CRL Support nil pointer?

[BenB196]

Hi All,

I recently saw that in v0.23.0 that CRL support was added via; #731. So, I wanted to test this on one of my existing test Step CA deployments. I'm deployed via helm, and this is what my chart looks like:

affinity: {}
autocert:
  enabled: false
bootstrap:
  configmaps: true
  enabled: true
  image:
    pullPolicy: IfNotPresent
    repository: cr.step.sm/smallstep/step-ca-bootstrap
    tag: latest
  secrets: true
ca:
  address: ':9000'
  bootstrap:
    postInitHook: ''
  db:
    accessModes:
      - ReadWriteOnce
    enabled: true
    persistent: true
    size: 10Gi
    storageClass: nfsv3
  dns: null
  env: []
  existingSecrets:
    enabled: false
  kms:
    type: ''
  name: Step CA Dev
  password: null
  provisioner:
    name: admin
    password: null
  runAsRoot: false
  url: null
existingSecrets:
  ca: false
  configAsSecret: false
  enabled: false
  issuer: false
  sshHostCa: false
  sshUserCa: false
fullnameOverride: ''
image:
  initContainerRepository: busybox:latest
  pullPolicy: IfNotPresent
  repository: cr.step.sm/smallstep/step-ca
  tag: 0.23.0 # Overwrite tag from `0.22.1` helm chart
ingress:
  annotations: {}
  enabled: false
  hosts: []
  ingressClassName: ''
  tls: []
inject:
  certificates:
    certificate_issuer: ''
    intermediate_ca: |
      <snipped>
    root_ca: |
      <snipped>
    ssh_host_ca: ''
    ssh_user_ca: ''
  config:
    files:
      ca.json:
        address: 0.0.0.0:9000
        authority:
          claims:
            defaultHostSSHCertDuration: 720h
            defaultTLSCertDuration: 2160h
            defaultUserSSHCertDuration: 24h
            disableRenewal: false
            maxHostSSHCertDuration: 1680h
            maxTLSCertDuration: 2160h
            maxUserSSHCertDuration: 24h
            minHostSSHCertDuration: 5m
            minTLSCertDuration: 5m
            minUserSSHCertDuration: 5m
          provisioners:
            - claims: {}
              forceCN: false
              name: acme
              type: ACME
            - encryptedKey: >-
                <snipped>
              key:
                alg: ES256
                crv: P-256
                kid: <snipped>
                kty: EC
                use: sig
                x: <snipped>
                'y': <snipped>
              name: [email protected]
              type: JWK
        crt: /home/step/certs/intermediate_ca.crt
        db:
          dataSource: /home/step/db
          type: badgerV2
        dnsNames:
          - step-ca.sub.domain.com
          - step-ca-dev.sub.domain.com
          - step-ca-step-certificates.step-ca.svc.cluster.local
          - 127.0.0.1
        federateRoots: []
        key: /home/step/secrets/intermediate_ca_key
        logger:
          format: json
        root: /home/step/certs/root_ca.crt
        tls:
          cipherSuites:
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_AES_128_GCM_SHA256
          maxVersion: 1.3
          minVersion: 1.2
          renegotiation: false
        crl: # Enable crl?
          enable: true
          generateOnRevoke: true
      defaults.json:
        ca-config: /home/step/config/ca.json
        ca-url: https://step-ca.sub.domain.com:9000
        fingerprint: <snipped>
        root: /home/step/certs/root_ca.crt
    templates:
      ssh.tpl: |
        {
          "type": {{ toJson .Type }},
          "keyId": {{ toJson .KeyID }},
          "principals": {{ toJson .Principals }},
          "extensions": {{ toJson .Extensions }},
          "criticalOptions": {{ toJson .CriticalOptions }}
        }
      x509_leaf.tpl: |
        {
          "subject": {{ toJson .Subject }},
          "sans": {{ toJson .SANs }},
        {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
          "keyUsage": ["keyEncipherment", "digitalSignature"],
        {{- else }}
          "keyUsage": ["digitalSignature"],
        {{- end }}
          "extKeyUsage": ["serverAuth", "clientAuth"]
        }
  enabled: true
  secrets:
    ca_password: <snipped>
    certificate_issuer:
      enabled: false
      key: ''
      password: ''
    provisioner_password: <snipped>
    ssh:
      enabled: false
      host_ca_key: ''
      host_ca_password: ''
      user_ca_key: ''
      user_ca_password: ''
    x509:
      enabled: true
      intermediate_ca_key: |
        <snipped>
      root_ca_key: ''
kind: StatefulSet
linkedca:
  secretKeyRef:
    key: null
    name: null
  token: null
nameOverride: ''
nodeSelector: {}
replicaCount: 1
resources: {}
service:
  annotations: {}
  nodePort: ''
  port: 9001
  targetPort: 9000
  type: ClusterIP
tolerations: []

And based on the PR I would expect to be able to hit:

curl -k https://step-ca.sub.domain.com:9001/crl

But when I hit this endpoint, Step CA throws the following:

2022/11/15 20:30:39 /usr/local/go/src/net/http/server.go:3228: http: panic serving 10.42.5.229:58834: runtime error: invalid memory address or nil pointer dereference
--
Tue, Nov 15 2022 3:30:39 pm | goroutine 3337 [running]:
Tue, Nov 15 2022 3:30:39 pm | net/http.(*conn).serve.func1()
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:1850 +0xbf
Tue, Nov 15 2022 3:30:39 pm | panic({0x1463140, 0x2426210})
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/runtime/panic.go:890 +0x262
Tue, Nov 15 2022 3:30:39 pm | github.com/smallstep/certificates/api/log.Error({0x7f57be57e5a0?, 0xc005d10c00?}, {0x1a1f5c0?, 0xc005c955c0?})
Tue, Nov 15 2022 3:30:39 pm | /src/api/log/log.go:44 +0x176
Tue, Nov 15 2022 3:30:39 pm | github.com/smallstep/certificates/api/render.Error({0x7f57be57e5a0, 0xc005d10c00}, {0x1a1f5c0?, 0xc005c955c0?})
Tue, Nov 15 2022 3:30:39 pm | /src/api/render/render.go:79 +0x3b
Tue, Nov 15 2022 3:30:39 pm | github.com/smallstep/certificates/api.CRL({0x7f57be57e5a0, 0xc005d10c00}, 0xc00047a300)
Tue, Nov 15 2022 3:30:39 pm | /src/api/crl.go:14 +0x53c
Tue, Nov 15 2022 3:30:39 pm | net/http.HandlerFunc.ServeHTTP(0x144dea0?, {0x7f57be57e5a0?, 0xc005d10c00?}, 0xc005d7c334?)
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:2109 +0x2f
Tue, Nov 15 2022 3:30:39 pm | github.com/go-chi/chi.(*Mux).routeHTTP(0xc005d1d620, {0x7f57be57e5a0, 0xc005d10c00}, 0xc00047a300)
Tue, Nov 15 2022 3:30:39 pm | /go/pkg/mod/github.com/go-chi/chi@v4.1.2+incompatible/mux.go:431 +0x1f9
Tue, Nov 15 2022 3:30:39 pm | net/http.HandlerFunc.ServeHTTP(0xc005c95560?, {0x7f57be57e5a0?, 0xc005d10c00?}, 0x7f57be654a88?)
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:2109 +0x2f
Tue, Nov 15 2022 3:30:39 pm | github.com/go-chi/chi/middleware.GetHead.func1({0x7f57be57e5a0?, 0xc005d10c00?}, 0x2425901?)
Tue, Nov 15 2022 3:30:39 pm | /go/pkg/mod/github.com/go-chi/chi@v4.1.2+incompatible/middleware/get_head.go:37 +0x1ee
Tue, Nov 15 2022 3:30:39 pm | net/http.HandlerFunc.ServeHTTP(0x1a2ccf8?, {0x7f57be57e5a0?, 0xc005d10c00?}, 0x24259a0?)
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:2109 +0x2f
Tue, Nov 15 2022 3:30:39 pm | github.com/go-chi/chi.(*Mux).ServeHTTP(0xc005d1d620, {0x7f57be57e5a0, 0xc005d10c00}, 0xc00047a200)
Tue, Nov 15 2022 3:30:39 pm | /go/pkg/mod/github.com/go-chi/chi@v4.1.2+incompatible/mux.go:86 +0x296
Tue, Nov 15 2022 3:30:39 pm | github.com/smallstep/certificates/logging.(*LoggerHandler).ServeHTTP(0xc0008249f0, {0x1a2b658, 0xc00018ca80}, 0x1a191f8?)
Tue, Nov 15 2022 3:30:39 pm | /src/logging/handler.go:50 +0xa3
Tue, Nov 15 2022 3:30:39 pm | github.com/smallstep/certificates/logging.RequestID.func1.1({0x1a2b658, 0xc00018ca80}, 0xc00047a100)
Tue, Nov 15 2022 3:30:39 pm | /src/logging/context.go:38 +0x2b0
Tue, Nov 15 2022 3:30:39 pm | net/http.HandlerFunc.ServeHTTP(0x0?, {0x1a2b658?, 0xc00018ca80?}, 0x469b4e?)
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:2109 +0x2f
Tue, Nov 15 2022 3:30:39 pm | net/http.serverHandler.ServeHTTP({0xc005c953e0?}, {0x1a2b658, 0xc00018ca80}, 0xc00047a100)
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:2947 +0x30c
Tue, Nov 15 2022 3:30:39 pm | net/http.(*conn).serve(0xc005d288c0, {0x1a2ccf8, 0xc000824d50})
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:1991 +0x607
Tue, Nov 15 2022 3:30:39 pm | created by net/http.(*Server).Serve
Tue, Nov 15 2022 3:30:39 pm | /usr/local/go/src/net/http/server.go:3102 +0x4db

Is there something I'm missing or doing wrong with this?

[BenB196]

I should mention that the setup is still able to generate/sign certs and the other endpoints are working as intended, only seems to be an issue with /crl

[foleyjohnm]

I am not that familiar with helm at all, but the config option for the CRL to be enabled needs to say "enabled": true I think. I think the docs need to be updated.

https://github.com/smallstep/certificates/blob/master/authority/config/config.go#L89

[BenB196]

Excellent call out, that seems to have done the job. Thanks!

[maraino]

@BenB196 I've not been able to reproduce the null pointer, but looking at the stacktrace it looks related to this #1187