
[Bug]: step-ca sometimes interprets --root as the trust store, and sometimes as the step-ca true root

Open achernya opened this issue 3 years ago • 4 comments

Steps to Reproduce

  1. Set up caddy with Let's Encrypt certificates
  2. Set up step-ca behind the caddy, with its own root certificate. Configure caddy to accept step-ca's certificates.
  3. Try to provision a host ssh certificate with step ssh certificate ${FQDN} /etc/ssh/ssh_host_ecdsa_key.pub --host --sign --principal ${FQDN} --principal ${HOSTNAME}

Your Environment

  • OS - 3.16.0 (docker container)
  • step-ca Version - Smallstep CA/0.21.0 (linux/amd64)

Expected Behavior

SSH certificate provisioning succeeds, after JWT password is entered.

Actual Behavior

Get "https://${CA_URL}/provisioners?limit=100": x509: certificate signed by unknown authority
github.com/smallstep/certificates/ca.(*Client).Provisioners
        github.com/smallstep/[email protected]/ca/client.go:826
github.com/smallstep/certificates/pki.GetProvisioners
        github.com/smallstep/[email protected]/pki/pki.go:148
github.com/smallstep/cli/utils/cautils.NewTokenFlow
        github.com/smallstep/cli/utils/cautils/token_flow.go:100
github.com/smallstep/cli/utils/cautils.(*CertificateFlow).GenerateSSHToken
        github.com/smallstep/cli/utils/cautils/certificate_flow.go:163
github.com/smallstep/cli/command/ssh.certificateAction
        github.com/smallstep/cli/command/ssh/certificate.go:273
go.step.sm/cli-utils/command.ActionFunc.func1
        go.step.sm/[email protected]/command/command.go:37
github.com/urfave/cli.HandleAction
        github.com/urfave/[email protected]/app.go:522
github.com/urfave/cli.Command.Run
        github.com/urfave/[email protected]/command.go:173
github.com/urfave/cli.(*App).RunAsSubcommand
        github.com/urfave/[email protected]/app.go:405
github.com/urfave/cli.Command.startApp
        github.com/urfave/[email protected]/command.go:372
github.com/urfave/cli.Command.Run
        github.com/urfave/[email protected]/command.go:102
github.com/urfave/cli.(*App).Run
        github.com/urfave/[email protected]/app.go:277
main.main
        ./main.go:113
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1571

If you instead add --root=/etc/ssl/certs/ca-certificates.crt to the command line, the error becomes

Please enter the password to decrypt the provisioner key: 
error decoding /etc/ssl/certs/ca-certificates.crt: contains more than one PEM encoded block
github.com/smallstep/cli/crypto/pemutil.Parse
        github.com/smallstep/cli/crypto/pemutil/pem.go:243
github.com/smallstep/cli/crypto/pemutil.Read
        github.com/smallstep/cli/crypto/pemutil/pem.go:318
github.com/smallstep/cli/crypto/pemutil.ReadCertificate
        github.com/smallstep/cli/crypto/pemutil/pem.go:171
github.com/smallstep/cli/token.WithRootCA.func1
        github.com/smallstep/cli/token/options.go:37
github.com/smallstep/cli/token.NewClaims
        github.com/smallstep/cli/token/token.go:103
github.com/smallstep/cli/token/provision.New
        github.com/smallstep/cli/token/provision/provision.go:25
github.com/smallstep/cli/utils/cautils.(*TokenGenerator).Token
        github.com/smallstep/cli/utils/cautils/token_generator.go:83
github.com/smallstep/cli/utils/cautils.(*TokenGenerator).SignSSHToken
        github.com/smallstep/cli/utils/cautils/token_generator.go:115
github.com/smallstep/cli/utils/cautils.generateJWKToken
        github.com/smallstep/cli/utils/cautils/token_generator.go:394
github.com/smallstep/cli/utils/cautils.NewTokenFlow
        github.com/smallstep/cli/utils/cautils/token_flow.go:138
github.com/smallstep/cli/utils/cautils.(*CertificateFlow).GenerateSSHToken
        github.com/smallstep/cli/utils/cautils/certificate_flow.go:163
github.com/smallstep/cli/command/ssh.certificateAction
        github.com/smallstep/cli/command/ssh/certificate.go:273
go.step.sm/cli-utils/command.ActionFunc.func1
        go.step.sm/[email protected]/command/command.go:37
github.com/urfave/cli.HandleAction
        github.com/urfave/[email protected]/app.go:522
github.com/urfave/cli.Command.Run
        github.com/urfave/[email protected]/command.go:173
github.com/urfave/cli.(*App).RunAsSubcommand
        github.com/urfave/[email protected]/app.go:405
github.com/urfave/cli.Command.startApp
        github.com/urfave/[email protected]/command.go:372
github.com/urfave/cli.Command.Run
        github.com/urfave/[email protected]/command.go:102
github.com/urfave/cli.(*App).Run
        github.com/urfave/[email protected]/app.go:277
main.main
        ./main.go:113
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1571

Additional Context

Apologies if this issue should have been filed on smallstep/cli instead.

I've set up an instance of step-ca behind caddy, with Caddy having a Let's Encrypt certificate, proxying over TLS to the step-ca instance for external access. I'm mostly interested in the SSH CA, getting assertions over OIDC. I'm aware of other issues such as smallstep/certificates#193 and smallstep/certificates#246 where some of the philosophy of why not to do this was discussed.

The root issue seems to be that --root is sometimes used as the trust store, with 1 or more certificate PEMs in it, but in other code paths it is used as the true root.

Best I can tell, the root is loaded at https://github.com/smallstep/cli/blob/master/utils/cautils/client.go#L49-L71, and the same ClientOption is used both for the Transport and for step operations. I think it should be possible to patch this to specify the ca-bundle separately.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

achernya avatar Aug 01 '22 16:08 achernya
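The two failures in the report come from one file being handed to two consumers with different contracts: the TLS client, which is happy with a multi-certificate bundle, and the token builder, which expects exactly one certificate to fingerprint. The Go program below is an added example, not code from smallstep/cli or smallstep/certificates: it puts a lenient bundle parser (`ParseTrustBundle`) beside a strict single-root parser (`ParseSingleRoot`) so the "contains more than one PEM encoded block" outcome can be reproduced offline. Function names are hypothetical, the certificates are constructed self-signed throwaways, and the fingerprint is assumed to be the hex SHA-256 of the DER encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseTrustBundle accepts one or more CERTIFICATE blocks (the shape of
// /etc/ssl/certs/ca-certificates.crt) and returns a pool usable as
// tls.Config.RootCAs, plus the number of certificates loaded.
func ParseTrustBundle(data []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	n := 0
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other non-certificate blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("parsing certificate %d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, errors.New("no CERTIFICATE blocks found")
	}
	return pool, n, nil
}

// ParseSingleRoot has the stricter contract of a "true root" option: exactly one
// CERTIFICATE block. It returns the certificate and the hex SHA-256 fingerprint
// of its DER bytes (assumed fingerprint format), which is what a token would pin.
func ParseSingleRoot(data []byte) (*x509.Certificate, string, error) {
	block, rest := pem.Decode(data)
	if block == nil {
		return nil, "", errors.New("no PEM block found")
	}
	if next, _ := pem.Decode(rest); next != nil {
		return nil, "", errors.New("contains more than one PEM encoded block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(cert.Raw)
	return cert, hex.EncodeToString(sum[:]), nil
}

// selfSignedPEM builds a throwaway self-signed CA certificate (constructed test data).
func selfSignedPEM(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed stand-ins: a system bundle holding two CAs, and step-ca's single root.
	bundle := append(selfSignedPEM("Public CA (constructed)"), selfSignedPEM("step-ca Root (constructed)")...)
	root := selfSignedPEM("step-ca Root (constructed)")

	if _, n, err := ParseTrustBundle(bundle); err == nil {
		fmt.Printf("trust store: %d certificates loaded\n", n)
	}
	if _, _, err := ParseSingleRoot(bundle); err != nil {
		fmt.Println("same bundle given as the true root:", err) // the second failure in the report
	}
	if _, fp, err := ParseSingleRoot(root); err == nil {
		fmt.Println("step-ca root fingerprint:", fp)
	}
}
```

The split makes the fix the reporter suggests concrete: the HTTP transport takes the pool from `ParseTrustBundle` (so a Let's Encrypt chain in front of the CA verifies), while only the single step-ca root goes through `ParseSingleRoot` for fingerprinting in the token.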