Error writing data to venafi-pki/sign/tpp-backend: Error making API request. about vault-pki-backend-venafi HOT 10 CLOSED

@sfortuna did you execute vault secrets enable and, if so, did you specify -path=venafi-pki when you did? https://www.vaultproject.io/docs/commands/secrets/enable.html

from vault-pki-backend-venafi.

Yes, I was able to complete steps 1-10 in the quickstart guide. The error occurs when running this command in step 11:
vault write venafi-pki/sign/tpp-backend [email protected]

https://github.com/Venafi/vault-pki-backend-venafi

from vault-pki-backend-venafi.

Hi @sfortuna on what platform you're running venafi-pki? Could you share vault logs?

from vault-pki-backend-venafi.

RHEL

2019-07-26T12:50:11.028-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=started
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle existence check: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=906.75µs
2019-07-26T12:50:11.029-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=sign/tpp-backend status=started
2019-07-26T12:50:11.030-0400 [TRACE] secrets.venafi-pki-backend.venafi-pki-backend_28bddf70.venafi-pki-backend: handle request: transport=gRPC path=sign/tpp-backend status=finished err="unsupported path" took=993.667µs

from vault-pki-backend-venafi.

@sfortuna would you please send the full sequence of commands you executed for steps 1-10 and your vault config file to [email protected] so we can attempt to reproduce the issue in our lab? Please redact any sensitive information and also confirm that you are using Vault version 0.12 with version 0.5.1 of the vault-pki-backend-venafi plugin.

from vault-pki-backend-venafi.

We are using vault v 1.1.1 and venafi 0.4.1

from vault-pki-backend-venafi.

Here are the commands with personal information removed:

1. Unzip venafi-pki-backend_0.4.1+385_linux86.zip
2. mv venafi-pki-backend /path/to/vault/vault_plugins
3. vi vault_server_config.json
4. export VAULT_ADDR=https://{fqdn}:8200
5. SHA256=$(shasum -a 256 /path/to/vault/vault_plugins/venafi-pki-backend| cut -d' ' -f1)
6. vault write sys/plugins/catalog/secret/venafi-pki-backend sha_256="${SHA256}" command="venafi-pki-backend"
7. vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin
8. vault write venafi-pki/roles/tpp-backend
   tpp_url="https://tpp.venafi.example:443/vedsdk"
   tpp_user="admin"
   tpp_password="password"
   zone="DevOps\Vault Backend"
   trust_bundle_file="/opt/venafi/bundle.pem"
   generate_lease=true store_by_cn=true store_pkey=true store_by_serial=true ttl=1h max_ttl=1h
   allowed_domains=example.com
   allow_subdomains=true
9. vault write venafi-pki/issue/tpp-backend common_name="test.example.com"
   cat < csr.conf
   [req]
   default_bits = 4096
   prompt = no
   default_md = sha256
   req_extensions = req_ext
   distinguished_name = dn

[ dn ]
CN = test-csr-32313131.vfidev.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = alt1-test-csr-32313131.vfidev.com
DNS.2 = alt2-test-csr-32313131.vfidev.com

EOF
openssl req -new -config csr.conf -keyout myserver.key -out myserver.csr -passin pass:somepassword -passout pass:anotherpassword
10. vault write venafi-pki/sign/tpp-backend [email protected]

from vault-pki-backend-venafi.

Thank you @sfortuna We first added support for signing CSRs in version 0.4.2 of our plugin so that's most likely the source of your problem. Any version higher than the one you are using should work but we recommend the latest (0.5.1).

from vault-pki-backend-venafi.

@tr1ck3r Thanks, we've updated to version 0.5.1 but are still experiencing the same issue. We are still able complete steps 1-10 in the guide but not 11

from vault-pki-backend-venafi.

Hello this was an issue with our CA configuration. Thanks

from vault-pki-backend-venafi.