aws-app-mesh-examples
[BUG] TLS examples don't work with default bash IFS
Describe the bug
In https://github.com/aws/aws-app-mesh-examples/blob/main/walkthroughs/tls-with-acm/README.md Step 2: Create a Certificate, the aws acm-pca issue-certificate step fails as follows:
[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CSR=`aws acm-pca get-certificate-authority-csr \
> --certificate-authority-arn ${ROOT_CA_ARN} \
> --query Csr --output text`
[ec2-user@ip-172-31-70-72 ~]$ AWS_CLI_VERSION=$(aws --version 2>&1 | cut -d/ -f2 | cut -d. -f1)
[ec2-user@ip-172-31-70-72 ~]$ [[ ${AWS_CLI_VERSION} -gt 1 ]] && ROOT_CA_CSR="$(echo ${ROOT_CA_CSR} | base64)"
[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
> --certificate-authority-arn ${ROOT_CA_ARN} \
> --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
> --signing-algorithm SHA256WITHRSA \
> --validity Value=10,Type=YEARS \
> --csr "${ROOT_CA_CSR}" \
> --query CertificateArn --output text`
An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.
[ec2-user@ip-172-31-70-72 ~]$ echo $ROOT_CA_CSR | base64 -d
-----BEGIN CERTIFICATE REQUEST----- MIIC6jCCAdICAQAwgYIxCbase64: invalid input
The issue appears to be the CSR format:
[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CSR=`aws acm-pca get-certificate-authority-csr \
> --certificate-authority-arn ${ROOT_CA_ARN} \
> --query Csr --output text`
[ec2-user@ip-172-31-70-72 ~]$ echo $ROOT_CA_CSR
-----BEGIN CERTIFICATE REQUEST----- MIIC6jCCAdICAQAwgYIxCzAJBgNVBAYTAlVTMRowGAYDVQQKDBFBcHAgTWVzaCBF eGFtcGxlczEUMBIGA1UECwwLVExTIEV4YW1wbGUxCzAJBgNVBAgMAldBMSIwIAYD ...teaKGrewvobYC8EKU2MMNfM+TNYeO9OBGgc74iamdXIPB9WWYCX9a0AIpRcenO0C 0eIZIIC8q/Ohy5o0E5epoKLnHX1xsqcfbsO1tkWI -----END CERTIFICATE REQUEST-----
The cause of this weird formatting appears to be due to BASH's IFS (internal field separator) behavior.
[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
$' \t\n'
[ec2-user@ip-172-31-70-72 ~]$ FOO=`cat foo.txt`
[ec2-user@ip-172-31-70-72 ~]$ echo $FOO
foo bar baz
[ec2-user@ip-172-31-70-72 ~]$ IFS=
[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
''
[ec2-user@ip-172-31-70-72 ~]$ FOO=`cat foo.txt`
[ec2-user@ip-172-31-70-72 ~]$ echo $FOO
foo
bar
baz
Platform
Amazon Linux 4.14.281-212.502.amzn2.x86_64, bash 4.2.46(2)
To Reproduce
Steps to reproduce the behavior:
- Confirm you have the default IFS for bash:
[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
$' \t\n'
- Walk through steps of https://github.com/aws/aws-app-mesh-examples/blob/main/walkthroughs/tls-with-acm/README.md#step-2-create-a-certificate
I'll work up a PR soon.
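The flattening reported above can be reproduced offline. This is an added example, not part of the issue or the walkthrough: it checks a CSR string against the line structure of the pattern quoted in the ValidationException, then compares an unquoted `echo` with a quoted base64 round trip. The helper names (`sample_csr`, `csr_is_pem`, `flatten_unquoted`, `roundtrip_quoted`, `demo`) are hypothetical and the CSR body is constructed filler, not a real request.

```shell
# Constructed sample: PEM-shaped text with made-up body lines, not a real CSR.
sample_csr() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE REQUEST-----' \
        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' \
        'QUJDRA==' \
        '-----END CERTIFICATE REQUEST-----'
}

# Line-by-line form of the pattern quoted in the ValidationException:
# BEGIN line, zero or more 64-char base64 lines, one final line of 1-64
# base64 chars plus up to two '=', END line. Returns 0 when $1 conforms.
csr_is_pem() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, ""); line[NR] = $0 }
        END {
            b64 = "^[A-Za-z0-9/+]+$"
            if (NR < 3) exit 1
            if (line[1] != "-----BEGIN CERTIFICATE REQUEST-----") exit 1
            if (line[NR] != "-----END CERTIFICATE REQUEST-----") exit 1
            for (i = 2; i < NR - 1; i++)
                if (length(line[i]) != 64 || line[i] !~ b64) exit 1
            last = line[NR - 1]
            sub(/==?$/, "", last)
            if (length(last) < 1 || length(last) > 64 || last !~ b64) exit 1
        }'
}

# Unquoted expansion with default splitting (unset IFS behaves like the
# default): the words are rejoined by echo with single spaces.
flatten_unquoted() {
    ( unset IFS; echo $1 )
}

# Quoted round trip through base64: every newline survives.
roundtrip_quoted() {
    encoded=$(printf '%s\n' "$1" | base64)
    printf '%s\n' "$encoded" | base64 -d
}

demo() {
    csr=$(sample_csr)
    for fn in flatten_unquoted roundtrip_quoted; do
        out=$("$fn" "$csr")
        if csr_is_pem "$out"; then verdict=accepted; else verdict=rejected; fi
        printf '%-18s %s\n' "$fn" "$verdict"
    done
}
demo
```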