2023-02-24 06:32:06 |
Chi Wai CHAN |
bug |
|
|
added bug |
2023-02-24 06:33:53 |
Chi Wai CHAN |
description |
Currently, "trusted_ssl_ca" is only effective when there's only one certificate in it. If a combined certificate is set in "trusted_ssl_ca", the certificates' symbolic links will not be properly created in "/etc/ssl/certs" because `update-ca-certificates` [0] does not support more than one certificate (see man page of `update-ca-certificates`). However, the symbolic links are important to `check_ssl_cert` in verifying the certificate chain.
We need support for setting multiple certificates in "trusted_ssl_ca". For example, the charm code should be able to split the combined certificates input into multiple files containing single certificates.
[0] https://git.launchpad.net/charm-openstack-service-checks/tree/src/reactive/openstack_service_checks.py#n207 |
Currently, "trusted_ssl_ca" is only effective when there's only one certificate in it. If a combined certificate is set in "trusted_ssl_ca", the certificates' symbolic links will not be properly created in "/etc/ssl/certs" because `update-ca-certificates` [0] does not support more than one certificate (see man page of `update-ca-certificates` and `openssl rehash`; the latter is used internally in `update-ca-certificates`). However, the symbolic links are important to `check_ssl_cert` in verifying the certificate chain.
We need support for setting multiple certificates in "trusted_ssl_ca". For example, the charm code should be able to split the combined certificates input into multiple files containing single certificates.
[0] https://git.launchpad.net/charm-openstack-service-checks/tree/src/reactive/openstack_service_checks.py#n207 |
|
2023-02-24 06:35:48 |
Chi Wai CHAN |
summary |
Need to support combined certificate in "trusted_ssl_cert" option |
Need to support combined certificate in "trusted_ssl_ca" option |
|
2023-02-24 08:08:40 |
Eric Chen |
charm-openstack-service-checks: status |
New |
Triaged |
|
2023-02-24 08:20:52 |
Chi Wai CHAN |
summary |
Need to support combined certificate in "trusted_ssl_ca" option |
Need to support multiple certificates in "trusted_ssl_ca" option |
|
2023-02-24 09:01:34 |
Chi Wai CHAN |
description |
Currently, "trusted_ssl_ca" is only effective when there's only one certificate in it. If a combined certificate is set in "trusted_ssl_ca", the certificates' symbolic links will not be properly created in "/etc/ssl/certs" because `update-ca-certificates` [0] does not support more than one certificate (see man page of `update-ca-certificates` and `openssl rehash`; the latter is used internally in `update-ca-certificates`). However, the symbolic links are important to `check_ssl_cert` in verifying the certificate chain.
We need support for setting multiple certificates in "trusted_ssl_ca". For example, the charm code should be able to split the combined certificates input into multiple files containing single certificates.
[0] https://git.launchpad.net/charm-openstack-service-checks/tree/src/reactive/openstack_service_checks.py#n207 |
Currently, "trusted_ssl_ca" is only effective when there's only one certificate in it. If multiple certificates are set in "trusted_ssl_ca", for example by doing
```
cat root_ca_1.crt root_ca_2.crt > multiple_root_cas.crt
```
, the symbolic links will not be properly created in "/etc/ssl/certs" because `update-ca-certificates` [0] does not support more than one certificate (see man page of `update-ca-certificates` and `openssl rehash`; the latter is used internally in `update-ca-certificates`).
However, the symbolic links are important to `check_ssl_cert` in verifying the certificate chain. If the symbolic links are missing, it will cause `check_ssl_cert` to report errors like "unable to get local issuer certificate".
We need support for setting multiple certificates in "trusted_ssl_ca". For example, the charm code should be able to split the "trusted_ssl_ca" content containing multiple certificates into multiple files, each containing a single certificate. This will allow symbolic links to be created properly.
[0] https://git.launchpad.net/charm-openstack-service-checks/tree/src/reactive/openstack_service_checks.py#n207 |
|
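One way to do the split proposed in the description, as an added example that is not code from the charm or from the reporter. The function names, the `trusted_ssl_ca_N.crt` file naming and the sample bundle are assumptions made for illustration; the code only separates PEM blocks and does not parse or validate the certificates themselves.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# One PEM certificate block; "-" is not in the body class, so a match
# can never run across two certificates.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END CERTIFICATE-----"
)

# Constructed sample: placeholder bodies (not real certificates), one CRLF
# block and one exact duplicate, as a hand-assembled bundle might contain.
_A = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderAAAA\nQUJDRA==\n-----END CERTIFICATE-----\n"
_B = "-----BEGIN CERTIFICATE-----\r\nMIIBplaceholderBBBB\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_BUNDLE = "# root_ca_1\n" + _A + "# root_ca_2\n" + _B + _A


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each certificate as its own LF-normalized PEM string."""
    certs: List[str] = []
    for block in PEM_CERT_RE.findall(bundle):
        pem = "\n".join(l.strip() for l in block.splitlines() if l.strip()) + "\n"
        if pem not in certs:  # skip exact duplicates
            certs.append(pem)
    return certs


def write_single_cert_files(bundle: str, dest_dir: Path,
                            prefix: str = "trusted_ssl_ca") -> List[Path]:
    """Write one .crt file per certificate so each can get its own hash link."""
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("no PEM certificate found in input")
    dest_dir.mkdir(parents=True, exist_ok=True)
    for stale in dest_dir.glob(prefix + "_*.crt"):  # left from an older value
        stale.unlink()
    paths = []
    for index, pem in enumerate(certs):
        path = dest_dir / "{}_{}.crt".format(prefix, index)
        path.write_text(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Assumption: a real deployment would pass the directory scanned by
    # update-ca-certificates and run that tool afterwards.
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_single_cert_files(SAMPLE_BUNDLE, Path(tmp)):
            print(p.name)
```

Removing stale `trusted_ssl_ca_*.crt` files before writing keeps a CA that was dropped from the option from remaining trusted on disk.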