-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CRL returns empty for vault versions >= 1.11.0 #20137
Comments
@flassman Can you share your list of issuers, your CRL config, and your list of keys? It'd be good to know if the issuers include Re: API LIST on |
list of issuers
CRL config
list of keys
Do issuers have key_id values in included in their entries as well?
Should the crl_distribution_points list have some entry here? In the vault UI we have a URL for "CRL Distribution Points" in the Configure PKI -> URLs tab. What happens if you attempt to manually rebuild the CRL?
But it does not fix the issue. What I wonder is why the rotate does not print a single log entry, even with DEBUG enabled. As for API LIST on my-pki/certs/revoked, I wonder why this is exposed in the API explorer if the endpoint was only added on 1.13? But anyway, I don't care about that one. |
A guess... maybe if you've been rapidly upgrading/downgrading versions, your browser had cached parts of the API explorer? |
It appears your issuer is configured without Can you share your CA certificate, or just the value of its Extended Key Usage X509v3 extension? I'm wondering whether it isn't set up to permit CRL signing. |
these are our X509v3 extensions:
so we do not explicitly permit CRL signing, but according to what I found here all usages should be allowed if no keyUsage extension is present:
|
That's a good point... all of the
style tests in the Vault PKI secrets engine will operate incorrectly with such a certificate. |
Interesting, great investigation @maxb and @flassman. Note that this is the same check as in Go: https://github.com/golang/go/blob/0853f8caec60f59df234c287be7f5971ab62133f/src/crypto/x509/x509.go#L2299 So while we could enable this ourselves, we'd need another bug report against Go as well before this will actually function, as otherwise you'd hit that error while building the CRL. :-) Interestingly, the RFC is less clear than that RH link as it doesn't explicitly describe the behavior when missing:
i.e., CA certs must include this, with the possible exception of a root CA. I do not see the subquotes Given this so far, unless we can find a more authoritative source and/or show OpenSSL and NSS both conform to RH's reading of this spec, I'm inclined to believe Go will reject our attempt to weaken restrictions on CRL building. |
The oldest incarnation of that RFC, from 1999, lacks the requirement to include a key usage extension... however it was added in the 2002 incarnation, so there's an argument that by now, Go is being reasonable to enforce the requirement. I guess the short term questions are now:
|
Aha... the answer is that Vault 1.10 used a different legacy Go API that did not enforce that standard, which was deprecated by golang/go@5d47f87 So, as a side-effect of migrating to more modern underlying Go libraries, with other fixes, Vault >= 1.11 now no longer supports CRL generation for CAs without a modern compliant Key Usage extension. |
Regarding the first bullet point, we could and should definitely add a log message here. We cannot err (in general -- we can and do from the config setting) for two reasons:
As it is now, we don't build one CRL as it lacks a crlSigning extension, but if you had another (valid) CA, you could successfully build its CRLs. @maxb said:
Yes, this is a valid read and matches my understanding. I believe this was communicated in the CL at the time, as it also fixed a bug around CRL issuer name building when we upgraded to a newer Go version (#10550). AFAIK, it is impossible to trigger this behavior with Vault-generated CAs; this behavior would strictly be from an imported CA. We could potentially err on this import on newer versions of Vault, but note that signing is not affected, only CRL generation (including external CRL generation capabilities -- since the key material was already outside of Vault though, you could manually maintain an external CRL without calling into Vault for the signing operation). I think erring on 1.10->1.11+ migration would be a step too far though. It is not immediately clear if clients will reject this CRL though. @flassman One workaround could be to re-generate this CA (with same key material) and the new KU extension; if it is a root CA, you can import it into Vault and set it as non-default as long as you had the same SKID/AKID/Subject: your issuance would use the old root (might need a |
Turns out to be because this is a "do this for all issuers" operation, and it is "successfully" building no CRL at all, having reviewed all issuers and determined none of them have CRL signing turned on as a usage.
Another option to consider, would be to change the current rather bare bones response from the
to give a bit more information about what happened - and possibly a warning if no CRL was actually built. |
Thanks to you all for your fast answers and clear analysis of my issue! |
@maxb Aha, past me had the same comment on Slack:
And then:
Notably, the latest ITU X.509 specification on printed page 73/pdf page 83 still includes this language. So I think we do have justification to go back to Go and get them to loosen the check. |
I've filed golang/go#59669 to discuss this with Go -- we've come up with a workaround (also mentioned in golang/go#49414) that we could assert We're still discussing the short-term workarounds we'd like to do in the mean time, however. |
When an entire issuer equivalency class is missing CRL signing usage (but otherwise has key material present), we should add a warning so operators can either correct this issuer or create an equivalent version with KU specified. Resolves: #20137 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
…suer equivalency sets (#20253) * Add infrastructure for warnings on CRL rebuilds Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add warning on issuer missing KU for CRL Signing When an entire issuer equivalency class is missing CRL signing usage (but otherwise has key material present), we should add a warning so operators can either correct this issuer or create an equivalent version with KU specified. Resolves: #20137 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add tests for issuer warnings Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix return order of CRL builders Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Describe the bug
After upgrading from 1.5.4 to 1.13.1 we found that querying any CRL with curl (like from https://vault.example.com/v1/my-pki/crl/pem) returns empty, status code 204.
Trying different vault versions it turned out that it works up to 1.10.11 and starts to fail with 1.11.0
In the pod log there is this warning for each such query:
Not sure if it is related: an API LIST on my-pki/certs/revoked also returns nothing for 1.11.x and 1.12.x but it works for 1.13.1 (where the CRL query still returns 204)
To Reproduce
I fear this can only reproduced with my vault data/config?!
Expected behavior
Obviously I want to get the CRL containing the revoked certificates (or an empty CRL) just as with vault <= 1.10.11
Environment:
vault status
): 1.11.0vault version
): 1.11.0.0
Vault server configuration file(s):
Additional context
Happy to help debug this, let me know if you need more information.
The text was updated successfully, but these errors were encountered: