Max attempts error in "certificate_issued" waiter #3221

Closed
Dans-Merino opened this issue Jul 17, 2024 · 3 comments
Labels: bug, closed-for-staleness, p0, waiter

Dans-Merino commented Jul 17, 2024

Describe the bug

After upgrading to version 1.34.144, when creating a certificate from a certificate authority, the waiter "certificate_issued" has started raising a WaiterError when it didn't before.

Expected Behavior

When the certificate is issued, the waiter should end correctly.

Current Behavior

The following code was working on previous versions.

aws_client.get_acm_pca("eu-west-1").get_waiter("certificate_issued").wait(
    CertificateAuthorityArn=cert_auth["Arn"],
    CertificateArn=certificate["CertificateArn"]
)

Now it returns this error:

  File "/app/botocore/waiter.py", line 55, in wait
    Waiter.wait(self, **kwargs)
  File "/app/botocore/waiter.py", line 388, in wait
    raise WaiterError(

botocore.exceptions.WaiterError: Waiter CertificateIssued failed: Max attempts exceeded. 

After testing that the certificate was actually issued even if the waiter failed, I checked the changes of this version and noticed that the success acceptor of the waiter has changed the matcher. My guess is that this is creating the error.

When we run this updated code with the try clause, we can see the error, but the call to get_certificate returns the issued certificate correctly, which means the waiter is not working properly.

    from botocore.exceptions import WaiterError

    try:
        aws_client.get_acm_pca("eu-west-1").get_waiter("certificate_issued").wait(
            CertificateAuthorityArn=cert_auth["Arn"],
            CertificateArn=certificate["CertificateArn"]
        )
    except WaiterError as e:
        print("ERROR!")
        # The waiter gave up, yet fetching the certificate directly succeeds.
        result = aws_client.get_acm_pca(region). \
            get_certificate(CertificateAuthorityArn=cert_auth["Arn"],
                            CertificateArn=certificate["CertificateArn"])
        print(result)

Incrementing the delay or the maxattempts variables does not change the behavior.

Reproduction Steps

from datetime import datetime

import boto3

# AWS credentials
access_key_id = 'access_key_here'
secret_access_key = 'secret_key_here'
aws_session_token = 'session_token_here'
region = 'region_here'
ca_name = 'ca_name_here'
csr = 'csr_here'

session = boto3.Session(
    aws_access_key_id=access_key_id,
    aws_secret_access_key=secret_access_key,
    aws_session_token=aws_session_token  # defined above; required for temporary credentials
)
client = session.client('acm-pca', region_name=region)


def _get_all():
    cert_auth_list_result = client.list_certificate_authorities()
    cert_auth_list = cert_auth_list_result["CertificateAuthorities"]
    while "NextToken" in cert_auth_list_result:
        token = cert_auth_list_result["NextToken"]
        cert_auth_list_result = client.list_certificate_authorities(NextToken=token)
        cert_auth_list += cert_auth_list_result["CertificateAuthorities"]
    return cert_auth_list


# Select the CA whose subject common name matches ca_name.
cert_auth = [cert_auth
             for cert_auth in _get_all()
             if cert_auth["CertificateAuthorityConfiguration"]["Subject"]["CommonName"] == ca_name][0]

validity_until = cert_auth["NotAfter"]
template_arn = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
now = datetime.now(tz=validity_until.tzinfo)
remaining_days = (validity_until - now).days
certificate = client.issue_certificate(
    CertificateAuthorityArn=cert_auth["Arn"],
    Csr=bytes(csr, encoding="utf-8"),
    SigningAlgorithm="SHA256WITHRSA",
    TemplateArn=template_arn,
    Validity={
        "Value": remaining_days - 1,
        "Type": "DAYS"
    }
)

client.get_waiter("certificate_issued").wait(
    CertificateAuthorityArn=cert_auth["Arn"],
    CertificateArn=certificate["CertificateArn"]
)

Possible Solution

Revert to previous matcher behavior

{
    "state": "success",
    "matcher": "status",
    "expected": 200
},

Additional Information/Context

No response

SDK version used

1.34.144

Environment details (OS name and version, etc.)

Ubuntu 20.04

@dmacas066

Commenting to watch; we are seeing this issue in our environment as well after a version update to 1.34.144.

tim-finnigan commented Jul 17, 2024

It looks like this is the related release note:

* api-change:``acm-pca``: Minor refactoring of C2J model for AWS Private CA

Here is a link to the Waiter model. I think the issue is with "expected": 200 changing to "expected" : false.

UPDATE: the fix should be available in the near future, here is a link to the fix: #3220. In the meantime you can downgrade if necessary to avoid this issue.

@tim-finnigan

This issue should now be fixed in version 1.34.145. Please update to that version or above and let us know if you are still running into any issues.
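
A waiter-independent way to confirm issuance, following the reporter's observation that get_certificate returns the certificate while the waiter times out. This is an added example, not code from the issue or from botocore; `wait_for_certificate`, `CertificateNotIssued`, `FakePcaClient` and the default `delay`/`max_attempts` values are hypothetical names and settings.

```python
import time


class CertificateNotIssued(Exception):
    """Certificate was not issued within the polling budget."""


def _error_code(exc):
    # botocore's ClientError exposes the service error code in exc.response.
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def wait_for_certificate(client, ca_arn, cert_arn, delay=3, max_attempts=60,
                         sleep=time.sleep):
    """Poll GetCertificate directly; return the certificate PEM once issued.

    Only RequestInProgressException is retried. Any other error (for example
    RequestFailedException) propagates, so a failed issuance fails closed.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            response = client.get_certificate(
                CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)
        except Exception as exc:
            if _error_code(exc) != "RequestInProgressException":
                raise
        else:
            return response["Certificate"]
        if attempt < max_attempts:
            sleep(delay)
    raise CertificateNotIssued(f"{cert_arn}: not issued after {max_attempts} polls")


class FakePcaClient:
    """Constructed stand-in for the acm-pca client, used to run this offline."""

    def __init__(self, pending_polls=2, code="RequestInProgressException"):
        self.calls, self.pending_polls, self.code = 0, pending_polls, code

    def get_certificate(self, CertificateAuthorityArn, CertificateArn):
        self.calls += 1
        if self.calls <= self.pending_polls:
            err = Exception(self.code)
            err.response = {"Error": {"Code": self.code}}  # ClientError shape
            raise err
        return {"Certificate": "-----BEGIN CERTIFICATE-----\n(constructed)"}
```

With a real client, pass the `acm-pca` client from the reproduction script in place of `FakePcaClient`.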
