Generated certificate is not trusted by Chrome 58+ #10
Comments
Is this related to #8 ? |
Ah yes that's the same issue. The fix there is only partial though. The upstream change to the cert.cnf.erb file in puppet-openssl is needed. |
Yup. I see you've opened the PR on it. As soon as that's merged (note to self: voxpupuli/puppet-openssl#89), I'll update the submodule and create a new tag. |
I might not have explained myself very well. The latest version of puppet-openssl isn't compatible with Chassis (AFAICT). It'll need testing, and if it's not then we'll need a fork. |
Oh right... hm... will need to test, but due to client projects, side projects, and other stuff this is halfway down on my things to do list :/ |
Woop, this has been merged upstream! Testing still needs to happen |
I've done a fair bit of testing this afternoon and unfortunately with the current Chassis image we have Puppet version
I believe we need at least Puppet 4.x as a minimum requirement to fix this upstream in Chassis. |
I'm not entirely sure if that's visible in the convo that we have a temporary fix, possibly because @johnbillion's fork of the openssl module (and the fix branch) is based on the latest version and thus is not compatible with Chassis for the reason mentioned above. Temp fix is to just copy the change outlined by @johnbillion in https://github.com/johnbillion/puppet-openssl/commit/ec9df7e8ac79293a024cfae46344b7c584243e49 and NOT to checkout the fork/branch (Guilty of doing that multiple times, hence this note.), i.e. just adding the line manually. |
Could also add a custom cnf template in the meantime, will work on that angle. |
@roborourke Did you get around to looking into this? |
@johnbillion yeah I did sorry, my fork of this repo does that - I forked and made a puppet v3 compatible version of the OpenSSL dependency to use with chassis. I'll make a PR for that when I'm back off holiday
On Mon, 2 Jul 2018 at 14:46, John Blackbourn wrote:
> @roborourke Did you get around to looking into this?
|
Archiving the repository. Apparently Chassis has their own fork / maintained functionality of adding SSL certs to it per #14: https://github.com/Chassis/chassis_openssl I am no longer maintaining this repository. |
Since version 58, Chrome no longer trusts certificates that don't contain a SAN. This means Chrome now displays a security error for the Chassis-generated certificate (even after you've added it to your trust store) because it doesn't include a SAN.

`chassis-openssl` uses `puppet-openssl` to generate its certificates. `puppet-openssl` doesn't support generating certificates that include a SAN (Can't add SAN records voxpupuli/puppet-openssl#44). `chassis-openssl` uses an old version of `puppet-openssl` via its submodule. The current version of `puppet-openssl` no longer supports the version of Puppet that Chassis uses, so even if `puppet-openssl` added support for SAN then `chassis-openssl` couldn't update `puppet-openssl` because it's not compatible.

Fork `puppet-openssl`, apply the SAN fix, and change the submodule reference used in `chassis-openssl` to point to this fork and reference. Thoughts?

This change appears to be all that's needed for the SAN fix: https://github.com/johnbillion/puppet-openssl/commit/ec9df7e8ac79293a024cfae46344b7c584243e49

CC @BronsonQuick @rmccue @shadyvb because why not.
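To make the failure mode concrete, here is an added Ruby example (not code from chassis-openssl or puppet-openssl): it builds a self-signed certificate with and without a subjectAltName, the way the old and the patched cert.cnf.erb template would, and then checks the hostname the way Chrome 58+ does, matching SAN entries only and ignoring the CN. The hostname vagrant.local is a constructed example.

```ruby
require 'openssl'

# Self-signed certificate for +cn+. With an empty +san_hosts+ the cert carries
# only a CN (what the old template produced); otherwise a subjectAltName
# extension is added, equivalent to "subjectAltName = DNS:a,DNS:b" in a .cnf.
def build_cert(cn, san_hosts = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  unless san_hosts.empty?
    san = san_hosts.map { |h| "DNS:#{h}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names listed in the SAN extension, or [] when the extension is absent.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

# Hostname check in the style of Chrome 58+: only SAN dNSName entries count,
# the CN is never consulted. A single leading wildcard label is supported.
def matches_chrome58?(cert, hostname)
  san_dns_names(cert).any? do |name|
    if name.start_with?('*.')
      labels = hostname.split('.')
      labels.length > 1 && labels[1..-1].join('.').casecmp?(name[2..-1])
    else
      name.casecmp?(hostname)
    end
  end
end

if __FILE__ == $0
  # Constructed example host; a CN-only cert fails, the SAN cert passes.
  puts matches_chrome58?(build_cert('vagrant.local'), 'vagrant.local')
  puts matches_chrome58?(build_cert('vagrant.local', ['vagrant.local']), 'vagrant.local')
end
```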