Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

step-issuer failing to connect to step-certificates using JWK #107

Open
yggur-au opened this issue Aug 15, 2023 · 1 comment
Open

step-issuer failing to connect to step-certificates using JWK #107

yggur-au opened this issue Aug 15, 2023 · 1 comment
Assignees

Comments

@yggur-au
Copy link

yggur-au commented Aug 15, 2023

step-issuer.values.txt
Hi team,
I am attempting to deploy (via the smallstep Helm chart) an instance of step-issuer on AKS. The cluster is running:

  • Kernel version: 1.27.1
  • step-certificates: v0.24.2 (also deployed via the smallstep Helm chart)
  • step-issuer: v0.7.0

I am receiving the following error when deploying the step-issuer instance:
{"level":"error","ts":"2023-08-15T04:51:40Z","logger":"controllers.StepClusterIssuer","msg":"failed to initialize provisioner","stepclusterissuer":"/ecdsa-aks-step-issuer","error":"error parsing provisioner encrypted key: square/go-jose: compact JWE format must have five parts","errorVerbose":"square/go-jose: compact JWE format must have five parts\nerror parsing provisioner encrypted key\ngithub.com/smallstep/certificates/ca.decryptProvisionerJWK\n\t/go/pkg/mod/github.com/smallstep/[email protected]/ca/provisioner.go:158\ngithub.com/smallstep/certificates/ca.loadProvisionerJWKByKid\n\t/go/pkg/mod/github.com/smallstep/[email protected]/ca/provisioner.go:179\ngithub.com/smallstep/certificates/ca.NewProvisioner\n\t/go/pkg/mod/github.com/smallstep/[email protected]/ca/provisioner.go:54\ngithub.com/smallstep/step-issuer/provisioners.NewFromStepClusterIssuer\n\t/src/provisioners/step.go:61\ngithub.com/smallstep/step-issuer/controllers.(*StepClusterIssuerReconciler).Reconcile\n\t/src/controllers/stepclusterissuer_controller.go:91\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","stacktrace":"github.com/smallstep/step-issuer/controllers.(*StepClusterIssuerReconciler).Reconcile\n\t/src/controllers/stepclusterissuer_controller.go:93\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235"}

The YAML config for the deployment is attached as "step-issuer.values.txt".
It seems like the StepClusterIssuer information is incomplete (or wrong), but the Step-Certificates instance is issuing certificates correctly.

@maraino
Copy link
Collaborator

maraino commented Sep 1, 2023

From the error, it looks like the provisioner JWK provisioner with kid B5MjjDUqy64XitU1lEQ06WEt4UL2H1VZi-_UpYybB58 doesn't have a valid encryptedKey value. At least that's my guess seeing this error compact JWE format must have five parts. That encryptedKey is generally in the ca.json, although it can be stored in a database if step-ca is configured with it.

You can get the encryptedKey value using step ca provisioner list, and you can make sure it is properly formatted if you see a private key in JWK format when you type:

echo <encyrptedKey> | step crypto jwe decrypt

Using the password from the secret ecdsa-iss-step-certificates-provisioner-password.password.

PS: kid, if provided, is used by default instead of the name aksissuer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants