terraform-provider-panos
Error using panos_certificate_import on panorama
Describe the bug
I'm using "panos_certificate_import" on several firewalls, but when I use it on a panorama device I get an error.
Expected behavior
Same behavior on Panorama and Palo Alto devices.
Current behavior
Error message when Terraform tries to import the certificate:
Error: Import of panorama.domain.com failed. Failed to extract certificate
The certificate is uploaded, but there is no key on the uploaded certificate.
I get no error when I upload the same certificate and key file manually through the panorama web interface.
Possible solution
Maybe panorama needs some extra parameters I am missing in my TF file...?
Steps to reproduce
resource "panos_certificate_import" "cert-panorama" {
  provider = panos.panorama
  name     = "panorama.domain.com"
  pem {
    certificate = file("panorama.domain.com.cer")
    private_key = file("panorama.domain.com.key")
    passphrase  = "secret"
  }
}
# panos_certificate_import.cert-panorama will be created
+ resource "panos_certificate_import" "cert-panorama" {
    + algorithm          = (known after apply)
    + ca                 = (known after apply)
    + cert_format        = (known after apply)
    + cert_passphrase    = (sensitive value)
    + cert_public_key    = (known after apply)
    + common_name        = (known after apply)
    + csr                = (known after apply)
    + expiry_epoch       = (known after apply)
    + id                 = (known after apply)
    + issuer             = (known after apply)
    + issuer_hash        = (known after apply)
    + name               = "panorama.domain.com"
    + not_valid_after    = (known after apply)
    + not_valid_before   = (known after apply)
    + private_key        = (sensitive value)
    + private_key_on_hsm = (known after apply)
    + public_key         = (known after apply)
    + revoke_date_epoch  = (known after apply)
    + status             = (known after apply)
    + subject            = (known after apply)
    + subject_hash       = (known after apply)
    + vsys               = "shared"

    + pem {
        + certificate          = <<-EOT
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
          EOT
        + certificate_filename = "cert.pem"
        + passphrase           = (sensitive value)
        + private_key          = (sensitive value)
        + private_key_filename = "key.pem"
      }
  }
╷
│ Error: Import of panorama.domain.com failed. Failed to extract certificate
│
│ with panos_certificate_import.cert-panorama,
│ on panos-cert-upload.tf line 1, in resource "panos_certificate_import" "cert-panorama":
│ 1: resource "panos_certificate_import" "cert-panorama" {
│
╵
Error: Process completed with exit code 1.
Context
I want to upload a certificate to the Panorama device to use on an SSL profile for the management interface.
Your Environment
- Version used: 1.10.0
- Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
- Operating System and version (desktop or mobile): Ubuntu 20.04, Terraform 1.0.10
- Link to your project:
I ran into the same issue using acme_certificate; it'll upload manually via the GUI, but attempting to import it, even from an Azure Key Vault, fails.
I thought it had something to do with being byte64 encoded though.
Did anyone find any workaround to this issue? It fails with Let's Encrypt certs too.
My workaround is to manually update the certificate.
Same issue here. The GUI works, TF fails and throws "Failed to extract certificate".
Got this fixed for PEM keys in our lab: there was a typo in the pango/dev/certificate/pano.go file that referenced the public certificate instead of the private key (fw.go was correct, which is why it worked on firewalls). I have a static version published on registry.terraform.io for DEV purposes (unmaintained) until a new version includes the fix.
Fixed by 1.11.1