Signing the X509 CA certificate does not work on Debian 8 #27326
Comments
@ralphvanetten, thanks for reporting this issue. This looks like a bug to me.
Does anyone know a workaround or can at least tell me what the error message means? Thanks.
Ping @clinta.
I'm checking this out now. I've not seen this before, but I've not tested on Debian, though I can't see why that would make a difference; you have the same version of M2Crypto that I'm running in production.
Using your exact configs works for me with Salt 2015.8.0 and M2Crypto 0.21.1 on Ubuntu 14.04. I'll need to build a Debian VM to test further.
@clinta, thanks for working on this. Let me know if you need any help.
I did some searching and I think this is a similar problem which appeared after upgrading OpenSSL to 1.0.1i: http://comments.gmane.org/gmane.comp.encryption.openssl.user/52604 Since Ubuntu 14.04 seems to be using OpenSSL 1.0.1f and Debian 8 is using 1.0.1k, I think it could be caused by a change in OpenSSL.
Take a look at https://gitlab.com/m2crypto/m2crypto/merge_requests/1, I think we have fixed stuff like this for RHEL, and all Fedora/RHEL patches are in that merge request, which is going to be the next M2Crypto release hopefully soon.
@mcepl, thanks. I'll test in Fedora to make sure these patches do correct the issue.
So it looks like this issue is not fixed in Fedora 22 with M2Crypto 0.21.1. Going to have to narrow this down further.
I'm testing a fix now. It looks like recent versions of OpenSSL refuse to import incomplete PEM formatted certificates. I believe I have fixed this by avoiding unnecessary exporting/importing as PEM.
So, whose fault is it? OpenSSL, M2Crypto? Could I get the smallest test case reproducing this problem, please?
@mcepl here is a small test case. It's entirely possible that the behavior I was using was never intended, so I'm going to fix it in the salt module. In versions of OpenSSL <= 1.0.1f this gist runs without error. In newer versions it gives the following traceback:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Hmm, with
I will have to investigate.
Thank you for updating this issue. It is no longer marked as stale.
I've copied the sample from https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html but it does not work and I get this error:
It is a fresh Debian 8.2 install with salt installed from repo.saltstack.com.
The only states I have are:
top.sls
ca.sls
What is wrong?