bug: acm-pca get-certificate-authority-certificate #12076

Closed
getmoto/moto
#8793
@st1971

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

CertificateChain is not correctly formatted when returned from get-certificate-authority-certificate; the returned value is a base64-encoded PEM or chain of PEMs, as below:

aws acm-pca get-certificate-authority-certificate --certificate-authority-arn=arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/ea258b76-04e4-4384-a843-15af1ffa865b

{
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIICgDCCAgagAwIBAgIQPVpmtKY8FtTxnFBCfyCYLTAKBggqhkjOPQQDAzA1MRMw\nEQYDVQQKEwpUYXlsb3JNdWZmMR4wHAYDVQQDExVteWNhLnRheWxvcm11ZmYuY28u\ndWswHhcNMjQxMjI3MTUxNzAwWhcNMzQxMjI1MTUxNzAwWjAhMR8wHQYDVQQDExZh\nY21jYS50YXlsb3JtdWZmLmNvLnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAuKb80EA2oJu7LSbGdyMoGg+mM6FsQDpHHhIm/yVai0oSJynEl5i8MJ90\nIvdJnBj97SO7pzjGb2GZtQZp1iLvSMVx9G2ZPSSGBF853S9OPcJohXPRg7p5Q0bG\nrYkDP6R02DX3xuoIugUOvyFVsFWR0xfChxZDgH3TEyAqvIzlv1YKEN/1aM6b7HxB\n2mYMf7kzdlSmbKy21SlaGmF7MvXhMeHKrOnW0SqUW/6Fmv7DRCwCwXAcri14GgyN\nJjJpmdS/2A3X8j9E5nzrQl394sN1QaSCRk+lwu9LbpJPHoAvbvotWDkLOSpkmJOh\n9luXf3KWUy12iRzayslMZhAV5ZuMaQIDAQABo0EwPzAOBgNVHQ8BAf8EBAMCAqQw\nDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBTqcjhsYlZXDfx4XK3pu0/mFSbJ/TAK\nBggqhkjOPQQDAwNoADBlAjA4gwcbBIqzGuFQv4uZzbYiCmLK8m9hC29RXzBLsZzj\ngeZQM6hcRbwttpQJe5gKG1QCMQC6hxS6aZYmyKSpFfm1B51MBGtCPCAmh/EVvSIm\niro9tEa2hvJNUw9AYiicU4tIEEM=\n-----END CERTIFICATE-----\n",
  "CertificateChain": "<base64-encoded chain value, omitted>"
}

Expected Behavior

aws acm-pca get-certificate-authority-certificate --certificate-authority-arn=arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/ea258b76-04e4-4384-a843-15af1ffa865b
{
  "Certificate": "-----BEGIN CERTIFICATE-----\nMIICgDCCAgagAwIBAgIQPVpmtKY8FtTxnFBCfyCYLTAKBggqhkjOPQQDAzA1MRMw\nEQYDVQQKEwpUYXlsb3JNdWZmMR4wHAYDVQQDExVteWNhLnRheWxvcm11ZmYuY28u\ndWswHhcNMjQxMjI3MTUxNzAwWhcNMzQxMjI1MTUxNzAwWjAhMR8wHQYDVQQDExZh\nY21jYS50YXlsb3JtdWZmLmNvLnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAuKb80EA2oJu7LSbGdyMoGg+mM6FsQDpHHhIm/yVai0oSJynEl5i8MJ90\nIvdJnBj97SO7pzjGb2GZtQZp1iLvSMVx9G2ZPSSGBF853S9OPcJohXPRg7p5Q0bG\nrYkDP6R02DX3xuoIugUOvyFVsFWR0xfChxZDgH3TEyAqvIzlv1YKEN/1aM6b7HxB\n2mYMf7kzdlSmbKy21SlaGmF7MvXhMeHKrOnW0SqUW/6Fmv7DRCwCwXAcri14GgyN\nJjJpmdS/2A3X8j9E5nzrQl394sN1QaSCRk+lwu9LbpJPHoAvbvotWDkLOSpkmJOh\n9luXf3KWUy12iRzayslMZhAV5ZuMaQIDAQABo0EwPzAOBgNVHQ8BAf8EBAMCAqQw\nDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBTqcjhsYlZXDfx4XK3pu0/mFSbJ/TAK\nBggqhkjOPQQDAwNoADBlAjA4gwcbBIqzGuFQv4uZzbYiCmLK8m9hC29RXzBLsZzj\ngeZQM6hcRbwttpQJe5gKG1QCMQC6hxS6aZYmyKSpFfm1B51MBGtCPCAmh/EVvSIm\niro9tEa2hvJNUw9AYiicU4tIEEM=\n-----END CERTIFICATE-----\n",
  "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIB5jCCAW2gAwIBAgIQMcZaNGSxJCgwZdUSANUh5zAKBggqhkjOPQQDAzA1MRMw\nEQYDVQQKEwpUYXlsb3JNdWZmMR4wHAYDVQQDExVteWNhLnRheWxvcm11ZmYuY28u\ndWswHhcNMjQxMjI3MTUxNjU4WhcNMzQxMjI1MTUxNjU4WjA1MRMwEQYDVQQKEwpU\nYXlsb3JNdWZmMR4wHAYDVQQDExVteWNhLnRheWxvcm11ZmYuY28udWswdjAQBgcq\nhkjOPQIBBgUrgQQAIgNiAAQSIDNbrOjjnKJjjLe26+nGIxPaz4e86OCvtNZKdruB\nr2mPmfAvD+kiwUbtY7WbaFCJ9fr7NU3mSab4UYxLIc5FiSCjnONDvgP5LnreKFQm\n+/7MrhiNnETIafuNJqQXFYWjQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8E\nBTADAQH/MB0GA1UdDgQWBBTqcjhsYlZXDfx4XK3pu0/mFSbJ/TAKBggqhkjOPQQD\nAwNnADBkAjAHvGGAt1zbci9ieez/HR8yK/YE7XCPHcvAVolhgXj3WFRWubA/WZMV\nCOXooMZSVmACMDmgWhPVyqAXbAP3N91/qSyQGNmxCpTEPNXuJqkD7WhT+eAoKa8P\nqbhda8GH+S1vcg==\n-----END CERTIFICATE-----\n"
}

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

Started using podman-compose; compose file below:

---
services:
  localstack:
    image: docker.io/localstack/localstack-pro:latest
    ports:
      - "127.0.0.1:4566:4566"
      - "127.0.0.1:4510-4559:4510-4559"
      - "127.0.0.1:8443:443"
    environment:
      LOCALSTACK_AUTH_TOKEN: <redacted>
      DEBUG: 1
      PERSISTENCE: 1
      REDIS_CONTAINER_MODE: 1
    volumes:
      - type: bind
        source: ./localstack-vol
        target: /var/lib/localstack
        bind:
          selinux: z
      - type: bind
        source: $XDG_RUNTIME_DIR/podman/podman.sock
        target: /var/run/docker.sock
    networks:
      - localstack-net
networks:
  localstack-net:

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

openssl genrsa -out my-root-ca.key 4096
openssl req -x509 -new -nodes -key my-root-ca.key \
    -sha256 -days 3650 -out my-root-ca.crt \
    -subj "/CN=my-root-ca"
aws acm-pca create-certificate-authority \
    --certificate-authority-configuration \
    KeyAlgorithm=RSA_2048,SigningAlgorithm=SHA256WITHRSA,Subject={CommonName=my-subordinate-ca} \
    --certificate-authority-type "SUBORDINATE"
aws acm-pca get-certificate-authority-csr --certificate-authority-arn <ARN> --query "Csr" --output text > my-subordinate-ca.csr
echo "basicConstraints=critical,CA:TRUE" > openssl-ca-extensions.ext
openssl x509 -req -in my-subordinate-ca.csr \
    -CA my-root-ca.crt -CAkey my-root-ca.key \
    -CAcreateserial -out my-subordinate-ca.crt -days 3650 -sha256 \
    -extfile openssl-ca-extensions.ext
aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn <ARN> \
    --certificate fileb://my-subordinate-ca.crt \
    --certificate-chain fileb://my-root-ca.crt
aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <ARN>

Environment

- OS: Fedora 41
- LocalStack:
  LocalStack version: 4.0.4.dev63
  LocalStack Docker image sha: sha256:d19a03dfe10274ee574a896ae40b9ecf99654ea8ffa1ff28de4530a6731e2e70
  LocalStack build date: 2024-12-27
  LocalStack build git hash: 11d12723f

Anything else?

The fix needs to be made in https://github.com/getmoto/moto:

https://github.com/getmoto/moto/blob/4c1a20822259a312cd6084a7570ca4cd502732f7/moto/acmpca/models.py#L374-L380
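The base64-wrapped chain this issue describes, as an added example (not moto or LocalStack code): a stdlib-only check that accepts the expected PEM text, unwraps the buggy base64(PEM) form, and rejects anything that is neither. The sample chain is constructed and the function names are my own.

```python
# Added example (not moto/LocalStack code): detect and undo the CertificateChain bug
# from this issue, where base64(PEM) is returned in place of PEM text.
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def split_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM chain.
    Each body must be valid base64 and decode to a DER SEQUENCE (first
    byte 0x30), which every X.509 Certificate starts with."""
    ders = []
    for match in PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group("body").split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return ders


def normalize_chain(value):
    """Return (pem_text, was_base64_wrapped) for a CertificateChain value.
    A correct response is PEM text; the buggy one is that text base64-encoded
    once more. The extra layer is peeled off, and anything else is rejected."""
    if PEM_HEADER in value:
        split_pem_chain(value)  # validate framing even in the good case
        return value, False
    try:
        decoded = base64.b64decode("".join(value.split()), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("CertificateChain is neither PEM nor base64(PEM)") from exc
    if PEM_HEADER not in decoded:
        raise ValueError("base64 payload does not contain a PEM certificate")
    split_pem_chain(decoded)
    return decoded, True


# Constructed sample: two PEM blocks whose bodies are the DER SEQUENCE 30 03 02 01 01
# (not real certificates; only framing and encoding are exercised here).
SAMPLE_CHAIN = (PEM_HEADER + "\nMAMCAQE=\n-----END CERTIFICATE-----\n") * 2
BUGGY_CHAIN = base64.b64encode(SAMPLE_CHAIN.encode()).decode()  # what the bug returns
```

Running normalize_chain over the CLI's CertificateChain field flags the buggy encoding (second tuple element True) while still handing callers usable PEM.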

Labels

- aws:acm (AWS Certificate Manager)
- aws:acm-pca (AWS ACM Private Certificate Authority)
- good first issue (Good item to work on for newcomers)
- status: backlog (Triaged but not yet being worked on)
- type: bug (Bug report)