terraform-provider-fortios
Internal Server Error using fortios_vpncertificate_local and fortios_vpncertificate_ca
Hi, I am trying to deploy 3 certificates to a Fortigate but am running into an error as seen below. Using v6.2.9 build1234 (GA). Let me know if you need more information or if these configurations need some changes.
resource "fortios_vpncertificate_local" "certificate" {
  name        = local.cert_name
  private_key = vault_pki_secret_backend_cert.fortigate.private_key
  certificate = vault_pki_secret_backend_cert.fortigate.certificate
  password    = ""
  range       = "global"
}

resource "fortios_vpncertificate_ca" "ca_int" {
  name  = "CA_GP_INT_VAULT_TF"
  ca    = vault_pki_secret_backend_cert.fortigate.ca_chain
  range = "global"
}

resource "fortios_vpncertificate_ca" "ca" {
  name  = "CA_GP_INT_VAULT_TF"
  ca    = vault_pki_secret_backend_cert.fortigate.issuing_ca
  range = "global"
}
╷
│ Error: Error creating VpnCertificateLocal resource: Internal Server Error - Internal error when processing the request (500)
│
│ with fortios_vpncertificate_local.certificate,
│ on fortios-certificate.tf line 41, in resource "fortios_vpncertificate_local" "certificate":
│ 41: resource "fortios_vpncertificate_local" "certificate" {
│
╵
╷
│ Error: Error creating VpnCertificateCa resource: Internal Server Error - Internal error when processing the request (500)
│
│ with fortios_vpncertificate_ca.ca_int,
│ on fortios-certificate.tf line 49, in resource "fortios_vpncertificate_ca" "ca_int":
│ 49: resource "fortios_vpncertificate_ca" "ca_int" {
│
╵
╷
│ Error: Error creating VpnCertificateCa resource: Internal Server Error - Internal error when processing the request (500)
│
│ with fortios_vpncertificate_ca.ca,
│ on fortios-certificate.tf line 55, in resource "fortios_vpncertificate_ca" "ca":
│ 55: resource "fortios_vpncertificate_ca" "ca" {
│
╵
Hi @gmintoco,
Thank you for raising this issue. The reason may be that the password is not set. Could you try to set the password and try it again? Also, you could upgrade the FortiOS Terraform provider to v1.14.0; then you could get some error info from the CLI response.
By the way, please do not set range to global for resources fortios_vpncertificate_<>; otherwise, you could not delete it anymore. We have created an internal case to track this issue, and we are working with the related team to fix it.
Please let me know if you have any questions.
Thanks, Xing
Putting this here to help others who are troubleshooting the same issue. I started out using the API endpoint (/api/v2/monitor/vpn-certificate/local/import), which was failing (don't remember the exact error). I tried fortios_vpncertificate_local but couldn't get around the internal server error mentioned here. Re-tracing the configuration, I noticed the key needed to be encrypted: "private_key - (Required) PEM format key, encrypted with a password." Once I had the key in PEM encrypted format (BEGIN ENCRYPTED PRIVATE KEY) I was able to use the API import with the correct parameters.
resource "fortios_json_generic_api" "genericapi" {
  path   = "/api/v2/monitor/vpn-certificate/local/import"
  method = "POST"
  json   = <<EOF
{
  "type": "regular",
  "certname": "wildcard",
  "password": "${data.sops_file.wildcard_cert.data["tls.key.encrypted.password"]}",
  "key_file_content": "${data.sops_file.wildcard_cert.data["tls.key.encrypted"]}",
  "file_content": "${data.sops_file.wildcard_cert.data["tls.crt"]}"
}
EOF
}
@lix-fortinet
I tried with an empty password and it still did not work. This was using the Terraform provider v1.14.0; I don't see any CLI responses though.
I also tried without setting the range to global and still had no luck.
Thanks for your response
@lix-fortinet
I have attempted again now after updating our FortiGates to 6.4.8 61F. I have a CLI error as well, which will hopefully help:
resource "fortios_vpncertificate_ca" "ca_int" {
  name = "CA1"
  ca   = file("ca1.crt")
}

resource "fortios_vpncertificate_ca" "ca" {
  name = "CA2"
  ca   = file("ca2.crt")
}
Error:
╷
│ Error: Error creating VpnCertificateCa resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response:
│ Input is not a valid CA certificate.
│ Input is not a valid CA certificate.
│ Input is not a valid CA certificate.
│ The field ca is empty!
│ node_check_object fail! for ca
│ Attribute 'ca' MUST be set.
│ Command fail. Return code -146
│
│
│ with fortios_vpncertificate_ca.ca_int,
│ on fortios-certificate.tf line 49, in resource "fortios_vpncertificate_ca" "ca_int":
│ 49: resource "fortios_vpncertificate_ca" "ca_int" {
│
╵
╷
│ Error: Error creating VpnCertificateCa resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response:
│ The string contains XSS vulnerability characters
│ The string contains XSS vulnerability characters
│ The string contains XSS vulnerability characters
│ The string contains XSS vulnerability characters
│ The string contains XSS vulnerability characters
│ The string contains XSS vulnerability characters
│ Input is not a valid CA certificate.
│ ... (the line above is repeated; 180 occurrences in total)
│ The field ca is empty!
│ node_check_object fail! for ca
│ Attribute 'ca' MUST be set.
│ Command fail. Return code -146
│
│
│ with fortios_vpncertificate_ca.ca,
│ on fortios-certificate.tf line 54, in resource "fortios_vpncertificate_ca" "ca":
│ 54: resource "fortios_vpncertificate_ca" "ca" {
│
╵
-----BEGIN CERTIFICATE-----
<cert contents>
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <serial>
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: <issuer>
        Validity
            Not Before: Mar 26 10:29:36 2010 GMT
            Not After : Mar 20 10:29:36 2035 GMT
        Subject: <subject>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    <modulus>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                <ski>
            X509v3 Authority Key Identifier:
                keyid:<keyid>
                DirName:<dirname>
                serial:<serial>
    Signature Algorithm: sha1WithRSAEncryption
        <sigalg>
-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----
Have you tried appending an additional " to the start and end of your certificate as per https://github.com/fortinetdev/terraform-provider-fortios/issues/216#issuecomment-1071913685
My experience on provider 1.15.0 with 7.2.1 is as follows:
This does not work:
ca = <<EOT
-----BEGIN CERTIFICATE-----
cert contents
-----END CERTIFICATE-----
EOT

This does work:
ca = <<EOT
"-----BEGIN CERTIFICATE-----
cert contents
-----END CERTIFICATE-----"
EOT
Additionally noting that while fortios_vpncertificate_ca works with additional quotation marks for the "ca" parameter, there is still an issue with the value of "ca" not making it into Terraform state. As such, on every Terraform run the resource will be updated, as "ca" appears to be empty. This does not look to be an issue with the fortios Terraform provider but rather a limitation with the cmdb API, where ca is blank.
There is a workaround using "fortios_json_generic_api" suggested here https://github.com/fortinetdev/terraform-provider-fortios/issues/230#issuecomment-1137288624.
This will create a cert and prevent it needing to be updated each run; however, it will use the default certificate naming convention, and Terraform will not be able to delete the certificate if the resource is removed when it was added through this mechanism.
resource "fortios_json_generic_api" "ca_certificate" {
  path   = "/api/v2/monitor/vpn-certificate/ca/import"
  method = "POST"
  json = jsonencode({
    import_method = "file"
    scope         = "global"
    file_content  = base64encode(<<EOT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOT
    )
  })
}
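As an added example (not code from this thread or from the provider), a Go pre-flight check that applies locally the two things the thread establishes: the `ca` value must be a single PEM certificate carrying Basic Constraints CA:TRUE (the genuine meaning of the CLI message "Input is not a valid CA certificate."; when it still fires for a CA:TRUE certificate, as it did above, the problem is the quoting/transport, not the certificate), and the generic-API import wants the PEM base64-encoded in `file_content`. `CheckCAPEM`, `CAImportPayload` and `SelfSignedPEM` are names I chose; the certificates are constructed throw-away test material.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckCAPEM accepts exactly one PEM CERTIFICATE block whose Basic Constraints say CA:TRUE.
func CheckCAPEM(pemData []byte) error {
	block, rest := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" || len(bytes.TrimSpace(rest)) != 0 {
		return errors.New("need exactly one PEM CERTIFICATE block (no chain, no key)")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil && (!cert.BasicConstraintsValid || !cert.IsCA) {
		err = errors.New("certificate lacks Basic Constraints CA:TRUE")
	}
	return err
}

// CAImportPayload builds the body the generic-API workaround posts to /api/v2/monitor/vpn-certificate/ca/import.
func CAImportPayload(pemData []byte, scope string) ([]byte, error) {
	if err := CheckCAPEM(pemData); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"import_method": "file", "scope": scope,
		"file_content": base64.StdEncoding.EncodeToString(pemData)})
}

// SelfSignedPEM is a constructed throw-away certificate for testing, not a real CA.
func SelfSignedPEM(isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { fmt.Println(CheckCAPEM(SelfSignedPEM(true)), CheckCAPEM(SelfSignedPEM(false))) }
```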
Hi @gmintoco,
Sorry for the late response. For your case, could you try to add extra quotes for the parameter ca? For instance:
resource "fortios_vpncertificate_ca" "ca_int" {
  name = "CA1"
  ca   = "\"${file("ca1.crt")}\""
}
The related REST API for this resource may require this format. We will make some improvements for it in the next release.
However, we recommend that users use fortios_json_generic_api to import certificates, since some of the related REST APIs for certificate resources have removed some of the operations other than GET on the new version of FortiOS, so it may cause some issues when using certificate resources. We will continually work with the related teams to make this more consistent.
Thanks, Xing
Hi @gmintoco,
We handled the double quote issue in the latest release of FortiOS Terraform provider v1.16.0. You do not need to add extra quotes in your configuration. Please switch to v1.16.0 and have a try.
Thanks, Xing
Hi @gmintoco
I will go ahead to close this case, if your question is still not solved, feel free to reopen it or another case.
Thanks, Maxx