Conversation

@maraino maraino commented Nov 11, 2025

The ACME-DA flow in the `step ca certificate` command expects all KMS parameters to be provided through the `--attestation-uri` flag. Using the `--kms` flag at the same time can lead to errors. For example, if the YubiKey PIN is set with the `--kms` flag, the flow will ignore it and use the default one instead, resulting in a PIN retry error.

Fixes #1492
@github-actions github-actions bot added the `needs triage` label (Waiting for discussion / prioritization by team) Nov 11, 2025
@maraino maraino requested review from dopey and hslatman and removed request for dopey November 11, 2025 22:14
@hslatman hslatman left a comment

Change looks OK.

Is it possible the behavior changed at some point? I remember we've done some changes to KMS URI parsing and using the KMS plugin, and things like that. Carl's blog does show the pin-value being set through --kms: https://smallstep.com/blog/access-your-homelab-anywhere/#testing-it-out, so presumably it worked like that at some point, and is why #1492 happened.

@hslatman hslatman added this to the v0.28.8 milestone Nov 12, 2025
@hslatman

@tashian ☝️


maraino commented Nov 12, 2025

I haven't seen any use of `--kms`, at least in the history of acmeutils.go; we might have been using a YubiKey with the default PIN.

@maraino maraino merged commit 142c0b1 into master Nov 12, 2025
16 of 18 checks passed
@maraino maraino deleted the mariano/fix-1492 branch November 12, 2025 19:17
Successfully merging this pull request may close these issues.

[Bug]: Trying to following the mTLS YubiKey tutorial