[XEN,3/4] automation: Remove expired root certificate that used to be used by Let's Encrypt

Message ID 20230215120208.35807-4-anthony.perard@citrix.com (mailing list archive)
State Superseded
Series automation: Update containers to allow HTTPS access to xenbits

Commit Message

Anthony PERARD Feb. 15, 2023, 12:02 p.m. UTC
While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
present, openssl seems to still check for the root certificate
DST_Root_CA_X3.crt which has expired. This prevents HTTPS connections.

Removing DST_Root_CA_X3 fixes the issue.

centos: found the filter by looking for "DST Root" in `trust list`.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
 automation/build/centos/7.2.dockerfile         | 5 +++++
 automation/build/centos/7.dockerfile           | 5 +++++
 automation/build/debian/jessie-i386.dockerfile | 5 +++++
 automation/build/debian/jessie.dockerfile      | 5 +++++
 automation/build/ubuntu/trusty.dockerfile      | 5 +++++
 5 files changed, 25 insertions(+)

Comments

Andrew Cooper Feb. 15, 2023, 12:41 p.m. UTC | #1
On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> present, openssl seems to still check for the root certificate
> DST_Root_CA_X3.crt which has expired. This prevents HTTPS connections.
>
> Removing DST_Root_CA_X3 fixes the issue.
>
> centos: found the filter by looking for "DST Root" in `trust list`.
>
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
>  automation/build/centos/7.2.dockerfile         | 5 +++++
>  automation/build/centos/7.dockerfile           | 5 +++++
>  automation/build/debian/jessie-i386.dockerfile | 5 +++++
>  automation/build/debian/jessie.dockerfile      | 5 +++++
>  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
>  5 files changed, 25 insertions(+)
>
> diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
> index 4baa097e31..27244fd002 100644
> --- a/automation/build/centos/7.2.dockerfile
> +++ b/automation/build/centos/7.2.dockerfile
> @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
>          bzip2 \
>          nasm \
>      && yum clean all
> +
> +# Remove expired certificate that Let's Encrypt certificates used to relie on.

rely.

And really (to all of these modifications)?  This seems outrageously
hacky to be deploying into production...

Honestly, I think I'd prefer to drop all of these legacy versions...

~Andrew
Stefano Stabellini Feb. 16, 2023, 12:14 a.m. UTC | #2
On Wed, 15 Feb 2023, Andrew Cooper wrote:
> On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> > While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> > present, openssl seems to still check for the root certificate
> > DST_Root_CA_X3.crt which has expired. This prevents HTTPS connections.
> >
> > Removing DST_Root_CA_X3 fixes the issue.
> >
> > centos: found the filter by looking for "DST Root" in `trust list`.
> >
> > Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> > ---
> >  automation/build/centos/7.2.dockerfile         | 5 +++++
> >  automation/build/centos/7.dockerfile           | 5 +++++
> >  automation/build/debian/jessie-i386.dockerfile | 5 +++++
> >  automation/build/debian/jessie.dockerfile      | 5 +++++
> >  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
> >  5 files changed, 25 insertions(+)
> >
> > diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
> > index 4baa097e31..27244fd002 100644
> > --- a/automation/build/centos/7.2.dockerfile
> > +++ b/automation/build/centos/7.2.dockerfile
> > @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
> >          bzip2 \
> >          nasm \
> >      && yum clean all
> > +
> > +# Remove expired certificate that Let's Encrypt certificates used to relie on.
> 
> rely.
> 
> And really (to all of these modifications)?  This seems outrageously
> hacky to be deploying into production...
> 
> Honestly, I think I'd prefer to drop all of these legacy versions...

Good timing! It just so happens that we need to shave some of the old
container tests as we have too many build tests on x86 :-)

I would remove Jessie as it reached EOL years ago. Do we really need
both Centos 7 and 7.2? If not, we could remove 7.

That leaves us with Trusty and Centos 7.2 among these. I would be
tempted to keep Trusty and add the sed hack of this patch to make it
work. For Centos 7.2, the hack looks even worse. Would it solve the
problem to upgrade to the latest Centos 7.x subrelease? Is there really
no other way to solve the problem?
Anthony PERARD Feb. 16, 2023, 11:34 a.m. UTC | #3
On Wed, Feb 15, 2023 at 04:14:53PM -0800, Stefano Stabellini wrote:
> On Wed, 15 Feb 2023, Andrew Cooper wrote:
> > Honestly, I think I'd prefer to drop all of these legacy versions...
> 
> Good timing! It just so happens that we need to shave some of the old
> container tests as we have too many build tests on x86 :-)
> 
> I would remove Jessie as it reached EOL years ago. Do we really need
> both Centos 7 and 7.2? If not, we could remove 7.

Actually, 7.2 is older than 7, so I would remove 7.2. (7 would be 7.x so
latest 7 which is 7.9.)

> That leaves us with Trusty and Centos 7.2 among these. I would be
> tempted to keep Trusty and add the sed hack of this patch to make it
> work. For Centos 7.2, the hack looks even worse. Would it solve the
> problem to upgrade to the latest Centos 7.x subrelease? Is there really
> no other way to solve the problem?

So for centos7, the blacklist of the expired root certificate isn't
needed if we simply run `yum update` which for some reason is missing
from the dockerfile...

Thanks,
Stefano Stabellini Feb. 16, 2023, 8:19 p.m. UTC | #4
On Thu, 16 Feb 2023, Anthony PERARD wrote:
> On Wed, Feb 15, 2023 at 04:14:53PM -0800, Stefano Stabellini wrote:
> > On Wed, 15 Feb 2023, Andrew Cooper wrote:
> > > Honestly, I think I'd prefer to drop all of these legacy versions...
> > 
> > Good timing! It just so happens that we need to shave some of the old
> > container tests as we have too many build tests on x86 :-)
> > 
> > I would remove Jessie as it reached EOL years ago. Do we really need
> > both Centos 7 and 7.2? If not, we could remove 7.
> 
> Actually, 7.2 is older than 7, so I would remove 7.2. (7 would be 7.x so
> latest 7 which is 7.9.)

Sounds good


> > That leaves us with Trusty and Centos 7.2 among these. I would be
> > tempted to keep Trusty and add the sed hack of this patch to make it
> > work. For Centos 7.2, the hack looks even worse. Would it solve the
> > problem to upgrade to the latest Centos 7.x subrelease? Is there really
> > no other way to solve the problem?
> 
> So for centos7, the blacklist of the expired root certificate isn't
> needed if we simply run `yum update` which for some reason is missing
> from the dockerfile...

That's much better!
Patch

diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile
index 4baa097e31..27244fd002 100644
--- a/automation/build/centos/7.2.dockerfile
+++ b/automation/build/centos/7.2.dockerfile
@@ -50,3 +50,8 @@  RUN rpm --rebuilddb && \
         bzip2 \
         nasm \
     && yum clean all
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract --filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
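Review bot: The two added comment lines are misleading as written: "relie" should be "rely", and "(Not needed anymore)" reads as if the RUN step below it is unnecessary, when it means the DST Root CA X3 certificate is no longer needed by Let's Encrypt. The hard-coded `pkcs11:id=%c4%a7...` filter is also opaque to a future reader; the commit message says it was found by looking for "DST Root" in `trust list`, so that should be stated in the comment, for example "# pkcs11 id of DST Root CA X3, taken from `trust list`", so the blacklist entry can be re-verified when the base image changes.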
diff --git a/automation/build/centos/7.dockerfile b/automation/build/centos/7.dockerfile
index e688a4cece..b370068e3c 100644
--- a/automation/build/centos/7.dockerfile
+++ b/automation/build/centos/7.dockerfile
@@ -49,3 +49,8 @@  RUN yum -y install \
         nasm \
     && yum clean all && \
     rm -rf /var/cache/yum
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract --filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
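Review bot: This hunk duplicates the same opaque `trust extract --filter=pkcs11:id=...` line from the 7.2 dockerfile, and per the thread (#3) it is not needed on this image at all: the dockerfile never runs `yum update`, and doing so refreshes the ca-certificates package so the expired DST Root CA X3 is dropped without a hand-maintained blacklist. Preferable change: add `yum -y update` to the existing `RUN yum -y install` step instead of adding this blacklist block.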
diff --git a/automation/build/debian/jessie-i386.dockerfile b/automation/build/debian/jessie-i386.dockerfile
index c617b6fbfb..84135230d0 100644
--- a/automation/build/debian/jessie-i386.dockerfile
+++ b/automation/build/debian/jessie-i386.dockerfile
@@ -51,3 +51,8 @@  RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
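Review bot: Deleting the `mozilla/DST_Root_CA_X3.crt` line from /etc/ca-certificates.conf is the wrong disable mechanism: the conf file documents a `!` prefix for certificates that should not be trusted, and the trusty hunk in this same patch already uses that form. Using the delete form here means any later regeneration of the conf (for example by a ca-certificates package upgrade or `update-ca-certificates --fresh`) silently re-enables the expired root. Suggest the same `!`-prefix sed as in trusty.dockerfile so all three Debian-family images behave identically, and fix "relie" -> "rely" in the comment.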
diff --git a/automation/build/debian/jessie.dockerfile b/automation/build/debian/jessie.dockerfile
index 8918b26d75..d11dd48e17 100644
--- a/automation/build/debian/jessie.dockerfile
+++ b/automation/build/debian/jessie.dockerfile
@@ -50,3 +50,8 @@  RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
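Review bot: The `sed -i '/.../d'` here succeeds even when the pattern matches nothing, so if the certificate name in /etc/ca-certificates.conf ever differs the build passes while the expired root stays trusted. A guard such as `grep -q 'mozilla/DST_Root_CA_X3\.crt' /etc/ca-certificates.conf &&` before the sed, or a trailing `! grep -q '^mozilla/DST_Root_CA_X3\.crt' /etc/ca-certificates.conf`, would make the step fail loudly. This is the same block as jessie-i386.dockerfile, so whichever form is chosen should be applied to both.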
diff --git a/automation/build/ubuntu/trusty.dockerfile b/automation/build/ubuntu/trusty.dockerfile
index b4b2f85e73..16d08ca931 100644
--- a/automation/build/ubuntu/trusty.dockerfile
+++ b/automation/build/ubuntu/trusty.dockerfile
@@ -49,3 +49,8 @@  RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf && \
+    update-ca-certificates
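Review bot: `\0` in the sed replacement (`s#mozilla/DST_Root_CA_X3\.crt#!\0#`) is a GNU sed extension; `&` is the POSIX spelling for the whole match and works identically here, so `s#mozilla/DST_Root_CA_X3\.crt#!&#` is the safer form. The substitution is also not idempotent: run twice it produces `!!mozilla/...`. Anchoring on the line start, `s#^mozilla/DST_Root_CA_X3\.crt#!&#`, avoids that. The "(Not needed anymore)" comment should say that it is the certificate, not this step, that is no longer needed, and "relie" should be "rely".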