Use a 2-letters ISO 3166 country code, as required by RFC 2459 #17

Merged (1 commit) on Nov 16, 2023

bgandon (Contributor) commented Oct 26, 2023

Hi there,

In order to fix cloudfoundry/bosh#2473 and cloudfoundry/bosh-cli#632, here is a small patch so that the generated certificates have a valid 2-letter ISO 3166 country code, as required by RFC 2459 in Appendix A.

I’ve also written some short instructions for running unit and integration tests, based on my experience doing it today. About golangci-lint, I also wonder if this installation code is still relevant:
https://github.com/cloudfoundry/config-server/blob/master/bin/lint#L6-L11
Indeed, this way of doing it is no longer recommended, see https://golangci-lint.run/usage/install/#install-from-source, and I’ve not been able to run golangci-lint this way.

Cheers
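
A way to audit a certificate for the problem this pull request fixes, as an added example that is not part of the thread or of config-server. `badCountries` and `selfSigned` are hypothetical helpers, the certificate is constructed sample input, and the check covers only the two-uppercase-letter shape, not whether the code is assigned in ISO 3166.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// badCountries (illustrative helper) returns the countryName (C=) values in a name
// that are not two uppercase ASCII letters. Shape check only, not ISO 3166 assignment.
func badCountries(n pkix.Name) []string {
	var bad []string
	for _, c := range n.Country {
		if len(c) != 2 || c[0] < 'A' || c[0] > 'Z' || c[1] < 'A' || c[1] > 'Z' {
			bad = append(bad, c)
		}
	}
	return bad
}

// selfSigned (illustrative helper) builds a throwaway self-signed certificate: sample input only.
func selfSigned(country string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{country}, CommonName: "example-ca"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSigned("USA") // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Println(badCountries(cert.Subject), badCountries(cert.Issuer))
}
```

Go's `crypto/x509` does not enforce the size constraint when creating or parsing a certificate, which is why a three-letter value passes through unnoticed unless it is checked explicitly.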

rkoster (Contributor) commented Oct 26, 2023

DO NOT MERGE!! We first need to figure out a way to roll out these changes without breaking director ← NATS → agent communication: https://github.com/cloudfoundry/bosh/blob/main/src/bosh-nats-sync/lib/nats_sync/nats_auth_config.rb#L32C1-L43C8

rkoster requested a review from jpalermo October 26, 2023 15:18

bgandon (Contributor, Author) commented Nov 2, 2023

On-going discussion in #2473.

jpalermo (Member) left a comment

I believe we decided there was no risk to these changes.

This code is pulled in by the bosh-cli and it will change how certificate variables are generated when doing a `bosh create-env`, but that will at most impact the CA/server cert generated for NATS, not any of the client certs, and the clients don't use the country for any sort of server validation.

rkoster merged commit ad3db39 into master Nov 16, 2023
5 checks passed
rkoster deleted the fix-certs-country-code branch November 16, 2023 15:47

Successfully merging this pull request may close these issues.

Default bosh generated x509 certificates have invalid 3 digits USA country code
3 participants