Venafi
Repeated certificate requests fail when using Digicert (maybe other CAs too)
PROBLEM SUMMARY
For a single given common name, and using a Digicert CA on TLSPC, only the very first call to conn.request_cert(request, zone) succeeds. All subsequent attempts will fail before the SDK reaches the end of its procedure.
STEPS TO REPRODUCE
- Use TLSPC with a configured Digicert CA named
Digicert Test Account APM(change code for alternate Digicert CA as appropriate) -
venafidemo.comshould be a known/proven domain name in the Digicert account (change code for alternate domain name as appropriate) - Run the following code:
requirements.txt
vcert==0.16.0
main.py
import os
from datetime import datetime
from vcert import (CertificateRequest, venafi_connection, CSR_ORIGIN_SERVICE)
from vcert.policy.policy_spec import (PolicySpecification, Policy, Defaults)
def main():
# set up vars/params
api_key = os.environ.get('TLSPCAPIKey')
tlspc_ca = 'Digicert Test Account APM' # ... or similar DIGICERT CA in TLSPC
cert_auth = f'DIGICERT\\{tlspc_ca}\\ssl_cloud_wildcard'
max_valid_days = 90
zone = 'venafidemo-bugtest-app\\venafidemo-bugtest-cit'
domain = 'venafidemo.com' # use a domain known to you your Digicert account
timestamp = datetime.now().now().strftime("%Y%m%d%H%M%S") # using a timestamp ensures Digicert has never before seen this CN
common_name = f'www{timestamp}.{domain}'
passphrase = 'Password123!'
# build connection
conn = venafi_connection(api_key=api_key)
# build policy (immutable code)
policy_spec = PolicySpecification()
policy_spec.policy = Policy(
cert_auth = cert_auth,
max_valid_days = max_valid_days,
domains = [domain]
)
policy_spec.defaults = Defaults()
conn.set_policy(zone, policy_spec)
# build 1st request
print(f'1st request for {common_name} ...')
request = CertificateRequest(common_name=common_name)
request.csr_origin = CSR_ORIGIN_SERVICE
request.key_password = passphrase
conn.request_cert(request, zone)
# GOOD - FIRST CALL WORKS
# build 2nd request
print(f'2nd request for {common_name} ...')
request2 = CertificateRequest(common_name=common_name)
request2.csr_origin = CSR_ORIGIN_SERVICE
request2.key_password = passphrase
conn.request_cert(request2, zone)
# BANG!
# SECOND CALL blows up on cloud_connection.py (line 406) with IndexError: list index out of range
# line 406 as follows:
# request.cert_guid = data['certificateRequests'][0]['certificateIds'][0]
if __name__ == '__main__':
main()
EXPECTED RESULTS Expect the SECOND call to work as per the FIRST.
ACTUAL RESULTS As described above
ENVIRONMENT DETAILS As described above
COMMENTS/WORKAROUNDS It would appear that the VCert CLI does not fail in the same way, which may indicate that the Golang code does not exhibit this bug. FWIW it would appear that subsequent calls do succeed from the POV of both Digicert and TLSPC. That is to say repeat certificates are visible in these systems. However the format of the TLSPC response to the client must be different from the first call and incompatible with the current SDK code, which causes the error. There is currently no workaround.
Latest thinking is that this behaviour is better classified as intermittent. Investigations are ongoing by submitter.
FWIW a fix was applied to a copy of this source code over at https://github.com/paulternate/cf-venafi-automation/commit/d26da136117c812cec45a5697c57ede329102a22. Anticipating this change can be folded back in here when this issue is addressed.
@amcginlay If you already have a workaround in a fork. Would you mind sending a PR to this repo? We can review it and merge it to address this issue on next release.
