[
https://issues.apache.org/jira/browse/KNOX-3333?focusedWorklogId=1023092&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1023092
]
ASF GitHub Bot logged work on KNOX-3333:
----------------------------------------
Author: ASF GitHub Bot
Created on: 01/Jun/26 11:13
Start Date: 01/Jun/26 11:13
Worklog Time Spent: 10m
Work Description: moresandeep commented on PR #1244:
URL: https://github.com/apache/knox/pull/1244#issuecomment-4592025862
> I don't think this is a serious security vulnerability as the added
> certificates are public CA roots from Let's Encrypt's official staging
> hierarchy, not arbitrary certificates.
>
> However, I've a few questions:
>
> * What use case requires trusting staging roots?
>   * Is there a real customer scenario?
>   * Is this only for automated testing?
> * Can this be made optional?
>   * For example via build argument or environment variable.
>   * Then test users can enable it while production users keep a smaller
>     trust set.
> * Are all these roots necessary?
>   * The patch adds multiple generations (X1, X2, YE, YR, cross-signed
>     variants).
>   * It may be worth confirming that all are actually needed.
>
> Adding staging roots increases the set of trusted certificate authorities
> and allows Knox to trust certificates issued by Let's Encrypt's testing
> infrastructure. Can we clarify the use case and whether this trust should be
> enabled only for testing environments rather than all Docker deployments (see
> my question above about making them optional)?
Thanks @smolnar82
1. Is there a real customer scenario? -> Yes, in enterprises there are
staging environments which do not have prod certs. This change will help users
test Knox in staging without a need to add staging certs into keystore (which
they do not have to do in prod) mimicking prod env.
2. Can this be made optional? -> This is interesting, the idea is to make
sure the prod and staging are identical in all respects so making it optional
means they will have to have a flag that they use to turn this ON in stage and
OFF in prod so there will be a change in config although not a big one.
3. They are not test-related changes; these are runtime/config-related
changes. These changes do not affect tests.
4. Are all these roots necessary? -> Unfortunately yes. We do not know and
cannot dictate what root CA users are going to use for staging.
5. It may be worth confirming that all are actually needed. -> Yes, this
came up in an internal investigation, we were using a different gen and got
switched to another.
Issue Time Tracking
-------------------
Worklog Id: (was: 1023092)
Time Spent: 40m (was: 0.5h)
> Update Letsencrypt staging certs
> --------------------------------
>
> Key: KNOX-3333
> URL: https://issues.apache.org/jira/browse/KNOX-3333
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> There are more staging certs that Letsencrypt has, we need to include them
> all just to be safe.
> [https://letsencrypt.org/docs/staging-environment/]
>