Support EL 9: Avoid running update-ca-trust twice #69
Conversation
|
As far as I can see there's a difference in how it between the container and a VM. On a VM this is passing but locally in podman I can reproduce the CI failure. On the container: # trust list | grep centos -C 2
pkcs11:id=%C1%E4%5C%1D%01%E0%76%1A%16%3E%21%0B%62%DE%F0%D2%59%97%8C%93;type=cert
type: certificate
label: centos9-64.example.com
trust: anchor
category: other-entryOn a VM: # trust list | grep centos -C 2
pkcs11:id=%43%D0%AF%64%50%AF%2A%A6%58%18%79%C6%E7%8E%B6%21%36%53%5A%94;type=cert
type: certificate
label: centos9-64.example.com
trust: anchor
category: authorityNote the category is When I copy over the certificate from the VM to the certificate it is properly recognized as an authority. That makes me suspect Inspecting it I can see that the container one generates: # openssl x509 -in /etc/pki/ca-trust/source/anchors/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
....
X509v3 extensions:
X509v3 Subject Key Identifier:
C1:E4:5C:1D:01:E0:76:1A:16:3E:21:0B:62:DE:F0:D2:59:97:8C:93
...Compared to the VM: # openssl x509 -in /etc/pki/ca-trust/source/anchors/test.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
...The VM has version 1 and no extension while the container has version with an extension. Looking at The container cert has an extension, so hits the first branch (https://github.com/p11-glue/p11-kit/blob/5332245664f7b82ef190f13894a4a4f4ffb15922/trust/builder.c#L670-L678) while the VM doesn't so hits the second branch (https://github.com/p11-glue/p11-kit/blob/5332245664f7b82ef190f13894a4a4f4ffb15922/trust/builder.c#L686). |
|
I found a difference between my container and vm: Conclusion is that the way we generate certs needs to be adjusted for EL9. |
| @@ -21,11 +21,11 @@ | |||
| apply_manifest(pp, catch_failures: true) | |||
| end | |||
|
|
|||
| describe command("/usr/bin/curl https://#{fact('hostname')}.example.com:443") do | |||
| describe command("/usr/bin/curl https://#{fact('fqdn')}:443") do | |||
There was a problem hiding this comment.
that's not related to the actual code changes, right? should we move it to a dedicated PR?
There was a problem hiding this comment.
I debated that, but consider it part of the "rewrite certs" PR. There I also switched to $(hostname -f)
manifests/params.pp
Outdated
| @@ -6,7 +6,7 @@ | |||
| case $facts['os']['family'] { | |||
| 'RedHat': { | |||
| $path = ['/usr/bin', '/bin'] | |||
| $update_command = 'update-ca-trust enable && update-ca-trust' | |||
| $update_command = 'update-ca-trust' | |||
There was a problem hiding this comment.
Why not
| $update_command = 'update-ca-trust' | |
| $update_command = 'update-ca-trust extract' |
as it's the documented "has to always work" invocation?
I'm fine either way, more curious about the decision.
There was a problem hiding this comment.
Simplicity was my motivation. I don't mind either way.
There was a problem hiding this comment.
From the Fedora man page (and EL9 is being updated to the same now):
COMMANDS
(absent/empty command)
Same as the extract command described below. (However, the command may print fewer warnings, as this command is being run during rpm package
installation, where non-fatal status output is undesired.)
extract
Instruct update-ca-trust to scan the SOURCE CONFIGURATION and produce updated versions of the consolidated configuration files stored below the
/etc/pki/ca-trust/extracted directory hierarchy.
Do we want warnings and errors? The resource is marked as refreshonly so the next Puppet run will simply skip over it. On the other hand, swallowing errors is not a good practice.
There was a problem hiding this comment.
I ended up changing to an explicit parameter.
On both EL 7 & EL 8 the argument is ignored, so the command is effectively running twice. On EL 9 there is argument parsing. There is a difference how the enable argument is handled. In ca-certificates-0:2024.2.69_v8.0.303-91.3.el9 it raises an error while release 91.4 changes it to a a deprecation warning that users should use extract. Extract is almost the behavior when no argument is given, but passing the argument is a bit stricter in showing warnings and errors. This simplifies the command to just plain update-ca-trust extract.
This creates a real CA and a certificate signed by that CA. This is mostly needed for EL 9 which has openssl 3.2 where the self signed certificate is no longer recognized as a CA. It now also properly uses the FQDN fact to make it work everywhere.
On both EL 7 & EL 8 the argument is ignored, so the command is effectively running twice.
On EL 9 there is argument parsing. There is a difference how the enable argument is handled. In
ca-certificates-0:2024.2.69_v8.0.303-91.3.el9it raises an error while release 91.4 changes it to a a deprecation warning that users should use extract. Extract is also the behavior when no argument is given.This simplifies the command to just plain update-ca-trust.
After that we can formally support EL 9.