[BUG] TLS examples don't work with default bash IFS #495

@vt102

Describe the bug
In https://github.com/aws/aws-app-mesh-examples/blob/main/walkthroughs/tls-with-acm/README.md Step 2: Create a Certificate, the aws acm-pca issue-certificate step fails as follows:

[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CSR=`aws acm-pca get-certificate-authority-csr \
>     --certificate-authority-arn ${ROOT_CA_ARN} \
>     --query Csr --output text`
[ec2-user@ip-172-31-70-72 ~]$ AWS_CLI_VERSION=$(aws --version 2>&1 | cut -d/ -f2 | cut -d. -f1)
[ec2-user@ip-172-31-70-72 ~]$ [[ ${AWS_CLI_VERSION} -gt 1 ]] && ROOT_CA_CSR="$(echo ${ROOT_CA_CSR} | base64)"
[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
>     --certificate-authority-arn ${ROOT_CA_ARN} \
>     --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
>     --signing-algorithm SHA256WITHRSA \
>     --validity Value=10,Type=YEARS \
>     --csr "${ROOT_CA_CSR}" \
>     --query CertificateArn --output text`

An error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.
[ec2-user@ip-172-31-70-72 ~]$ echo $ROOT_CA_CSR | base64 -d
-----BEGIN CERTIFICATE REQUEST----- MIIC6jCCAdICAQAwgYIxCbase64: invalid input

The issue appears to be the CSR format:

[ec2-user@ip-172-31-70-72 ~]$ ROOT_CA_CSR=`aws acm-pca get-certificate-authority-csr \
>     --certificate-authority-arn ${ROOT_CA_ARN} \
>     --query Csr --output text`
[ec2-user@ip-172-31-70-72 ~]$ echo $ROOT_CA_CSR
-----BEGIN CERTIFICATE REQUEST----- MIIC6jCCAdICAQAwgYIxCzAJBgNVBAYTAlVTMRowGAYDVQQKDBFBcHAgTWVzaCBF eGFtcGxlczEUMBIGA1UECwwLVExTIEV4YW1wbGUxCzAJBgNVBAgMAldBMSIwIAYD ...teaKGrewvobYC8EKU2MMNfM+TNYeO9OBGgc74iamdXIPB9WWYCX9a0AIpRcenO0C 0eIZIIC8q/Ohy5o0E5epoKLnHX1xsqcfbsO1tkWI -----END CERTIFICATE REQUEST-----

The cause of this weird formatting appears to be bash's IFS (internal field separator) behavior.

[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
$' \t\n'
[ec2-user@ip-172-31-70-72 ~]$ FOO=`cat foo.txt`
[ec2-user@ip-172-31-70-72 ~]$ echo $FOO
foo bar baz
[ec2-user@ip-172-31-70-72 ~]$ IFS=
[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
''
[ec2-user@ip-172-31-70-72 ~]$ FOO=`cat foo.txt`
[ec2-user@ip-172-31-70-72 ~]$ echo $FOO
foo
bar
baz

Platform
Amazon Linux 4.14.281-212.502.amzn2.x86_64, bash 4.2.46(2)

To Reproduce
Steps to reproduce the behavior:

  1. Confirm you have the default IFS for bash:
[ec2-user@ip-172-31-70-72 ~]$ printf '%q\n' "$IFS"
$' \t\n'
  2. Walk through steps of https://github.com/aws/aws-app-mesh-examples/blob/main/walkthroughs/tls-with-acm/README.md#step-2-create-a-certificate
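
The behaviour reported above, as an added example that is not part of the original issue or the walkthrough: with the default IFS, an unquoted expansion flattens the PEM to one line, while a quoted expansion keeps the line structure that the `csr` pattern in the error message requires. `SAMPLE_CSR`, `emit_unquoted`, `emit_quoted` and `csr_shape_ok` are names made up for this example, and the CSR body is constructed filler rather than a real request.

```shell
#!/bin/sh
# Added example. SAMPLE_CSR is constructed: it has the PEM line layout of a
# CSR but is not a real request.
line64=$(printf '%064d' 0 | tr 0 A)   # one full 64-character base64 line
SAMPLE_CSR="-----BEGIN CERTIFICATE REQUEST-----
${line64}
${line64}
AAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE REQUEST-----"

# Unquoted expansion, as in `echo ${ROOT_CA_CSR} | base64`: the shell splits
# the value on IFS and echo rejoins the words with single spaces.
emit_unquoted() { echo $1; }

# Quoted expansion: the value is passed as one word, newlines intact.
emit_quoted() { printf '%s\n' "$1"; }

# Line-by-line check modelled on the pattern in the ValidationException
# (LF line endings only; the service pattern also accepts CRLF).
csr_shape_ok() {
  printf '%s' "$1" | awk '
    NR == 1 { if ($0 != "-----BEGIN CERTIFICATE REQUEST-----") bad = 1; next }
    $0 == "-----END CERTIFICATE REQUEST-----" { ended = 1; next }
    ended { bad = 1; next }
    {
      # every body line before the last must be exactly 64 chars, unpadded
      if (body > 0 && (length(last) != 64 || last ~ /=/)) bad = 1
      if (length($0) > 64 || $0 !~ "^[A-Za-z0-9/+]+=?=?$") bad = 1
      last = $0; body++
    }
    END { if (bad || !ended || body == 0) exit 1 }'
}

# Run both forms over the sample and report line count and verdict.
for mode in unquoted quoted; do
  out=$("emit_$mode" "$SAMPLE_CSR")
  if csr_shape_ok "$out"; then verdict="matches"; else verdict="rejected"; fi
  echo "$mode: $(printf '%s\n' "$out" | wc -l) line(s), $verdict"
done
```

Quoting the expansion preserves the newlines without touching IFS, so the setting stays at its default for the rest of the shell session.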
