System allows to install ssl certificate as ssl_ca certificate

Bug #1954302 reported by Alexandre Horst
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Alexandre Horst

Bug Description

Brief Description
-----------------
The system allows installing an SSL certificate as an ssl_ca certificate. There was no failure or error during installation, as shown below.

[root@controller-0 (keystone_admin)]# system certificate-install -m ssl_ca my-server-cert.pem

WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.

+-------------+--------------------------------------+
| Property    | Value                                |
+-------------+--------------------------------------+
| uuid        | 71b35de7-93bc-4e31-92d2-244571d7ce5e |
| certtype    | ssl_ca                               |
| signature   | ssl_ca_15565961408580913386          |
| start_date  | 2021-10-28 18:35:30+00:00            |
| expiry_date | 2022-10-28 18:35:30+00:00            |
+-------------+--------------------------------------+

Severity
--------
Minor

Steps to Reproduce
------------------
Generate a certificate as per the documentation, Certificate Configuration (https://docs.starlingx.io/configuration/cert_config.html).
Install the SSL certificate as an SSL CA certificate:
system certificate-install -m ssl_ca my-server-cert.pem

Expected Behavior
-----------------
Failure to install

Actual Behavior
----------------
As per the description, there was no failure; the certificate was installed successfully.

Reproducibility
---------------
Not sure; seen once.

System Configuration
--------------------
IPv6, AIO-DX subcloud

Branch/Pull Time/Commit
-----------------------
StarlingX 5.0

Last Pass
---------
Not sure. This was tested

Timestamp/Logs
--------------
/fo

Alarms
------
No alarms

Test Activity
-------------
This issue was found during the upgrade test setup

Workaround
----------
Reinstall the with ssl_ca certificate

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/821235

Changed in starlingx:
status: New → In Progress
Alexandre Horst (ahorst)
description: updated
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Alexandre Horst (ahorst)
importance: Undecided → Low
tags: added: stx.7.0 stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/821235
Committed: https://opendev.org/starlingx/config/commit/c605b620c39e5caca97f8729f216a86ab727f56b
Submitter: "Zuul (22348)"
Branch: master

commit c605b620c39e5caca97f8729f216a86ab727f56b
Author: Alexandre Horst <email address hidden>
Date: Thu Dec 9 12:43:18 2021 -0300

    Add validation for a non CA certificate

    The user is being able to install SSL certificate as SSL CA
    certificate using the system-certificate-install. This should
    not be permitted by the system.

    So this validation blocks the installation of SSL certificate
    if it is passing the mode ssl_ca and using a certificate
    that is not CA.

    Test Plan:
      PASS: Verify SSL certificate is not being installed as SSL CA
      certificate

    Closes-bug: 1954302
    Signed-off-by: Alexandre Horst <email address hidden>
    Change-Id: I036bd1898cf608dd75c521e9d7508960096561e2

Changed in starlingx:
status: In Progress → Fix Released
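
The check the commit message describes (reject mode ssl_ca when the certificate is not a CA) can also be run by an operator before calling `system certificate-install`. The following is an added example, not the StarlingX fix or code from this report: it assumes the `openssl` CLI is available and that "is a CA" means basicConstraints CA:TRUE. The function names are hypothetical, and the sample certificates are constructed by the script itself.

```shell
#!/bin/sh
# Added example: pre-check before `system certificate-install -m ssl_ca`.

# Succeeds only if the first certificate in the PEM file has
# basicConstraints CA:TRUE. Later certificates in a bundle are not inspected.
# A missing file or a certificate without the extension fails closed.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Hypothetical wrapper: decide whether a (mode, file) pair may be installed.
check_install_mode() {
    if [ "$1" = ssl_ca ] && ! is_ca_cert "$2"; then
        echo "refusing: $2 is not a CA certificate (mode ssl_ca)" >&2
        return 1
    fi
}

# Constructed sample input: one self-signed CA certificate and one
# self-signed non-CA certificate, written to directory $1.
make_samples() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$1/req.cnf" -extensions "${kind}_ext" \
            -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null || return 1
    done
}

demo_dir=$(mktemp -d)
if make_samples "$demo_dir"; then
    for f in ca leaf; do
        if check_install_mode ssl_ca "$demo_dir/$f.pem"; then
            echo "ok: $f.pem may be installed as ssl_ca"
        fi
    done
fi
rm -rf "$demo_dir"
```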