certificate checks do not detect intermediate CA expiration
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| charm-openstack-service-checks | Fix Released | High | Unassigned | |
Bug Description
I have discovered it is possible for both the CA and the server cert to be valid and pass checks, but an intermediate cert to be expired, causing the chain of trust to be broken.
$ date
Fri Aug 21 14:15:10 UTC 2020
Here is a simple failure to pull versions for the keystone API:
$ curl --cacert $OS_CACERT https:/
curl: (60) SSL certificate problem: certificate has expired
If I inspect both the CA and the server certs, they're both valid on the above-noted date:
$ openssl x509 -in $OS_CACERT -noout -enddate
notAfter=Dec 31 23:59:59 2030 GMT
$ juju config keystone ssl_ca | base64 -d | openssl x509 -noout -enddate
notAfter=Dec 31 23:59:59 2030 GMT
$ juju config keystone ssl_cert | base64 -d | openssl x509 -noout -enddate
notAfter=Jun 23 23:59:59 2021 GMT
This command returns the specific error to STDERR showing the intermediate cert being expired:
$ echo / |openssl s_client -showcerts -servername keystone.mysite.com -connect keystone.
depth=3 C = CTRY, O = SOME_ORG, OU = SOME OU OR ANOTHER, CN = SOME External CA Root
verify error:num=
notAfter=May 30 10:48:38 2020 GMT
DONE
Unfortunately, when I start walking the certs up the issuer path, I'm only able to find certs expiring well into 2028 and later, so I'm not sure where this intermediate cert that's expired is coming from, unless it's flowing through a proxy.
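The check this report is asking for, as an added example that is not part of the bug or the charm's code: walk every certificate in a PEM bundle (such as the chain dumped by `openssl s_client -showcerts`) and report any whose validity does not cover the check time, so an expired intermediate is caught even when the leaf and the root both look fine. It uses only the standard library; `fake_cert` builds a constructed DER skeleton (not real certificates) that stands in for the leaf, intermediate and root dates from the report.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def _tlv(buf, pos):                                 # minimal DER reader: (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                 # UTCTime: per RFC 5280, YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """(notBefore, notAfter) of one DER certificate, walking tbsCertificate field by field."""
    _, p, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                          # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                              # optional [0] EXPLICIT version
        _, _, p = _tlv(der, p)
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                          # validity SEQUENCE
    t1, s1, e1 = _tlv(der, p)
    t2, s2, e2 = _tlv(der, e1)
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def expired_in_chain(pem, now):
    """(index, notAfter) of every cert in the PEM bundle whose validity does not cover `now`."""
    bad = []
    for i, m in enumerate(PEM_RE.finditer(pem)):
        not_before, not_after = validity(base64.b64decode("".join(m.group(1).split())))
        if not not_before <= now <= not_after:      # an expired intermediate is reported like any other
            bad.append((i, not_after))
    return bad
def _der(tag, body):                                # short-form DER encoder, for the constructed sample only
    return bytes([tag, len(body)]) + body
def fake_cert(not_after):
    """Constructed DER skeleton with only the fields validity() walks; not a real certificate."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after)))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
# Constructed chain mirroring the report: leaf valid to 2021, intermediate expired 30 May 2020, root to 2030.
SAMPLE_CHAIN = fake_cert(b"210623235959Z") + fake_cert(b"200530104838Z") + fake_cert(b"301231235959Z")
SAMPLE_NOW = datetime(2020, 8, 21, 14, 15, 10, tzinfo=timezone.utc)
```

`expired_in_chain(SAMPLE_CHAIN, SAMPLE_NOW)` returns only the intermediate (index 1, notAfter 2020-05-30), which is exactly the cert a leaf-plus-root check misses.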
Related branches
- 🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
- Robert Gildein: Approve
- Erhan Sunar (community): Approve
- Martin Kalcok: Pending requested
- BootStack Reviewers: Pending requested
- Diff: 7086 lines (+6960/-65), 4 files modified:
  - src/files/plugins/check_ssl_cert (+6551/-0)
  - src/lib/lib_openstack_service_checks.py (+89/-65)
  - src/tests/unit/conftest.py (+56/-0)
  - src/tests/unit/test_lib.py (+264/-0)
Changed in charm-openstack-service-checks:
- status: New → Confirmed
- importance: Undecided → High
- tags: added bseng-336
Changed in charm-openstack-service-checks:
- status: Confirmed → Fix Committed
Changed in charm-openstack-service-checks:
- milestone: none → 23.01
Changed in charm-openstack-service-checks:
- status: Fix Committed → Fix Released
This was related to Comodo self-signed cert CA expiration.
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020