[ 
https://issues.apache.org/jira/browse/KNOX-3333?focusedWorklogId=1023071&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1023071
 ]

ASF GitHub Bot logged work on KNOX-3333:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Jun/26 08:55
            Start Date: 01/Jun/26 08:55
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on PR #1244:
URL: https://github.com/apache/knox/pull/1244#issuecomment-4591034586

   I don't think this is a serious security vulnerability as the added
   certificates are public CA roots from Let's Encrypt's official staging
   hierarchy, not arbitrary certificates.
   
   However, I've a few questions:
   
   - What use case requires trusting staging roots?
     - Is there a real customer scenario?
     - Is this only for automated testing?
   - Can this be made optional?
     - For example via build argument or environment variable.
     - Then test users can enable it while production users keep a smaller
       trust set.
   - Are all these roots necessary?
     - The patch adds multiple generations (X1, X2, YE, YR, cross-signed
       variants).
     - It may be worth confirming that all are actually needed.
   
   Adding staging roots increases the set of trusted certificate authorities
   and allows Knox to trust certificates issued by Let's Encrypt's testing
   infrastructure. Can we clarify the use case and whether this trust should be
   enabled only for testing environments rather than all Docker deployments (see
   my question above about making them optional)?




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1023071)
    Time Spent: 0.5h  (was: 20m)

> Update Letsencrypt staging certs
> --------------------------------
>
>                 Key: KNOX-3333
>                 URL: https://issues.apache.org/jira/browse/KNOX-3333
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are more staging certs that Letsencrypt has, we need to include them 
> all just to be safe. 
> [https://letsencrypt.org/docs/staging-environment/]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
