
Regenerate certificate with key length

Open jbuecher opened this issue 7 months ago • 1 comment

Hi, as mentioned by https://github.com/cloudfoundry/credhub/pull/870#issuecomment-2740987446, I've created a proposal for using parameters, e.g. key-length in this case, in the process of regenerating credentials.

Assumption: For introducing this feature, I've assumed that the approach for generating credentials could be reused within the regenerating process.

jbuecher avatar Mar 25 '25 13:03 jbuecher

Hi @jbuecher, the changes on the cli side seem to not work. I am getting the error:

The request includes an unrecognized parameter 'parameters'. Please update or remove this parameter and retry your request.

when running the command with the flag --key-length set in regenerate. If it helps I enabled the debug logging on both server and cli sides. On the server side a failed request looks like:

2025-04-16T15:53:16.295Z [https-jsse-nio-9000-exec-6] ERROR org.cloudfoundry.credhub.generate.ExceptionHandlers - The request includes an unrecognized parameter 'parameters'. Please update or remove this parameter and retry your request.
2025-04-16T15:53:16.295Z [https-jsse-nio-9000-exec-6] INFO  CEFAudit - CEF:0|cloud_foundry|credhub|2.13.2|POST /api/v1/data|POST /api/v1/data|0|rt=1744818796294 suser=credhub_client suid=uaa-client:credhub_client cs1Label=userAuthenticationMechanism cs1=uaa request=/api/v1/data requestMethod=POST cs3Label=versionUuid cs3=null cs4Label=httpStatusCode cs4=400 src=0:0:0:0:0:0:0:1 dst=localhost cs2Label=resourceName cs2=null cs5Label=resourceUuid cs5=null deviceAction=null

While a successful command without the flag --key-length would have the form of:

2025-04-16T15:55:59.309Z [https-jsse-nio-9000-exec-2] INFO  CEFAudit - CEF:0|cloud_foundry|credhub|2.13.2|POST /api/v1/data|POST /api/v1/data|0|rt=1744818958524 suser=credhub_client suid=uaa-client:credhub_client cs1Label=userAuthenticationMechanism cs1=uaa request=/api/v1/data requestMethod=POST cs3Label=versionUuid cs3=ccd3de7d-1a37-40ea-94cd-3140d1a23bac cs4Label=httpStatusCode cs4=200 src=0:0:0:0:0:0:0:1 dst=localhost cs2Label=resourceName cs2=/test/example cs5Label=resourceUuid cs5=acfdd2e8-5a94-4162-b5b2-71a552f09665 deviceAction=REGENERATE cs6Label=requestDetails cs6={"name":"/test/example"}

As you see, in the case of the failed request the deviceAction parameter is null, but in the case of the successful request (without the keyLength parameter) deviceAction is set to REGENERATE.

bsoroushian avatar Apr 16 '25 17:04 bsoroushian
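The two CEFAudit lines quoted above are the kind of signal an operator can watch for: a CredHub request that was rejected with httpStatusCode=400 and deviceAction=null means a client sent something the server did not understand (here the unrecognized 'parameters' field). The following is an added example, not code from the credhub or credhub-cli projects: a small CEF parser that resolves the csNLabel/csN pairs into named fields and flags such rejected requests. The sample log is the two lines posted in this thread, and the field names used for the checks are taken from those lines.

```python
import re

# Sample input: the two audit lines quoted in the comment above (the ERROR line
# carries no CEF payload and is skipped by the parser).
SAMPLE_LOG = """2025-04-16T15:53:16.295Z [https-jsse-nio-9000-exec-6] ERROR org.cloudfoundry.credhub.generate.ExceptionHandlers - The request includes an unrecognized parameter 'parameters'. Please update or remove this parameter and retry your request.
2025-04-16T15:53:16.295Z [https-jsse-nio-9000-exec-6] INFO  CEFAudit - CEF:0|cloud_foundry|credhub|2.13.2|POST /api/v1/data|POST /api/v1/data|0|rt=1744818796294 suser=credhub_client suid=uaa-client:credhub_client cs1Label=userAuthenticationMechanism cs1=uaa request=/api/v1/data requestMethod=POST cs3Label=versionUuid cs3=null cs4Label=httpStatusCode cs4=400 src=0:0:0:0:0:0:0:1 dst=localhost cs2Label=resourceName cs2=null cs5Label=resourceUuid cs5=null deviceAction=null
2025-04-16T15:55:59.309Z [https-jsse-nio-9000-exec-2] INFO  CEFAudit - CEF:0|cloud_foundry|credhub|2.13.2|POST /api/v1/data|POST /api/v1/data|0|rt=1744818958524 suser=credhub_client suid=uaa-client:credhub_client cs1Label=userAuthenticationMechanism cs1=uaa request=/api/v1/data requestMethod=POST cs3Label=versionUuid cs3=ccd3de7d-1a37-40ea-94cd-3140d1a23bac cs4Label=httpStatusCode cs4=200 src=0:0:0:0:0:0:0:1 dst=localhost cs2Label=resourceName cs2=/test/example cs5Label=resourceUuid cs5=acfdd2e8-5a94-4162-b5b2-71a552f09665 deviceAction=REGENERATE cs6Label=requestDetails cs6={"name":"/test/example"}
"""

# The seven pipe-delimited CEF header fields that precede the extension block.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# key=value pairs; a value runs until the next " key=" or end of line, so
# values without embedded spaces (as in CredHub's audit lines) parse cleanly.
_EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s\S+?=|$)")


def parse_cef(line):
    """Parse one log line containing a CEF record; return None if it has none."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = line[idx + len("CEF:"):].split("|", 7)
    if len(parts) < 8:
        return None
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = {m.group(1): m.group(2) for m in _EXT_RE.finditer(parts[7])}
    # Resolve ArcSight-style custom strings: cs4Label=httpStatusCode cs4=400
    # becomes fields["httpStatusCode"] == "400".
    fields = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            fields[label] = ext[key[:-len("Label")]]
    record["ext"] = ext
    record["fields"] = fields
    return record


def rejected_requests(lines):
    """Return a summary of CredHub audit records that the server rejected.

    A record counts as rejected when its httpStatusCode is not 200 or the
    server recorded no deviceAction (the literal string 'null' in the log).
    """
    findings = []
    for line in lines:
        rec = parse_cef(line)
        if rec is None:
            continue
        status = rec["fields"].get("httpStatusCode")
        action = rec["ext"].get("deviceAction")
        if status != "200" or action in (None, "null"):
            findings.append({
                "status": status,
                "action": action,
                "user": rec["ext"].get("suser"),
                "request": rec["ext"].get("request"),
                "resource": rec["fields"].get("resourceName"),
            })
    return findings


if __name__ == "__main__":
    for finding in rejected_requests(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the script reports only the first CEF record (status 400, deviceAction null, no resource name); the successful REGENERATE on /test/example is left alone. A burst of such records from one suser is worth correlating with a client or CLI upgrade, since it usually means a request schema mismatch rather than an attack, but the same query also surfaces unexpected callers probing the data endpoint.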

I now realize that https://github.com/cloudfoundry/credhub/pull/870 was implemented for the /api/v1/regenerate endpoint, but the credhub-cli regenerate command invokes the /api/v1/data endpoint. So it does not work, as @bsoroushian found out. For this to work, an additional credhub server code change is necessary. As it appears that the /api/v1/regenerate endpoint implementation already satisfied the original functionality need and there is no demand for the matching functionality in credhub-cli, I am just going to close this PR.

hsinn0 avatar May 20 '25 18:05 hsinn0