Skip to content

Remove all usage of cacerts from configuration schemas (backport #14655) #14670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 2, 2025
Merged

Remove all usage of cacerts from configuration schemas (backport #14655) #14670

merged 1 commit into from
Oct 2, 2025

Conversation

mergify[bot]
Copy link

@mergify mergify bot commented Oct 2, 2025

As mentioned in discussion #14426, the way that cacerts is handled by cuttlefish schemas simply will not work if set.

If cacerts were set to a string value containing one X509 certificate, it would eventually result in a crash because the cacerts ssl option must be of this type:

{cacerts, CACerts :: [public_key:der_encoded()] | [public_key:combined_cert()]}

Neither of those are strings, of course. The certs would have to be decoded via public_key:pem_decode/1 then the resulting term matched to get the actual DER-encoded data.

This PR removes all use of cacerts in cuttlefish schemas. In addition, it filters out cacerts and certs_keys from being JSON-encoded by an HTTP API call to /api/overview. It is technically possible to set cacerts via advanced.config, so, if set, it would crash this API call, as would certs_keys.

This is an automatic backport of pull request #14655 done by Mergify.

@lukebakken @mergify
Remove all usage of cacerts from configuration schemas
55e95f4 
As mentioned in discussion #14426, the way that `cacerts` is handled by
cuttlefish schemas simply will not work if set.

If `cacerts` were set to a string value containing one X509 certificate,
it would eventually result in a crash because the `cacerts` ssl option
must be of [this type](https://www.erlang.org/doc/apps/ssl/ssl.html#t:client_option_cert/0):

```
{cacerts, CACerts :: [public_key:der_encoded()] | [public_key:combined_cert()]}
```

Neither of those are strings, of course.

This PR removes all use of `cacerts` in cuttlefish schemas. In addition,
it filters out `cacerts` and `certs_keys` from being JSON-encoded by an
HTTP API call to `/api/overview`. It _is_ technically possible to set
`cacerts` via `advanced.config`, so, if set, it would crash this API
call, as would `certs_keys`.

(cherry picked from commit ce86fb9)
@michaelklishin michaelklishin added this to the 4.2.0 milestone Oct 2, 2025
@michaelklishin michaelklishin merged commit 0531a33 into v4.2.x Oct 2, 2025
287 of 288 checks passed
@michaelklishin michaelklishin deleted the mergify/bp/v4.2.x/pr-14655 branch October 2, 2025 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@lukebakken lukebakken

Labels
None yet
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.
2 participants
@michaelklishin @lukebakken