[Bug]: citrixadc_sslvserver_sslcertkey_binding error for SNICert: 1093 Argument pre-requisite missing [ocspCheck, CA]

[yakyouk]

Terraform Core Version

1.11.4

citrixadc Provider Version

1.43.1

Operating system

Windows 11

Affected Resource(s)

citrixadc_sslvserver_sslcertkey_binding

Equivalent NetScaler CLI Command

bind ssl vserver cs-api.example.com_https -certkeyName api.example.com_26 -SNICert
unbind ssl vserver cs-api.example.com_https -certkeyName api.example.com_26 -SNICert

Expected Behavior

the binding gets created/deleted correctly

Actual Behavior

Unbinding gives error: Error: [INFO] delete failed: 400 Bad Request ({ "errorcode": 1093, "message": "Argument pre-requisite missing [ocspCheck, CA]", "severity": "ERROR" })
Running the un/binding command manually with flag -ocspCheck Optional/Mandatory produces the same error.

This is because a SNI-enabled cert cannot be ocsp or CA, so when SNICert is set, Netscaler does not accept other flags. -> Other flags should only be passed conditionally.

Relevant Error/Panic Output Snippet

citrixadc_sslvserver_sslcertkey_binding.cert_bindings_fqdn["api.example.com"]: Creating...

Error: [ERROR] nitro-go: Failed to update resource of type sslvserver_sslcertkey_binding,  err=failed: 400 Bad Request ({ "errorcode": 1093, "message": "Argument pre-requisite missing [ocspCheck, CA]", "severity": "ERROR" })

with citrixadc_sslvserver_sslcertkey_binding.cert_bindings_fqdn["api.example.com"],
on main.tf line 562, in resource "citrixadc_sslvserver_sslcertkey_binding" "cert_bindings_fqdn":
562: resource "citrixadc_sslvserver_sslcertkey_binding" "cert_bindings_fqdn" {

Terraform Configuration Files

resource "citrixadc_sslvserver_sslcertkey_binding" "cert_bindings_fqdn" {
  for_each = local.map_fqdn
  vservername = citrixadc_csvserver.cs_vserver.name
  certkeyname = citrixadc_sslcertkey.cert[each.key].certkey
  ca = false
  snicert = true
}

Steps to Reproduce

Create a citrixadc_sslvserver_sslcertkey_binding, passing ocspcheck
OR
Create a citrixadc_sslvserver_sslcertkey_binding withoutocspcheck, then try to delete it

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

[rein-tollevik]

I assume this issue was raised as a result of your comment to my #1252 bug report. And I do not believe the conclusion that snicert cannot be used with ocsp or ca is entirely complete. From my understanding, ocsp is only meaningfull for ca certificates, which I guess is why the vpx require ca when ocsp is specified. And snicert is probably not meaningful for ca certificates.

The fix in the provider should then be to ignore or refuse an ocsp value for non-ca certificates, whether snicert or not is enabled doesn't matter. And similarly ignore or refuse snicert for ca certificates. And it must always silently ignore an ocsp (or snicert) value received from the vpx for the cases where they should not be allowed.

Alternatively, the provider can simply pass the ca=false value in the api call as I suggest in #1252. The above fix should be preferred though, as the need to sometimes specify ocsp with ca=false for the corner case I stumbled upon is confusing.

It is probably a vpx bug that it require ca to be specified when ocsp is specified, but accepts a false ca value. That ocsp is returned by the vpx for non-ca certificates with snicert enablet, when a ca certificate is also bound, is another vpx bug. But fixing the vpx bugs will not solve the provider problem for older vpx releases.

[yakyouk]

The word "missing" in the error message is misleading - that error is not worded correctly. The error happens because those flags are present when they should not.

I tried calling unbind on the appliance - which you can try too. Passing flag -snicert together with -ca or -ocspcheck flags will cause the exact same error.
Same thing via the Nitro api: passing ca=false and ocspcheck=Optional (defaults) will fail too.

Generalizing the issue, it means the provider should conditionally pass only certain flags to the underlying api, omitting incompatible ones altogether. For example:

• if snicert=true, only pass snicert=true, do not pass ca at all, not even ca=false;
• if ca=true, do not pass snicert at all, etc.

Currently the provider always passes all flags - with defaults for those not provided in the plan.