ETCD server certificate incorrectly created
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | João Victor Portal | 
Bug Description
Brief Description
-----------------
ETCD endpoint is unreachable due to an erroneous ETCD server certificate.
Server cert seems to be missing keyEncipherment:
X509v3 extensions:
X509v3 Subject Alternative Name:
X509v3 Key Usage:
X509v3 Basic Constraints: critical
Severity
--------
Minor
Steps to Reproduce
------------------
Run curl command to hit etcd listen client endpoint
curl --cert /etc/etcd/
curl --cacert /etc/etcd/ca.crt --cert /etc/etcd/
Expected Behavior
------------------
The secured endpoint should be accessible and health check result should be returned
Actual Behavior
----------------
Certificate error message is received:
Password:
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Reproducibility
---------------
100% reproducible
System Configuration
--------------------
All
Branch/Pull Time/Commit
-----------------------
N/A.
Last Pass
---------
N/A.
Timestamp/Logs
--------------
curl --cacert /etc/etcd/ca.crt --cert /etc/etcd/
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Test Activity
-------------
N/A
Workaround
----------
Run curl command with -k
curl -k --cacert /etc/etcd/ca.crt --cert /etc/etcd/
tags: added: stx.security
Changed in starlingx:
status: Fix Committed → In Progress
Screening: This doesn't appear to have an end user impact, but should be cleaned up in the stx master branch. It should be an easy fix.
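The failure in this report is a server certificate whose X509v3 Key Usage lacks keyEncipherment, which a client rejects with "certificate key usage inadequate". The following Go program is an added example, not StarlingX or etcd code, that checks a parsed leaf certificate for the key-usage bits and extended key usage a TLS server with an RSA key needs; SelfSigned builds a constructed throwaway certificate so the check can be run without reading anything from /etc/etcd.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckServerCert reports why a TLS server certificate with an RSA key would fail a
// client's key-usage check: keyEncipherment, digitalSignature and the serverAuth EKU.
func CheckServerCert(cert *x509.Certificate) []string {
	var problems []string
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		problems = append(problems, "missing keyEncipherment in X509v3 Key Usage")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "missing digitalSignature in X509v3 Key Usage")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		problems = append(problems, "missing serverAuth in X509v3 Extended Key Usage")
	}
	return problems
}

// SelfSigned builds a constructed, self-signed RSA certificate carrying the given key-usage bits.
func SelfSigned(ku x509.KeyUsage) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	// Mirrors the reported certificate: digitalSignature set, keyEncipherment absent.
	fmt.Println(CheckServerCert(SelfSigned(x509.KeyUsageDigitalSignature)))
}
```

To check a deployed certificate instead, decode the PEM file with encoding/pem and x509.ParseCertificate and pass the result to CheckServerCert.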