
de-duplicate CAs added to the CA bundle, returned from .well-known/est/cacerts #1609

Closed
dovholuknf opened this issue Nov 2, 2022 · 2 comments

Comments

dovholuknf (Member)

If one configures their environment with multiple identity blocks of different types, including the signing cert, the CA pool that is returned from .well-known/est/cacerts can have duplicate certificates listed. While that's not a big deal, it's not necessary.

It'd be better to de-dupe the certs as they are added to the pool.

Steps to reproduce

  • run the host it anywhere quickstart
  • issue curl -sk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts" | openssl base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs -text | grep -A1 'Serial Number'
  • observe at least two duplicated certificates by serial number (example output below)
curl -sk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts"   | openssl base64 -d   | openssl pkcs7 -inform DER -outform PEM -print_certs -text   | grep -A1 'Serial Number'
        Serial Number:
            70:6b:12:fb:56:d1:ec:65:26:b7:5b:b0:d7:9b:c4:b0
--
        Serial Number:
            62:24:2b:29:81:12:86:21:92:c3:55:68:96:ec:9b:ec
--
        Serial Number:
            7d:e3:4e:05:90:9b:c3:4f:7a:cf:d5:92:00:03:17:26
--
        Serial Number:
            70:6b:12:fb:56:d1:ec:65:26:b7:5b:b0:d7:9b:c4:b0
--
        Serial Number:
            2a:66:d4:f6:95:36:23:fa:0d:02:dd:f8:17:df:72:88
--
        Serial Number:
            2a:66:d4:f6:95:36:23:fa:0d:02:dd:f8:17:df:72:88

Same command, grepping for Subject: instead and sorted/counted:

curl -sk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts"   | openssl base64 -d   | openssl pkcs7 -inform DER -outform PEM -print_certs -text   | grep 'Subject:' | sort | uniq -c
      2         Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ec2-18-225-8-209.us-east-2.compute.amazonaws.com-intermediate
      1         Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134 server certificate
      1         Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134-intermediate
      2         Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134-signing-intermediate
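One way to drop duplicates as certificates are added to the pool, as an added Go example that is not code from the openziti project. The CAPool type, its Add method and the selfSignedCA helper (which only generates throwaway test certificates) are assumptions for illustration; the pool is keyed on the SHA-256 of each certificate's DER bytes rather than on the serial number, since a serial is only unique within one issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CAPool drops exact duplicates on insert, keyed by SHA-256 of the DER bytes
// (a serial number is only unique per issuer, so it is not a safe key by itself).
type CAPool struct {
	seen  map[[32]byte]bool
	Certs []*x509.Certificate
}
func NewCAPool() *CAPool { return &CAPool{seen: map[[32]byte]bool{}} }
// Add reports whether c was new; a certificate already in the pool is skipped.
func (p *CAPool) Add(c *x509.Certificate) bool {
	k := sha256.Sum256(c.Raw)
	if p.seen[k] {
		return false
	}
	p.seen[k] = true
	p.Certs = append(p.Certs, c)
	return true
}

// selfSignedCA builds a throwaway CA certificate (constructed test data, not a real CA).
func selfSignedCA(cn string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() { // several identity blocks repeating the same two CAs, as in the report
	root, signing := selfSignedCA("root-ca", 1), selfSignedCA("signing-intermediate", 2)
	pool := NewCAPool()
	for _, c := range []*x509.Certificate{root, signing, root, signing, root} {
		pool.Add(c)
	}
	fmt.Println("unique CAs in bundle:", len(pool.Certs)) // 2
}
```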
plorenz transferred this issue from openziti/edge Dec 14, 2023
qrkourier (Member) commented Dec 15, 2023

This may have been fixed or may not be applicable to ziti edge quickstart.

❯ nohup ziti edge quickstart --home $PWD &> ./quickstart.log &
[1] 1094882

❯  curl -skSf https://127.0.0.1:1280/.well-known/est/cacerts \
  | base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs \
  > ./bundle.pem

❯ openssl storeutl -certs -noout -text ./bundle.pem 2>/dev/null \
| grep -E '(Subject):'
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=intermediate-ca
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=root-ca

ekoby (Member) commented Jul 24, 2024

Per @andrewpmartinez it is done.

ekoby closed this as completed Jul 24, 2024