Update expired SCT certificates #18444

Closed

Member

@t8m t8m commented Jun 1, 2022

Fixes #15179

@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer branch: 1.1.1 Merge to OpenSSL_1_1_1-stable branch approval: otc review pending triaged: bug The issue/pr is/fixes a bug severity: urgent Fixes an urgent issue (exempt from 24h grace period) branch: 3.0 Merge to openssl-3.0 branch labels Jun 1, 2022
@mattcaswell
Member

Is it worth documenting somewhere how you generated these?

@mattcaswell
Member

(Agree urgent)

@t8m
Member Author

t8m commented Jun 1, 2022

Aargh something more is needed.

@t8m t8m removed the branch: 1.1.1 Merge to OpenSSL_1_1_1-stable branch label Jun 1, 2022
@t8m
Member Author

t8m commented Jun 1, 2022

This won't apply to 1.1.1. We'll need another PR for that branch.

@t8m
Member Author

t8m commented Jun 1, 2022

@mattcaswell can you please re-approve.
Also please approve the 1.1.1 PR linked above.

@t8m
Member Author

t8m commented Jun 1, 2022

Ping for second review.

Member

@beldmit beldmit left a comment

LGTM, agree it's urgent

@beldmit beldmit added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Jun 1, 2022
Member

@mattcaswell mattcaswell left a comment

Reconfirm

@mattcaswell
Member

Why is there so much less in this PR compared to the 1.1.1 version?

@Bo98

Bo98 commented Jun 1, 2022

> Why is there so much less in this PR compared to the 1.1.1 version?

Because of b98efeb. Some certificates were regenerated to be SHA256 signed and have an expiry of Jan 26 11:50:13 2120 GMT.

It originally landed to 1.1.1 but soon got reverted.

@t8m t8m added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Jun 1, 2022
openssl-machine pushed a commit that referenced this pull request Jun 1, 2022
Fixes #15179

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from #18444)
openssl-machine pushed a commit that referenced this pull request Jun 1, 2022
Fixes #15179

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from #18444)

(cherry picked from commit 770aea8)
@t8m
Member Author

t8m commented Jun 1, 2022

Merged to master and 3.0 branches. Thank you for the reviews.

@t8m t8m closed this Jun 1, 2022
@t8m
Member Author

t8m commented Jun 1, 2022

> Is it worth documenting somewhere how you generated these?

I just renewed the existing cert with openssl x509 -in <existingcert> -signkey <privatekey> -days 36500 -extensions v3_ca -out <newcert>

@rsbeckerca
Contributor

This appears to have broken the build for 3.0. See #18447 for details.

@Bo98

Bo98 commented Jun 1, 2022

That'll be f9f3096 rather than this one.

@DDvO
Contributor

DDvO commented Jun 4, 2022

> I just renewed the existing cert with openssl x509 -in <existingcert> -signkey <privatekey> -days 36500 -extensions v3_ca -out <newcert>

Well, due to leap years, 100 years lifetime would have been 24 days more 😉
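
As an added example that is not part of this thread or of the OpenSSL code base: a shell sketch that audits a directory for certificates close to expiry and then renews one with the `x509 -signkey` command quoted above, checking that the public key is unchanged. The function names, file names and certificate subject are constructed for the demo, and `-extensions v3_ca` is left out because it names a section of an extension file that this demo does not create.

```shell
#!/bin/sh
# Added example, not from the PR. File names and the subject are constructed.

# Print every *.pem certificate in directory $1 that expires within $2 days.
# Files that do not parse as a certificate are reported as well.
expiring_certs() {
    secs=$(( $2 * 86400 ))
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        # -checkend exits non-zero when notAfter falls inside the window
        openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1 || echo "$f"
    done
}

# Re-sign certificate $1 with its own private key $2 for $3 days, writing $4.
# Same subject and key as before, with a fresh validity period.
renew_cert() {
    openssl x509 -in "$1" -signkey "$2" -days "$3" -out "$4" 2>/dev/null
}

# PEM public key of certificate $1, used to confirm renewal kept the key.
pubkey_of() {
    openssl x509 -in "$1" -noout -pubkey
}

# Constructed fixture: a throwaway self-signed certificate valid for one day.
# Prints the temporary directory holding ca.key and ca.pem.
demo_setup() {
    d=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=constructed test CA\n' \
        > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null || return 1
    echo "$d"
}

# Flag the short-lived certificate, renew it, then re-run the audit.
demo() {
    d=$(demo_setup) || return 1
    echo "expiring before renewal: $(expiring_certs "$d" 30)"
    renew_cert "$d/ca.pem" "$d/ca.key" 36500 "$d/ca.new" && mv "$d/ca.new" "$d/ca.pem"
    echo "expiring after renewal:  $(expiring_certs "$d" 30)"
    openssl x509 -in "$d/ca.pem" -noout -enddate
    rm -rf "$d"
}

demo
```

Running the audit function on a schedule against a directory of test or fixture certificates gives early warning before a test suite starts failing on expired certificates.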

tmshort pushed a commit to tmshort/openssl that referenced this pull request Nov 7, 2022
Fixes openssl#15179

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#18444)

(cherry picked from commit 770aea8)
(cherry picked from commit 338123c)
Successfully merging this pull request may close these issues.

Test certificates will expire soon