
ABM public key supplied as .crt when Apple asks for .pem or .der

Open georgekarrv opened this issue 1 year ago • 1 comments

💥  Actual behavior

ABM now requires the public key in PEM or DER format, but fleet generates a CRT file.

🧑‍💻  Steps to reproduce

  1. Follow the ABM MDM enrollment flow
  2. Issue can be found in MDM Server Settings section where a public key must be uploaded.

🕯️ More info (optional)

Customer was able to convert it with openssl x509 -in mycert.crt -out mycert.pem -outform PEM

georgekarrv avatar Oct 18 '24 19:10 georgekarrv

https://github.com/fleetdm/fleet/issues/22955 Original issue for context

georgekarrv avatar Oct 18 '24 19:10 georgekarrv

Hey @rachaelshaw, as a solution to this bug I specified an API change in the "To fix" section of the issue description. Apple changed the format that they ask for, so users can't successfully upload the .crt type of public key that we return today. It's kind of a breaking change, but that's what Apple is asking for (it's in contributor API docs).

marko-lisica avatar Oct 23 '24 11:10 marko-lisica

@georgekarrv We want to return .pem instead of .crt, because in some browsers ABM doesn't let you select formats other than .pem or .der.

Not sure which of the two formats we should use: .pem or .der? Are there any advantages to either of them?

marko-lisica avatar Oct 23 '24 12:10 marko-lisica

.pem is more common

georgekarrv avatar Oct 23 '24 12:10 georgekarrv

Also @marko-lisica your link above just linked back to this ticket, not a change request

georgekarrv avatar Oct 23 '24 12:10 georgekarrv

> Also @marko-lisica your link above just linked back to this ticket, not a change request

I highlighted and linked to "To fix" section in issue description, but it was hard to notice I guess. I updated my comment to be explicit where the change is specified.

marko-lisica avatar Oct 23 '24 13:10 marko-lisica

> .pem is more common

Then I think it makes sense to return .pem. Specified that in "🛠️ To fix" section.

marko-lisica avatar Oct 23 '24 13:10 marko-lisica

@dantecatalfamo Sorry, I didn't see this was changed to just break the API. I would recommend we add the query param alt; then if alt=pem is specified, return .pem, otherwise remain unchanged.

Why do this? There could be customers w/ automation in place that already expect the .crt format, and we wouldn't want to break them unnecessarily.

@marko-lisica Please let me know if that doesn't work for product

georgekarrv avatar Nov 15 '24 19:11 georgekarrv

Then it's as simple for our UI to request it with alt=pem to make the default fleet UI generate .pem without breaking anything

georgekarrv avatar Nov 15 '24 19:11 georgekarrv

@georgekarrv Excellent news, it's already in PEM format and we just had to change the extension in the front end when downloading it. No API changes required

dantecatalfamo avatar Nov 15 '24 20:11 dantecatalfamo
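The observation in the comment above, that a file named .crt can already hold PEM data, shown as an added example (not Fleet's code and not part of the original thread): it classifies certificate bytes by content instead of by extension and wraps DER as PEM only when needed. The names `DetectEncoding` and `ToPEM` are hypothetical, and the input is a constructed placeholder, not a real certificate.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
)

// Encoding names returned by DetectEncoding (hypothetical helper names).
const (
	EncodingPEM     = "PEM"
	EncodingDER     = "DER"
	EncodingUnknown = "unknown"
)

// DetectEncoding classifies certificate bytes by their outer framing only.
// It ignores the file extension and does not validate the X.509 contents.
func DetectEncoding(data []byte) string {
	// PEM: base64 body wrapped in BEGIN/END CERTIFICATE armor.
	if block, _ := pem.Decode(data); block != nil && block.Type == "CERTIFICATE" {
		return EncodingPEM
	}
	// DER: raw ASN.1, and a certificate starts with a SEQUENCE tag (0x30).
	if len(data) > 0 && data[0] == 0x30 {
		return EncodingDER
	}
	return EncodingUnknown
}

// ToPEM passes PEM input through unchanged and wraps DER input in PEM armor.
func ToPEM(data []byte) ([]byte, error) {
	switch DetectEncoding(data) {
	case EncodingPEM:
		return data, nil // already PEM: only the file name would need to change
	case EncodingDER:
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: data}), nil
	}
	return nil, errors.New("not a PEM or DER certificate")
}

func main() {
	// Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
	der := []byte{0x30, 0x03, 0x02, 0x01, 0x01}
	asPEM, _ := ToPEM(der)
	fmt.Printf("%s -> %s\n%s", DetectEncoding(der), DetectEncoding(asPEM), asPEM)
}
```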

QA Notes:

Verified public key downloads in .pem format. Verified ABM accepts generated file and MDM server can be added under Automatic Enrollment.

jmwatts avatar Nov 18 '24 23:11 jmwatts

Apple seeks key in .pem, Fleet yields .crt, not the gem. Graceful code transform.

In cloud city's heart, Key converts, new journey starts, Ease for users, smart.

No facade alters, Yet, this small change falters not, Fleet's growth never halts.

fleet-release avatar Nov 27 '24 21:11 fleet-release