Repeated certificate requests fail when using Digicert (maybe other CAs too)

[amcginlay]

PROBLEM SUMMARY For a single given common name, and using a Digicert CA on TLSPC, only the very first call to conn.request_cert(request, zone) succeeds. All subsequent attempts will fail before the SDK reaches the end of its procedure.

STEPS TO REPRODUCE

• Use TLSPC with a configured Digicert CA named Digicert Test Account APM (change code for alternate Digicert CA as appropriate)
• venafidemo.com should be a known/proven domain name in the Digicert account (change code for alternate domain name as appropriate)
• Run the following code:

requirements.txt

vcert==0.16.0

main.py

import os
from datetime import datetime
from vcert import (CertificateRequest, venafi_connection, CSR_ORIGIN_SERVICE)
from vcert.policy.policy_spec import (PolicySpecification, Policy, Defaults)

def main():
    # set up vars/params
    api_key = os.environ.get('TLSPCAPIKey')
    tlspc_ca = 'Digicert Test Account APM' # ... or similar DIGICERT CA in TLSPC
    cert_auth = f'DIGICERT\\{tlspc_ca}\\ssl_cloud_wildcard'
    max_valid_days = 90
    zone = 'venafidemo-bugtest-app\\venafidemo-bugtest-cit'
    domain = 'venafidemo.com' # use a domain known to you your Digicert account
    timestamp = datetime.now().now().strftime("%Y%m%d%H%M%S") # using a timestamp ensures Digicert has never before seen this CN
    common_name = f'www{timestamp}.{domain}'
    passphrase = 'Password123!'
    
    # build connection
    conn = venafi_connection(api_key=api_key)
    
    # build policy (immutable code)
    policy_spec = PolicySpecification()
    policy_spec.policy = Policy(
        cert_auth = cert_auth,
        max_valid_days = max_valid_days,
        domains = [domain]
    )
    policy_spec.defaults = Defaults()    
    conn.set_policy(zone, policy_spec)
    
    # build 1st request
    print(f'1st request for {common_name} ...')
    request = CertificateRequest(common_name=common_name)
    request.csr_origin = CSR_ORIGIN_SERVICE
    request.key_password = passphrase    
    conn.request_cert(request, zone)
    # GOOD - FIRST CALL WORKS
    
    # build 2nd request
    print(f'2nd request for {common_name} ...')
    request2 = CertificateRequest(common_name=common_name)
    request2.csr_origin = CSR_ORIGIN_SERVICE
    request2.key_password = passphrase
    conn.request_cert(request2, zone)
    # BANG!
    # SECOND CALL blows up on cloud_connection.py (line 406) with IndexError: list index out of range
    #   line 406 as follows:
    #   request.cert_guid = data['certificateRequests'][0]['certificateIds'][0]

if __name__ == '__main__':
    main()

EXPECTED RESULTS Expect the SECOND call to work as per the FIRST.

ACTUAL RESULTS As described above

ENVIRONMENT DETAILS As described above

COMMENTS/WORKAROUNDS It would appear that the VCert CLI does not fail in the same way, which may indicate that the Golang code does not exhibit this bug. FWIW it would appear that subsequent calls do succeed from the POV of both Digicert and TLSPC. That is to say repeat certificates are visible in these systems. However the format of the TLSPC response to the client must be different from the first call and incompatible with the current SDK code, which causes the error. There is currently no workaround.