ca-certs does not work as expected if multiple certificates are provided

Bug #1931174 reported by Noah Meyerhans
Affects: cloud-init
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Forwarded from https://bugs.debian.org/989575

From the original report:
    I use "ca-certs" to supply additional certificates. With just one
    certificate everything works as expected, however when provided
    more than one, cloud-init adds them into a single file which causes
    "openssl rehash" to fail as it expects exactly one certificate per
    file. As a result programmes using openssl do not trust
    certificates issued by provided CAs.

The issue was reported against 20.2, but I have confirmed that the behavior is unchanged in 21.2.

One possible approach to the solution would be to store each certificate individually in files named something like cloud-init-ca-cert-0.pem, cloud-init-ca-cert-1.pem, etc.

Note that this breaks certificate usage only when performing verification using openssl's path-based verification functionality. Since all certificates in /etc/ssl/certs/ are concatenated into /etc/ssl/certs/ca-certificates.pem, that file can still be used to perform file-based verification. (See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html for a description of these two modes, if you're not familiar.)
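Added example, not part of this report and not cloud-init's own code: it splits a supplied PEM bundle into one file per certificate, using the cloud-init-ca-cert-N.pem naming proposed above, and checks that each resulting file holds exactly one certificate (the condition the report says "openssl rehash" requires). The prefix, the `split_pem_bundle`/`write_individual_certs`/`check_one_cert_per_file` names and the sample bundle are assumptions; the sample bodies are placeholders, not real certificates.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# One PEM certificate block, BEGIN line through END line (non-greedy so
# adjacent blocks in a concatenated bundle are matched separately).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every PEM certificate block in `bundle` as its own string."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(bundle)]


def count_certs(text: str) -> int:
    """Number of PEM certificate blocks in `text`."""
    return len(PEM_CERT_RE.findall(text))


def write_individual_certs(bundle: str, directory: str,
                           prefix: str = "cloud-init-ca-cert-") -> List[str]:
    """Write one file per certificate (prefix0.pem, prefix1.pem, ...).

    Returns the list of paths written. The prefix is the naming proposed
    in the report; it is an assumption here, not cloud-init's behaviour.
    """
    out_dir = Path(directory)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, cert in enumerate(split_pem_bundle(bundle)):
        path = out_dir / f"{prefix}{i}.pem"
        path.write_text(cert)
        os.chmod(path, 0o644)  # CA certs are public; world-readable is the norm
        paths.append(str(path))
    return paths


def check_one_cert_per_file(paths: List[str]) -> List[str]:
    """Return the paths that do NOT contain exactly one certificate."""
    return [p for p in paths if count_certs(Path(p).read_text()) != 1]


# Constructed sample: two PEM-shaped blocks with placeholder bodies
# (not real certificates), mimicking what a multi-cert ca-certs entry yields.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB...placeholder-for-CA-one...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...placeholder-for-CA-two...
-----END CERTIFICATE-----
"""


def demo() -> Tuple[List[str], int, int]:
    """Split the sample bundle into a temp dir and run the per-file check.

    Returns (file names written, number of bad split files,
    number of bad files when the whole bundle is one file).
    """
    with tempfile.TemporaryDirectory() as d:
        paths = write_individual_certs(SAMPLE_BUNDLE, d)
        names = [Path(p).name for p in paths]
        bad_split = check_one_cert_per_file(paths)
        # The single concatenated file, as in the reported behaviour
        bundle_path = Path(d) / "bundle.pem"
        bundle_path.write_text(SAMPLE_BUNDLE)
        bad_bundle = check_one_cert_per_file([str(bundle_path)])
        return names, len(bad_split), len(bad_bundle)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately separate from the writer so it can also be pointed at an existing /etc/ssl/certs directory to find concatenated files that path-based verification will skip.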

Noah Meyerhans (noahm)
description: updated
James Falcon (falcojr)
Changed in cloud-init:
status: New → Triaged
importance: Undecided → Wishlist