
invalid key with azurerm_key_vault_certificate_data #17752

Open
kraduk opened this issue Jul 25, 2022 · 5 comments
Comments


kraduk commented Jul 25, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v1.2.4

AzureRM Provider Version

v3.15.0

Affected Resource(s)/Data Source(s)

data.azurerm_key_vault_certificate_data

Terraform Configuration Files

data "azurerm_key_vault" "main" {
  name                = var.kv.name
  resource_group_name = var.kv.rg
}


data "azurerm_key_vault_certificate_data" "main" {
  name         = "XXX"
  key_vault_id = data.azurerm_key_vault.main.id
}

resource "local_file" "key" {
  content  = data.azurerm_key_vault_certificate_data.main.key
  filename = "/tmp/key"
}

resource "local_file" "crt" {
  content  = data.azurerm_key_vault_certificate_data.main.pem
  filename = "/tmp/crt"
}

Debug Output/Panic Output

NA

Expected Behaviour

produce a pem format cert file and private key

Actual Behaviour

Looks like it's worked; however, the private key errors and says the key doesn't match the cert when trying to import it into a number of things (apache2.4, traefik).

The cert is correct.

If I manually download via the Azure portal and decode the PFX to PEM format, I get a different private key in the resulting file! (first block)

e.g.
openssl pkcs12 -in sample.pfx -out file.pem -nodes

The certs were created by acmebot-keyvault, which uses the KV to generate the key, then uses the resulting CSR with Let's Encrypt.

Manually downloading the key and cert and using that works, just not when I pull it all via the Terraform data source.

Steps to Reproduce

No response

Important Factoids

acmebot-keyvault cert generation

References

No response

@kraduk kraduk added the bug label Jul 25, 2022
@github-actions github-actions bot removed the bug label Jul 25, 2022
magodo (Collaborator) commented Jul 26, 2022

@kraduk Have you verified that the downloaded certificate matches what the data source returns? If so, then it indicates the provider is working as expected. Regarding why the key embedded in the certificate is not the one you expected, this sounds related to how you use acmebot-keyvault to generate the KV certificate?

kraduk (Author) commented Jul 26, 2022

As stated, I download the secret via the following (throwaway cert):

# az keyvault secret download --file test2.pfx --name ipam --vault-name some-vault --encoding base64
# openssl pkcs12 -in test2.pfx -nodes -nocerts -out priv.key -password pass:""
# tail -3 /tmp/key
2baXRXygCalh15aEEH+IS6ChQy3KJ8MnxKU767aRWXAWIhDO7La3+znACd+1BqLN
V9Wz11j5PbWcXXKCcOUmkd/VH38b7K+vwcBhjZ0GABTJiqyMnY7Y
-----END RSA PRIVATE KEY-----
# tail -3 priv.key
1JiN5uPnjNs64CjOeekmzjFHGhxS+YagppaR6KH047Lo4DPKBPcUFy5+9UVCFMg/
ZAaARDIj2QFj+Iff0STKp6uR
-----END PRIVATE KEY-----
# file test2.pfx 
test2.pfx: data
# 
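Added example, not code from the issue or from the provider: the two `tail` outputs above end in `-----END RSA PRIVATE KEY-----` (PKCS#1, the container the data source's `key` attribute returns) and `-----END PRIVATE KEY-----` (PKCS#8, the container `openssl pkcs12 -nodes` writes). PKCS#8 wraps the PKCS#1 structure in an outer sequence with an algorithm identifier, so the base64 text and its line breaks differ between the two containers even when the key inside is one and the same, and eyeballing the last lines cannot tell "different encoding" from "different key". The Go program below settles that by fingerprinting the public key each PEM block carries, and does the same for a certificate, which also answers whether a key and cert belong together. Everything it works on is constructed in memory with Go's standard library: a freshly generated RSA key written both ways, a self-signed certificate for it (CN `demo.example.test`, a placeholder) and an unrelated key; none of it comes from Key Vault.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pubKeyFingerprint hashes the DER public key inside a PEM block: a PKCS#1 key
// ("RSA PRIVATE KEY", as the data source's key attribute returned above), a PKCS#8
// key ("PRIVATE KEY", as openssl pkcs12 -nodes writes) or a certificate. The same
// key fingerprints identically in every container, so comparison is a string check.
func pubKeyFingerprint(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block in input")
	}
	var pub crypto.PublicKey
	switch block.Type {
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
		pub = k.Public()
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		s, ok := k.(crypto.Signer) // RSA, ECDSA and Ed25519 keys all implement Signer
		if err != nil || !ok {
			return "", fmt.Errorf("unusable PKCS#8 key: %v", err)
		}
		pub = s.Public()
	case "CERTIFICATE":
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		pub = c.PublicKey
	default:
		return "", fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// demoInputs builds constructed test data in memory (not a Key Vault certificate):
// one RSA key written as PKCS#1 and as PKCS#8, a self-signed certificate for that
// key, and an unrelated PKCS#1 key that should match nothing.
func demoInputs() (pkcs1, pkcs8, certPEM, otherPKCS1 []byte) {
	key, other := mustKey(), mustKey()
	p8, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo.example.test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return toPEM("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key)), toPEM("PRIVATE KEY", p8),
		toPEM("CERTIFICATE", der), toPEM("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(other))
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func toPEM(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

func main() {
	pkcs1, pkcs8, certPEM, other := demoInputs()
	for _, in := range [][]byte{pkcs1, pkcs8, certPEM, other} {
		fp, err := pubKeyFingerprint(in)
		fmt.Println(fp, err) // the first three lines are identical; the unrelated key differs
	}
}
```

To apply this to the files from the session above, read `/tmp/key`, `priv.key` and the certificate PEM and compare their fingerprints: identical values mean the data source and the portal download gave the same key in different containers, and a key whose fingerprint differs from the certificate's is the one a server will reject.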

JRolfe-Gen commented Nov 7, 2022

I have this same issue. There are two issues that I see.

  1. When I read in the certificate that is stored as PKCS12 in the keyvault (using azurerm_key_vault_certificate_data), the certificate chain is returned in the wrong order (root, int, server); it should be server, int, root when using PEM format.
  2. When using PEM format, most servers cannot use the private key in PKCS1 (primarily RSA) and need the key in PKCS8.

When I built the environment, AppGW required the certificate stored in PKCS12; I need the certificate in other formats as well, though. If you could reorder the cert properly and output the key in another format, that would make this very easy.
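Added example, not code from the issue or from the provider: a PEM bundle in the order described above (root, intermediate, leaf) can be put back into server order without knowing anything about the certificates in advance, because the leaf is the one certificate that issued nothing else in the bundle and every other certificate is the issuer of the one before it. The Go program below does that with the standard library only, verifying each issuer relationship with `CheckSignatureFrom` rather than trusting subject and issuer names. The three-tier chain it reorders is generated in memory as constructed test data (the CNs `demo root`, `demo intermediate` and `demo.example.test` are placeholders), not a certificate from Key Vault, and its `issue` helper exists only to build that test chain.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// leafFirst reorders a PEM certificate bundle to leaf, intermediate(s), root. The
// leaf is the certificate that issued no other certificate in the bundle; each
// following certificate is the issuer of the one before it. Non-certificate blocks
// (such as a private key) and certificates outside that chain are dropped.
func leafFirst(bundlePEM []byte) ([]byte, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundlePEM); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	// issuerOf finds the bundle certificate that signed c; a self-signed root is not
	// treated as its own issuer. CheckSignatureFrom also enforces the CA constraints.
	issuerOf := func(c *x509.Certificate) *x509.Certificate {
		for _, p := range certs {
			if !bytes.Equal(p.Raw, c.Raw) && c.CheckSignatureFrom(p) == nil {
				return p
			}
		}
		return nil
	}
	issuers := map[*x509.Certificate]bool{}
	for _, c := range certs {
		issuers[issuerOf(c)] = true
	}
	for _, c := range certs {
		if issuers[c] {
			continue // c signed something, so it is not the leaf
		}
		var out []byte
		for cur := c; cur != nil; cur = issuerOf(cur) {
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cur.Raw})...)
		}
		return out, nil
	}
	return nil, errors.New("no leaf certificate found in bundle")
}

// issue generates a 2048-bit RSA key and signs a minimal certificate for it with
// parentKey; parent == nil makes it self-signed. Test-data helper, not production code.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, // KeyUsage left unset; IsCA alone gates issuing here
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return c, key
}

// demoBundle constructs a throwaway root -> intermediate -> leaf chain in memory and
// returns each PEM plus the bundle in the root-first order the issue reports.
func demoBundle() (leafPEM, intPEM, rootPEM, rootFirst []byte) {
	certPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	root, rootKey := issue("demo root", true, nil, nil)
	inter, intKey := issue("demo intermediate", true, root, rootKey)
	leaf, _ := issue("demo.example.test", false, inter, intKey)
	leafPEM, intPEM, rootPEM = certPEM(leaf), certPEM(inter), certPEM(root)
	return leafPEM, intPEM, rootPEM, bytes.Join([][]byte{rootPEM, intPEM, leafPEM}, nil)
}

func main() {
	leafPEM, _, _, rootFirst := demoBundle()
	fixed, err := leafFirst(rootFirst)
	fmt.Println(bytes.HasPrefix(fixed, leafPEM), err) // true <nil>: the leaf now comes first
}
```

Because the walk starts from the only certificate that issued nothing, the function also leaves an already correct bundle unchanged and ignores a private-key block that `openssl pkcs12 -nodes` may have left in the same file. For the second point in the comment above, a PKCS#1 key converts to PKCS#8 with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem` (or `x509.MarshalPKCS8PrivateKey` in Go); the example leaves keys alone.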

JRolfe-Gen commented
Can this be updated to bug due to certificate returned in wrong order?

kraduk (Author) commented Jan 25, 2023

Still no movement on this?

@magodo magodo added bug and removed question labels Jan 28, 2023