioner with the decrypter cert operates as an RA in SCEP parlance; the CAS is the CA, and the protocol is effectively the CAS interface. The reason that approach is likely to work and to be the simplest to support in your use case, is because the CAS interface does not need to provide a |
Thanks for the explanations, that clears up a lot. Had not seen the new flags for creating the SCEP provisioner. Do the RSA key and cert used by the SCEP provisioner need to bear any relation to the cert chain used by Vault? Or is it just a completely separate chain? |
I don't think it's required (in all cases), but we've seen the best results with an RSA decrypter signed by the intermediate, so directly chaining to it. I remember seeing some source from Apple ecosystem requiring that; not sure about Microsoft/Linux clients, but the approach works there too. |
The steps you've described here will still require changes to the codebase though, yes? If I follow the Vault RA and step-ca setup guides, cut an RSA cert from Vault, use it and its key with these new SCEP provisioner flags, I still get the initial panic described in this bug. If I change a couple lines to pass around the intermediate certificates to If I run these lines from the Registration Authority Mode guide:
I get errors related to the lack of a signer. If I turn a couple errors into print statements, and comment out a couple blocks of code related to signers, I can get step-ca to start. And in that messy state, I was actually able to cut a cert from Vault via SCEP, which is what I've been trying to do for months now! So I will make a branch with my changes and link it here, but I will likely need your help making the signer optional. Does that make sense? |
@spieglt yes, just using the SCEP decrypter isn't enough. Some small changes are expected. |
…s a Registration Authority with Vault, and as a SCEP provisioner, with the certificates provisioned by SCEP coming from the Vault CA. This is incomplete as I'm not sure how to properly make the signer optional.
Here are the minimal changes required to use Vault as a Registration Authority with the SCEP provisioner: spieglt@b34dd57 To test, I:
When starting step-ca, the output looks like:
I'm not sure how to make the Signer optional in the proper way yet, please let me know if you have any insights there already. Thanks. |
Hi @theron-idme, happy new year! We will meet to discuss open source projects today and will get back to you shortly. |
Hi @tashian, any word from that meeting? |
Hey @theron-idme, I'm going to look at it, but other priorities atm. |
Hi, I encountered similar issue and this thread is extremely helpful. I tried the following and is able to setup SCEP with a step-ca only setup.
|
Steps to Reproduce
step ca provisioner add scepca --type SCEP --challenge "abc123" --encryption-algorithm-identifier 2
Your Environment
step-ca
Version -0.24.3-rc.5-144-gf9db22d3
step
Version -CLI/0.24.2-rc.3-138-g01d4e9e8
Expected Behavior
I expected the RA to start up with a SCEP provisioner.
Actual Behavior
Additional Context
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: