Description
Steps to Reproduce
I am trying to apply the first example from the `step ca provisioner update` docs in a minimal test environment:

> Update a JWK provisioner with newly generated keys and a template for x509 certificates:
>
> ```
> step ca provisioner update cicd --create --x509-template ./templates/example.tpl
> ```

- Start a `step-ca` container:

  ```
  $ docker run --rm -it --name step-ca-test \
      -p 9000:9000 \
      -e "DOCKER_STEPCA_INIT_NAME=Test" \
      -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
      smallstep/step-ca
  ```

- In a second terminal, bootstrap `step-cli` (after backing up any previous configuration) and create a new provisioner:

  ```
  $ step-cli ca bootstrap --ca-url https://localhost:9000 --fingerprint <ca-fp> --force
  $ docker exec -it step-ca-test bash -c "echo hello > /tmp/password"
  $ docker exec -it step-ca-test step ca provisioner add test --type JWK --create --password-file /tmp/password
  ✔ CA Configuration: /home/step/config/ca.json
  Success! Your `step-ca` config has been updated. To pick up the new configuration SIGHUP (kill -1 <pid>) or restart the step-ca process.
  $ docker exec -it step-ca-test pgrep step-ca
  1
  $ docker exec -it step-ca-test kill -1 1
  ```

- Attempt to recreate the provisioner's keys:

  ```
  docker exec -it step-ca-test step ca provisioner update test --create --password-file /tmp/password
  ```

Your Environment

OS: Arch

Step CLI:

```
$ step cli version
Smallstep CLI/0.25.0 (linux/amd64)
Release Date: 2023-09-27
```

Step CA: 0.25.0
Expected Behavior
The provisioner gets updated with a newly generated key.
Actual Behavior
Updating the JWK provisioner fails with this error message:
```
docker exec -it step-ca-test step ca provisioner update test --create --password-file /tmp/password
✔ CA Configuration: /home/step/config/ca.json
error updating provisioner: error updating provisioner 'test' in authority cache: provisioner test:xlByq2UljmiUvKkhL_yg0dOd8ueVBWhoMJBoSVTAifc not found
```

Additional Context
I tried looking for information about the authority cache mentioned in the error message, but couldn't find anything in the issues/docs.
I also tried rekeying a provisioner on a long-running step-ca instance but got the same result (though that instance is still on 0.23.2, so it's a little behind).
I'm happy to provide additional details if needed.
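A diagnostic check added here as a worked example; it is not part of the report above and not step-ca or step-cli code. The error identifies the provisioner as `name:kid`, where `kid` is the key ID the CLI found in `ca.json`, while the running CA publishes the provisioners it has actually loaded at the `/provisioners` endpoint. Comparing the two tells you whether the live authority holds the same JWK as the configuration on disk. The response embedded below is a constructed sample in the shape of that endpoint (the `kid` value `constructed-kid-0001` is invented, the other field values are placeholders), not captured output; the real one can be fetched with something like `curl --cacert "$(step path)/certs/root_ca.crt" https://localhost:9000/provisioners` after bootstrapping, which is an assumed invocation for this setup.

```python
import json
import re

# Shape of the authority-cache error quoted in the report:
#   ... provisioner <name>:<kid> not found
NOT_FOUND_RE = re.compile(r"provisioner (?P<name>[^:\s]+):(?P<kid>\S+) not found")

# Error text copied from the report.
ERROR_TEXT = (
    "error updating provisioner: error updating provisioner 'test' in "
    "authority cache: provisioner test:xlByq2UljmiUvKkhL_yg0dOd8ueVBWhoMJBoSVTAifc not found"
)

# Constructed sample of a /provisioners response (one page, one JWK provisioner).
# The kid deliberately differs from the one in ERROR_TEXT; x, y and encryptedKey
# are placeholders, not real key material.
SAMPLE_RESPONSE = json.dumps({
    "provisioners": [
        {
            "type": "JWK",
            "name": "test",
            "key": {
                "use": "sig",
                "kty": "EC",
                "kid": "constructed-kid-0001",
                "crv": "P-256",
                "alg": "ES256",
                "x": "placeholder-x",
                "y": "placeholder-y",
            },
            "encryptedKey": "placeholder-jwe",
        }
    ],
    "nextCursor": "",
})


def parse_not_found(error_text: str):
    """Return (name, kid) from the 'provisioner name:kid not found' error, or None."""
    m = NOT_FOUND_RE.search(error_text)
    return (m.group("name"), m.group("kid")) if m else None


def live_kids(provisioners_json: str) -> dict:
    """Map provisioner name -> key ID for the JWK provisioners in a /provisioners page."""
    body = json.loads(provisioners_json)
    kids = {}
    for prov in body.get("provisioners", []):
        if prov.get("type") == "JWK":
            kids[prov["name"]] = prov["key"]["kid"]
    return kids


def diagnose(error_text: str, provisioners_json: str) -> str:
    """Compare the kid named in the error with what the running CA serves.

    Returns one of:
      no-authority-cache-error           - the text is not this error
      provisioner-absent-from-running-ca - the running CA lists no JWK provisioner of that name
      kid-matches-running-ca             - the live authority serves exactly this kid
      kid-differs-from-running-ca        - same name, different key loaded in the running CA
    """
    parsed = parse_not_found(error_text)
    if parsed is None:
        return "no-authority-cache-error"
    name, kid = parsed
    live = live_kids(provisioners_json)
    if name not in live:
        return "provisioner-absent-from-running-ca"
    if live[name] == kid:
        return "kid-matches-running-ca"
    return "kid-differs-from-running-ca"


if __name__ == "__main__":
    print(parse_not_found(ERROR_TEXT))
    print(diagnose(ERROR_TEXT, SAMPLE_RESPONSE))
```

The result only says whether the identifier in the error and the running CA agree; it does not by itself explain why they differ. If the endpoint returns a non-empty `nextCursor`, the listing is paginated and the remaining pages must be fetched before concluding that a provisioner is absent.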