
Unable to upload PEM for JWT CA using UI #248

Closed
roadSurfer opened this issue Aug 14, 2023 · 5 comments · Fixed by hashicorp/vault#24697

Comments

@roadSurfer

Describe the bug
It is not possible to create a JWT authentication method that requires a JWT CA PEM to be uploaded. Probably due to new lines being stripped/incorrectly encoded and thus leading to the PEM being unreadable. This appears very similar to issue #32.

To Reproduce

  1. Navigate to authentication methods, click on "Enabled new method +", select "JWT", click on "Next", and "Enable method"
  2. On the configuration screen, set "Jwks url" and paste in the required CA PEM
  3. Click on "Save"
  4. Observe that an error is reported about jwks_ca_pem (a proper cert was used when testing):
     [screenshot of the UI error]
     and the following is shown in the logs:

2023-08-14T08:24:27.605Z [ERROR] auth.jwt.auth_jwt_3363a771: error checking jwks_ca_pem: error="could not parse CA PEM value successfully"

Expected behavior
The CA PEM to be accepted and JWT method created, just as happens when using the Vault CLI.

Environment:

  • Vault Server Version: 1.14.1
  • Vault CLI Version: 1.14.1
  • Server Operating System/Architecture: Docker image

Vault server configuration file(s):

Very crude, this is basically a blank instance:

{
	"storage": {
		"file": {
			"path": "/vault/file"
		}
	},
	"listener": [{
		"tcp": {
			"address": "0.0.0.0:8200",
			"tls_disable": true
		}
	}],
	"default_lease_ttl": "168h",
	"max_lease_ttl": "720h",
	"ui": true
}

Additional context
I could not find a workaround other than the CLI. Replacing the new lines with \n simply resulted in double escaping (\\n was transmitted) and the CA PEM remaining unreadable.

The same values work perfectly to create the JWT method when using the Vault CLI and the UI will display them. I presume the failure is caused by the input being a single line text box and not a file-upload/multi-line as with OIDC discovery CA PEM.

Also of interest is that the CLI does not seem to trigger the same validation as the UI, I was able to create a JWT authentication method with just the HTTPS URL without the required CA PEM to verify the endpoint; meaning that the configuration is invalid and will fail if an attempt is made to use it.
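The failure the reporter describes can be reproduced outside Vault, because Vault's server is written in Go and Go's encoding/pem needs real line breaks after the BEGIN line and before the END line. The following is an added example, not code from the issue or from the Vault project: it generates a throwaway self-signed CA (a stand-in for the real CA PEM a user would paste), shows that the flattened and the double-escaped (`\\n`) forms both fail exactly as the log line reports, and then applies an illustrative normalizer (the reflow routine is an assumption of this example, not Vault's actual fix) before the same strict check succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeTestCAPEM generates a throwaway self-signed CA certificate and returns it
// in PEM form. It is constructed for this example and stands in for the real
// CA PEM a user would paste into the UI.
func makeTestCAPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// parseCAPEM mirrors the strict check a Go server performs on jwks_ca_pem:
// pem.Decode returns no block when the header/footer are not on their own
// lines, which is what a single-line text box produces.
func parseCAPEM(input string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(input))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("could not parse CA PEM value successfully")
	}
	return x509.ParseCertificate(block.Bytes)
}

// normalizePastedPEM (hypothetical helper) repairs the two mangled forms from
// the report: literal backslash-n sequences (single or double escaped) and a
// body with all newlines stripped. It reflows the base64 body into 64-column
// lines between the BEGIN/END markers so encoding/pem can parse it.
func normalizePastedPEM(input string) (string, error) {
	s := strings.TrimSpace(input)
	s = strings.ReplaceAll(s, `\\n`, "\n") // double-escaped form (\\n on the wire)
	s = strings.ReplaceAll(s, `\n`, "\n")  // single-escaped form
	s = strings.ReplaceAll(s, "\r", "")
	const begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
	start, stop := strings.Index(s, begin), strings.Index(s, end)
	if start < 0 || stop < 0 || stop < start {
		return "", errors.New("input does not contain a CERTIFICATE PEM block")
	}
	body := s[start+len(begin) : stop]
	body = strings.Map(func(r rune) rune {
		if r == '\n' || r == ' ' || r == '\t' {
			return -1 // drop all whitespace so the body can be reflowed
		}
		return r
	}, body)
	var sb strings.Builder
	sb.WriteString(begin + "\n")
	for len(body) > 64 {
		sb.WriteString(body[:64] + "\n")
		body = body[64:]
	}
	sb.WriteString(body + "\n" + end + "\n")
	return sb.String(), nil
}

func main() {
	good, err := makeTestCAPEM()
	if err != nil {
		panic(err)
	}
	inputs := map[string]string{
		"original":       good,
		"flattened":      strings.ReplaceAll(good, "\n", ""),   // single-line text box
		"double-escaped": strings.ReplaceAll(good, "\n", `\\n`), // what the reporter saw transmitted
	}
	for name, in := range inputs {
		_, rawErr := parseCAPEM(in)
		fixed, _ := normalizePastedPEM(in)
		_, fixedErr := parseCAPEM(fixed)
		fmt.Printf("%-15s raw: %v | normalized: %v\n", name, rawErr, fixedErr)
	}
}
```

The normalizer is deliberately narrow: it only touches whitespace and escape sequences and leaves the base64 payload to pem.Decode and x509.ParseCertificate, so a certificate that is genuinely malformed is still rejected with the same error.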

@beatkind

beatkind commented Jan 4, 2024

Hey, is there any traction on this issue? We are having the same issue

@austingebauer
Contributor

Tagging @hashicorp/vault-ui for visibility. Thanks for the report!

@hellobontempo

@beatkind - The fix has been backported to the following minor releases: 1.13.13, 1.14.9, and 1.15.5, which should be available later this month. Please reopen this issue if for some reason the problem persists. Thank you for reporting!

@jarias-korewireless

I'm on version Vault 1.11.0 and getting this error using the API:

"error checking jwks_ca_pem: could not parse CA PEM value successfully"

Will the fix cover the API too?

@hellobontempo

@jarias-korewireless this fix was for submitting the form in the UI. If you are using the CLI or CURL that sounds like a separate issue.
