Vault charm does not handle Microsoft line endings in SSL certificates well

Bug #2064542 reported by John Lettman
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| vault-charm | Triaged | Wishlist | Unassigned | |

Bug Description

Hello,

We encountered an issue where customer-supplied certificates may contain Microsoft or DOS line endings (e.g., CRLF, `^M`).
When setting the `ssl-cert` and `ssl-chain` configuration options with the variant certificates, the certificate template for `/var/snap/vault/common/vault.crt` renders incorrectly, preventing the Vault service from starting.

To resolve this, the Vault charm would need to account for the possibility of mixed line endings and normalize them.
This could be achieved fairly trivially in Python:
```python
# str.replace returns a new string, so keep the result; CRLF first, then bare CR
certificate = certificate.replace('\r\n', '\n').replace('\r', '\n')
```

#### Method to reproduce
##### Set the `ssl-cert` and `ssl-chain` options
Use Microsoft line endings on `ssl-cert`:
```bash
juju config vault \
    ssl-cert="$(cat cert-with-crlf.crt | base64 -w0)" \
    ssl-chain="$(cat any-chain.crt | base64 -w0)"
```

##### Inspect the rendered certificate
On the `vault` unit:
```bash
sudo view /var/snap/vault/common/vault.crt
```
```
-----BEGIN CERTIFICATE-----^M
CERTIFICATE WITH MICROSOFT LINE-ENDINGS [...]^M
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
CHAIN STARTS HERE [...]
```

Changed in vault-charm:
importance: Undecided → Wishlist
status: New → Triaged
tags: added: good-first-bug
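
The normalization proposed in the report, carried through to the point where the certificate and chain meet in one file. This is an added example, not the vault charm's code: `normalize_pem`, `render_cert_file` and `to_config_value` are hypothetical names, the sample PEM bodies are constructed placeholders, and it assumes the rendered file is the certificate followed directly by the chain.

```python
import base64
import re

# One complete PEM certificate block, matched after line endings are LF-only.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+?\n-----END CERTIFICATE-----"
)


def normalize_pem(b64_value: str) -> str:
    """Decode a base64 config value and return LF-only PEM text.

    Raises ValueError if no well-formed certificate block remains.
    """
    text = base64.b64decode(b64_value).decode("ascii")
    # The replacement proposed in the report: CRLF first, then stray CR.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    # Re-emit each block with exactly one trailing newline so a following
    # block can never fuse onto the END line.
    return "".join(block + "\n" for block in blocks)


def render_cert_file(ssl_cert_b64: str, ssl_chain_b64: str) -> str:
    """Hypothetical stand-in for the template: certificate, then chain."""
    return normalize_pem(ssl_cert_b64) + normalize_pem(ssl_chain_b64)


def to_config_value(pem_text: str) -> str:
    """Base64-encode PEM text the way the juju config command above does."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


# Constructed sample input: placeholder bodies, not real certificates.
# The CRLF sample has no final newline, which is what fuses END and BEGIN.
CRLF_CERT = "-----BEGIN CERTIFICATE-----\r\nQUJDRA==\r\n-----END CERTIFICATE-----"
LF_CHAIN = "-----BEGIN CERTIFICATE-----\nRUZHSA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    rendered = render_cert_file(to_config_value(CRLF_CERT), to_config_value(LF_CHAIN))
    print(rendered, end="")
```

Rejecting input that contains no certificate block at config time surfaces the problem in the charm status rather than as a Vault service that fails to start.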