use of 'aws acm-pca issue-certificate' fails with aws(1) v2
jlbutler opened this issue
Jesse Butler commented
Use of 'aws acm-pca issue-certificate' within the repo will fail with aws cli v2. This is due to a breaking change regarding how binary data is handled. See https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-binaryparam for more information.
For example, in the ECS Ingress Gateway walkthrough:
$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
--certificate-authority-arn ${ROOT_CA_ARN} \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--signing-algorithm SHA256WITHRSA \
--validity Value=10,Type=YEARS \
--csr "${ROOT_CA_CSR}" \
--query CertificateArn --output text`
Invalid base64: "-----BEGIN CERTIFICATE REQUEST-----
MIIC7jCCAdYCAQAwgYYxCzAJBgNVBAYTAlVTMRowGAYDVQQKDBFBcHAgTWVzaCBF
..
The fix is to pass the returned csr data through base64 when using aws cli v2.
$ ROOT_CA_CSR=$(echo "${ROOT_CA_CSR}" | base64)
$ ROOT_CA_CERT_ARN=`aws acm-pca issue-certificate \
--certificate-authority-arn ${ROOT_CA_ARN} \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--signing-algorithm SHA256WITHRSA \
--validity Value=10,Type=YEARS \
--csr "${ROOT_CA_CSR}" \
--query CertificateArn --output text`
$
Brian Celenza commented
Resolved with #319.
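The workaround from the issue above, written so that one script works under both CLI major versions. This is an added example, not code from the repository or from #319; the function names `aws_cli_major` and `csr_param` are hypothetical and the sample CSR is constructed.

```shell
#!/bin/sh
# Added example: prepare a PEM CSR for `aws acm-pca issue-certificate --csr`
# under either AWS CLI major version. Function names are hypothetical.

# Print the major version from an `aws --version` banner,
# e.g. "aws-cli/2.15.30 Python/3.11.8 ..." -> 2. Fails on anything else.
aws_cli_major() {
  case $1 in
    aws-cli/[0-9]*) v=${1#aws-cli/}; printf '%s\n' "${v%%.*}" ;;
    *) return 1 ;;
  esac
}

# Print the value to hand to --csr.
#   $1 = CLI major version, $2 = PEM-encoded CSR
# v1 takes the raw PEM; v2 expects blob parameters base64-encoded.
csr_param() {
  if [ "$1" -ge 2 ]; then
    # Quote the PEM so its line breaks survive word splitting, and strip
    # the 76-column wraps GNU base64 inserts so the value is one token.
    printf '%s\n' "$2" | base64 | tr -d '\n'
  else
    printf '%s\n' "$2"
  fi
}

# Constructed placeholder CSR (not a real request), used only for the demo.
SAMPLE_CSR='-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ1NS
-----END CERTIFICATE REQUEST-----'

# In the walkthrough this would replace the manual base64 step:
#   major=$(aws_cli_major "$(aws --version 2>&1)") || exit 1
#   ROOT_CA_CSR=$(csr_param "$major" "$ROOT_CA_CSR")

# Demo on the constructed sample: what each CLI version would be given.
printf 'v1 --csr value:\n%s\n' "$(csr_param 1 "$SAMPLE_CSR")"
printf 'v2 --csr value:\n%s\n' "$(csr_param 2 "$SAMPLE_CSR")"
```

AWS CLI v2 also accepts the raw PEM without manual encoding when it is read with the `fileb://` prefix or when `--cli-binary-format raw-in-base64-out` is set.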