AWS CLI v2 - Cannot import certificate, certificate chain base64 not accepted, but valid #4978

Closed
NicolaivdSmagt opened this issue Feb 19, 2020 · 5 comments

@NicolaivdSmagt

While trying to import a certificate to ACM using CLI v2, I get an error that my certificate chain contains invalid base64:

[nicolai@bastion client-vpn]$ aws --version
aws-cli/2.0.0 Python/3.7.3 Linux/4.14.152-127.182.amzn2.x86_64 botocore/2.0.0dev4
[nicolai@bastion client-vpn]$ aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region eu-west-1
Invalid base64: "-----BEGIN PRIVATE KEY-----
[BASE64-ENCODED PRIVATE KEY DISPLAYED HERE]
-----END PRIVATE KEY-----
"

However, importing the same ca.crt works fine with CLI v1:

[nicolai@bastion client-vpn]$ /usr/bin/aws --version
aws-cli/1.16.300 Python/2.7.16 Linux/4.14.152-127.182.amzn2.x86_64 botocore/1.13.36
[nicolai@bastion client-vpn]$ /usr/bin/aws acm import-certificate --certificate file://server.crt --private-key file://server.key --certificate-chain file://ca.crt --region eu-west-1
{
    "CertificateArn": "arn:aws:acm:eu-west-1:811065773072:certificate/f0ade5e2-902c-41f1-9653-ba4153f8e5ef"
}

ca.crt has been created using the latest easy-rsa from GitHub, on AL2.

@pjaol

pjaol commented Feb 19, 2020

Ditto, it looks like a Python base64.py issue

  File "awscli/customizations/binaryformat.py", line 59, in _visit_scalar
  File "base64.py", line 87, in b64decode
binascii.Error: Incorrect padding

@pjaol

pjaol commented Feb 19, 2020

Created a pull request #4981 - seems to work based on this gist
https://gist.github.com/perrygeo/ee7c65bb1541ff6ac770

@KaibaLopez KaibaLopez self-assigned this Feb 21, 2020
@KaibaLopez KaibaLopez added the bug This issue is a bug. label Feb 21, 2020
@stealthycoin
Contributor

This is due to how cli v2 changed processing binary inputs to support round tripping values by default. You can read about the change here: https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam and either update to using fileb:// instead, or revert to the previous behavior with the configuration option.

@stealthycoin stealthycoin added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed bug This issue is a bug. labels Feb 27, 2020
likeshumidity added a commit to likeshumidity/aws-client-vpn-administrator-guide that referenced this issue Mar 9, 2020
cloud-construct pushed a commit to cloud-construct/aws-client-vpn-administrator-guide that referenced this issue May 22, 2020
anjo-swe added a commit to anjo-swe/aws-certificate-user-guide that referenced this issue Aug 20, 2020
mehulved pushed a commit to mehulved/aws-clientvpn-helper that referenced this issue Jun 5, 2023
Fix for AWS CLI v2 to handle bug aws/aws-cli#4978
@rajancstack

is this fixed, coz i'm still getting this error!

@caretak3r

> is this fixed, coz i'm still getting this error!

Upload the certificate to AWS ACM

aws acm import-certificate --certificate fileb://certificate.pem --private-key fileb://privatekey.pem --certificate-chain fileb://chain.pem --profile default --region us-west-2
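
An added example, not part of the thread and not AWS CLI source: a simplified Python model of the behaviour stealthycoin describes, showing why a PEM read through file:// is rejected under the v2 default while fileb://, the raw-in-base64-out setting, or a base64-encoded copy of the file all deliver the same bytes. `resolve_blob`, `demo` and `SAMPLE_PEM` are hypothetical names; the `cli_binary_format` values `base64` and `raw-in-base64-out` are taken from the CLI documentation linked above.

```python
import base64
import binascii
import os
import tempfile

# Constructed sample: PEM-shaped placeholder text, not a real key.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              "Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=\n"
              "-----END PRIVATE KEY-----\n")


def resolve_blob(name, value, binary_format="base64"):
    """Bytes a blob parameter would carry under the rules described above.
    fileb://path -> raw file bytes, regardless of binary_format
    file://path  -> file text: base64-decoded when binary_format is "base64"
                    (v2 default), sent unchanged for "raw-in-base64-out"
    """
    if value.startswith("fileb://"):
        with open(value[len("fileb://"):], "rb") as fh:
            return fh.read()
    with open(value[len("file://"):], "r", newline="") as fh:
        text = fh.read()
    if binary_format == "raw-in-base64-out":
        return text.encode()
    try:
        # validate=True is stricter than the b64decode call in the traceback
        return base64.b64decode(text.strip(), validate=True)
    except binascii.Error:
        # Report the parameter name only, never the file content (key material).
        raise ValueError(f"{name}: not base64, use fileb:// for PEM") from None


def demo():
    """Run the four cases against temp files built from SAMPLE_PEM."""
    with tempfile.TemporaryDirectory() as d:
        pem, b64 = os.path.join(d, "server.key"), os.path.join(d, "server.b64")
        with open(pem, "w", newline="") as fh:
            fh.write(SAMPLE_PEM)
        with open(b64, "w") as fh:
            fh.write(base64.b64encode(SAMPLE_PEM.encode()).decode())
        out = {"fileb": resolve_blob("--private-key", "fileb://" + pem),
               "file_raw": resolve_blob("--private-key", "file://" + pem,
                                        "raw-in-base64-out"),
               "file_b64": resolve_blob("--private-key", "file://" + b64)}
        try:
            resolve_blob("--private-key", "file://" + pem)
        except ValueError as exc:
            out["file_default"] = str(exc)
        return out
```

Unlike the error output quoted at the top of the issue, the model's error names only the parameter, so key material does not end up in a terminal scrollback or CI log.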
