openSUSE Project Management Tool (https://progress.opensuse.org/)
openQA Infrastructure - action #37644: [tools] osd SSL certificate is only valid for openqa.suse.de, not for openqa.nue.suse.com
coolo (coolo@suse.com), 2018-10-16T09:11:18Z, https://progress.opensuse.org/issues/37644?journal_id=157508
<ul><li><strong>Project</strong> changed from <i>openQA Tests</i> to <i>openQA Infrastructure</i></li><li><strong>Category</strong> deleted (<del><i>Infrastructure</i></del>)</li></ul>
nicksinger (nsinger@suse.com), 2018-10-17T07:51:41Z, https://progress.opensuse.org/issues/37644?journal_id=157952
<ul><li><strong>Assignee</strong> set to <i>nicksinger</i></li></ul>
nicksinger (nsinger@suse.com), 2018-10-17T11:16:43Z, https://progress.opensuse.org/issues/37644?journal_id=158060
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>I've created the CSR and sent it to infra to sign it:</p>
<pre><code>Hey Guys,
attached is the new CSR for openqa.suse.de. It now also includes
openqa.nue.suse.com (as requested in
https://progress.opensuse.org/issues/37644).
Is it possible to sign this request without invalidating/revoking the
old certificate of openqa.suse.de? I'd like to do a smooth rollover there.
Thanks in advance,
Nick
</code></pre>
<p><a href="https://infra.nue.suse.com/SelfService/Display.html?id=123024" class="external">https://infra.nue.suse.com/SelfService/Display.html?id=123024</a></p>
<p>Waiting for the cert now.</p>
nicksinger (nsinger@suse.com), 2018-10-17T11:17:01Z, https://progress.opensuse.org/issues/37644?journal_id=158063
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul>
nicksinger (nsinger@suse.com), 2018-11-23T09:46:26Z, https://progress.opensuse.org/issues/37644?journal_id=168161
<ul></ul><p>Ah, forgot to mirror my update from the infra-ticket-system here:</p>
<p>Got the cert, SAN is missing from it (got stripped most likely). Reopened the infra-ticket with the initial request but since it's assigned to fatma (and she is out-of-office) seems like nobody else cares about it.<br>
Maybe with the next deployment then… I'll keep you posted</p>
okurz (okurz@suse.com), 2019-09-24T19:50:54Z, https://progress.opensuse.org/issues/37644?journal_id=245870
<ul></ul><p>nicksinger wrote:</p>
<blockquote>
<p>[…]<br>
Maybe with the next deployment then… I'll keep you posted</p>
</blockquote>
<p>next thing you tell me the cake is not a lie as well ;)</p>
nicksinger (nsinger@suse.com), 2019-10-25T06:34:03Z, https://progress.opensuse.org/issues/37644?journal_id=252698
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-4 status-3 priority-4 priority-default closed" href="/issues/58676">action #58676</a>: [tools] manage certificates by salt (pillars)</i> added</li></ul>
okurz (okurz@suse.com), 2020-02-25T10:55:54Z, https://progress.opensuse.org/issues/37644?journal_id=280525
<ul></ul><p>As discussed in <a href="https://chat.suse.de/group/openqa-dev?msg=3XsRNd5nFtTRBpdsJ" class="external">https://chat.suse.de/group/openqa-dev?msg=3XsRNd5nFtTRBpdsJ</a></p>
<p>We want to manage the complete system configuration in salt hence also certs need to be covered. I suggest to pick whatever is the most easy option first, everything else as potential improvement for later, i.e. store key in plain text, later optionally look into encrypted pillars, e.g. encrypting the pillars with a password encrypted with (tools-team) employees' gpg-key.</p>
okurz (okurz@suse.com), 2020-03-02T21:07:52Z, https://progress.opensuse.org/issues/37644?journal_id=282286
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Fixed! <a href="https://openqa.nue.suse.com/" class="external">https://openqa.nue.suse.com/</a> reports as secure now :) See <a class="issue tracker-4 status-3 priority-4 priority-default closed" title="action: [tools] manage certificates by salt (pillars) (Resolved)" href="https://progress.opensuse.org/issues/58676">#58676</a> for details</p>
okurz (okurz@suse.com), 2020-03-03T08:20:49Z, https://progress.opensuse.org/issues/37644?journal_id=282415
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Feedback</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Urgent</i></li></ul><p>Multiple users reported problems. Despite firefox showing that everything is in order and I assume it correctly uses <code>ca-certificates-suse</code> e.g. also <code>curl https://openqa.suse.de</code> does not accept the new certificates. I have reverted to the old certificates for now but a new salt high state might overwrite them again although I have marked the files and dir as read-only for now:</p>
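<pre><code>cd /etc/apache2/
cd ssl.crt/
# keep the rejected certificate for analysis, then hard-link the previous one back
cp -a openqa.suse.de.crt{,-20200303-broken}
ln -f openqa.suse.de.crt{-20200302,}
cd ../ssl.key/
# same for the private key
cp -a openqa.suse.de.key{,-20200303-broken} && ln -f openqa.suse.de.key{-20200302,}
systemctl restart apache2
cd ..
# make key and certificate directories read-only
chmod -R a-w ssl.{key,crt}/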
</code></pre>
<p>For testing I suggest the following command:</p>
<pre><code>podman run --rm -it registry.suse.de/home/okurz/container/images/curl:latest sh -c 'curl -q https://openqa.suse.de -o /dev/null && curl -q https://openqa.nue.suse.com -o /dev/null'
</code></pre>
nicksinger (nsinger@suse.com), 2020-03-03T12:10:03Z, https://progress.opensuse.org/issues/37644?journal_id=282514
<ul><li><strong>Priority</strong> changed from <i>Urgent</i> to <i>Normal</i></li></ul><p>Firefox is somewhat special when it comes to chain checks. Since we extended the cert to also cover "openqa.nue.suse.com" now we also had to add the trust anchor for "suse.com" in our certificate chain. For this all that was needed is to extend our current chain: <code>curl http://ca.suse.de/certificates/chain/SUSE_CA_suse.com.chain.crt >> SUSE_CA_suse.de.chain.crt</code> (located in <code>/etc/apache2/ssl.crt/</code>) and reload apache afterwards.</p>
<p>btw: I figured this out with <code>echo | openssl s_client -connect openqa.suse.de:443</code> which shows the whole chain and where it fails to validate.</p>
<p>I'll lower the prio but keep the ticket open until we salt the chain too. I see this task blocked by "[RT-ADM #165010] AutoReply: Certificate for ca.suse.de wrong".</p>
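<p>Added example (not part of the ticket or of the project's salt states): a pre-deployment check for the two failure modes reported in this thread, a signed certificate that lost its SAN entries and a chain file that lacks the intermediate of the issuing CA. The CA hierarchy, CA names and file names are constructed test data; only the two host names come from the ticket.</p>

```shell
#!/usr/bin/env bash
# Added example: check a new certificate and chain file before Apache serves them.
# Every key, CA and certificate below is throwaway test data (constructed).
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# covers CERT HOST: succeeds if OpenSSL's hostname matching accepts HOST for CERT.
covers() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# chain_ok ROOT CHAIN CERT: succeeds if CERT verifies up to ROOT using only the
# intermediates in CHAIN, which is the job of the server's chain file.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Test-data helpers: csr NAME CN; sign NAME ISSUER EXTFILE [OUTNAME]
csr()  { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
           -subj "/CN=$2" 2>/dev/null; }
sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
           -CAcreateserial -days 2 -extfile "$3" -out "${4:-$1}.crt" 2>/dev/null; }

echo 'basicConstraints=critical,CA:TRUE' > ca.ext
echo 'keyUsage=digitalSignature,keyEncipherment' > nosan.ext
echo 'subjectAltName=DNS:openqa.suse.de,DNS:openqa.nue.suse.com' > san.ext

# Assumed hierarchy for the demo: one root, one intermediate CA per domain.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Constructed Root" -days 2 2>/dev/null
csr de  "Constructed CA suse.de";  sign de  root ca.ext
csr com "Constructed CA suse.com"; sign com root ca.ext

csr leaf openqa.suse.de
sign leaf com nosan.ext nosan   # CA profile without the requested names
sign leaf com san.ext           # CA profile that applies both names

cp de.crt chain-old.pem               # chain file with the suse.de CA only
cat de.crt com.crt > chain-new.pem    # suse.com CA appended

report() {  # report CERT CHAIN: print the result of both checks
  for h in openqa.suse.de openqa.nue.suse.com; do
    covers "$1" "$h" && echo "$1: $h ok" || echo "$1: $h NOT covered"
  done
  chain_ok root.crt "$2" "$1" && echo "$1 via $2: chain ok" \
                              || echo "$1 via $2: chain BROKEN"
}
report nosan.crt chain-new.pem
report leaf.crt  chain-old.pem
report leaf.crt  chain-new.pem
```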
okurz (okurz@suse.com), 2020-03-30T11:28:06Z, https://progress.opensuse.org/issues/37644?journal_id=289044
<ul></ul><p>haven't you included that in salt already?</p>
livdywan (liv.dywan@suse.com), 2020-04-29T09:04:24Z, https://progress.opensuse.org/issues/37644?journal_id=296849
<ul></ul><p>Any update on this? Still blocking on getting the new cert?</p>
nicksinger (nsinger@suse.com), 2020-04-30T11:02:04Z, https://progress.opensuse.org/issues/37644?journal_id=297187
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Workable</i></li><li><strong>Assignee</strong> deleted (<del><i>nicksinger</i></del>)</li></ul><p>ca.suse.de got a valid SSL certificate in the meantime. Unfortunately it still uses TLS1.0 which is considered insecure by some software - so I will try to ping them once again. However, in general we could start to write this chain generation state now.</p>
okurz (okurz@suse.com), 2020-07-29T07:14:23Z, https://progress.opensuse.org/issues/37644?journal_id=315471
<ul><li><strong>Target version</strong> set to <i>Ready</i></li></ul><p>nicksinger wrote:</p>
<blockquote>
<p>ca.suse.de got a valid SSL certificate in the meantime. Unfortunately it still uses TLS1.0 which is considered insecure by some software - so I will try to ping them once again. However, in general we could start to write this chain generation state now.</p>
</blockquote>
okurz (okurz@suse.com), 2020-09-29T14:51:09Z, https://progress.opensuse.org/issues/37644?journal_id=327814
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul>
okurz (okurz@suse.com), 2020-10-29T22:04:40Z, https://progress.opensuse.org/issues/37644?journal_id=344944
<ul><li><strong>Target version</strong> changed from <i>Ready</i> to <i>future</i></li></ul>
okurz (okurz@suse.com), 2024-02-06T07:45:49Z, https://progress.opensuse.org/issues/37644?journal_id=760312
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-3 priority-4 priority-default closed child" href="/issues/117553">action #117553</a>: multiple people can not access openqa.suse.de but can access openqa.nue.suse.com, we should clarify the difference and maybe change our wording</i> added</li></ul>
okurz (okurz@suse.com), 2024-02-06T07:48:46Z, https://progress.opensuse.org/issues/37644?journal_id=760318
<ul><li><strong>Status</strong> changed from <i>Workable</i> to <i>Resolved</i></li><li><strong>Assignee</strong> set to <i>okurz</i></li><li><strong>Target version</strong> changed from <i>future</i> to <i>Ready</i></li></ul><p>Solved with salt-states-openqa commit 9aa3c58, Author: Oliver Kurz <a href="mailto:okurz@suse.de">okurz@suse.de</a>, Date: Mon Nov 29 08:47:27 2021 +0100, Add SSL management with dehydrated</p>