From 27ff71093f32cfbf7e6eba6d0a9a9a9862914377 Mon Sep 17 00:00:00 2001
From: Matthias Veit
Date: Fri, 6 Oct 2023 11:59:18 +0200
Subject: [PATCH] [fix][resotocore] Add additional CA to bundle (#1797)

---
 resotocore/resotocore/__main__.py                | 4 ++--
 resotocore/resotocore/db/db_access.py            | 2 +-
 resotocore/resotocore/system_start.py            | 2 +-
 resotocore/resotocore/web/certificate_handler.py | 3 ++-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/resotocore/resotocore/__main__.py b/resotocore/resotocore/__main__.py
index 4165639cf..f6c67e17f 100644
--- a/resotocore/resotocore/__main__.py
+++ b/resotocore/resotocore/__main__.py
@@ -154,8 +154,8 @@ def run_process(args: Namespace) -> None:
         deps.add(ServiceNames.config, evolve(config, run=RunConfig(temp, verify)))
         # in case of tls: connect again with the correct certificate settings
         use_tls = args.graphdb_server.startswith("https://")
-        db = DbAccess.connect(args, timedelta(seconds=30), verify=verify)[2] if use_tls else sdb
-        deps.add(ServiceNames.system_database, db)
+        sdb = DbAccess.connect(args, timedelta(seconds=30), verify=verify)[2] if use_tls else sdb
+        deps.add(ServiceNames.system_database, sdb)
         event_sender = deps.add(
             ServiceNames.event_sender,
             PostHogEventSender(deps.system_data) if config.runtime.usage_metrics else NoEventSender(),
diff --git a/resotocore/resotocore/db/db_access.py b/resotocore/resotocore/db/db_access.py
index 422ed63bd..d761e2ae2 100644
--- a/resotocore/resotocore/db/db_access.py
+++ b/resotocore/resotocore/db/db_access.py
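Review bot: The rebinding on the new `sdb = …` line replaces the handle that was created before `verify` was known (bound outside this hunk) without closing it, so if `DbAccess.connect` opens an HTTP session per call the first, pre-TLS one lives on until garbage collection — worth confirming and, if so, closing it before the reconnect. The `use_tls` guard the new line depends on is a case-sensitive `startswith("https://")`, so a server URL with an upper-case scheme silently keeps the pre-TLS handle; `urllib.parse.urlsplit(args.graphdb_server).scheme.lower() == "https"` would avoid that. A short comment such as `# replace the bootstrap handle with one that uses the final certificate settings` would make the self-referential assignment easier to read. `run_process` starts and ends outside the hunk.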
@@ -188,7 +188,7 @@ def create_database() -> None:
             try:
                 # try to access the system database with default credentials.
                 # this only works if arango has been started with default settings.
-                http_client = ArangoHTTPClient(args.graphdb_request_timeout, not args.graphdb_no_ssl_verify)
+                http_client = ArangoHTTPClient(args.graphdb_request_timeout, False)
                 root_pw = args.graphdb_root_password
                 secure_root = not args.graphdb_bootstrap_do_not_secure
                 root_db = ArangoClient(hosts=args.graphdb_server, http_client=http_client).db(password=root_pw)
diff --git a/resotocore/resotocore/system_start.py b/resotocore/resotocore/system_start.py
index 5d2f216ed..5c983dac9 100644
--- a/resotocore/resotocore/system_start.py
+++ b/resotocore/resotocore/system_start.py
@@ -62,7 +62,7 @@ def check_file(path: str) -> str:
         if os.path.isfile(path):
             return path
         else:
-            raise AttributeError(f"{message}: path {path} is not a directory!")
+            raise AttributeError(f"{message}: path {path} is not a file!")
 
     return check_file
 
diff --git a/resotocore/resotocore/web/certificate_handler.py b/resotocore/resotocore/web/certificate_handler.py
index e2047cd51..dc98f92c0 100644
--- a/resotocore/resotocore/web/certificate_handler.py
+++ b/resotocore/resotocore/web/certificate_handler.py
@@ -51,6 +51,7 @@ def __init__(
         super().__init__()
         self.config = config
         self._ca_cert = ca_cert
+        self._trusted_authorities = [self._ca_cert] + (additional_trusted_authorities or [])
         self._ca_cert_bytes = cert_to_bytes(ca_cert)
         self._ca_cert_fingerprint = cert_fingerprint(ca_cert)
         self._ca_bundle = temp_dir / "ca-bundle.crt"
@@ -68,7 +69,7 @@ async def stop(self) -> None:
         await self._ca_cert_recreate.stop()
 
     def __recreate_ca_file(self) -> None:
-        write_ca_bundle(self._ca_cert, str(self._ca_bundle))
+        write_ca_bundle(self._trusted_authorities, str(self._ca_bundle))
 
     @property
     def ca_cert(self) -> Certificate:
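Review bot: The new line hardcodes `False` as the verify argument of `ArangoHTTPClient`, which disables TLS certificate verification for the bootstrap connection regardless of `--graphdb-no-ssl-verify`, and the lines below then send the root password (`root_pw`) — and, judging by `secure_root`, presumably the root-password change — over that connection, so a man-in-the-middle on the way to an https `graphdb_server` could capture or alter the bootstrap. If the motivation is that the freshly generated CA is not yet in any bundle at this point, the argument should still be something verifiable — `True` for the system trust store, or the bundle path this commit now writes — and the operator opt-out should stay as it was: `http_client = ArangoHTTPClient(args.graphdb_request_timeout, not args.graphdb_no_ssl_verify)`. If skipping verification here really is intended, the constant needs a comment next to it, e.g. `# bootstrap runs before the CA bundle exists; verification is intentionally skipped (#1797)`, so it is not read as a leftover. `create_database` continues outside the hunk.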
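Review bot: The corrected message on the new line is still raised as `AttributeError`, which argparse does not turn into a usage error (it only catches `ArgumentTypeError`, `TypeError` and `ValueError`), so if `check_file` is used as an argparse `type=` callable — the `return check_file` factory pattern suggests it is — a bad path ends in a traceback rather than a clean error. `raise ValueError(f"{message}: path {path} is not a file!")` (or `argparse.ArgumentTypeError`) would give the intended behaviour; worth confirming against the caller. The enclosing factory function starts outside the hunk.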
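Review bot: Every certificate in `additional_trusted_authorities` becomes a trust anchor for whatever consumes the bundle built from `self._trusted_authorities`, but the new line appends them verbatim without checking that they are CA certificates (basicConstraints CA=TRUE), are within their validity period, or are not duplicates of `ca_cert`; an operator accidentally passing a leaf certificate would have it trusted as a root. If `Certificate` is the `cryptography` type, as the `ca_cert` property suggests, filtering on `BasicConstraints` before building the list is cheap; at minimum the expectation should be stated next to the assignment: `# additional authorities are written unvalidated into the CA bundle; callers must pass CA certificates only`. Note also that `_ca_cert_bytes` and `_ca_cert_fingerprint` on the following lines cover only the primary CA, so anything keyed on that fingerprint does not reflect the additional authorities. `__init__` starts and ends outside the hunk.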
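Review bot: `write_ca_bundle` now receives a list where the removed line passed a single `Certificate`, yet the diffstat lists no change to the module defining it, so either the helper already accepted a sequence or this call fails at runtime — worth confirming, and pinning with an annotation such as `self._trusted_authorities: list[Certificate]` where it is assigned. Because the bundle is rewritten on the `_ca_cert_recreate` timer while other components may be reading the same path, the helper should write to a temporary file and rename it into place so a reader never sees a truncated bundle; if it does, a docstring here should say so, e.g. `"""Rewrite the on-disk CA bundle from all trusted authorities; invoked by the recreate timer."""`.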