Skip to content

Fix bootstrap config failing on missing ECDH cert#5775

Merged
eriknordmark merged 1 commit intolf-edge:masterfrom
milan-zededa:fix-bootstrap
Apr 9, 2026
Merged

Fix bootstrap config failing on missing ECDH cert#5775
eriknordmark merged 1 commit intolf-edge:masterfrom
milan-zededa:fix-bootstrap

Conversation

@milan-zededa
Copy link
Copy Markdown
Contributor

@milan-zededa milan-zededa commented Apr 8, 2026
edited
Loading

Description

Commit d28f531 (PR #5584) renamed VerifySigningCertChain to VerifyLeavesCertChain and added a check requiring an ECDH exchange certificate to be present. The bootstrap config verification was updated to call this new function, but BootstrapConfig.ControllerCerts only contains a signing cert chain and never includes an ECDH cert, causing bootstrap config loading to always fail with failed to acquire ECDH cert.

Make the ECDH requirement optional via a requireECDH parameter. The bootstrap config path passes false (signing cert only), while the normal controller cert paths (fetched from /certs endpoint and used for auth container verification) pass true.

How to test and validate this PR

Install EVE OS using an installer with a baked-in bootstrap configuration (aka “single-use EVE installer”) on a device that requires a static IP (or proxy configuration, or VLAN subinterface) to reach the controller. Power on the device and verify that it successfully onboards.

PR Backports

Should be included in the backports for the PR: #5584

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've checked the boxes above, or I've provided a good reason why I didn't check them.

@milan-zededa @claude
Fix bootstrap config failing on missing ECDH cert
d469e57 
Commit d28f531 renamed VerifySigningCertChain to VerifyLeavesCertChain
and added a check requiring an ECDH exchange certificate to be present.
The bootstrap config verification was updated to call this new function,
but BootstrapConfig.ControllerCerts only contains a signing cert chain
and never includes an ECDH cert, causing bootstrap config loading to
always fail with "failed to acquire ECDH cert".

Make the ECDH requirement optional via a requireECDH parameter.
The bootstrap config path passes false (signing cert only), while
the normal controller cert paths (fetched from /certs endpoint and
used for auth container verification) pass true.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Milan Lenco <milan@zededa.com>
@milan-zededa milan-zededa added the bug Something isn't working label Apr 8, 2026
@milan-zededa milan-zededa requested a review from rouming as a code owner April 8, 2026 18:52
@milan-zededa milan-zededa mentioned this pull request Apr 8, 2026
Merged
9 tasks
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 8, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 29.87%. Comparing base (2281599) to head (d469e57).
⚠️ Report is 453 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #5775       +/-   ##
===========================================
+ Coverage   19.52%   29.87%   +10.34%     
===========================================
  Files          19       18        -1     
  Lines        3021     2417      -604     
===========================================
+ Hits          590      722      +132     
+ Misses       2310     1549      -761     
- Partials      121      146       +25

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@eriknordmark eriknordmark added the stable Should be backported to stable release(s) label Apr 8, 2026
eriknordmark
eriknordmark approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@eriknordmark eriknordmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for finding and fixing this. I'll add it to the backport PRs.

@eriknordmark eriknordmark merged commit f0c009f into lf-edge:master Apr 9, 2026
45 of 51 checks passed
@eriknordmark eriknordmark mentioned this pull request Apr 9, 2026
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eriknordmark eriknordmark eriknordmark approved these changes

@rouming rouming Awaiting requested review from rouming rouming is a code owner

@christoph-zededa christoph-zededa Awaiting requested review from christoph-zededa

@OhmSpectator OhmSpectator Awaiting requested review from OhmSpectator

@uncleDecart uncleDecart Awaiting requested review from uncleDecart

Assignees

No one assigned

Labels

bug Something isn't working stable Should be backported to stable release(s)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@milan-zededa @eriknordmark