
tctl and webapi auth export commands fail with multiple active CAs #35444

Open
programmerq opened this issue Dec 6, 2023 · 2 comments
Assignees
Labels
bug c-vdc Internal Customer Reference

Comments

@programmerq
Contributor

Expected behavior:

When using tctl auth export --type windows or accessing https://<proxy_address>/webapi/auth/export?type=windows, even when two active CAs of type 'user' are present, the export should handle and allow for exporting each CA.

Current behavior:

Executing tctl auth export --type windows or accessing the webapi endpoint when two active CAs of type 'user' are present results in an error: expected one TLS key pair, got 2. This prevents exporting the necessary certificates for external service configuration, such as Windows service integration.

Bug details:

  • Teleport version: 14.1.0
  • Recreation steps:
    1. Setup Teleport with HSM and ensure two active CAs of type 'user' are present.
    2. Attempt to export the 'user' type CA using tctl auth export --type windows.
    3. Alternatively, attempt to export the CA through the webapi endpoint https://<proxy_address>/webapi/auth/export?type=windows.
  • Debug logs:
    % tctl -d auth export --type windows
    2023-12-05T22:01:51Z DEBU [SQLITE]    Connected to: file:/var/lib/teleport/proc/sqlite.db?_busy_timeout=10000&_sync=FULL&_txlock=immediate, poll stream period: 1s lite/lite.go:254
    2023-12-05T22:01:51Z DEBU [SQLITE]    journal_mode=delete, synchronous=2, busy_timeout=10000 lite/lite.go:305
    2023-12-05T22:01:51Z DEBU             Connecting to: [{0.0.0.0:3025 tcp }]. authclient/authclient.go:61
    ERROR REPORT:
    Original Error: *trace.BadParameterError expected one TLS key pair, got 2
    Stack Trace:
            github.com/gravitational/teleport/lib/client/ca_export.go:257 github.com/gravitational/teleport/lib/client.exportTLSAuthority
            github.com/gravitational/teleport/lib/client/ca_export.go:126 github.com/gravitational/teleport/lib/client.exportAuth
            github.com/gravitational/teleport/lib/client/ca_export.go:75 github.com/gravitational/teleport/lib/client.ExportAuthorities
            github.com/gravitational/teleport/tool/tctl/common/auth_command.go:215 github.com/gravitational/teleport/tool/tctl/common.(*AuthCommand).ExportAuthorities
            github.com/gravitational/teleport/tool/tctl/common/auth_command.go:170 github.com/gravitational/teleport/tool/tctl/common.(*AuthCommand).TryRun
            github.com/gravitational/teleport/tool/tctl/common/tctl.go:224 github.com/gravitational/teleport/tool/tctl/common.TryRun
            github.com/gravitational/teleport/tool/tctl/common/tctl.go:98 github.com/gravitational/teleport/tool/tctl/common.Run
            github.com/gravitational/teleport/e/tool/tctl/main.go:20 main.main
            runtime/proc.go:267 runtime.main
            runtime/asm_amd64.s:1650 runtime.goexit
    User Message: expected one TLS key pair, got 2
@programmerq programmerq added the bug label Dec 6, 2023
@programmerq
Contributor Author

I was able to find the following workaround in case anyone else runs into this when setting up Desktop Access with Active Directory:

tctl get cert_authority - this will dump all the cert authorities on this auth service, even if there are multiple of the same type.

For the cert authorities of type user, there will be a tls section:

  spec:
    active_keys:
      tls:
      - public_key: c3N...
      - cert: LS0tL...

The cert field is what you want. base64 decode that value, and you will be left with an x509 PEM formatted cert.

To convert that to DER format, to match what the tctl auth export --type windows does for you:

openssl x509 -in user.pem -inform PEM -outform DER -out windows.cer

If those two certificate authorities are at all different, you will want to import both during the setup step for importing the cert during desktop access setup.

tctl auth export appends a newline at the end of its output, but the OpenSSL command does not. This should not pose a problem, but you can append a newline to make it match.

@GavinFrazar
Contributor

During CA rotation there are additional trusted keys that (imo) should also be exported, but we only export a single active key.
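The following stdlib-only Python script is an added illustration, not part of Teleport and not code from either commenter. It automates the workaround from the earlier comment (pull every TLS `cert` out of the `user` cert authorities, base64-decode it, convert the PEM to DER) and, following the point above about rotation, also walks the keys a CA trusts in addition to its active ones. Assumptions: it reads `tctl get cert_authority --format=json` from stdin as a JSON array whose objects mirror the YAML shown in the issue (`spec.type`, `spec.active_keys.tls[].cert` holding a base64-encoded PEM certificate); the field name `additional_trusted_keys` for the rotation keys is assumed; the `<name>-<key set>-<index>.cer` filenames are the script's own choice; the sample input is constructed, not captured from a cluster.

```python
"""Export every TLS CA certificate of Teleport 'user' cert authorities as DER (.cer) files.

Unlike `tctl auth export --type windows`, it does not stop with
"expected one TLS key pair, got 2"; each key pair becomes its own file.
"""
import base64
import json
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: bytes) -> bytes:
    """Same result as `openssl x509 -inform PEM -outform DER`: strip the armour lines
    and base64-decode the body. Raises ValueError when no CERTIFICATE block exists."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = b"".join(match.group(1).split())  # drop the line breaks inside the body
    return base64.b64decode(body, validate=True)


def tls_certs(resources, ca_type="user", include_additional_trusted=True):
    """Yield (ca_name, key_set, index, pem_bytes) for every TLS cert of the given CA type.

    key_set is "active_keys" or "additional_trusted_keys"; the latter field name is an
    assumption about how the keys trusted during rotation are represented."""
    key_sets = ["active_keys"]
    if include_additional_trusted:
        key_sets.append("additional_trusted_keys")
    for res in resources:
        if res.get("kind") != "cert_authority":
            continue
        spec = res.get("spec", {})
        if spec.get("type") != ca_type:
            continue
        name = res.get("metadata", {}).get("name", "unnamed")
        for key_set in key_sets:
            pairs = spec.get(key_set, {}).get("tls") or []
            for i, pair in enumerate(pairs):
                cert_b64 = pair.get("cert")
                if not cert_b64:
                    continue  # an SSH-only or key-only entry carries no TLS cert
                yield name, key_set, i, base64.b64decode(cert_b64)


def export_windows_cer(resources, append_newline=False):
    """Return {filename: der_bytes} for all matching certs. append_newline=True adds the
    trailing newline the issue says `tctl auth export` emits, for byte-exact parity."""
    out = {}
    for name, key_set, i, pem in tls_certs(resources):
        der = pem_to_der(pem)
        if append_newline:
            der += b"\n"
        out[f"{name}-{key_set}-{i}.cer"] = der
    return out


def constructed_sample():
    """Constructed input (not from a real cluster): one user CA with two active TLS key
    pairs, which is exactly the "got 2" situation in the issue, plus a host CA to skip.
    The 'certificates' are tiny DER SEQUENCEs rather than real X.509 certs."""

    def pair(der_bytes):
        pem = (b"-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(der_bytes)
               + b"-----END CERTIFICATE-----\n")
        return {"cert": base64.b64encode(pem).decode()}

    def ca(name, ca_type, *ders):
        return {"kind": "cert_authority", "metadata": {"name": name},
                "spec": {"type": ca_type,
                         "active_keys": {"tls": [pair(d) for d in ders]}}}

    return [
        ca("example.com", "user", b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"),
        ca("example.com", "host", b"\x30\x03\x02\x01\x03"),
    ]


if __name__ == "__main__":
    resources = json.load(sys.stdin)
    if isinstance(resources, dict):
        resources = [resources]
    for fname, der in export_windows_cer(resources).items():
        with open(fname, "wb") as fh:
            fh.write(der)
        print(fname)
```

Usage is `tctl get cert_authority --format=json | python3 export_user_cas.py`, after which each `.cer` can be imported during the Desktop Access setup step; with more than one active key pair, import all of them, as the workaround comment notes.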


5 participants