Unclear error when CA fingerprint does not match #841

tashian · 2023-02-02T00:57:05Z

When the CA URL is correct, and the fingerprint does not match, the output of step ca bootstrap is confusing:

$ step ca bootstrap --ca-url https://ca.example.com --fingerprint abc1230
The requested resource could not be found. Please see the certificate authority logs for more info.
Re-run with STEPDEBUG=1 for more info.

It would be nice here if the client could say that the cert fingerprint doesn't match.

The text was updated successfully, but these errors were encountered:

marten-seemann · 2024-06-19T07:03:53Z

The cli issues a HTTP GET request to <ca-url>/root/<fingerprint>. Assuming that we manage to connect to the hostname and perform the GET request, the error we get when using an invalid fingerprint is a 404:

{"status":404,"message":"The requested resource could not be found. Please see the certificate authority logs for more info."}

I can see two ways to get a more meaningful error message here:

Return a more meaningful 404 message from the CA.
Special-case the 404 handling in the cli, and emit a more helpful error message.

(1) seems preferable to me, since there might be other consumers of the REST API. @tashian, wdyt?

hslatman · 2024-06-19T11:07:05Z

First option would be my choice too.

A combination of the two might also be possible, but I think then we would preferably have an application error code as a field in the response, which the CLI (and possibly other clients) can act on. That's what's done with the ACME API, and would be nice if we'd implement this on more endpoints. But just a clearer message will get the job done now.

tashian added enhancement needs triage Waiting for discussion / prioritization by team labels Feb 2, 2023

tashian changed the title ~~step ca bootstrap error when CA fingerprint does not match~~ Unclear error when CA fingerprint does not match Feb 2, 2023

dopey added this to the v0.24.0 milestone Feb 8, 2023

dopey assigned tashian Feb 8, 2023

maraino modified the milestones: v0.24.0, v0.24.1 Apr 12, 2023

maraino modified the milestones: v0.24.4, v0.24.5 Jul 18, 2023

maraino modified the milestones: v0.25.0, v0.25.1 Sep 27, 2023

hslatman modified the milestones: v0.25.1, v0.25.2 Nov 29, 2023

hslatman modified the milestones: v0.25.2, v0.25.3 Feb 20, 2024

hslatman modified the milestones: v0.26.0, v0.26.1 Mar 29, 2024

hslatman modified the milestones: v0.26.1, v0.26.2 Apr 25, 2024

hslatman modified the milestones: v0.26.2, v0.26.3 Jun 17, 2024

marten-seemann linked a pull request Jun 20, 2024 that will close this issue

api: output a more helpful error message when root is not found smallstep/certificates#1893

Open

marten-seemann assigned marten-seemann and unassigned tashian Jun 20, 2024

marten-seemann removed the needs triage Waiting for discussion / prioritization by team label Jun 20, 2024

hslatman modified the milestones: v0.27.0, v0.27.2 Jul 15, 2024

hslatman removed this from the v0.27.2 milestone Jul 23, 2024

hslatman added this to the v0.27.3 milestone Jul 23, 2024

hslatman modified the milestones: v0.27.4, v0.27.5 Sep 16, 2024

hslatman modified the milestones: v0.27.5, v0.27.6 Oct 22, 2024

hslatman modified the milestones: v0.27.6, v0.28.1 Oct 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unclear error when CA fingerprint does not match #841

Unclear error when CA fingerprint does not match #841

tashian commented Feb 2, 2023

marten-seemann commented Jun 19, 2024

hslatman commented Jun 19, 2024 •

edited

Loading

Unclear error when CA fingerprint does not match #841

Unclear error when CA fingerprint does not match #841

Comments

tashian commented Feb 2, 2023

marten-seemann commented Jun 19, 2024

hslatman commented Jun 19, 2024 • edited Loading

hslatman commented Jun 19, 2024 •

edited

Loading