Server and Signer Certificates Expired

[stefan-zh]

The Notary server and signer certificates expired today and as a result running a local instance of Notary fails with
ERRO[0000] could not reach https://localhost:4443: Get "https://localhost:4443/v2/": x509: certificate has expired or is not yet valid: current time 2021-04-01T13:54:15+03:00 is after 2021-04-01T03:38:34Z

The certificates expired on: Thu Apr 01 03:38:34 UTC 2021

I checked all certificates in the repository and these are all certificates that have expired:

• https://github.com/theupdateframework/notary/blob/master/fixtures/notary-escrow.crt
• https://github.com/theupdateframework/notary/blob/master/fixtures/notary-server.crt
• https://github.com/theupdateframework/notary/blob/master/fixtures/notary-signer.crt
• https://github.com/theupdateframework/notary/blob/master/fixtures/secure.example.com.crt
• https://github.com/theupdateframework/notary/blob/master/fixtures/self-signed_docker.com-notary.crt
• https://github.com/theupdateframework/notary/blob/master/fixtures/self-signed_secure.example.com.crt
• https://github.com/theupdateframework/notary/blob/master/trustpinning/test.crt

PS: I find it amusing that the certificates expired exactly on April Fool's Day :)

[cokieffebah]

running ./fixture/regenerateTestingCerts.sh gets the following errors:

Installing cfssl tools
go get: github.com/coreos/bbolt@v1.3.2 updating to
	github.com/coreos/bbolt@v1.3.5: parsing go.mod:
	module declares its path as: go.etcd.io/bbolt
	        but was required as: github.com/coreos/bbolt

Not a go expert. I think it may be affected by github.com/coreos/bbolt now redirects to github.com/etcd-io/bbolt or the github.com/etcd-io/bbolt/
go.mod defines module go.etcd.io/bbolt

[cokieffebah]

git clone https://github.com/cloudflare/cfssl.git
cd cfssl
make
added ../bin to $PATH
also added a replace github.com/coreos/bbolt => go.etcd.io/bbolt v1.3.5 to notary/go.mod but not sure its needed
cd $NOTARY_CLONE/fixtures
./regenerateTestingCerts.sh

[scottbuckel]

After regenerating certificates using the regenerateTestingCerts.sh, make sure to remove the old images so that they're rebuilt next time you run a docker-compose up

[cokieffebah]

can run docker-compose down --rmi all to take containers down and remove images

[stefan-zh]

git clone https://github.com/cloudflare/cfssl.git
cd cfssl
make
added ../bin to $PATH
also added a replace github.com/coreos/bbolt => go.etcd.io/bbolt v1.3.5 to notary/go.mod but not sure its needed
cd $NOTARY_CLONE/fixture
./regenerateTestingCerts.sh

As far as is noted in this comment and issues (cloudflare/cfssl#1183 (comment)), removing the -u on this line L174 solves the problem.

command -v cfssljson >/dev/null 2>&1 || {
echo >&2 "Installing cfssl tools"; go get -u github.com/cloudflare/cfssl/cmd/...;
}

One also must cd into the fixtures directory to run ./regenerateTestingCerts.sh because of some expected relative paths.

[stefan-zh]

This issue was resolved in here: #1594