encrypted key with kid was not found [!help]

[SpiderUnderUrBed]

Hi! I am trying to set up step-ca for my homelab, I have been trying to use ansible but the issue IS NOT ANSIBLE RELATED, I am having difficulty adding a jwk provider, my ansible config will manually add the entry to my providers array in ca.json by running:
step crypto jwk create ...
I also tried doing the more proper way of using the command to add the jwk provider, however when i try to make a cert, it says kid is not found, i am not having any better luck with ACME either, and on the client side it says:
The requested resource could not be found. Please see the certificate authority logs for more info.

Refering to the encrypted key given by the kid,

Here is my ca.json:
https://pastebin.com/KbvwDCGT

Ansible configuration:
https://pastebin.com/WrxKidLG

Running step-ca (without ansible)

`spiderunderurbed@raspberrypi:~/ansible/step-ca $ sudo STEPDEBUG=1  step-ca --password-file /home/spiderunderurbed/ansible/step-ca/certs/intermediate_password.txt ca.json
2024/05/28 17:02:05 Building new tls configuration using step-ca x509 Signer Interface
2024/05/28 17:02:05 Starting Smallstep CA/0.26.1 (linux/arm64)
2024/05/28 17:02:05 Documentation: https://u.step.sm/docs/ca
2024/05/28 17:02:05 Community Discord: https://u.step.sm/discord
2024/05/28 17:02:05 Config file: ca.json
2024/05/28 17:02:05 The primary server URL is https://localhost:9000
2024/05/28 17:02:05 Root certificates are available at https://localhost:9000/roots.pem
2024/05/28 17:02:05 X.509 Root Fingerprint: 430160b6a8a710d4d8d3808a591f8cd7c244a2d545a5fec167a470baecf12a60
2024/05/28 17:02:05 Serving HTTPS on :9000 ...
INFO[0011]                                               duration="519.75µs" duration-ns=519750 fields.time="2024-05-28T17:02:16+12:00" method=GET name=ca path="/provisioners?limit=100" protocol=HTTP/2.0 referer= remote-address="::1" request-id=af663fb6-2397-41fd-a150-f402e71a5cf4 size=676 status=200 user-agent="Smallstep CLI/0.26.1 (linux/amd64)" user-id=
WARN[0011]                                               duration="303.272µs" duration-ns=303272 error="encrypted key with kid 7SGIkZbTLUzPwz6UKCXJv6UyKm1b31SvABgsK0em20Q was not found" fields.time="2024-05-28T17:02:17+12:00" method=GET name=ca path=/provisioners/7SGIkZbTLUzPwz6UKCXJv6UyKm1b31SvABgsK0em20Q/encrypted-key protocol=HTTP/2.0 referer= remote-address="::1" request-id=afccf14b-2990-46ac-8fa8-28ea7032ace3 size=127 status=404 user-agent="Smallstep CLI/0.26.1 (linux/amd64)" user-id=

Client side certificate generation, (without ansible)

`spiderunderurbed@raspberrypi:~/ansible/step-ca $ sudo STEPDEBUG=1 step ca certificate --provisioner [email protected] spidershomelab.net /home/spiderunderurbed/ansible/step-ca/spidershomelab/spidershomelab.crt /home/spiderunderurbed/ansible/step-ca/spidershomelab/spidershomelab.key --ca-url=https://localhost:9000 --root=/home/spiderunderurbed/ansible/step-ca/certs/root_ca.crt
✔ Provisioner: [email protected] (JWK) [kid: 7SGIkZbTLUzPwz6UKCXJv6UyKm1b31SvABgsK0em20Q]
The requested resource could not be found. Please see the certificate authority logs for more info.

The requested resource could not be found. Please see the certificate authority logs for more info.`

If there are any extra logs or info needed, i would be happy to give, the domain i am trying to certify for my homelab is, spidershomelab.net

[hslatman]

Hey @SpiderUnderUrBed, in your Ansible config you calculate the provisioner_enckey_value, but it doesn't seem to be set in the ca.json. It'll need to go into a property like this "encryptedKey": <provisioner_enckey_value> in the JWK provisioner (at the same level as the "key" object; not within it).

[SpiderUnderUrBed]

This is actually the issue i stumbled upon, I was worried it was unrelated, encrypted_key provided by private.jwk looks like this:
f8avMxP2Bdri3wI7rEDx8a6J-CjEmJdZ4bcwahRWC1qzvCXFDa4VFw

The one provided on the website as a exmaple is in this format:

eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiTlV6MjlEb3hKMVdOaFI3dUNjaGdYZyJ9.YN7xhz6RAbz_9bcuXoymBOj8bOg23ETAdmSCRyHpxGekkV0q3STYYg.vo1oBnZsZjgRu5Ln.Xop8AvZ74h_im2jxeaq-hYYWnaK_eF7MGr4xcZGodMUxp-hGPqS85oWkyprkQLYt1-jXTURfpejtmPeB4-sxgj7OFxMYYus84BdkG9BZgSBmMN9SqZItOv4pqg_NwQA0bv9g9A_e-N6QUFanxuYQsEPX_-IwWBDbNKyN9bXbpEQa0FKNVsTvFahGzOxQngXipi265VADkh8MJLjYerplKIbNeOJJbLd9CbS9fceLvQUNr3ACGgAejSaWmeNUVqbho1lY4882iS8QVx1VzjluTXlAMdSUUDHArHEihz008kCyF0YfvNdGebyEDLvTmF6KkhqMpsWn3zASYBidc9k._ch9BtvRRhcLD838itIQlw

So clearly something is wrong here, i tried adding the ciphertext but that returned with a error, so does putting the key given by private.jwk:
spiderunderurbed@raspberrypi:~/ansible/step-ca $ sudo STEPDEBUG=1 step ca certificate --provisioner [email protected] spidershomelab.net /home/spiderunderurbed/ansible/step-ca/spidershomelab/spidershomelab.crt /home/spiderunderurbed/ansible/step-ca/spidershomelab/spidershomelab.key --ca-url=https://localhost:9000 --root=/home/spiderunderurbed/ansible/step-ca/certs/root_ca.crt ✔ Provisioner: [email protected] (JWK) [kid: -rJPdpziql7w6eO6JrIF4OED6TFuu1rToHFIOvfsHus] invalid character '8' in literal false (expecting 'a')
I also tried chaining togeather all the values of my private jwk key seperated by a ., it wasnt that either.
So how should I go about obtaining the encrypted key? am i using the wrong algorithim for my encryptedKey?

[hslatman]

After generation of the JWK, you can reformat the private key in /home/spiderunderurbed/ansible/step-ca/certs/private.jwk to the compact format using step crypto jose format /home/spiderunderurbed/ansible/step-ca/certs/private.jwk. It'll be printed, so you'll have to redirect the output. That should give you a similar output as the one in the example.

[SpiderUnderUrBed]

Ah that command, step crypte jose helped! I got it all working now, i just reformatted this to a ansible block:
sudo cat /home/spiderunderurbed/ansible/step-ca/certs/private.jwk | step crypto jose format
And i got it working,

Thanks! I'll close this discussion