ca: set the correct SigningKeyID after config update with Vault provider #11672
cert, err = connect.ParseCert(newRoot.LeafSigningCert())
require.NoError(t, err)
require.Equal(t, connect.HexString(cert.SubjectKeyId), newRoot.SigningKeyID)
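Review bot: the assertion pins SigningKeyID to the leaf signing cert's key ID but never checks that it differs from the root certificate's, which is the exact regression this PR fixes (SigningKeyID previously pointed at the RootCert); a companion `require.NotEqual` against `connect.HexString(rootCert.SubjectKeyId)`, with rootCert parsed from the root certificate on newRoot, would document that directly and keep the test meaningful if a future provider returned the same cert for both.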
This is the line that failed before this fix.
LGTM 📦 !
The test added in this commit shows the problem. Previously the SigningKeyID was set to the RootCert, not the local leaf signing cert. This same bug was fixed in two other places back in 2019, but this last one was missed. While fixing this bug I noticed I had the same few lines of code in 3 places, so I extracted a new function for them. There would be 4 places, but currently the InitializeCA flow sets this SigningKeyID in a different way, so I've left that alone for now.
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/514121.
Fixes #11662
Branched from #11671
Two other instances of this same bug were fixed a year+ ago in #6513 and #7012, but this last one remained.
The test failed before the fix, and I extracted a new function for this since the logic is the same in all places, and the method name helps indicate the significance of this intermediate certificate.
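The fix in miniature, as an added Go illustration rather than the PR's own code: a constructed CARoot stand-in, an extracted helper that derives SigningKeyID from the leaf signing cert's SubjectKeyId (the buggy path used the root cert), and a builder that issues a root and a separate intermediate so the two key IDs can be compared. Assumed: the CARoot fields, setLeafSigningCert and mustCA are stand-ins for Consul's types and helpers, and key IDs are plain hex rather than connect.HexString's colon-separated form.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
)

// CARoot is a constructed stand-in for the fields this bug touches, not Consul's structs.CARoot.
type CARoot struct {
	RootCert          string   // PEM root certificate
	IntermediateCerts []string // PEM chain; the last entry is the leaf signing cert
	SigningKeyID      string   // must identify the leaf signing cert, not the root
}
// setLeafSigningCert mirrors the extracted helper: append the leaf signing cert and take
// SigningKeyID from *its* SubjectKeyId; the buggy path derived it from the root cert instead.
func setLeafSigningCert(root *CARoot, leafPEM string) error {
	block, _ := pem.Decode([]byte(leafPEM))
	if block == nil { return errors.New("leaf signing cert is not PEM") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	root.IntermediateCerts = append(root.IntermediateCerts, leafPEM)
	root.SigningKeyID = hex.EncodeToString(cert.SubjectKeyId) // Consul's connect.HexString adds colons
	return nil
}

// mustCA issues a CA cert (self-signed when parent is nil); Go fills SubjectKeyId for CA templates.
func mustCA(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true}
	if parent == nil { parent, signer = tmpl, priv }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, priv, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// BuildExample builds a root and a distinct intermediate, applies the fix, and returns both key IDs.
func BuildExample() (*CARoot, string, string, error) {
	rootCert, rootKey, rootPEM := mustCA("root", nil, nil)
	leafCert, _, leafPEM := mustCA("intermediate", rootCert, rootKey)
	root := &CARoot{RootCert: rootPEM}
	err := setLeafSigningCert(root, leafPEM)
	return root, hex.EncodeToString(rootCert.SubjectKeyId), hex.EncodeToString(leafCert.SubjectKeyId), err
}
```

Before the fix the equivalent of BuildExample would have returned a SigningKeyID equal to the root's key ID; with the helper it equals the intermediate's, which is what the PR's test asserts.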
We already have logic to fix the SigningKeyID on storedCARoot when the CAManager is initialized, so we don't need to add more logic for it.