JBevillC opened a new pull request #3041: CIAB: Update to SSL/TLS shared CA generation script URL: https://github.com/apache/trafficcontrol/pull/3041 #### What does this PR do? Updates to the x509v3 shared CA certificate generation script. Bugs Fixed: 1) Shared CA x509 SSL/TLS certificate no longer generated with 30 day expiration. 2) X509_CA_* environment variables always used the defaults 3) X509 CA certificate was missing the "basicConstraints=CA:FALSE" directive causing some browsers not to validate 4) Misc fixes to the script and cleaned up syntax/indenting. #### Which TC components are affected by this PR? - [ ] Documentation - [ ] Grove - [ ] Traffic Analytics - [ ] Traffic Monitor - [ ] Traffic Ops - [ ] Traffic Ops ORT - [ ] Traffic Portal - [ ] Traffic Router - [ ] Traffic Stats - [ ] Traffic Vault - [X] Other __CDN-In-A-Box _______ #### What is the best way to verify this PR? 1) Remove the existing traffic_ops CA directory: ``` rm -rf $traffic_control_src/infrastructure/cdn-in-a-box/traffic_ops/ca ``` 2) Rebuild traffic_ops perl docker container and start CIAB ``` # from cdn-in-a-box docker-compose -f docker-compose.yml build trafficops-perl trafficops docker-compose up ``` 3) Verify that the SSL certificates contain the correct dates of validity: ``` # FROM cdn-in-a-box directory $ openssl x509 -in traffic_ops/ca/CIAB-CA.crt -noout -text | grep 'Signature Algo' -A 6 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Colorado, L=Denver, O=CDN-in-a-Box, OU=CDN-in-a-Box, CN=CDN-in-a-Box Root CA (CA)/[email protected] Validity Not Before: Nov 6 21:45:03 2018 GMT Not After : Nov 4 21:45:03 2019 GMT Subject: C=US, ST=Colorado, L=Denver, O=CDN-in-a-Box, OU=CDN-in-a-Box, CN=CDN-in-a-Box Root CA (CA)/[email protected] Subject Public Key Info: ``` 4) Verify that at least one other signed cert has correct dates of validity: ``` $ openssl x509 -in traffic_ops/ca/infra.ciab.test.crt -noout -text | grep 'Signature Algo' -A 6 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Colorado, L=Denver, O=CDN-in-a-Box, OU=CDN-in-a-Box, CN=CDN-in-a-Box Root CA (CA)/[email protected] Validity Not Before: Nov 8 21:30:47 2018 GMT Not After : Nov 5 21:30:47 2019 GMT Subject: C=ZZ, ST=SomeState, L=SomeCity, O=SomeOrganization, CN=*.infra.ciab.test Subject Public Key Info: ``` #### Check all that apply - [ ] This PR includes tests - [ ] This PR includes documentation updates - [ ] This PR includes an update to CHANGELOG.md - [ ] This PR includes all required license headers - [ ] This PR includes a database migration (ensure that migration sequence is correct) - [ ] This PR fixes a serious security flaw. Read more: [www.apache.org/security](http://www.apache.org/security/) <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
