update-ca-certificates should be used with --fresh when changing trusted_ssl_ca

Bug #2008065 reported by Chi Wai CHAN
This bug affects 2 people
Affects: charm-openstack-service-checks
Status: Fix Released
Importance: Undecided
Assigned to: Chi Wai CHAN

Bug Description

Performing a clean deployment of o-s-c with an incorrect `trusted_ssl_ca`, for example an empty input or combined certificates, `update-ca-certificates` will skip creating the symbolic links to files named by the hash values (see man openssl rehash), and ends with a missing link:

```
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Further re-configuring `trusted_ssl_ca` will not create the missing link, because the charm runs `update-ca-certificates` without `--fresh`. This may result in "unable to get local issuer certificate" errors in the `check_ssl_cert` check. The missing link can be recreated with `update-ca-certificates --fresh`:

```
/etc/ssl/certs$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root 28 Feb 22 09:21 8d2fba8c.0 -> openstack-service-checks.pem
lrwxrwxrwx 1 root root 61 Feb 22 09:21 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Note that the missing symlink is important for `check_ssl_cert` to find the certificates and work properly. Also see the attachment for the complete stdout output.
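A defender-side check for the condition described in this report, added here as an example and not part of the bug report or of the charm: it lists certificates in an /etc/ssl/certs-style directory that no OpenSSL hash-style symlink (`<8 hex chars>.N -> cert`) points at, which is exactly the state left behind when `update-ca-certificates` skipped the rehash. The function name and the directory argument are assumptions; `ca-certificates.crt` is skipped because, as the output above shows, rehash never links the bundle.

```shell
#!/bin/sh
# Added example (not from the bug report or the charm): find certificate files
# in a certs directory that have no hash-style symlink pointing at them.
# Usage: find_unhashed_certs [CERTDIR]    (CERTDIR defaults to /etc/ssl/certs)
# Prints one unhashed certificate name per line; returns 1 if any were found.
find_unhashed_certs() {
    dir=${1:-/etc/ssl/certs}
    missing=0

    # Collect the targets of all hash-style links (e.g. 8d2fba8c.0 -> foo.pem).
    # rehash creates them relative to the directory, so readlink yields the name.
    targets=$(for link in "$dir"/*; do
        case "${link##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ -L "$link" ]; then readlink "$link"; fi
    done)

    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$cert" ] || continue            # glob matched nothing
        name=${cert##*/}
        case "$name" in
            ca-certificates.crt) continue ;;  # the bundle is never hashed
        esac
        # A certificate is fine if at least one hash link names it as target.
        if ! printf '%s\n' "$targets" | grep -qFx -- "$name"; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}
```

If the function prints any names, `update-ca-certificates --fresh` rebuilds the hash links for every trusted certificate, as shown in the transcript above.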

Tags: bseng-935

Eric Chen (eric-chen)
tags: added: bseng-935
Chi Wai CHAN (raychan96)
Changed in charm-openstack-service-checks:
assignee: nobody → Chi Wai CHAN (raychan96)
status: New → Fix Committed
Changed in charm-openstack-service-checks:
milestone: none → 23.04
Changed in charm-openstack-service-checks:
status: Fix Committed → Fix Released