https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# python
s
This message was deleted.
b
I might be able to help! What's up?
m
I have a bit of an involved setup and am suspecting that pkiSecret is truncating the ca_chain
I have an offline Root CA
whereby i generate a signed cert for an online intermediate Vault CA
This is the code for the online intermediate vault CA
Copy code
class OLVaultPKIIntermediateCABackend(ComponentResource):
    """
    PKI Intermediate CA Backend is set to pki-intermediate-ca.

    This should be used to create and configure the intermediate vault pki CA backend
    which is used to sign certificates used by the intermediate PKI's in the different
    environments.

    Offline CA --- pki-intermediate-ca --- sign -----> pki-intermediate-mitx-qa
                                                       pki-intermediate-mitxpro-qa
                                                       pki-intermeidate-...
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateCABackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateCABackend",
            "pki-intermediate-ca",
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_ca_backend = Mount(
            "pki-intermediate-ca",
            opts=resource_options,
            path="pki-intermediate-ca",
            type="pki",
            description="Backend to create certs for pki-intermediate-env backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        self.pki_intermediate_ca_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                "pki-intermediate-ca-set-signed",
                backend=self.pki_intermediate_ca_backend.id,
                #certificate=backend_config.intermediate_ca_cert,
                certificate=backend_config.intermediate_ca_pem_bundle,
            )
        )

        self.pki_intermediate_ca_config_urls = pkisecret.SecretBackendConfigUrls(
            "pki-intermediate-ca-config-url",
            backend=self.pki_intermediate_ca_backend.id,
            crl_distribution_points=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/crl"
            ],
            issuing_certificates=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/ca"
            ],
        )

        self.register_outputs(
            {"pki_intermediate_ca": self.pki_intermediate_ca_backend.id}
        )
Then i create different online vault CA for our specific environments
Here’s the code for that:
Copy code
class OLVaultPKIIntermediateEnvBackendConfig(BaseModel):
    environment_name: Text  # e.g. mitx-qa
    max_ttl: int = TWELVE_MONTHS
    default_ttl: int = TWELVE_MONTHS


class OLVaultPKIIntermediateEnvBackend(ComponentResource):
    """
    Create PKI Intermediate Backends per environment.

    This should be used to create and configure an intermediate vault pki backend
    in the specified environment. The certificate for this backend will be signed
    by the pki-intermediate-ca which in turn is signed by our offline CA.
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateEnvBackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateEnvBackendConfig",
            backend_config.environment_name,
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_environment_backend = Mount(
            f"pki-intermediate-{backend_config.environment_name}",
            opts=resource_options,
            path=f"pki-intermediate-{backend_config.environment_name}",
            type="pki",
            description=f"Backend to create certs for pki-intermediate-{backend_config.environment_name} backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        # Generate CSR for pki-intermediate-{env} backend
        self.pki_intermediate_envrionment_cert_request = pkisecret.SecretBackendIntermediateCertRequest(
            f"pki-intermediate-{backend_config.environment_name}-csr",
            backend=self.pki_intermediate_environment_backend.id,
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            type="internal",
            country=CERTIFICATE_CONFIG["country"],
            province=CERTIFICATE_CONFIG["state"],
            locality=CERTIFICATE_CONFIG["city"],
            organization=CERTIFICATE_CONFIG["organization"],
            ou=CERTIFICATE_CONFIG["organizational_unit"],
            postal_code=CERTIFICATE_CONFIG["zip_code"],
        )

        # Sign genereated CSR for pki-intermediate-{env} backend by pki-intermediate-ca
        self.pki_intermediate_environment_signed_csr = pkisecret.SecretBackendRootSignIntermediate(
            f"pki-intermediate-{backend_config.environment_name}-signed-csr",
            backend="pki-intermediate-ca",
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            csr=self.pki_intermediate_envrionment_cert_request.csr,
        )

        self.pki_intermediate_environment_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                f"pki-intermediate-{backend_config.environment_name}-signed-cert",
                backend=self.pki_intermediate_environment_backend.id,
                certificate=self.pki_intermediate_environment_signed_csr.certificate,
            )
        )

        self.pki_intermediate_environment_config_urls = (
            pkisecret.SecretBackendConfigUrls(
                f"pki-intermediate-{backend_config.environment_name}-config-url",
                backend=self.pki_intermediate_environment_backend.id,
                crl_distribution_points=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/crl"
                ],
                issuing_certificates=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/ca"
                ],
            )
        )

        self.register_outputs({})
The problem is that when i look at the 
ca_chain
on the intermediate environment CA, it only has one cert and not the full chain
the main online intermediate CA does have two certs in the 
ca_chain
So it seems like something’s getting truncated when the intermediate-env-CA is generating its csr and getting it signed by the main intermediate CA
In short, 
intermediate-ca
has two certs in its 
ca_chain
and the 
intermediate-env-ca
which is signed by the intermediate-ca only has one cert in its ca_chain
b
ha, you weren't kidding about involved! if you look at the vault certs directly, is that still the case? The Vault provider is just calling the API endpoint, so I'd start with looking it up in vault directly
m
Yeah looking at vault directly shows me that i’m missing a cert in the chain. I tried running the commands on vault directly and it worked just fine. It’s only when i run things through Pulumi is when i noticed the missing cert in the chain
My sense and i can’t really prove thus far is that the response from the intermediate-ca to the csr request is getting truncated for some reason by Pulumi
this one here - certificate
Tried looking at the pulumi vault library but it’s using tfgen and so not very clear how best to debug this
b
pulumi's vault provider uses the terraform provider under the hood, so you may want to go spelunking in the tf issues
m
Yeah figured as much. Was just hoping that i’m missing something simple but doesn’t sound like it
b
sorry I couldn't be more help!
m
No worries. Thanks for taking a glance at it
5 Views
Open in Slack
PreviousNext
Powered by