Change Details

**Summary** When using the VyOS internal PKI subsystem to request a certificate using ACME, the issuer CA is not automatically imported in the PKI subsystem on the first run due to a race condition. **Use case** It's always a good idea to provide the full certificate chain when running a daemon that uses SSL certificates **Additional information** This can be reproduced by: Check if there are no ACME related certificates on the system. ``` vyos@vyos# ls /config/auth/letsencrypt/live ls: cannot access '/config/auth/letsencrypt/live': No such file or directory ``` Request an ACME certificate from the LetsEncrypt staging API ``` set pki certificate LR5.wue4 acme domain-name 'LR5.wue4.vyos.net' set pki certificate LR5.wue4 acme email 'LR5@vyos.net' set pki certificate LR5.wue4 acme url 'https://acme-staging-v02.api.letsencrypt.org/directory' ``` Check installed PKI certificates: ``` cpo@LR5.wue4# run show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------ --------- ----------- -------- -------- ------------- -------- Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present -------- ------ --------------------- ----------------------------------- ------------------- ------------------- --------- ------------- ------------ LR5.wue4 Server CN=lr5.wue4.vyos.net CN=(STAGING) Wannabe Watercress R11 2025-03-30 11:45:10 2025-06-28 11:45:09 No Yes No Certificate Revocation Lists: CA Name Updated Revokes --------- --------- --------- [edit] ``` It misses the auto imported CA chain. Currently only a reboot will auto import the issuing CA into `pki ca certificate` tree.

**Summary** When using the VyOS internal PKI subsystem to request a certificate using ACME, the issuer CA is not automatically imported in the PKI subsystem on the first run due to a race condition. **Use case** It's always a good idea to provide the full certificate chain when running a daemon that uses SSL certificates **Additional information** This can be reproduced by: Check if there are no ACME related certificates on the system. ``` vyos@vyos# ls /config/auth/letsencrypt/live ls: cannot access '/config/auth/letsencrypt/live': No such file or directory ``` Request an ACME certificate from the LetsEncrypt staging API ``` set pki certificate LR5.wue4 acme domain-name 'LR5.wue4.vyos.net' set pki certificate LR5.wue4 acme email 'LR5@vyos.net' set pki certificate LR5.wue4 acme url 'https://acme-staging-v02.api.letsencrypt.org/directory' ``` Check installed PKI certificates: ``` cpo@LR5.wue4# run show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------ --------- ----------- -------- -------- ------------- -------- Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present -------- ------ --------------------- ----------------------------------- ------------------- ------------------- --------- ------------- ------------ LR5.wue4 Server CN=lr5.wue4.vyos.net CN=(STAGING) Wannabe Watercress R11 2025-03-30 11:45:10 2025-06-28 11:45:09 No Yes No Certificate Revocation Lists: CA Name Updated Revokes --------- --------- --------- [edit] ``` It misses the auto imported CA chain. Currently only a reboot will auto import the issuing CA into `pki ca certificate` tree. ``` cpo@LR5.wue4:~$ show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------------------ ------------------------------------------------------------------ ---------------------------- ------------------- ------------------- ------------- -------- AUTOCHAIN_LR5.wue4 CN=(STAGING) Counterfeit Cashew R10,O=(STAGING) Let's Encrypt,C=US CN=(STAGING) Pretend Pear X1 2024-03-13 00:00:00 2027-03-12 23:59:59 No N/A Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present -------- ------ --------------------- ----------------------------------- ------------------- ------------------- --------- ------------- ------------------------ LR5.wue4 Server CN=lr5.wue4.vyos.net CN=(STAGING) Counterfeit Cashew R10 2025-03-30 11:48:57 2025-06-28 11:48:56 No Yes Yes (AUTOCHAIN_LR5.wue4) Certificate Revocation Lists: CA Name Updated Revokes --------- --------- --------- ```

**Summary** When using the VyOS internal PKI subsystem to request a certificate using ACME, the issuer CA is not automatically imported in the PKI subsystem on the first run due to a race condition. **Use case** It's always a good idea to provide the full certificate chain when running a daemon that uses SSL certificates **Additional information** This can be reproduced by: Check if there are no ACME related certificates on the system. ``` vyos@vyos# ls /config/auth/letsencrypt/live ls: cannot access '/config/auth/letsencrypt/live': No such file or directory ``` Request an ACME certificate from the LetsEncrypt staging API ``` set pki certificate LR5.wue4 acme domain-name 'LR5.wue4.vyos.net' set pki certificate LR5.wue4 acme email 'LR5@vyos.net' set pki certificate LR5.wue4 acme url 'https://acme-staging-v02.api.letsencrypt.org/directory' ``` Check installed PKI certificates: ``` cpo@LR5.wue4# run show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------ --------- ----------- -------- -------- ------------- -------- Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present -------- ------ --------------------- ----------------------------------- ------------------- ------------------- --------- ------------- ------------ LR5.wue4 Server CN=lr5.wue4.vyos.net CN=(STAGING) Wannabe Watercress R11 2025-03-30 11:45:10 2025-06-28 11:45:09 No Yes No Certificate Revocation Lists: CA Name Updated Revokes --------- --------- --------- [edit] ``` It misses the auto imported CA chain. Currently only a reboot will auto import the issuing CA into `pki ca certificate` tree. ``` cpo@LR5.wue4:~$ show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------------------ ------------------------------------------------------------------ ---------------------------- ------------------- ------------------- ------------- -------- AUTOCHAIN_LR5.wue4 CN=(STAGING) Counterfeit Cashew R10,O=(STAGING) Let's Encrypt,C=US CN=(STAGING) Pretend Pear X1 2024-03-13 00:00:00 2027-03-12 23:59:59 No N/A Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present -------- ------ --------------------- ----------------------------------- ------------------- ------------------- --------- ------------- ------------------------ LR5.wue4 Server CN=lr5.wue4.vyos.net CN=(STAGING) Counterfeit Cashew R10 2025-03-30 11:48:57 2025-06-28 11:48:56 No Yes Yes (AUTOCHAIN_LR5.wue4) Certificate Revocation Lists: CA Name Updated Revokes --------- --------- --------- ```