
Signing the X509 CA certificate does not work on Debian 8 #27326

Closed
x12a1f opened this issue Sep 23, 2015 · 18 comments
Labels
Bug (broken, incorrect, or confusing behavior)
P2 (Priority 2)
Platform (relates to OS, containers, platform-based utilities like FS, system-based apps)
severity-medium (3rd level: incorrect or bad functionality, confusing and lacks a workaround)
State-Module
Comments

@x12a1f

x12a1f commented Sep 23, 2015

I've copied the sample from https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html but it does not work and I get this error:

         ID: /etc/pki/ca.crt
    Function: x509.certificate_managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/dist-packages/salt/state.py", line 1591, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/dist-packages/salt/states/x509.py", line 413, in certificate_managed
                  new = __salt__['x509.create_certificate'](testrun=True, **kwargs)
                File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 1186, in create_certificate
                  cert_props = read_certificate(cert)
                File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 452, in read_certificate
                  'Public Key': get_public_key(cert.as_pem())
                File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 576, in get_public_key
                  cert = M2Crypto.X509.load_cert_string(text)
                File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 655, in load_cert_string
                  return load_cert_bio(bio, format)
                File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 639, in load_cert_bio
                  raise X509Error(Err.get_error())
              X509Error: 140280410953472:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:303:
              140280410953472:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=algorithm, Type=X509_ALGOR
              140280410953472:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=signature, Type=X509_CINF
              140280410953472:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:769:Field=cert_info, Type=X509
              140280410953472:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
     Started: 06:29:09.219974
    Duration: 66.959 ms
     Changes:   

It is a fresh Debian 8.2 install with salt installed from repo.saltstack.com

Salt Version:
           Salt: 2015.8.0

Dependency Versions:
         Jinja2: 2.7.3
       M2Crypto: 0.21.1
           Mako: 1.0.0
         PyYAML: 3.11
          PyZMQ: 14.4.0
         Python: 2.7.9 (default, Mar  1 2015, 12:57:24)
           RAET: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5
           cffi: 0.8.6
       cherrypy: Not Installed
       dateutil: 2.2
          gitdb: 0.5.4
      gitpython: Not Installed
          ioflo: Not Installed
        libnacl: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.2
   mysql-python: Not Installed
      pycparser: 2.10
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: 0.8.2
        timelib: Not Installed

System Versions:
           dist: debian 8.2 
        machine: x86_64
        release: 3.16.0-4-amd64
         system: debian 8.2 

The only states I have are:

top.sls

base:
  '*':
    - ca

ca.sls

/etc/pki:
  file.directory: []

/etc/pki/ca.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - file: /etc/pki

/etc/pki/ca.crt:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/ca.key
    - CN: ca.example.com
    - C: US
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
    - require:
      - x509: /etc/pki/ca.key

What is wrong?

@jfindlay jfindlay added the State-Module, Bug, severity-medium, P2 and Platform labels Sep 23, 2015
@jfindlay jfindlay added this to the Approved milestone Sep 23, 2015
@jfindlay
Contributor

@ralphvanetten, thanks for reporting this issue. This looks like a bug to me.

@x12a1f
Author

x12a1f commented Sep 26, 2015

Does anyone know a workaround, or at least can tell me what the error message means?
I would really like to use this, so if there is a workaround it would be great.

Thanks.

@jfindlay
Contributor

Ping @clinta.

@clinta
Contributor

clinta commented Sep 28, 2015

I'm checking this out now. I've not seen this before, but I haven't tested on Debian, though I can't see why that would make a difference; you have the same version of M2Crypto that I'm running in production.

@clinta
Contributor

clinta commented Sep 28, 2015

Using your exact configs works for me with Salt 2015.8.0 and M2Crypto 0.21.1 on Ubuntu 14.04. I'll need to build a Debian VM to test further.

@jfindlay
Contributor

@clinta, thanks for working on this. Let me know if you need any help.

@x12a1f
Author

x12a1f commented Sep 28, 2015

I did some searching and I think this is a similar problem which appeared after upgrading OpenSSL to 1.0.1i: http://comments.gmane.org/gmane.comp.encryption.openssl.user/52604

Since Ubuntu 14.04 seems to be using OpenSSL 1.0.1f and Debian 8 is using 1.0.1k, I think it could be caused by a change in OpenSSL.

@clinta
Contributor

clinta commented Sep 29, 2015

I believe this will need to be fixed in upstream M2Crypto to make it compatible with newer versions of OpenSSL. It looks like M2Crypto development has been moved to GitLab. I'm going to try and put together some simple python test cases tomorrow to narrow down the issue.

@mcepl

mcepl commented Sep 29, 2015

Take a look at https://gitlab.com/m2crypto/m2crypto/merge_requests/1, I think we have fixed stuff like this for RHEL, and all Fedora/RHEL patches are in that merge request, which is going to be the next M2Crypto release hopefully soon.

@clinta
Contributor

clinta commented Sep 29, 2015

@mcepl, thanks. I'll test in Fedora to make sure these patches do correct the issue.

@clinta
Contributor

clinta commented Sep 29, 2015

So it looks like this issue is not fixed in Fedora 22 with M2Crypto 0.21.1. Going to have to narrow this down further.

@clinta
Contributor

clinta commented Sep 29, 2015

I'm testing a fix now. It looks like recent versions of OpenSSL refuse to import incomplete PEM-formatted certificates. I believe I have fixed this by avoiding unnecessary exporting/importing as PEM.

@mcepl

mcepl commented Sep 29, 2015

So, whose fault is it? OpenSSL, M2Crypto? Could I get the smallest test case reproducing this problem, please?

@clinta
Contributor

clinta commented Sep 29, 2015

@mcepl here is a small test case. It's entirely possible that the behavior I was using was never intended, so I'm going to fix it in the salt module. In versions of OpenSSL <= 1.0.1f this gist runs without error. In newer versions it gives the following traceback:

Traceback (most recent call last):
  File "m2crypto-test.py", line 80, in <module>
    loadcert = M2Crypto.X509.load_cert_string(cert_pem)
  File "/usr/lib/python2.7/site-packages/M2Crypto/X509.py", line 655, in load_cert_string
    return load_cert_bio(bio, format)
  File "/usr/lib/python2.7/site-packages/M2Crypto/X509.py", line 639, in load_cert_bio
    raise X509Error(Err.get_error())
M2Crypto.X509.X509Error: 140593730029312:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
140593730029312:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
140593730029312:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=signature, Type=X509_CINF
140593730029312:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=cert_info, Type=X509
140593730029312:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
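The failure in that traceback, as an added pre-flight check written here (not the gist, Salt's or M2Crypto's code): a minimal DER walk to tbsCertificate.signature.algorithm, the field that c2i_ASN1_OBJECT rejects above, which reports an empty OID before the PEM is handed to an OpenSSL-backed loader. The sample certificates are constructed stubs with only the leading fields filled in; that the zero-length OID is exactly what newer OpenSSL rejects is an assumption consistent with the traceback, not something the thread confirms.

```python
import base64
import re
# RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; tbsCertificate begins [0] version?, serialNumber, signature.

def _tlv(buf, pos):                                    # one DER tag/length -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM")
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm_oid(der):
    """Raw OID of tbsCertificate.signature.algorithm; ValueError if it is empty (unsigned object)."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)                       # [0] EXPLICIT version, optional
    if tag == 0xA0:
        pos = end
    _, _, pos = _tlv(der, pos)                         # serialNumber INTEGER, skipped
    _, alg_start, _ = _tlv(der, pos)                   # signature AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OBJECT IDENTIFIER")
    if oid_end == oid_start:
        raise ValueError("empty algorithm OID: certificate is unsigned/incomplete")
    return der[oid_start:oid_end]

def diagnose(pem):                                     # verdict before handing the blob to OpenSSL
    try:
        return "ok: " + signature_algorithm_oid(pem_to_der(pem)).hex()
    except ValueError as exc:
        return "reject: " + str(exc)

# Constructed sample input (not real certificates; only the leading fields are meaningful).
def _der(tag, value):                                  # short-form length suffices here
    return bytes([tag, len(value)]) + value
def cert_stub(oid):
    alg = _der(0x30, _der(0x06, oid) + _der(0x05, b""))   # AlgorithmIdentifier {oid, NULL}
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00\xde\xad\xbe\xef"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SIGNED_PEM = cert_stub(SHA256_WITH_RSA)
UNSIGNED_PEM = cert_stub(b"")                          # zero-length OID, as in the traceback
```

Run against the two stubs, diagnose() accepts the signed one and rejects the unsigned one with a readable reason instead of the nested ASN.1 errors shown above.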

@stale

stale bot commented Jan 8, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jan 8, 2018
@mcepl

mcepl commented Jan 9, 2018

Hmm, with master of M2Crypto:

matej@mitmanek: m2crypto (master *)$ python ~/m2crypto-test.py 
Traceback (most recent call last):
  File "/home/matej/m2crypto-test.py", line 83, in <module>
    loadcert = M2Crypto.X509.load_cert_string(cert_pem)
  File "/home/matej/archiv/knihovna/repos/m2crypto/M2Crypto/X509.py", line 852, in load_cert_string
    return load_cert_bio(bio, format)
  File "/home/matej/archiv/knihovna/repos/m2crypto/M2Crypto/X509.py", line 828, in load_cert_bio
    cptr = m2.x509_read_pem(bio._ptr())
M2Crypto.X509.X509Error: invalid object encoding
matej@mitmanek: m2crypto (master *)$

I will have to investigate.

@stale

stale bot commented Jan 9, 2018

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Jan 9, 2018
@mcepl

mcepl commented Jan 9, 2018

Yes, incomplete certificate. According to #27514 this bug should be closed. @jfindlay would you close this, please?
