Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kola/test/locksmith: update the cert generation #237

Merged
merged 2 commits into from
Oct 4, 2021
Merged

kola/test/locksmith: update the cert generation #237

merged 2 commits into from
Oct 4, 2021

Conversation

tormath1
Copy link
Contributor

@tormath1 tormath1 commented Oct 1, 2021
edited
Loading

With OpenSSLv3, there is a tiny regression in the cert generation. The
issuer entry is modified after the check for self-signed certificate.

So it fails with:

subject=CN = localhost
Error with certificate - error 20 at depth 0
unable to get local issuer certificate
subject=CN = localhost
Error with certificate - error 21 at depth 0
unable to verify the first certificate
Error with certificate to be certified - should be self-signed

workaround is to use intermediate CSR and generate after the cert based
on this CSR and by providing the associated extension in order to not
lost the SANs.

Signed-off-by: Mathieu Tortuyaux mtortuyaux@microsoft.com

Testing done

More details here: openssl/openssl#16720
Related-to: flatcar-archive/coreos-overlay#1305

@tormath1 tormath1 requested a review from a team October 1, 2021 09:48
@tormath1 tormath1 self-assigned this Oct 1, 2021
@tormath1
kola/test/locksmith: update the cert generation
e7765ed 
With OpenSSLv3, there is a tiny regression in the cert generation. The
issuer entry is modified _after_ the check for self-signed certificate.

So it fails with:
```
subject=CN = localhost
Error with certificate - error 20 at depth 0
unable to get local issuer certificate
subject=CN = localhost
Error with certificate - error 21 at depth 0
unable to verify the first certificate
Error with certificate to be certified - should be self-signed
```

workaround is to use intermediate CSR and generate after the cert based
on this CSR and by providing the associated extension in order to not
lost the SANs.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
jepio
jepio approved these changes Oct 4, 2021
View reviewed changes
Copy link
Member

@jepio jepio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good and thanks for reporting upstream

@tormath1
changelog: add entry
cbe4d43 
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 force-pushed the tormath1/opensslv3-workaround branch from ebc2cda to cbe4d43 Compare October 4, 2021 08:54
@tormath1 tormath1 merged commit a3866dc into flatcar-master Oct 4, 2021
@tormath1 tormath1 deleted the tormath1/opensslv3-workaround branch October 4, 2021 09:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jepio jepio jepio approved these changes

Assignees

@tormath1 tormath1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tormath1 @jepio