2021-06-07 22:37:18 |
Noah Meyerhans |
description |
Forwarded from https://bugs.debian.org/989575
From the original report:
I use "ca-certs" to supply additional certificates. With just one certiticate everything
works as expected, however when provided more than one, cloud-init adds them into a single
file which causes "openssl rehash" to fail as it expects exactly one certificate per file.
As the result programmes using openssl doen not trus certificates issued by provided CAs.
The issue was reported against 20.2, but I have confirmed that the behavior is unchanged in 21.2.
One possible approach to the solution would be to store each certificate individually in files named something like cloud-init-ca-cert-0.pem, cloud-init-ca-cert-1.pem, etc.
Note that this breaks certificate usage only when performing verification using openssl's path-based verification functionality. Since all certificates in /etc/ssl/certs/ are concatenated into /etc/ssl/certs/ca-certificates.pem, that file can still be used to perform file-based verification. (See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html for a description of these two modes, if you're not familiar.) |
Forwarded from https://bugs.debian.org/989575
From the original report:
I use "ca-certs" to supply additional certificates. With just one
certiticate everything works as expected, however when provided
more than one, cloud-init adds them into a single file which causes
"openssl rehash" to fail as it expects exactly one certificate per
file. As the result programmes using openssl doen not trus
certificates issued by provided CAs.
The issue was reported against 20.2, but I have confirmed that the behavior is unchanged in 21.2.
One possible approach to the solution would be to store each certificate individually in files named something like cloud-init-ca-cert-0.pem, cloud-init-ca-cert-1.pem, etc.
Note that this breaks certificate usage only when performing verification using openssl's path-based verification functionality. Since all certificates in /etc/ssl/certs/ are concatenated into /etc/ssl/certs/ca-certificates.pem, that file can still be used to perform file-based verification. (See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html for a description of these two modes, if you're not familiar.) |
|