Only RSA key is accepted for custom certificate #6937

Closed
stephdl opened this issue May 28, 2024 · 5 comments

stephdl commented May 28, 2024

Steps to reproduce

  • Initiate a NS8 cluster
  • Try to upload a custom certificate that is not an RSA certificate

Expected behavior

I expect my certificate to be accepted, whether it is an RSA, a DSA or an EC certificate

Actual behavior

Only RSA certs are accepted

Components

traefik 2.2.2

See also


Thanks @nrauso

@stephdl stephdl added the bug label May 28, 2024
@stephdl stephdl self-assigned this May 28, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in NethServer May 28, 2024
@DavidePrincipi DavidePrincipi moved this from 🆕 New to 🏗 In progress in NethServer May 28, 2024
stephdl added a commit to NethServer/ns8-traefik that referenced this issue May 29, 2024
stephdl commented May 29, 2024

QA

Test traefik from ghcr.io/nethserver/traefik:2.2.3-dev.2
Test that you can use an RSA, DSA or EC key

@stephdl stephdl added the testing Packages are available from testing repositories label May 29, 2024
@DavidePrincipi DavidePrincipi moved this from 🏗 In progress to 👀 Testing in NethServer May 29, 2024
@nrauso nrauso self-assigned this May 29, 2024
nrauso commented May 29, 2024

test case: FAILED

The check added with PR#89 is not enough.
After the key check, the action script tries to calculate the modulus of the certificate and the key to verify that they match each other:

# check if cert is provided by key
cert_hash="$(openssl x509 -noout -modulus -in $CERT_FILE | openssl md5)"
key_hash="$(openssl $TYPE_KEY -noout -modulus -in $KEY_FILE | openssl md5)"
if [ "$cert_hash" != "$key_hash" ]; then
    echo "Key didn't generate certificate."
    del_certs
    exit 3
fi

But the modulus is not available for EC keys, so the action fails:

ec: Unknown cipher: modulus
ec: Use -help for summary.
809BA672C07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (modulus : 0), Properties (<null>)

stephdl added a commit to NethServer/ns8-traefik that referenced this issue May 30, 2024
Compare md5 of public keys for certificate validation NethServer/dev#6937
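
An added example (not the ns8-traefik code) of a key-type-agnostic match check in the spirit of the commit title above: it compares the public key embedded in the certificate with the one derived from the private key, instead of RSA moduli. Function names and return codes are assumptions, and SHA-256 is used here in place of the MD5 named in the commit title.

```bash
#!/usr/bin/env bash
# Added example: names below are hypothetical, not taken from ns8-traefik.

# SHA-256 of the public key embedded in a PEM certificate.
# Exits non-zero if the file cannot be parsed, so two unreadable inputs
# can never compare equal as two digests of empty output.
cert_spki_digest() (
    pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || exit 1
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
)

# SHA-256 of the public key derived from a private key. `openssl pkey`
# handles RSA, DSA and EC alike, so no per-algorithm subcommand is needed.
# `-passin pass:` makes an encrypted key fail instead of prompting.
key_spki_digest() (
    pub="$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null)" || exit 1
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
)

# 0 = key matches certificate, 3 = mismatch, 2 = unreadable input.
key_matches_cert() {
    cert_digest="$(cert_spki_digest "$1")" || return 2
    key_digest="$(key_spki_digest "$2")" || return 2
    [ "$cert_digest" = "$key_digest" ] || return 3
}

# Constructed sample input: throwaway self-signed pair in directory $1.
# $2 is the base file name, remaining arguments go to `openssl req -newkey`.
make_sample_pair() {
    dir="$1"; name="$2"; shift 2
    openssl req -x509 -nodes -days 1 -subj "/CN=sample.invalid" \
        -newkey "$@" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}
```

Call it as `key_matches_cert cert.pem key.pem`; a sample EC pair can be produced with `make_sample_pair /tmp/x ec ec -pkeyopt ec_paramgen_curve:prime256v1`.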
stephdl commented May 30, 2024

New version to test, @nrauso: ghcr.io/nethserver/traefik:2.2.3-dev.2

nrauso commented May 31, 2024

test case: VERIFIED

@nrauso nrauso added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels May 31, 2024
@github-project-automation github-project-automation bot moved this from 👀 Testing to ✅ Done in NethServer Jun 3, 2024