Salt Minion Windows Installer uses openssl and own cert chain #46644
Comments
@twangboy Thoughts on this one?
We currently bundle OpenSSL 1.0.2n and we package @dwoz ?
@mruepp Could you try installing
or from the master with:
If that works, we'll add that dependency to the Salt installation for future versions.
ZD-2644
I can confirm that installing
The only thing I can think of to do here is a separate Salt build that uses the system certificate store using
Can you expand on why this would be (or should be) a separate build?
Fixed with #48476
This fix is causing issues with our tests. We'll need to do a deep dive into the On a Windows system without
NOTE: If you install
So, Python has been using the Windows Certificate Store since 2.7.9 and 3.4 (see here). The problem is another dependency that Salt is using: Tornado. certifi is a requirement for Tornado versions <5. Starting with Tornado 5.0 they dropped the certifi requirement (see here). However, Salt on Py3 is pinned to versions of Tornado greater than 4.2.1 and less than 5 (see here). Support for Tornado 5 will be implemented in the Fluorine release (see here). Salt on Py2 does support Tornado 5. So, theoretically, you could install the Py2 version of Salt, uninstall certifi and upgrade Tornado to version 5.1 in the Salt installation to work around this issue. Bottom line, this issue should be fixed in Fluorine by updating support for Tornado 5 on Py3.
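A diagnostic for the situation described in the comment above, added here as an example (it is not code from this thread or from Salt): it compares the CA names Python's OS-backed default context has loaded against the names in an installed certifi bundle, and flags the case where the operating system trusts a CA that the certifi `cert.pem` does not. The CA name you pass in is whatever your AD-deployed root is called; "Example Corp Root CA" in the usage note is a constructed placeholder.

```python
import ssl
import sys

try:
    import certifi  # static cert.pem that Tornado < 5 insists on verifying against
except ImportError:
    certifi = None  # nothing installed that could shadow the OS store


def _subject_cn(cert):
    """Return the commonName from a cert dict as SSLContext.get_ca_certs() yields it."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def trust_store_report(ca_common_name):
    """Compare the OS-backed default context with certifi's bundle for one CA name.

    On Windows (Python >= 2.7.9 / 3.4) create_default_context() loads the ROOT and
    CA stores, so an AD-deployed CA appears there; Tornado < 5 instead verifies
    against certifi's cert.pem, which only carries public CAs.
    """
    system_ctx = ssl.create_default_context()
    system_names = {_subject_cn(c) for c in system_ctx.get_ca_certs()}
    certifi_names = set()
    if certifi is not None:
        bundle_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        bundle_ctx.load_verify_locations(cafile=certifi.where())
        certifi_names = {_subject_cn(c) for c in bundle_ctx.get_ca_certs()}
    in_system = ca_common_name in system_names
    in_bundle = ca_common_name in certifi_names
    return {
        "python": sys.version.split()[0],
        "certifi_installed": certifi is not None,
        "certifi_path": certifi.where() if certifi else None,
        "system_ca_count": len(system_names),
        "certifi_ca_count": len(certifi_names),
        "in_system_store": in_system,
        "in_certifi_bundle": in_bundle,
        # The failure in this issue: the OS trusts the private CA but the
        # bundle the HTTP client actually consults does not.
        "shadowed_by_certifi": certifi is not None and in_system and not in_bundle,
    }
```

Run `trust_store_report("Example Corp Root CA")` (constructed name) with the minion's own Python; a `True` value for `shadowed_by_certifi` reproduces the "ssl not verified" condition from the report, while `False` for `in_system_store` means the CA never reached the Windows store in the first place.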
@rickh563 ^^^
This is dependent on the work being done here:
@dwoz Yes, correct. Once that is done, we'll need to change the deps for the Py3 Windows package to use Tornado 5.
Tornado 5.0 support #51883 should fix this; pending testing and validation after the Tornado 5.0 fix.
Descoping from
Description of Issue/Question
On Windows we have to add our self-signed CA chain to the Salt minion installer's cert.pem.
We want Salt to use the Windows trust store certs, which are delivered by Active Directory; basically, use the SChannel transport or be able to configure this on a case-by-case basis.
This is a problem in all self-signed CA environments. On Linux we often deploy cert chains with Salt or other mechanisms; on Windows the CA chains are usually the point of truth in AD and deployed with AD.
Setup
(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)
Default salt minion python 3 amd64 installer
Steps to Reproduce Issue
(Include debug logs if possible and relevant.)
Using file.managed from an https source with a self-signed cert throws an "SSL not verified" error; the same happens with archive.extracted.
Versions Report
```
Salt Version:
           Salt: 2017.7.4

Dependency Versions:
           cffi: 1.6.0
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: 0.24.6
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.24.2
         Python: 2.7.5 (default, Aug 4 2017, 00:39:18)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.4.1708 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-693.21.1.el7.x86_64
         system: Linux
        version: CentOS Linux 7.4.1708 Core
```