Latest cacerts breaks SSL to Amazon / AWS #348
Comments
Are they not working to fix that at the curl url? We've just pinned the version to the prior version before those got yanked, and I thought they were going to do what you're suggesting and then update how they use that script. It's not just omnibus-chef that is affected, anyone else that pulls that bundle will break talking to s3 and will complain to them again, so I would expect that they'll have to fix it sooner or later.
@lamont-granquist Thanks for the quick reply. I posted a followup to cURL's mailing list (I didn't realize you were the author of the original post). Until this problem is resolved and following the Principle of Least Astonishment, maybe documenting the issue somewhere could contribute to the mental health of omnibus users? Let me know if I can be of any help.
Meh... this just bit me, too. I ended up allowing the individual versions to set a
Omnibus already supports caching in s3; our version of the cacerts that we're using is here: s3://opscode-omnibus-cache/cacerts-2014.07.15-fd48275847fa10a8007008379ee902f1 You can override that bucket in your project and point someplace else and upload that file to your bucket to do your own s3 caching. For production use, you pretty much have to turn on s3 caching because urls to software disappear all the time.
Here is an example of pinning to the version @lamont-granquist referenced:
Forcing users to use a pay service to get the software to build seems... weak. Why not follow the docs and use the files from github over HTTPS, which don't change, versus the HTTP website version which does? Here's the last CA bundle from before the cleanup (2014.08.13): Here's the latest from after (2015.02.25):
@wolf31o2 Thanks for the pointer. Mind opening a PR with a fix?
Done... :-)
@wolf31o2 @schisamo Pinning the version using an I'm not sure of the potential side effects, but maybe it could make sense to use the last working version as the default?
That's an easy change to the PR in #361 which uses the new files.
fixed by #554 (plus I think Amazon finally got off the root cert that was using MD5)
The `cacerts` software is fetching cURL's certificate bundle and makes it available to the embedded OpenSSL. The cURL bundle is converted from mozilla.org using the mk-ca-bundle (Perl) script. The issue there is that Mozilla marked some certificates for later removal / deprecation, including Verisign's. The certificates are valid, but the script doesn't add them to the bundle. Amazon's certificates are generated using this CA, so the newly built packages won't be able to verify any of the Amazon & AWS SSL certificates (including EC2 API, S3, etc):

I've encountered the issue on a gem which uses Amazon S3 amongst other services.

It seems that the perl script allows inclusion of these certificates using the `-p` flag, so these are the potential fixes I've identified so far:

I'd be glad to create a pull request but I'm not sure of the strategy to adopt.