Cannot install multiple trusted CA during bootstrap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Andy |
Bug Description
Brief Description
-----------------
Providing multiple CA certs in the file specified by "ssl_ca_cert" during Ansible bootstrap installs only the first CA cert.
Severity
--------
Minor
Steps to Reproduce
------------------
Generate 2 CAs and concatenate their certificates together. Specify this file during bootstrap under "ssl_ca_cert".
Run bootstrap.
Have each CA sign something (a public key for a Docker registry, for example, or create a dummy key for the CAs to sign).
Use "openssl verify <cert you created in previous step>" to try and verify the certificate.
Expected Behavior
------------------
openssl verify should say the certificate is OK.
Actual Behavior
----------------
When verifying the certificate signed by the second CA specified by "ssl_ca_cert" during bootstrap, verification fails with "unable to get local issuer certificate".
The system does not recognize the second CA specified during bootstrap under "ssl_ca_cert" as a trusted CA.
We know this because if you specify the CA file when running openssl verify (openssl verify -CAfile ca-cert.pem server.pem, where ca-cert.pem is the CA's certificate and server.pem is the dummy file that the CA signed), the verification is successful.
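The failure above is the classic "only the first PEM block is read" bug: a bundle file may hold any number of BEGIN/END CERTIFICATE blocks, and whatever consumes "ssl_ca_cert" has to split all of them. The following is an added example, not code from the StarlingX bootstrap playbooks: it splits a PEM bundle correctly, contrasts that with the first-block-only behaviour the report describes, and gives a fingerprint-based check that tells you which CAs from the bundle never made it into the trust store. The certificate bodies are constructed placeholders (not real DER); the functions work unchanged on real `ca-cert.pem` and `/etc/pki/tls/certs/ca-bundle.crt` contents.

```python
import base64
import hashlib
import re
from typing import List

# Matches every certificate block in a PEM file, tolerating text between
# blocks (openssl -text output, comments) and CRLF line endings.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> List[bytes]:
    """Return every certificate in a PEM bundle as DER bytes, in file order."""
    return [
        base64.b64decode("".join(body.split()))  # drop line breaks inside the body
        for body in PEM_CERT_RE.findall(text)
    ]


def first_cert_only(text: str) -> List[bytes]:
    """Mimics the defect: only the first BEGIN/END block of the bundle is used."""
    return split_pem_bundle(text)[:1]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value 'openssl x509 -fingerprint -sha256' prints."""
    return hashlib.sha256(der).hexdigest()


def missing_from_trust_store(bundle_text: str, trust_store_text: str) -> List[str]:
    """Fingerprints of certs present in the supplied bundle but absent from the trust store."""
    wanted = {fingerprint(d) for d in split_pem_bundle(bundle_text)}
    present = {fingerprint(d) for d in split_pem_bundle(trust_store_text)}
    return sorted(wanted - present)


def pem_block(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-column base64, as openssl writes it)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for two CA certificates.
CA_ONE_DER = b"constructed placeholder, not a real DER certificate: CA one"
CA_TWO_DER = b"constructed placeholder, not a real DER certificate: CA two"
SSL_CA_CERT_BUNDLE = pem_block(CA_ONE_DER) + pem_block(CA_TWO_DER)


def main() -> None:
    print(f"bundle contains {len(split_pem_bundle(SSL_CA_CERT_BUNDLE))} certificate(s)")
    # Simulate a trust store populated by the buggy first-block-only path.
    installed = "".join(pem_block(d) for d in first_cert_only(SSL_CA_CERT_BUNDLE))
    for fp in missing_from_trust_store(SSL_CA_CERT_BUNDLE, installed):
        print(f"CA with SHA-256 fingerprint {fp} was NOT installed")


if __name__ == "__main__":
    main()
```

Run `missing_from_trust_store` with the bundle you passed as "ssl_ca_cert" and the contents of the system trust bundle after bootstrap: an empty list means every CA was installed, and any fingerprint it returns identifies exactly which CA's signatures will fail with "unable to get local issuer certificate".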
Reproducibility
---------------
100% reproducible.
System Configuration
--------------------
Multi-node system
Branch/Pull Time/Commit
-----------------------
Master as of Jan 27
Last Pass
---------
Timestamp/Logs
--------------
Test Activity
-------------
Developer Testing
Workaround
----------
Copy ca-cert.pem to /etc/pki/.
Run update-ca-trust.
Restart whatever processes need the CA to be trusted.
This needs to be done on different nodes depending on where the process that needs the CA to be trusted runs: potentially controllers, potentially controllers and computes.
Also, this workaround could be undone when nodes reboot; I did not test that.
tags: added: stx.security
stx.4.0 / medium priority as there is a workaround for this issue