Ticket #1127 (closed defect: fixed)
SSLCA certificate validation is being carried out with the CA specified as `untrusted'
Reported by: | Michael Fincham <[email protected]…> | Owned by: | https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | bcfg2-server | Version: | 1.0 |
Keywords: | | Cc: | Chris St. Pierre <[email protected]…> |
Description
On my installation, SSLCA-managed certificates are only valid during the client run in which they are created; subsequent runs declare the certificate as invalid and delete it.
I see that diff:src/lib/Server/Plugins/[email protected]:f379b0e43cfa0137379ad0f78f48223eba7db61a on line 187 the way openssl is called was changed:
- res = Popen(["openssl", "verify", "-CAfile", chaincert, cert],
+ res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose", + "sslserver", cert],
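Review bot: swapping `-CAfile` for `-untrusted` in the Popen argument list leaves this verify call with no trust anchor taken from chaincert. `-untrusted` only offers certificates as candidates for chain building, so when chaincert is a self-signed root CA the chain ends in a certificate that nothing marks as trusted. Suggest keeping `-CAfile` for the root and passing `-untrusted` in addition only when an intermediate has to be supplied. Separately, `-purpose sslserver` is now applied to every certificate this plugin checks; it would help to document that choice or make it configurable.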
This seems to cause validation of the stored cert to always fail:
Aug 27 18:26:48 manager bcfg2-server[29849]: SSLCA: /etc/stunnel/mysql-client-cert.pem failed verification against CA: /var/lib/bcfg2/SSLCA/etc/stunnel/mysql-client-cert.pem/mysql-client-cert.pem.H_test.example.com: /C=NZ/O=Example/CN=example.com#012error 19 at 1 depth lookup:self signed cer
Changing "-untrusted" back to "-CAfile" allows validation to succeed:
SSLCA/etc/stunnel/mysql-client-cert.pem/mysql-client-cert.pem.H_test.example.com: OK
Is there some reason I can't discern for why this was changed to "-untrusted"?
Change History
comment:1 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc
- Owner changed from desai to https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc
- Status changed from new to accepted
comment:2 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc
- Status changed from accepted to closed
- Resolution set to fixed
Fixed in:
https://github.com/Bcfg2/bcfg2/commit/f0a75666bfe2d101ac5b99534680047b47ec1224
https://github.com/Bcfg2/bcfg2/commit/fde8bdfdfbe77e1bcd714b45dc443dcd9eb7cb7c
-CAfile was changed to -untrusted to support verifying against an intermediate cert, but it broke verification against a root CA cert. If you are verifying against a root CA cert, you will need to either apply the patch above and set root_ca = true in bcfg2.conf, or keep the change you've already made. If you're verifying against a cert bundle (i.e., a file that contains both the root cert and an intermediate cert), then you can split the root cert out and add it to your ca-bundle.crt, and just set chaincert to your intermediate cert.
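The difference behind this ticket is that `-CAfile` supplies trust anchors while `-untrusted` only supplies candidate chain certificates. The following is an added example, not part of the ticket or of Bcfg2, that shows each combination against a constructed throwaway PKI; all file and certificate names are made up, and `-purpose sslserver` is left out to isolate the trust question.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI in a temp dir (all names are made up):
#   root -> leaf-a            (leaf issued directly by a self-signed root)
#   root -> inter -> leaf-b   (leaf issued by an intermediate CA)
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
SERIAL=0

new_csr() {  # new_csr NAME: fresh key and CSR with CN=NAME
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" \
    -out "$PKI/$1.csr" -subj "/CN=$1" 2>/dev/null
}

sign() {  # sign NAME ISSUER [x509 options]: issue NAME's certificate
  local name=$1 issuer=$2; shift 2
  SERIAL=$((SERIAL + 1))
  openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" \
    -CAkey "$PKI/$issuer.key" -set_serial "$SERIAL" -days 2 \
    -out "$PKI/$name.pem" "$@" 2>/dev/null
}

make_pki() {
  echo 'basicConstraints=critical,CA:TRUE' > "$PKI/ca.ext"
  for n in root inter leaf-a leaf-b; do new_csr "$n" || return 1; done
  openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 2 \
    -extfile "$PKI/ca.ext" -out "$PKI/root.pem" 2>/dev/null || return 1
  sign inter root -extfile "$PKI/ca.ext" && sign leaf-a root && sign leaf-b inter
}

# check CERT [verify options]: true only if openssl prints "<file>: OK",
# the line the ticket shows for a certificate that passes.
check() {
  local cert=$1; shift
  openssl verify "$@" "$PKI/$cert.pem" 2>&1 | grep -q ': OK$'
}

report() { if check "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi; }

make_pki || { echo "openssl setup failed" >&2; exit 1; }
report leaf-a -CAfile "$PKI/root.pem"                              # OK
report leaf-a -untrusted "$PKI/root.pem"                           # FAIL (this ticket)
report leaf-b -CAfile "$PKI/inter.pem"                             # FAIL: no root anchor
report leaf-b -untrusted "$PKI/inter.pem"                          # FAIL: root not trusted
report leaf-b -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem"  # OK
```

The fourth case passes only once the root is in OpenSSL's default trust store, which is the ca-bundle.crt step described in the comment above.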
comment:3 Changed 11 years ago by Michael Fincham <[email protected]…>
Thanks! I cannot tell you how much I appreciate your speedy patch for this :)