Bug#989575: cloud-init: ca-certs are not getting properly installed if provided more than one

2021-06-07 Thread Noah Meyerhans
On Mon, Jun 07, 2021 at 11:00:42PM +0200, Vladimir Tiukhtin wrote:
> I use "ca-certs" to supply additional certificates. With just one certificate everything
> works as expected, however when provided more than one, cloud-init adds them into a single
> file which causes "openssl rehash" to fail as it expects exactly one certificate per file.
> As a result, programmes using openssl do not trust certificates issued by the provided CAs.

The certificates do still get added to
/etc/ssl/certs/ca-certificates.crt, so you should still be able to do
file-based verification even if path-based verification doesn't work.
(See
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html
and the -CApath and -CAfile options to "openssl verify")

> The bug is confirmed on Hetzner Cloud. I did not try other clouds

There's nothing provider specific about this functionality, so it will
impact people regardless of where cloud-init is running.

I've forwarded your report upstream. See
https://bugs.launchpad.net/cloud-init/+bug/1931174

noah
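
The condition described in this thread, as an added example that is not part of the original messages and is not cloud-init code: it flags `.crt` files holding more than one PEM certificate and splits them into one certificate per file, the layout "openssl rehash" expects for path-based verification. The function names, the `.crt` glob and the sample data are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches one PEM-armoured certificate, including its BEGIN/END lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_bundle(text):
    """Return each certificate in a PEM bundle as its own LF-terminated string."""
    return [m.group(0).replace("\r\n", "\n") + "\n" for m in PEM_CERT.finditer(text)]

def find_multi_cert_files(directory):
    """List *.crt files in `directory` that hold more than one certificate."""
    hits = []
    for path in sorted(Path(directory).glob("*.crt")):
        if len(split_pem_bundle(path.read_text(errors="replace"))) > 1:
            hits.append(path)
    return hits

def split_bundle_file(path, out_dir):
    """Write every certificate in `path` to out_dir/<stem>-<n>.crt."""
    path, out_dir = Path(path), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, cert in enumerate(split_pem_bundle(path.read_text(errors="replace")), 1):
        target = out_dir / f"{path.stem}-{n}.crt"
        target.write_text(cert)
        written.append(target)
    return written

def demo():
    # Constructed sample: placeholder base64 bodies, not real certificates.
    def fake(body):
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        src.mkdir()
        (src / "bundle.crt").write_text(fake("QUFBQQ==") + fake("QkJCQg=="))
        (src / "single.crt").write_text(fake("Q0NDQw=="))
        flagged = [p.name for p in find_multi_cert_files(src)]
        parts = split_bundle_file(src / "bundle.crt", Path(tmp, "out"))
        counts = [len(split_pem_bundle(p.read_text())) for p in parts]
        return flagged, [p.name for p in parts], counts

if __name__ == "__main__":
    print(demo())
```

The split only looks at the PEM armour lines; it does not check that each block decodes to a valid X.509 certificate.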



Bug#989575: cloud-init: ca-certs are not getting properly installed if provided more than one

2021-06-07 Thread Vladimir Tiukhtin
Package: cloud-init
Version: 20.2-2~deb10u2
Severity: important

Dear Maintainer,

I use "ca-certs" to supply additional certificates. With just one certificate everything
works as expected, however when provided more than one, cloud-init adds them into a single
file which causes "openssl rehash" to fail as it expects exactly one certificate per file.
As a result, programmes using openssl do not trust certificates issued by the provided CAs.
The bug is confirmed on Hetzner Cloud. I did not try other clouds.


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cloud-init depends on:
ii  fdisk               2.33.1-0.1
ii  gdisk               1.0.3-1.1
ii  ifupdown            0.8.35
ii  locales             2.28-10
ii  lsb-base            10.2019051400
ii  lsb-release         10.2019051400
ii  net-tools           1.60+git20180626.aebd88e-1
ii  procps              2:3.3.15-2
ii  python3             3.7.3-1
ii  python3-configobj   5.0.6-3
ii  python3-jinja2      2.10-2
ii  python3-jsonpatch   1.21-1
ii  python3-jsonschema  2.6.0-4
ii  python3-oauthlib    2.1.0-1
ii  python3-requests    2.21.0-1
ii  python3-yaml        3.13-2
ii  util-linux          2.33.1-0.1

Versions of packages cloud-init recommends:
ii  cloud-guest-utils  0.29-1
ii  eatmydata  105-7
ii  sudo   1.8.27-1+deb10u3

Versions of packages cloud-init suggests:
ii  btrfs-progs  4.20.1-2
ii  e2fsprogs    1.44.5-1+deb10u3
ii  xfsprogs     4.20.0-1

-- no debconf information