
cert-gen: minimum fields length are now enforced #15

Open
wants to merge 1 commit into master

Conversation

afbjorklund

Seems like docker was failing to generate a certificate?

Set the example.com CA to the same as the timezone

@centos-ci (Collaborator)

Can one of the admins verify this patch?

@praveenkumar (Contributor)

add to whitelist

@afbjorklund (Author)

Seems like it always generated the cert for 127.0.0.1 and not the IP? But saw you had disabled it (the certain) altogether instead.

@praveenkumar (Contributor)

retest this please.

@praveenkumar (Contributor)

@afbjorklund which version of docker is it failing with? We do test this ISO using our CI and it passes without this patch.

@@ -33,7 +33,7 @@ echo $password > $passfile

# Generate the CA
openssl genrsa -aes256 -passout file:$passfile -out ca-key.pem 2048
openssl req -new -x509 -passin file:$passfile -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=/ST=/L=/O=/OU=/CN=example.com"
openssl req -new -x509 -passin file:$passfile -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=US/ST=NY/L=New York/O=Example/OU=X/CN=example.com"
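Review bot: the component that actually trips OpenSSL here is the empty `C=`, since countryName must be exactly two characters (that is the `minsize=2` in the `ASN1_mbstring_ncopy:string too short` error quoted further down), yet the new line fills in placeholder values for all five components. The server CSR in the same script already gets by with `-subj /CN=example.com` and nothing else, so the CA line could do the same, `-subj "/CN=example.com"`, which avoids inventing a country, state and locality and sidesteps the objection below that those values have to look realistic. Whichever subject is kept, example.com is a registered domain that the project does not own; a name the project controls would be preferable.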
Member (inline comment on the diff)

Right, this was one of my original complaints with the fedora iso, as the same issue happened also with the centos iso. It enforces the information to be 'realistic'.

However, can we at least use minishift.io instead. example.com is an owned/existing domain. Also, the locality can be something like Interwebs that feels less realistic, but acceptable.

Author (inline reply)

It also complained about the IP (127.0.0.1)

@gbraad (Member) left a comment

See previous comment (as submit accidentally happened ;-)

@afbjorklund (Author)

@praveenkumar: this was with just docker-machine and started out with minikube-centos-iso (with fedora), and before I noticed that you had commented out the call to the certificate generation in minikube...

https://github.com/minishift/minishift-centos-iso/blob/master/centos-7.template#L130:L131

But I can try it again with the actual ISO, if you find that it works for you with empty certs. I tried with Fedora 27, maybe something has changed for Fedora 28 or something? But I got an openssl error.

Was trying the ISO out as a basis for podman/buildah, but think that I will just start over instead.

@afbjorklund (Author)

problems making Certificate Request
140600462968640:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:102:minsize=2

@praveenkumar (Contributor)

@afbjorklund can you put all the info, step by step, about how you are using this ISO and hitting this issue? I am still not sure why on the minishift side we are not getting this issue.

@afbjorklund (Author)

I believe that I just ran the cert-gen script, but if it is working for you I can run it again and note details.

I was using docker-machine and not minishift, not sure if that changes anything about this issue?

https://github.com/minishift/minishift-fedora-iso/blob/master/fedora.template#L124

Couldn't find where you are using the certificate, but will run it again when I have the opportunity...

@afbjorklund (Author)

Waiting for the vagrant files to download, here is what I got when I ran the command in Fedora 28:

+ openssl genrsa -aes256 -passout file:tmp.pass -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
....................+++
e is 65537 (0x010001)
+ openssl req -new -x509 -passin file:tmp.pass -days 365 -key ca-key.pem -sha256 -out ca.pem -subj /C=/ST=/L=/O=/OU=/CN=example.com
problems making Certificate Request
140693958874944:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:102:minsize=2
+ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............+++
.........+++
e is 65537 (0x010001)
+ openssl req -subj /CN=example.com -new -key server-key.pem -out server.csr
+ extip=127.0.0.1
+ extipfile=extfile.cnf
+ echo subjectAltName = IP:127.0.0.1
+ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -passin file:tmp.pass -extfile extfile.cnf
x509: Cannot open input file ca.pem, No such file or directory
x509: Use -help for summary.

The rest of the script keeps on slugging, but there are no ca/cert/key files being generated here.

Since you have removed them from the docker config, I'm not sure it matters. But that's the bug?

 # update docker.service file to exec the certificate generation script
 sed -i.back 's/ExecStart=/ExecStartPre=\/usr\/local\/bin\/minishift-cert-gen\n&/' /usr/lib/systemd/system/docker.service
 sed -i.back '/After=*/c\After=network.target rc-local.service' /usr/lib/systemd/system/docker.service
 sed -i.back '/After=*/c\After=cloud-init.service rc-local.service' /usr/lib/systemd/system/docker-storage-setup.service
 
-# update the docker config to listen on TCP as well as unix socket
-sed -i.back '/OPTIONS=*/c\OPTIONS="--selinux-enabled --log-driver=journald -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem --tlsverify"' /etc/sysconfig/docker
-
 # update docker-storage to use overlay2 as default storage driver
 echo 'DOCKER_STORAGE_OPTIONS="--storage-driver overlay2"' > /etc/sysconfig/docker-storage
 
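Review bot: the `ExecStartPre=/usr/local/bin/minishift-cert-gen` hook that the first `sed` inserts into docker.service is kept while the `OPTIONS=` line that consumed `/etc/docker/ca.pem`, `server.pem` and `server-key.pem` is removed, so the script still runs on every docker start with nothing using its output; either drop the hook together with the TLS options or keep both. If the hook stays, the script should exit non-zero when an openssl step fails instead of running on, as the trace above shows it doing after the CA step, and note that the inserted `ExecStartPre=` line has no leading `-`, so a non-zero exit would then keep docker from starting; that is the intended behaviour for a daemon that is supposed to require `--tlsverify`, but it is a decision to make explicitly rather than by accident.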

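The sequence in the trace above (CA subject with empty components, then the signing step failing for want of a ca.pem while the script runs on), redone as an added example that is not the minishift cert-gen script: every `-subj` is a CN only, so no distinguished-name component is empty regardless of how the installed openssl treats one, the address clients will dial goes into a subjectAltName, the script stops at the first openssl error, and a separate check refuses to report success unless the chain verifies and the SAN carries that address. The output directory, the address 192.168.99.100 and the name "minishift" are arguments chosen for the example; nothing here assumes minishift's /etc/docker paths.

```shell
#!/bin/sh
# Added example, not the minishift cert-gen script. Generates a CA and a
# server certificate for one IP, keeping every -subj to a CN only so no
# distinguished-name component is empty, and stops at the first openssl
# error instead of running on without a ca.pem.
set -eu

# mk_certs DIR IP NAME: writes ca.pem, server.pem and server-key.pem into DIR.
# DIR, IP and NAME are whatever the caller passes (chosen values, not
# minishift's); the 365-day lifetime mirrors the script in the thread.
mk_certs() {
  dir=$1; ip=$2; name=$3
  mkdir -p "$dir"

  # CA: self-signed, CN-only subject (no C=/ST=/L=/O=/OU= placeholders).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
    -subj "/CN=$name CA" >/dev/null 2>&1

  # Server key and CSR, again CN-only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" \
    -subj "/CN=$name" >/dev/null 2>&1

  # The address clients will dial goes in the SAN; a CN alone does not
  # match an IP. If ca.pem were missing this step would fail and, with
  # set -e, the function would stop here rather than carry on.
  printf 'subjectAltName = IP:%s\nextendedKeyUsage = serverAuth\n' "$ip" \
    > "$dir/extfile.cnf"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/extfile.cnf" -out "$dir/server.pem" >/dev/null 2>&1
}

# check_certs DIR IP: all three files exist and are non-empty, the server
# cert chains to ca.pem, and its SAN names IP. Non-zero otherwise, so a
# caller (an ExecStartPre, say) can refuse to start the daemon.
check_certs() {
  dir=$1; ip=$2
  [ -s "$dir/ca.pem" ] && [ -s "$dir/server.pem" ] && [ -s "$dir/server-key.pem" ] || return 1
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.pem" -noout -text 2>/dev/null \
    | grep -qF "IP Address:$ip"
}

# Stand-alone run: a throwaway directory and an example VM address.
if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  mk_certs "$out" 192.168.99.100 minishift
  check_certs "$out" 192.168.99.100 && echo "ok: $out"
fi
```

Run it with `sh cert-example.sh run`. The check is the step the trace lacks: there the x509 signing step found no ca.pem and the remaining commands ran anyway, leaving the docker daemon with a `--tlsverify` configuration and no files behind it; here `set -e` stops at the failing step and `check_certs` only returns success when a client connecting to the given IP would actually be able to validate the chain.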

4 participants