Example in readme does not work with default config

Bug #1437703 reported by Doug Chivers
This bug affects 1 person
Affects: Anchor
Status: Fix Released
Importance: High
Assigned to: Stanislaw Pitucha
Milestone: (none)

Bug Description

The example given in the readme to issue a certificate using the test CRL does not work because it fails network validation using the default config:

"Now generate a valid CSR
that should pass validation and check that it is issued, by specifying a
common name of 'anchor-test.example.com' when prompted:

    openssl req -text -newkey rsa:4096 -nodes \
    -out anchor-test.example.com.csr

    curl http://127.0.0.1:5000/sign -F user='woot' -F secret='woot' \
    -F encoding=pem -F 'csr=<anchor-test.example.com.csr'

If Anchor is correctly configured, the CA will return a certificate."

This fails the network validation stage for common_name:

    2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] validate_csr: checking default
    2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name with args: {u'allowed_domains': [u'.example.com']}
    2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name
    2015-03-28 19:45:10,713 WARNI [anchor.validators][94526/MainThread] No valid network IP ranges were given, skipping
    2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: success

    ...

    2015-03-28 19:45:10,714 DEBUG [anchor.certificate_ops][94526/MainThread] validate_csr: checking ip
    2015-03-28 19:45:10,715 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name with args: {u'allowed_networks': [u'127.0.0.0/8']}
    2015-03-28 19:45:10,715 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name
    2015-03-28 19:45:10,715 ERROR [anchor.certificate_ops][94526/MainThread] _run_validator: validation failed Domain 'anchor-test.example.com' not allowed (doesn't match known domains (.example.com]) or networks(127.0.0.0/8))
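
A small triage helper for the debug log quoted in the bug description, added here as an example and not part of Anchor or of the original report: it groups the `_run_validator` lines by validator set and reports which set and arguments rejected the CSR. The function names and regular expressions are assumptions derived only from the log lines shown above.

```python
import ast
import re

# Debug-log lines copied from the bug description above.
SAMPLE_LOG = """
2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] validate_csr: checking default
2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name with args: {u'allowed_domains': [u'.example.com']}
2015-03-28 19:45:10,713 WARNI [anchor.validators][94526/MainThread] No valid network IP ranges were given, skipping
2015-03-28 19:45:10,713 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: success
2015-03-28 19:45:10,714 DEBUG [anchor.certificate_ops][94526/MainThread] validate_csr: checking ip
2015-03-28 19:45:10,715 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name with args: {u'allowed_networks': [u'127.0.0.0/8']}
2015-03-28 19:45:10,715 DEBUG [anchor.certificate_ops][94526/MainThread] _run_validator: checking common_name
2015-03-28 19:45:10,715 ERROR [anchor.certificate_ops][94526/MainThread] _run_validator: validation failed Domain 'anchor-test.example.com' not allowed (doesn't match known domains (.example.com]) or networks(127.0.0.0/8))
"""

# Assumed line layout: "<date> <time> <LEVEL> [<logger>][<pid>/<thread>] <message>"
LINE = re.compile(r"^\S+ \S+ \w+\s+\[[^\]]+\]\[[^\]]+\] (?P<msg>.*)$")
SET = re.compile(r"validate_csr: checking (\S+)$")
RUN = re.compile(r"_run_validator: checking (\w+) with args: (.+)$")
FAIL = re.compile(r"_run_validator: validation failed (.+)$")

def validator_results(log_text):
    """Return one dict per validator run: set, validator, args, ok, reason."""
    results, current_set, run = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and "..." elisions
        msg = m.group("msg")
        if (s := SET.match(msg)):
            current_set = s.group(1)  # name of the validator set being checked
        elif (r := RUN.match(msg)):
            # args are logged as a Python dict repr; parse without eval()
            run = {"set": current_set, "validator": r.group(1),
                   "args": ast.literal_eval(r.group(2)), "ok": None, "reason": None}
            results.append(run)
        elif run is not None and msg == "_run_validator: success":
            run["ok"] = True
        elif run is not None and (f := FAIL.match(msg)):
            run["ok"], run["reason"] = False, f.group(1)
    return results

def rejecting_runs(log_text):
    """Validator runs that failed, i.e. the sets that blocked issuance."""
    return [r for r in validator_results(log_text) if r["ok"] is False]

if __name__ == "__main__":
    for r in rejecting_runs(SAMPLE_LOG):
        print(r["set"], r["validator"], r["args"], r["reason"])
```

Run against the sample, it shows the `default` set accepting the common name and the `ip` set, configured only with `allowed_networks`, rejecting it.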

Tim Kelsey (tim-kelsey) wrote :

OK, I have reproduced this. I will fix the default configuration.

Changed in anchor:
assignee: nobody → Tim Kelsey (tim-kelsey)
Changed in anchor:
importance: Undecided → High
status: New → Confirmed
Stanislaw Pitucha (stanislaw-pitucha) wrote :

I'm writing the new README / docs right now. I'll make sure the config is in line with the docs / getting started section.

Changed in anchor:
assignee: Tim Kelsey (tim-kelsey) → Stanislaw Pitucha (stanislaw-pitucha)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to anchor (master)

Fix proposed to branch: master
Review: https://review.openstack.org/190503

Changed in anchor:
status: Confirmed → In Progress
Changed in anchor:
status: In Progress → Fix Committed
Changed in anchor:
status: Fix Committed → Fix Released