
Egeria shipped self-signed certificates will expire soon #7503

Closed
9 of 12 tasks
planetf1 opened this issue Mar 9, 2023 · 7 comments
Assignees
Labels
no-issue-activity Issues automatically marked as stale because they have not had recent activity. pinned Keep open (do not time out)

Comments

@planetf1
Member

planetf1 commented Mar 9, 2023

Our egeria self-signed certificates will expire shortly (see #6326 from 2022)

➜  certificates git:(main) ls
EgeriaClient.cert.pem        EgeriaReactUIClient.cert.pem EgeriaReactUIServer.csr.pem  EgeriaServerChassis.cert.pem EgeriaUIChassis.csr.pem      openssl.cnf
EgeriaClient.csr.pem         EgeriaReactUIClient.csr.pem  EgeriaReactUIServer.key.pem  EgeriaServerChassis.csr.pem  EgeriaUIChassis.key.pem
EgeriaClient.key.pem         EgeriaReactUIClient.key.pem  EgeriaReactUIServer.p12      EgeriaServerChassis.key.pem  EgeriaUIChassis.p12
EgeriaClient.p12             EgeriaReactUIClient.p12      EgeriaRootCA                 EgeriaServerChassis.p12      README.md
EgeriaIntermediateCA         EgeriaReactUIServer.cert.pem EgeriaRootCA.p12             EgeriaUIChassis.cert.pem     gensamplecerts.sh
➜  certificates git:(main) find . -name '*.cert.pem' -exec openssl x509 -enddate -noout -in {} \;
notAfter=Mar 26 11:25:19 2023 GMT
notAfter=Mar 26 11:25:18 2023 GMT
notAfter=Mar 26 11:25:19 2023 GMT
notAfter=Mar 26 11:25:18 2023 GMT
notAfter=Mar 13 11:25:17 2032 GMT
notAfter=Mar 13 11:25:18 2032 GMT
notAfter=Mar 26 11:25:19 2023 GMT

Short term actions

  • Alert dev team
  • update certs in main (v4)
  • Identify/update certs in additional components
  • Assess impact on users of 3.15
    • Local build
    • Local running of chassis
    • Helm charts
  • External communication

Longer term actions

@planetf1
Member Author

planetf1 commented Mar 9, 2023

Our self-signed CA will remain valid until 2032. However, individual certificates for various components will expire on Mar 26.

The impact of this will vary. In many cases in test environments, certificate validity is not checked, so egeria will continue to work. In production environments proper certs should be used, so again no impact.

Last year we saw FVTs failing, as they were configured correctly to validate certs.

planetf1 added a commit to planetf1/egeria that referenced this issue Mar 9, 2023
planetf1 added a commit to planetf1/egeria that referenced this issue Mar 9, 2023
planetf1 added a commit to planetf1/egeria that referenced this issue Mar 9, 2023
@planetf1
Member Author

planetf1 commented Mar 9, 2023

New certs pushed in PR:

 certificates git:(issue7503) find . -name '*.cert.pem' -exec openssl x509 -enddate -noout -in {} \;
notAfter=Mar 18 12:30:49 2024 GMT
notAfter=Mar 18 12:30:48 2024 GMT
notAfter=Mar 18 12:30:48 2024 GMT
notAfter=Mar 18 12:30:48 2024 GMT
notAfter=Mar 13 11:25:17 2032 GMT
notAfter=Mar 13 11:25:18 2032 GMT
notAfter=Mar 18 12:30:49 2024 GMT

planetf1 added a commit to planetf1/egeria that referenced this issue Mar 9, 2023
@planetf1
Member Author

planetf1 commented Mar 9, 2023

  • helm charts only contain truststore - unmodified

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label May 23, 2023
@planetf1 planetf1 added the pinned Keep open (do not time out) label May 23, 2023
@planetf1
Member Author

This will need some action, and incorporation into the process or they will expire again.

@mandy-chessell
Contributor

I think this is complete

@planetf1
Member Author

Although self-signed certs are a little more loosely coupled into the tree now, they're still used & in demos.
At a minimum (and perhaps this is done) I'd recommend updating the certs as part of the release cycle.
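As an added example (not Egeria project code), the POSIX shell script below turns the one-off `find ... openssl x509 -enddate` check from the first comment into the kind of pre-release gate the last comment recommends: it prints the notAfter date of every `*.cert.pem` under a directory and exits non-zero when any certificate will expire within a threshold, using `openssl x509 -checkend` so no platform-specific date parsing is needed. The sample-certificate generator only exists to demonstrate the check on constructed input; the function names, the 30-day default threshold and the assumption that the `openssl` CLI is on PATH are all mine.

```shell
#!/bin/sh
# Added example, not part of the Egeria repository.
# check_cert_dir DIR [DAYS]: list notAfter for every *.cert.pem under DIR and
# return 1 if any certificate expires within DAYS (default 30). Suitable as a
# release-pipeline step so shipped sample certs are renewed before they lapse.
check_cert_dir() {
    dir="$1"; days="${2:-30}"; rc=0
    seconds=$((days * 86400))
    for cert in $(find "$dir" -name '*.cert.pem' | sort); do
        end=$(openssl x509 -enddate -noout -in "$cert" | sed 's/^notAfter=//')
        # -checkend returns 0 if the cert is still valid SECONDS from now, 1 otherwise.
        if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null; then
            printf 'ok        %s  %s\n' "$end" "$cert"
        else
            printf 'EXPIRING  %s  %s\n' "$end" "$cert"
            rc=1
        fi
    done
    return $rc
}

# make_sample_certs DIR: constructed demo input only; writes two self-signed
# certs, one with a day left and one with a year left. Not Egeria's gensamplecerts.sh.
make_sample_certs() {
    dir="$1"
    for spec in "Soon:1" "Fresh:365"; do
        name=${spec%%:*}; days=${spec##*:}
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key.pem" -out "$dir/$name.cert.pem" \
            -days "$days" -subj "/CN=$name" >/dev/null 2>&1
    done
}

# Usage: sh check-certs.sh open-metadata-resources/.../certificates 30
if [ -n "${1:-}" ]; then
    check_cert_dir "$1" "${2:-30}"
fi
```

Running it against the repository's certificates directory with a threshold longer than the release cadence (for instance 90 days for a roughly monthly release) makes an upcoming expiry fail the build rather than surface later as FVT failures.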
