WPK Root CA Expiry - Next Month #14558

Closed
jjrbg opened this issue Aug 15, 2022 · 4 comments

@jjrbg
Contributor

jjrbg commented Aug 15, 2022

Hi all,

I notice the built-in shipped WPK Root CA etc/wpk_root.pem will expire in 3 weeks' time. Is that going to cause remote agent upgrades to fail as the certificate won't be valid? Or is the validity period ignored?

[jamesg@laptop wazuh]$ openssl x509 -in etc/wpk_root.pem -dates -noout
notBefore=Sep  7 14:47:13 2017 GMT
notAfter=Sep  6 14:47:13 2022 GMT

I'm not sure how important the expiry is or its impact, but I thought the heads up might be useful!

James

@vikman90
Member

Hi @jjrbg,

Thank you for reporting this. Indeed, we need to update the WPK root CA in the agents. We have planned this in version 4.3.7.

Thank you again.
Best regards.

@jjrbg
Contributor Author

jjrbg commented Aug 16, 2022

Hi Vikman,

What will happen if we try to remotely upgrade v4.3.6 agents AFTER the certificate expires? Will they fail to trust the WPK and need to be manually upgraded?

James

@vikman90
Member

vikman90 commented Aug 23, 2022

Hi @jjrbg,

Yes, I'm afraid that agents will reject the WPK packages. Agents need to get the new certificate (which we will re-sign the WPK packages with).

I've explained this at #14715. Should you have any questions, we're available to clarify them.

Best regards.

@vikman90
Member

Hi @jjrbg, I've just merged PR #14696 renewing the root CA certificate for WPK packages. As explained at #14715, we will re-sign the currently released WPKs to let them work with the new CA, which will require the user to install it on their agents.

Let me close this issue.
Thank you very much.
