Generated certificate is not trusted by Chrome 58+ #10
Comments
|
Is this related to #8 ? |
|
Ah yes that's the same issue. The fix there is only partial though. The upstream change to the cert.cnf.erb file in puppet-openssl is needed. |
|
Yup. I see you've opened the PR on it. As soon as that's merged (note to self: voxpupuli/puppet-openssl#89), I'll update the submodule and create a new tag. |
|
I might not have explained myself very well. The latest version of puppet-openssl isn't compatible with Chassis (AFAICT). It'll need testing, and if it's not then we'll need a fork. |
|
Oh right... hm... will need to test, but due to client projects, side projects, and other stuff this is halfway down on my things to do list :/ |
|
Woop, this has been merged upstream! Testing still needs to happen |
|
I've done a fair bit of testing this afternoon and unfortunately with the current Chassis image we have Puppet version
I believe we need at least Puppet 4.x as a minimum requirement to fix this upstream in Chassis. |
|
I'm not entirely sure if that's visible in the convo that we have a temporary fix, possibly because @johnbillion 's fork of openssl module ( and the fix branch ) is based on the latest version and thus is not compatible with Chassis for the reason mentioned above. Tempo fix is to just copy the change outline by @johnbillion in https://github.com/johnbillion/puppet-openssl/commit/ec9df7e8ac79293a024cfae46344b7c584243e49 and NOT to checkout the fork/branch ( Guilty of doing that multiple times, hence this note. ). ie: just adding the line manually. |
|
Could also add a custom cnf template in the meantime, will work on that angle. |
|
@roborourke Did you get around to looking into this? |
|
@johnbillion yeah I did sorry, my fork of this repo does that - I forked
and made a puppet v3 compatible version of the OpenSSL dependency to use
with chassis. I’ll make a PR for that when I’m back off holiday
…On Mon, 2 Jul 2018 at 14:46, John Blackbourn ***@***.***> wrote:
@roborourke <https://github.com/roborourke> Did you get around to looking
into this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#10 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABbeSefMm3PvK-Mht4raiAdzJdZk_yFks5uChYOgaJpZM4NrXbG>
.
|
|
Archiving the repository. Apparently Chassis has their own fork / maintained functionality of adding SSL certs to it per #14: https://github.com/Chassis/chassis_openssl I am no longer maintaining this repository. |
Since version 58, Chrome no longer trusts certificates that don't contain a SAN. This means Chrome now displays a security error for the Chassis-generated certificate (even after you've added it to your trust store) because it doesn't include a SAN.
chassis-opensslusespuppet-opensslto generate its certificates.puppet-openssldoesn't support generating certificates that include a SAN (Can't add SAN records voxpupuli/puppet-openssl#44).chassis-openssluses an old version ofpuppet-opensslvia its submodule. The current version ofpuppet-opensslno longer supports the version of Puppet that Chassis uses, so even ifpuppet-openssladded support for SAN thenchassis-opensslcouldn't updatepuppet-opensslbecause it's not compatible.puppet-openssl, apply the SAN fix, and change the submodule reference used inchassis-opensslto point to this fork and reference.Thoughts?
This change appears to be all that's needed for the SAN fix: https://github.com/johnbillion/puppet-openssl/commit/ec9df7e8ac79293a024cfae46344b7c584243e49
CC @BronsonQuick @rmccue @shadyvb because why not.
The text was updated successfully, but these errors were encountered: