
PKI: generate pki certificate sign <ca-name> is not working
Closed, Resolved | Public | BUG

Description

While signing the certificate without mentioning the install name, the following error is received:

vyos@vyos:~$ generate pki certificate sign root_ca
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
...
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server) server
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 813, in <module>
    generate_certificate_sign(args.certificate, args.sign, install=args.install, file=args.file)
  File "/usr/libexec/vyos/op_mode/pki.py", line 483, in generate_certificate_sign
    print(encode_private_key(private_key, passphrase=passphrase))
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 84, in encode_private_key
    return private_key.private_bytes(
AttributeError: 'NoneType' object has no attribute 'private_bytes'

Same error received when passphrase provided.

Successful when install name is provided:

vyos@vyos:~$ generate pki certificate sign root_ca install ipsec-server
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
...
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server) server
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
You are not in configure mode, commands to install manually from configure mode:
set pki certificate ipsec-server certificate '...'

Details

Version: 1.4-rolling-202111281249
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)
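The traceback in the description comes from serializing a private key on the path where a certificate request was pasted. On that path the signer never holds the requester's key, so `private_key` is `None`. The sketch below is an added example, not VyOS code: it assumes the Python `cryptography` package, and the function names `make_csr`, `sign_request` and `render_output` are hypothetical.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_csr(cn):
    """Requester side: the private key is created here and stays here."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name(cn)).sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)

def sign_request(ca_key, ca_cn, csr_pem=None, cn="vyos.io", days=365):
    """Sign a pasted CSR, or generate key and CSR locally when none is given.
    Returns (certificate, private_key); private_key is None on the CSR path."""
    private_key = None
    if csr_pem is None:
        private_key, csr_pem = make_csr(cn)
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # reject requests not signed by their own key
        raise ValueError("CSR signature check failed")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(_name(ca_cn))
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))
    return cert, private_key

def render_output(cert, private_key):
    """PEM text to print: the key block is emitted only when a key exists."""
    parts = [cert.public_bytes(serialization.Encoding.PEM).decode()]
    if private_key is not None:  # without this guard the CSR path raises AttributeError
        parts.append(private_key.private_bytes(
            serialization.Encoding.PEM,
            serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption()).decode())
    return "\n".join(parts)
```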

Event Timeline

Tested in 1.4.0 version and did not receive the error:

vyos@vyos:~$ generate pki certificate sign server_ca
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) mainframe
Do you want to configure Subject Alternative Names? [y/N] N
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

vyos@vyos:~$
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible. Dec 6 2024, 2:47 PM
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).