Comments (13)
@mkg2 @piizei I can confirm this is the case.
Seeing that it is not consistent across Azure resources, I think it would be better to create a new optional argument, something like "p12_certificate_password", which defaults to an empty string.
If you both agree I am happy to make the changes and create a PR later today. Only seems fair @vancluever, seeing that these are Azure-based issues :)
from terraform-provider-acme.
@mkg2 I was having issues getting people to actually tell me if this was actually working on Azure or not. Guess it wasn't 😕
Would you be able to save the bundle to a local file, actually set a password on it and then try it, to see if it worked? If it does, I might just update the code so that it has a static password of "changeit" or something, just basically to satisfy that requirement and still communicate that we effectively don't set a password on the P12 file.
It might not be related, but it would be good to validate before I create a new issue: I found that the base64-encoded value in certificate_p12 was not valid. I had to add "==" to the end of it to get mine to work, and another time just a single "=".
Which is a bit of a pain. I plan to do a bit more digging, but this might help you move forward.

```hcl
resource "azurerm_key_vault_secret" "cert" {
  name         = "cert"
  value        = "${acme_certificate.demo.certificate_p12}=="
  key_vault_id = "${azurerm_key_vault.demo.id}"
  content_type = "application/x-pkcs12"
}
```

A better workaround would be to use a local-exec provisioner to use openssl to recreate a pfx.
@JimPaine that's the padding on the base64 encoding, which is good to know. I'll make sure that's in as well.
So did it actually work for you without a password?
Yeah, I just mentioned it as it looked like your error mentioned it could have been an issue with the data or the password. But I do have it working with an Azure Function with no password.
@mkg2 can you test with the padding fix @JimPaine has above so that we can validate?
Just in case this issue is not related to the padding issue, I have raised a new issue here along with my findings: #33
@JimPaine thanks! I've replied in that thread as well.
I can confirm that it does not work with Azure WAF without a password (padding or not). +1 for 'changeit'.
Unfortunately, it is not working as expected.
Point 1:
I have tried to store the certificate_p12 to a local file and ended up with an invalid text file.

Terraform code

```hcl
resource "local_file" "pkcs12" {
  content  = "${acme_certificate.certificate.certificate_p12}=="
  filename = "/tmp/Cert_direct.p12"
}
```

Certificate verification

I am expecting a base64-encoded data file on Linux, but the file below is in text format.

```console
$ file /tmp/Cert_direct.p12
Cert_direct.p12: ASCII text, with very long lines, with no line terminators
$
```

Verification with keytool is not working either.

```console
$ keytool -list -v -keystore /tmp/Cert_direct.p12 -storetype PKCS12
keytool error: java.io.IOException: toDerInputStream rejects tag type 77
java.io.IOException: toDerInputStream rejects tag type 77
        at sun.security.util.DerValue.toDerInputStream(DerValue.java:881)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1939)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.doCommands(Main.java:827)
        at sun.security.tools.keytool.Main.run(Main.java:368)
        at sun.security.tools.keytool.Main.main(Main.java:361)
```
Point 2:
I have uploaded 'certificate_p12' directly to Azure Key Vault.

Terraform code

```hcl
resource "azurerm_key_vault_secret" "cert" {
  name         = "cert"
  value        = "${acme_certificate.certificate.certificate_p12}=="
  key_vault_id = "${data.azurerm_key_vault.main.id}"
  content_type = "application/x-pkcs12"
}
```

Then I tried to download the file from the Azure web console as a certificate.

File download error

```
Failed to download the file. Error details: Bad request 400 Date uri content is not properly encoded. For binary type, please encode it with base64 encoding
```
Point 3:
The only workaround so far is to create the PKCS#12 bundle with local-exec.

```hcl
resource "local_file" "private_key_pem" {
  content  = "${acme_certificate.certificate.private_key_pem}"
  filename = "/tmp/key.pem"
}

resource "local_file" "certificate_pem" {
  content  = "${acme_certificate.certificate.certificate_pem}"
  filename = "/tmp/cert.pem"
}

resource "null_resource" "main" {
  triggers {
    build_number = "${timestamp()}"
  }

  provisioner "local-exec" {
    command = "openssl pkcs12 -export -out /tmp/Cert.p12 -in /tmp/cert.pem -inkey /tmp/key.pem -passout pass:abcd"
  }
}
```

Certificate verification

```console
$ file Cert.p12
Cert.p12: data
$
```

Verification with keytool

```console
$ keytool -list -v -keystore /tmp/Cert.p12 -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry
....
...
```
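An added check, not code from this thread or from the provider, covering both the "==" / "=" padding fixes discussed earlier and the keytool failure in Point 1 above: it restores base64 padding to a multiple of four characters, decodes the value, and confirms the result begins with a DER SEQUENCE byte (0x30) rather than the letter "M" (decimal 77), which is exactly what keytool reports when it is handed the still-encoded text instead of the binary bundle. The sample bytes are constructed, not a real certificate.

```python
import base64

DER_SEQUENCE_TAG = 0x30   # a PKCS#12 PFX is a DER SEQUENCE, so byte 0 is 0x30


def pad_base64(text: str) -> str:
    """Restore the '=' padding that a certificate_p12 value may be missing.

    Base64 text is always a multiple of 4 characters; 2 or 3 trailing
    characters need '==' or '=' respectively (1 trailing char is invalid).
    """
    text = "".join(text.split())  # tolerate stray newlines or spaces
    remainder = len(text) % 4
    if remainder == 1:
        raise ValueError("not valid base64: length % 4 == 1")
    return text + "=" * ((4 - remainder) % 4)


def decode_p12(text: str) -> bytes:
    """Decode a base64 PKCS#12 blob and sanity-check that the result is DER."""
    raw = base64.b64decode(pad_base64(text), validate=True)
    if not raw:
        raise ValueError("empty PKCS#12 blob")
    if raw[0] == ord("M"):
        # 'M' (0x4D, decimal 77) is the first character of base64-encoded DER:
        # the blob is still text, which is what keytool's
        # "toDerInputStream rejects tag type 77" is complaining about.
        raise ValueError("blob is still base64 text; decode it before loading")
    if raw[0] != DER_SEQUENCE_TAG:
        raise ValueError(f"first byte 0x{raw[0]:02x} is not a DER SEQUENCE tag")
    return raw


def write_p12(text: str, path: str) -> int:
    """Write the decoded bundle as a binary file (what openssl and keytool expect)."""
    raw = decode_p12(text)
    with open(path, "wb") as fh:
        fh.write(raw)
    return len(raw)


# Constructed sample, not a real certificate: a tiny DER SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64_UNPADDED = base64.b64encode(SAMPLE_DER).decode().rstrip("=")

if __name__ == "__main__":
    print(pad_base64(SAMPLE_B64_UNPADDED), decode_p12(SAMPLE_B64_UNPADDED).hex())
```

Feed it the raw certificate_p12 attribute rather than a hand-padded "${...}==" string, since the number of "=" characters needed depends on the length of the particular bundle.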
@JimPaine are you working on the password? I was just wondering whether I should wait or implement the workaround suggested by @mkg2?
Sorry @piizei, picking it up today, I had a few things come up that I needed to sort. Still waiting on #34 to be merged in as well, so it might be worth doing the workaround, as that will also work around that issue.
Work in progress is here if you want to build and run it yourself:
https://github.com/JimPaine/terraform-provider-acme/tree/p12-cert-password
Hey all, this has now been merged and should be going out for release early next week. Thanks @JimPaine for the PR!