You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description
Salt is not picking up my custom installed ca certificates and any http query to any hosts with issued certificates of that ca are unable to be verified.
$ sudo salt "myhost" http.query "https://vault:8200/v1/sys/seal-status"
Error running 'http.query': HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: /v1/sys/seal-status (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))
The same does work for example with curl from the same host
$ curl -X GET 'https://vault:8200/v1/sys/seal-status'
{"type":"shamir","initialized":true,"sealed":false,...}
Setup
I have a self signed pki with the ca certificates installed on the host in /usr/local/share/ca-certificates/ and ran the command for linking to the local ca store with
$ sudo update-ca-certificates --verbose --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
Doing .
...
link intranet0.pem -> 0c84b26d.0
link intranet1.pem -> 0c84b26d.1
...
Steps to Reproduce the behavior
Install self signed ca certificates. Do a http request with salt to an endpoint which has an issued certificate of that ca.
Expected behavior
Salt is able to pick up the ca certificates which have been linked to /etc/ssl/certs by the operating system to verify any issued certificates.
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
Salt: 3002.2
Dependency Versions:
cffi: Not Installed
cherrypy: 8.9.1
dateutil: 2.7.3
docker-py: Not Installed
gitdb: 2.0.5
gitpython: 2.1.11
Jinja2: 2.11.2
libgit2: 0.27.7
M2Crypto: 0.35.2
Mako: Not Installed
msgpack: 1.0.0
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: 2.19
pycrypto: 2.6.1
pycryptodome: 3.9.9
pygit2: 0.27.4
Python: 3.7.3 (default, Jul 25 2020, 13:03:44)
python-gnupg: Not Installed
PyYAML: 5.3.1
PyZMQ: 20.0.0
smmap: 2.0.5
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.3
System Versions:
dist: raspbian 10 buster
locale: UTF-8
machine: armv7l
release: 4.19.75-v7l+
system: Linux
version: Raspbian GNU/Linux 10 buster
Additional context
It worked with v2019. I guess it stopped working since some dependencies got bundled with salt?
Which certificate store is saltstack using?
The text was updated successfully, but these errors were encountered:
Never mind. Since saltstack is using request for the http request I had to export the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to use the ca store of the operating system instead of the bundled ca store of request.
Description
Salt is not picking up my custom installed ca certificates and any http query to any hosts with issued certificates of that ca are unable to be verified.
The same does work for example with curl from the same host
Setup
I have a self signed pki with the ca certificates installed on the host in /usr/local/share/ca-certificates/ and ran the command for linking to the local ca store with
Steps to Reproduce the behavior
Install self signed ca certificates. Do a http request with salt to an endpoint which has an issued certificate of that ca.
Expected behavior
Salt is able to pick up the ca certificates which have been linked to /etc/ssl/certs by the operating system to verify any issued certificates.
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)Additional context
It worked with v2019. I guess it stopped working since some dependencies got bundled with salt?
Which certificate store is saltstack using?
The text was updated successfully, but these errors were encountered: