[BUG] CA used to generate certs is expired #4047

Closed
seiimonn opened this issue Feb 2, 2024 · 6 comments · Fixed by #4061
Labels: bug (Something isn't working)

Comments


seiimonn commented Feb 2, 2024

What is the bug?

The cert used by the container is signed by the CA found in config/root-ca.pem. This CA is expired but the certs are valid for 10 years.

The CA:

```
openssl x509 -in root-ca.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:e4:af:3e:fc:da:9f:93:f6:4d:06:c4:67:8c:e3:e0:6b:7a:15:8a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example, O = Example Com Inc., OU = Example Com Inc. Root CA, CN = Example Com Inc. Root CA
        Validity
            Not Before: Aug 29 04:20:03 2023 GMT
            Not After : Sep 28 04:20:03 2023 GMT
        Subject: DC = com, DC = example, O = Example Com Inc., OU = Example Com Inc. Root CA, CN = Example Com Inc. Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
```

The cert:

```
openssl x509 -in esnode.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:3a:e5:0c:f3:fc:6b:34:43:3d:97:21:03:f5:c4:b3:1d:17:da:22
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example, O = Example Com Inc., OU = Example Com Inc. Root CA, CN = Example Com Inc. Root CA
        Validity
            Not Before: Aug 29 04:23:12 2023 GMT
            Not After : Aug 26 04:23:12 2033 GMT
        Subject: C = de, L = test, O = node, OU = node, CN = node-0.example.com
        Subject Public Key Info:
```

How can one reproduce the bug?

Pull the latest image and check the certs.

What is the expected behavior?

It would be nice if the default certs could be used for a testing use case without having to generate our own certs.

What is your host/environment?

https://hub.docker.com/layers/opensearchproject/opensearch/latest/images/sha256-5495aa4f6ce16c689918846a6e8acc5ef991141693ff7ce3d09c151e25f19e9d?context=explore&tab=vulnerabilities

Do you have any screenshots?

See the outputs from openssl above.

Do you have any additional context?

This worked for previous versions of the image, I do not know when it broke.

@seiimonn seiimonn added the bug (Something isn't working) and untriaged (Require the attention of the repository maintainers and may need to be prioritized) labels Feb 2, 2024
@seiimonn seiimonn changed the title from "[BUG] CA generating" to "[BUG] CA used to generate certs is expired" Feb 2, 2024
@rishabh6788 commented:

Transferring to security repo to update the CA.

@rishabh6788 rishabh6788 transferred this issue from opensearch-project/docker-images Feb 13, 2024
@peternied peternied removed the untriaged (Require the attention of the repository maintainers and may need to be prioritized) label Feb 13, 2024
@peternied (Member) commented:

@DarshitChanpura Could you look into this?

@DarshitChanpura (Member) commented:

I will provide an update once I dive deep into this.

@jeffcourtade commented:

I am experiencing the same issue.
I am unable to trust the cert chain in other applications because of this.

Is someone assigned to update the docker image for this issue?

Is there a guide for replacing these certificates in the docker images?

@jeffcourtade commented:

> I will provide an update once I dive deep into this.

Can you please let me know if there is any progress on this?

We are blocked in a deployment because of this bug.

@DarshitChanpura (Member) commented:

@seiimonn @jeffcourtade This bug will be addressed via: #4061

DarshitChanpura added a commit that referenced this issue Feb 22, 2024
…expired root ca certificate (#4061)

### Description

During the last renewal of certs in #3268, the option `-days 3650` was missed for the root-ca.pem cert, causing it to set the default expiry of 30 days. This PR regenerates the public cert root-ca.pem using the same private key, and it also regenerates the public certs `es-node.pem` and `kirk.pem` so that they can be verified with this new certificate.
* Category: Bug fix
* Why are these changes required?
    - To ensure the expiry is 10 years from now
* What is the old behavior before changes and new behavior after changes?
    - root-ca is currently expired, and this change will set expiry to 2034

### Issues Resolved
- Resolves #4047

### Testing
- Automated testing + [Manual Testing](#4061 (comment))

---------

Signed-off-by: Darshit Chanpura <[email protected]>
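The commit message above gives the root cause: `-days 3650` was left off when root-ca.pem was regenerated, so the CA got OpenSSL's 30-day default while the node certs got ten years. The script below is an added example, not code from this issue or from the opensearch-project/security repository; it reproduces that mismatch with throwaway certificates and shows the check that would have caught it before the chain expired. It assumes the openssl CLI and GNU date (for `date -d`), and the names used (root-ca, esnode, the CN values) are constructed for the demonstration.

```shell
# Added example, not code from this issue or from opensearch-project/security.
# Reproduces the defect the thread describes: a root CA generated without
# -days 3650 gets openssl's 30-day default while the leaf it signs gets ten
# years, so the chain dies a month later although the leaf still looks valid.
# Assumes the openssl CLI and GNU date (for -d); all files live in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # make_ca <name> [days]; omitting days reproduces the 30-day default
    if [ -f "$WORK/$1.key" ]; then keyopt="-key $WORK/$1.key"  # reuse key, as the fix did
    else keyopt="-newkey rsa:2048 -nodes -keyout $WORK/$1.key"; fi
    if [ -n "${2:-}" ]; then daysopt="-days $2"; else daysopt=""; fi
    openssl req -x509 -sha256 $keyopt $daysopt \
        -subj "/CN=Example Com Inc. Root CA" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() {  # make_leaf <name> <ca-name> <days>: fresh key + CSR, signed by the CA
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=node-0.example.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$3" -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

not_after_epoch() {  # seconds since the epoch at which the cert in $1 expires
    date -u -d "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)" +%s
}

ca_outlives_leaf() {  # ca_outlives_leaf <leaf-name> <ca-name>: the check #4047 needed
    leaf_end=$(not_after_epoch "$WORK/$1.pem"); ca_end=$(not_after_epoch "$WORK/$2.pem")
    if [ "$ca_end" -lt "$leaf_end" ]; then
        echo "CA '$2' expires $(( (leaf_end - ca_end) / 86400 )) days before leaf '$1'" >&2
        return 1
    fi
}

check_chain() {  # check_chain <leaf-name> <ca-name>: validity window plus signature
    ca_outlives_leaf "$1" "$2" && openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null
}

make_ca root-ca                 # the bug: -days omitted, so the CA lives 30 days
make_leaf esnode root-ca 3650   # the leaf from the issue: ten years
if check_chain esnode root-ca; then echo "unexpected: chain looks fine"
else echo "as in #4047: the leaf outlives its CA"; fi

make_ca root-ca 3650            # the fix: same private key, -days 3650 this time
make_leaf esnode root-ca 3600   # re-signed; a leaf must not outlast its issuer
check_chain esnode root-ca && echo "fixed: CA now outlives the leaf and verifies"
```

Run against the real files by pointing `not_after_epoch` at root-ca.pem and esnode.pem; the date comparison is what `openssl verify` alone does not report until the CA has actually expired.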
opensearch-trigger-bot bot pushed a commit that referenced this issue Feb 22, 2024
…expired root ca certificate (#4061)

### Description

During the last renewal of certs
#3268, the option
`-days 3650` was missed for root-ca.pem cert causing it to set the
default expiry of 30 days. This PR regenerates the public cert
root-ca.pem, using the same private-key, and it also regenerate public
certs `es-node.pem` and `kirk.pem` so that they can be verified with
this new certificate.
* Category : Bug fix
* Why these changes are required?
    - To ensure the expiry is in 10 years from now
* What is the old behavior before changes and new behavior after
changes?
- root-ca is currently expired, and this change will set expiry to 2034

### Issues Resolved
- Resolves #4047

### Testing
- Automated testing + [Manual
Testing](#4061 (comment))

---------

Signed-off-by: Darshit Chanpura <[email protected]>
(cherry picked from commit 9a6a018)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
dlin2028 pushed a commit to dlin2028/security that referenced this issue May 1, 2024
…expired root ca certificate (opensearch-project#4061)

### Description

During the last renewal of certs
opensearch-project#3268, the option
`-days 3650` was missed for root-ca.pem cert causing it to set the
default expiry of 30 days. This PR regenerates the public cert
root-ca.pem, using the same private-key, and it also regenerate public
certs `es-node.pem` and `kirk.pem` so that they can be verified with
this new certificate.
* Category : Bug fix
* Why these changes are required?
    - To ensure the expiry is in 10 years from now
* What is the old behavior before changes and new behavior after
changes?
- root-ca is currently expired, and this change will set expiry to 2034

### Issues Resolved
- Resolves opensearch-project#4047


### Testing
- Automated testing + [Manual
Testing](opensearch-project#4061 (comment))



---------

Signed-off-by: Darshit Chanpura <[email protected]>