
yahoo-eng-team team mailing list archive

[Bug 1931174] [NEW] ca-certs does not work as expected if multiple certificates are provided

Public bug reported:

Forwarded from https://bugs.debian.org/989575

From the original report:
    I use "ca-certs" to supply additional certificates. With just one
    certificate everything works as expected, however when provided with
    more than one, cloud-init adds them into a single file, which causes
    "openssl rehash" to fail as it expects exactly one certificate per
    file. As a result, programmes using openssl do not trust
    certificates issued by the provided CAs.

The issue was reported against 20.2, but I have confirmed that the
behavior is unchanged in 21.2.

One possible approach to the solution would be to store each certificate
individually in files named something like cloud-init-ca-cert-0.pem,
cloud-init-ca-cert-1.pem, etc.

Note that this breaks certificate usage only when performing
verification using openssl's path-based verification functionality.
Since all certificates in /etc/ssl/certs/ are concatenated into
/etc/ssl/certs/ca-certificates.pem, that file can still be used to
perform file-based verification. (See
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html
for a description of these two modes, if you're not familiar.)

** Affects: cloud-init
     Importance: Undecided
         Status: New
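The per-file layout suggested above is easy to produce from the bundle cloud-init currently writes. The following is an added example, not cloud-init's own code: it splits a concatenated PEM bundle into one certificate per file, named cloud-init-ca-cert-0.pem, cloud-init-ca-cert-1.pem and so on, which is the layout path-based (CApath) lookup needs, because the hash links that `openssl rehash` / `c_rehash` create are per file, so any CA concatenated after the first in a file gets no link. The file-name prefix, the `write_ca_certs` helper and the sample bundle (placeholder bodies, not real certificates) are assumptions made for this example.

```python
"""Split a PEM bundle into one certificate per file.

Added example, not cloud-init code. Produces the cloud-init-ca-cert-N.pem
layout proposed in the bug report so that `openssl rehash` sees exactly
one certificate per file under the CApath directory.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

_BEGIN = "-----BEGIN CERTIFICATE-----"
_END = "-----END CERTIFICATE-----"

# Match one PEM certificate block. The lazy body capture stops at the first
# END marker, so concatenated certificates are matched one at a time.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample bundle. The bodies are placeholders, NOT real
# certificates; the splitter only looks at the PEM framing. It deliberately
# mixes CRLF line endings, stray indentation and a comment line, all of
# which show up in real-world bundles.
SAMPLE_BUNDLE = (
    "# constructed bundle: two placeholder CA certificates\n"
    + _BEGIN + "\nAAAA\r\nBBBB\r\n" + _END + "\n"
    + "\n"
    + _BEGIN + "\n  CCCC  \n" + _END + "\n"
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every certificate in ``bundle`` as a normalized PEM string.

    Text outside the BEGIN/END framing (comments, blank lines, textual
    dumps some tools prepend) is dropped and each body is re-joined with
    LF line endings. A BEGIN marker without a matching END raises
    ValueError instead of silently dropping that CA, which would recreate
    the very symptom of this bug: a CA the operator supplied that nothing
    trusts.
    """
    certs = []
    for match in _PEM_CERT_RE.finditer(bundle):
        body = "\n".join(
            line.strip() for line in match.group(1).splitlines() if line.strip()
        )
        certs.append(f"{_BEGIN}\n{body}\n{_END}\n")
    if bundle.count(_BEGIN) != len(certs):
        raise ValueError("bundle contains an unterminated certificate block")
    return certs


def write_ca_certs(bundle: str, directory: Optional[str] = None,
                   prefix: str = "cloud-init-ca-cert") -> List[Path]:
    """Write each certificate of ``bundle`` to ``<directory>/<prefix>-<n>.pem``.

    With ``directory`` left as None a fresh temporary directory is used, so
    the example can be run without touching the system trust store. The
    file-name prefix is an assumption of this example, not a cloud-init
    convention.
    """
    if directory is None:
        directory = tempfile.mkdtemp(prefix="ca-certs-")
    target = Path(directory)
    target.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, cert in enumerate(split_pem_bundle(bundle)):
        path = target / f"{prefix}-{index}.pem"
        path.write_text(cert)
        path.chmod(0o644)  # CA certificates are public; every client must read them
        paths.append(path)
    return paths


if __name__ == "__main__":
    for written in write_ca_certs(SAMPLE_BUNDLE):
        print(written)
    # On a real bundle, run `openssl rehash <directory>` afterwards: with one
    # certificate per file every CA gets its own <subject-hash>.N link.
```

The splitter intentionally normalizes nothing beyond the PEM framing (no DER decoding, no subject-hash computation); computing the hash links remains `openssl rehash`'s job, and it can only do that correctly once each file holds a single certificate.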


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1931174


To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1931174/+subscriptions