aws / aws-app-mesh-examples

AWS App Mesh is a service mesh that you can use with your microservices to manage service to service communication.

use of 'aws acm-pca issue-certificate' fails with aws(1) v2

jlbutler opened this issue · comments

Use of 'aws acm-pca issue-certificate' within the repo will fail with aws cli v2. This is due to a breaking change regarding how binary data is handled. See https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam for more information.

For example, in the ECS Ingress Gateway walkthrough:

$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
    --certificate-authority-arn ${ROOT_CA_ARN} \
    --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
    --signing-algorithm SHA256WITHRSA \
    --validity Value=10,Type=YEARS \
    --csr "${ROOT_CA_CSR}" \
    --query CertificateArn --output text`

Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIC7jCCAdYCAQAwgYYxCzAJBgNVBAYTAlVTMRowGAYDVQQKDBFBcHAgTWVzaCBF
..

The fix is to pass the returned csr data through base64 when using aws cli v2.

$ ROOT_CA_CSR=$(echo "${ROOT_CA_CSR}" | base64)
$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
    --certificate-authority-arn ${ROOT_CA_ARN} \
    --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
    --signing-algorithm SHA256WITHRSA \
    --validity Value=10,Type=YEARS \
    --csr "${ROOT_CA_CSR}" \
    --query CertificateArn --output text`
$

Resolved with #319.
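A walkthrough script that has to run under both CLI major versions can choose the `--csr` encoding from the `aws --version` output. The following is an added example, not code from the issue or from the repository; it goes slightly beyond the fix above by leaving the CSR untouched for v1. The helper names `cli_major_version` and `csr_for_cli`, the sample version strings, and the placeholder CSR are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: prepare a PEM CSR for `aws acm-pca issue-certificate --csr`
# so the same script works with AWS CLI v1 (raw PEM) and v2 (base64 input).

# Extract the major version from `aws --version` output,
# e.g. "aws-cli/2.15.30 Python/3.11.8 Linux/..." -> 2
cli_major_version() {
    local version_line="$1"
    local major="${version_line#aws-cli/}"   # drop the "aws-cli/" prefix
    major="${major%%.*}"                     # keep text before the first dot
    case "$major" in
        ''|*[!0-9]*) return 1 ;;             # unrecognised version format
    esac
    printf '%s\n' "$major"
}

# Print the value to pass to --csr: raw PEM for v1, base64 of the PEM for v2.
csr_for_cli() {
    local version_line="$1" pem="$2" major
    major="$(cli_major_version "$version_line")" || return 1
    if [ "$major" -ge 2 ]; then
        # Quoting "$pem" keeps the PEM line breaks intact; tr removes the
        # line wrapping that some base64 implementations add to their output.
        printf '%s\n' "$pem" | base64 | tr -d '\n'
        echo
    else
        printf '%s\n' "$pem"
    fi
}

# Constructed placeholder CSR (not a real certificate request)
SAMPLE_CSR='-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ1NS
-----END CERTIFICATE REQUEST-----'
# Constructed version strings in the format `aws --version` prints
SAMPLE_V1='aws-cli/1.32.0 Python/3.11.8 Linux/6.1.0 botocore/1.34.0'
SAMPLE_V2='aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64'

# Usage with the walkthrough's variable:
#   ROOT_CA_CSR="$(csr_for_cli "$(aws --version 2>&1)" "${ROOT_CA_CSR}")"
```
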