| Message ID | 20230215120208.35807-4-anthony.perard@citrix.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | automation: Update containers to allow HTTPS access to xenbits |
On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> present, openssl seems to still check for the root certificate
> DST_Root_CA_X3.crt which has expired. This prevents https connections.
>
> Removing DST_Root_CA_X3 fixes the issue.
>
> centos: found the filter by looking for "DST Root" in `trust list`.
>
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
>  automation/build/centos/7.2.dockerfile         | 5 +++++
>  automation/build/centos/7.dockerfile           | 5 +++++
>  automation/build/debian/jessie-i386.dockerfile | 5 +++++
>  automation/build/debian/jessie.dockerfile      | 5 +++++
>  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
>  5 files changed, 25 insertions(+)
>
> diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
> index 4baa097e31..27244fd002 100644
> --- a/automation/build/centos/7.2.dockerfile
> +++ b/automation/build/centos/7.2.dockerfile
> @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
>          bzip2 \
>          nasm \
>          && yum clean all
> +
> +# Remove expired certificate that Let's Encrypt certificates used to relie on.

rely.

And really (to all of these modifications)? This seems outrageously
hacky to be deploying into production...

Honestly, I think I'd prefer to drop all of these legacy versions...

~Andrew
On Wed, 15 Feb 2023, Andrew Cooper wrote:
> On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> > While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> > present, openssl seems to still check for the root certificate
> > DST_Root_CA_X3.crt which has expired. This prevents https connections.
> >
> > Removing DST_Root_CA_X3 fixes the issue.
> >
> > centos: found the filter by looking for "DST Root" in `trust list`.
> >
> > Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> > ---
> >  automation/build/centos/7.2.dockerfile         | 5 +++++
> >  automation/build/centos/7.dockerfile           | 5 +++++
> >  automation/build/debian/jessie-i386.dockerfile | 5 +++++
> >  automation/build/debian/jessie.dockerfile      | 5 +++++
> >  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
> >  5 files changed, 25 insertions(+)
> >
> > diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
> > index 4baa097e31..27244fd002 100644
> > --- a/automation/build/centos/7.2.dockerfile
> > +++ b/automation/build/centos/7.2.dockerfile
> > @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
> >          bzip2 \
> >          nasm \
> >          && yum clean all
> > +
> > +# Remove expired certificate that Let's Encrypt certificates used to relie on.
>
> rely.
>
> And really (to all of these modifications)? This seems outrageously
> hacky to be deploying into production...
>
> Honestly, I think I'd prefer to drop all of these legacy versions...

Good timing! It just so happens that we need to shave some of the old
container tests as we have too many build tests on x86 :-)

I would remove Jessie as it reached EOL years ago. Do we really need
both Centos 7 and 7.2? If not, we could remove 7.

That leaves us with Trusty and Centos 7.2 among these. I would be
tempted to keep Trusty and add the sed hack of this patch to make it
work. For Centos 7.2, the hack looks even worse. Would it solve the
problem to upgrade to the latest Centos 7.x subrelease? Is there really
no other way to solve the problem?
On Wed, Feb 15, 2023 at 04:14:53PM -0800, Stefano Stabellini wrote:
> On Wed, 15 Feb 2023, Andrew Cooper wrote:
> > Honestly, I think I'd prefer to drop all of these legacy versions...
>
> Good timing! It just so happens that we need to shave some of the old
> container tests as we have too many build tests on x86 :-)
>
> I would remove Jessie as it reached EOL years ago. Do we really need
> both Centos 7 and 7.2? If not, we could remove 7.

Actually, 7.2 is older than 7, so I would remove 7.2. (7 would be 7.x so
latest 7 which is 7.9.)

> That leaves us with Trusty and Centos 7.2 among these. I would be
> tempted to keep Trusty and add the sed hack of this patch to make it
> work. For Centos 7.2, the hack looks even worse. Would it solve the
> problem to upgrade to the latest Centos 7.x subrelease? Is there really
> no other way to solve the problem?

So for centos7, the blacklist of the expired root certificate isn't
needed if we simply run `yum update` which for some reason is missing
from the dockerfile...

Thanks,
On Thu, 16 Feb 2023, Anthony PERARD wrote:
> On Wed, Feb 15, 2023 at 04:14:53PM -0800, Stefano Stabellini wrote:
> > On Wed, 15 Feb 2023, Andrew Cooper wrote:
> > > Honestly, I think I'd prefer to drop all of these legacy versions...
> >
> > Good timing! It just so happens that we need to shave some of the old
> > container tests as we have too many build tests on x86 :-)
> >
> > I would remove Jessie as it reached EOL years ago. Do we really need
> > both Centos 7 and 7.2? If not, we could remove 7.
>
> Actually, 7.2 is older than 7, so I would remove 7.2. (7 would be 7.x so
> latest 7 which is 7.9.)

Sounds good

> > That leaves us with Trusty and Centos 7.2 among these. I would be
> > tempted to keep Trusty and add the sed hack of this patch to make it
> > work. For Centos 7.2, the hack looks even worse. Would it solve the
> > problem to upgrade to the latest Centos 7.x subrelease? Is there really
> > no other way to solve the problem?
>
> So for centos7, the blacklist of the expired root certificate isn't
> needed if we simply run `yum update` which for some reason is missing
> from the dockerfile...

That's much better!
diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile index 4baa097e31..27244fd002 100644 --- a/automation/build/centos/7.2.dockerfile +++ b/automation/build/centos/7.2.dockerfile @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \ bzip2 \ nasm \ && yum clean all + +# Remove expired certificate that Let's Encrypt certificates used to relie on. +# (Not needed anymore) +RUN trust extract --filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \ + update-ca-trust diff --git a/automation/build/centos/7.dockerfile b/automation/build/centos/7.dockerfile index e688a4cece..b370068e3c 100644 --- a/automation/build/centos/7.dockerfile +++ b/automation/build/centos/7.dockerfile @@ -49,3 +49,8 @@ RUN yum -y install \ nasm \ && yum clean all && \ rm -rf /var/cache/yum + +# Remove expired certificate that Let's Encrypt certificates used to relie on. +# (Not needed anymore) +RUN trust extract --filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \ + update-ca-trust diff --git a/automation/build/debian/jessie-i386.dockerfile b/automation/build/debian/jessie-i386.dockerfile index c617b6fbfb..84135230d0 100644 --- a/automation/build/debian/jessie-i386.dockerfile +++ b/automation/build/debian/jessie-i386.dockerfile @@ -51,3 +51,8 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* + +# Remove expired certificate that Let's Encrypt certificates used to relie on. +# (Not needed anymore) +RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \ + update-ca-certificates diff --git a/automation/build/debian/jessie.dockerfile b/automation/build/debian/jessie.dockerfile index 8918b26d75..d11dd48e17 100644 --- a/automation/build/debian/jessie.dockerfile 
+++ b/automation/build/debian/jessie.dockerfile @@ -50,3 +50,8 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* + +# Remove expired certificate that Let's Encrypt certificates used to relie on. +# (Not needed anymore) +RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \ + update-ca-certificates diff --git a/automation/build/ubuntu/trusty.dockerfile b/automation/build/ubuntu/trusty.dockerfile index b4b2f85e73..16d08ca931 100644 --- a/automation/build/ubuntu/trusty.dockerfile +++ b/automation/build/ubuntu/trusty.dockerfile @@ -49,3 +49,8 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* + +# Remove expired certificate that Let's Encrypt certificates used to relie on. +# (Not needed anymore) +RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf && \ + update-ca-certificates
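Review bot: In the centos/7.2 hunk the comment does not say what the opaque `pkcs11:id=%c4%a7...;type=cert` filter selects, and the following line `# (Not needed anymore)` reads as if the RUN step itself were dead code rather than the certificate; state that the id is DST Root CA X3 as listed by `trust list` (the commit message says so, the Dockerfile does not), that it is the certificate that is no longer needed, and fix "relie" to "rely". Without that, a later maintainer cannot tell from the file whether the id and the `DST_Root_CA_X3.pem` blacklist name still refer to the same certificate.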
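Review bot: The centos/7 hunk has no check that `trust extract` actually matched anything before `update-ca-trust` runs, so a filter that selects nothing would leave the expired root trusted while the build still passes; add a guard such as `test -s /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem &&` between the two commands. Given the follow-up in the thread that a `yum update` in this RUN block removes the need for the blacklist on centos/7 altogether, that would be the cleaner fix than carrying the pkcs11 id here.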
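Review bot: `sed -i '/mozilla\/DST_Root_CA_X3\.crt/d'` in the jessie-i386 hunk (and identically in the jessie hunk) deletes the entry from /etc/ca-certificates.conf instead of deselecting it; the supported way to disable a certificate there is a leading `!`, which is what the trusty hunk does, and an entry that is simply missing is treated as a newly shipped certificate by the ca-certificates package on its next upgrade and re-enabled by default. Use the same `!` substitution in both jessie hunks, and since sed exits 0 whether or not the pattern was present, consider a `grep -q '^!mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf` so the build fails when the deselection did not take effect.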
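Review bot: In the trusty hunk `s#mozilla/DST_Root_CA_X3\.crt#!\0#` uses GNU sed's `\0` for the whole match; `&` is the portable spelling and clearer to readers. The substitution is also silent when the line is absent or already prefixed with `!`, so a follow-up `grep -q '^!mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf` before `update-ca-certificates` would make the step verifiable, and the `# (Not needed anymore)` comment should say it is the certificate, not this step, that is no longer needed.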
While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
present, openssl seems to still check for the root certificate
DST_Root_CA_X3.crt which has expired. This prevents https connections.

Removing DST_Root_CA_X3 fixes the issue.

centos: found the filter by looking for "DST Root" in `trust list`.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
 automation/build/centos/7.2.dockerfile         | 5 +++++
 automation/build/centos/7.dockerfile           | 5 +++++
 automation/build/debian/jessie-i386.dockerfile | 5 +++++
 automation/build/debian/jessie.dockerfile      | 5 +++++
 automation/build/ubuntu/trusty.dockerfile      | 5 +++++
 5 files changed, 25 insertions(+)
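As an added example (not part of the patch or the Xen tree), a small Python helper for the step the commit message describes doing by hand on centos: look a CA up by label in `trust list` output and build a shell-safe `trust extract` blacklist command from its pkcs11 URI, refusing ambiguous or missing matches so the wrong certificate can never be blacklisted. The listing and the ids in it are constructed, not real.

```python
"""Map a CA label in p11-kit `trust list` output to its pkcs11 URI and
emit the blacklist command the centos Dockerfiles use (added example)."""
import shlex
from typing import Dict, List

# Constructed sample of `trust list` output; the ids are made up and the
# real ones must be taken from `trust list` on the image being fixed.
SAMPLE_TRUST_LIST = """\
pkcs11:id=%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority

pkcs11:id=%aa%bb%cc%dd%ee%ff%00%11%22%33%44%55%66%77%88%99%aa%bb%cc%dd;type=cert
    type: certificate
    label: DST Root CA X3
    trust: anchor
    category: authority
"""


def parse_trust_list(text: str) -> List[Dict[str, str]]:
    """Split `trust list` output into records keyed by field name plus 'uri'."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("pkcs11:"):            # a new object starts with its URI
            current = {"uri": line.strip()}
            records.append(current)
        elif current and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def find_anchor_uri(text: str, label_fragment: str) -> str:
    """Return the one trust-anchor URI whose label contains label_fragment.
    Ambiguous or empty matches raise, so nothing is blacklisted by accident."""
    hits = [r["uri"] for r in parse_trust_list(text)
            if label_fragment in r.get("label", "") and r.get("trust") == "anchor"]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} anchors match {label_fragment!r}: {hits}")
    return hits[0]


def blacklist_command(uri: str, name: str) -> str:
    """Shell-safe command writing the cert into the p11-kit blacklist directory;
    quoting the URI covers the ';' the Dockerfile escapes by hand."""
    dest = f"/etc/pki/ca-trust/source/blacklist/{name}.pem"
    return (f"trust extract --filter={shlex.quote(uri)} --format=pem-bundle "
            f"{shlex.quote(dest)} && update-ca-trust")
```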