-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Impossible to store SSL/SSH private Key in vault #370
Comments
Please escalate this if at all possible. This was reported January 12, 2021 by me via our paid support with Chef and assigned zendesk ticket ID 26886. The bug still exists in whatever version of vault ships with 21.4.365. We have been having to keep a host around with a super old version of Workstation around just for updating vault items. This is in conflict with the premise that we're supposed to keep Workstation as updated as possible in order to do Chef next-gen cookbook development. |
Interesting, we have always escaped the newlines in our certificates before adding them to vault. I didn't think it was valid to have newline characters in a JSON value. The escaped new lines do turn the certificates into some really ugly strings. |
In our case, we're trying to upload TLS certificates and private keys. And the 2-character sequence '\n' as shown below which has always worked now fails in vault operations. According to https://json.org it is valid JSON.
|
yes, I've always seen that work. How odd. |
I also need to add that "don't use Chef Vault" isn't really an acceptable answer coming from Chef support, IMO. Chef Vault has worked fine for us for 6 years. Someone's change broke it and we're now no longer able to adhere to Chef's stated Best Practice of keeping up with Workstation releases. |
Disallowing line breaks (and possibly tabs) renders Chef Vaults unusable for X.509 and SSH keys (see chef#370). This commit include these character in the set of allowed characters.
Disallowing line breaks (and possibly tabs) renders Chef Vaults unusable for X.509 and SSH keys (see chef#370). This commit include these character in the set of allowed characters. Signed-off-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
I have prepared a pull request which at least tries to fix this kind of issues. But there are more cases where it would be convenient to store binary data (e.g., PKCS#12 files, Kerberos Keytabs, unarmored OpenPGP keys, ...) in vaults. These cases are out of the scope of the PR. Allowing arbitrary data would effectively require to undo the changes of #347. In my opinion it would be worth to discuss this topic, but I have no clue how to start this discussion. |
Hello, |
We also have this problem with TLS certificates and keys stored in chef-vault, but as a workaround we base64 encode the certificate/key, prepare the json, push it to chef-vault and then base64 decode it before using it.
And then from chef recipe:
|
This issue is addressed in chef-vault latest version 4.1.4 |
Version:
4.1.0
Environment:
Linux
Scenario:
I want to store SSL private keys and SSH private keys in a vault. I think this is what chef-vault is made for. Unfortunately it refuses to encrypt a valid JSON file if there are linebreaks in values.
Steps to Reproduce:
ssh-keygen -N '' -f demokey -t rsa -q -C ''
knife vault create testsecrets ssh -A admin1,admin2 -J demokey.json -M client
Expected Result:
I want my key uploaded :-)
Actual Result:
I get an Exception:
The text was updated successfully, but these errors were encountered: