
System CA Not Updated with Configuration
Status: Open, Normal | Public | BUG

Description

When configuring a certificate using set pki ca <NAME> certificate <CERT>, it should be added to the system trust store. Currently, it does not get added. You can see the cert is there:

trae@cr01a-vyos# show pki ca IPA.TRAE32566.ORG 
 certificate [certificate body omitted]
[edit]

OpenSSL shows the site to be working with this CA certificate (and it validates fine on other platforms):

trae@cr01a-vyos# echo -e '\n' | openssl s_client -connect artifacts.trae32566.org:443 | head -9
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify return:1
CONNECTED(00000007)
---
Certificate chain
DONE
 0 s:O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
   i:O = IPA.TRAE32566.ORG, CN = Certificate Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 19 06:29:59 2024 GMT; NotAfter: Aug 20 06:29:59 2026 GMT
---
Server certificate

Yet requests to it fail due to the system CA not being updated:

trae@cr01a-vyos# curl https://artifacts.trae32566.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[edit]

If I manually add the certificate to /usr/local/share/ca-certificates/<name>/ then run update-ca-certificates, it works fine:

trae@cr01a-vyos# ls -alh /usr/local/share/ca-certificates/ipa.trae32566.org/
total 12K
drwxr-xr-x 2 root root 4.0K Oct 23 21:21 .
drwxr-xr-x 1 root root 4.0K Oct 23 21:21 ..
-rw-r--r-- 1 root root 1.7K Oct 23 21:21 ipa.trae32566.org.crt
[edit]
trae@cr01a-vyos# curl -I https://artifacts.trae32566.org/
HTTP/2 200 
server: nginx
date: Thu, 24 Oct 2024 02:30:34 GMT
content-type: text/html
content-length: 8031
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
last-modified: Thu, 24 Oct 2024 02:30:34 GMT
pragma: no-cache
cache-control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains; preload

Note: This is critical for services such as NTS, which use SSL to verify NTP requests, and must validate the certificate against the system trust store.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0 GA, 1.5-rolling-202410180006
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

Personally, I would just create a directory in /usr/local/share/ca-certificates/ for each CA certificate named the same as that part of the config node (ex: IPA.TRAE32566.ORG in my example), then run update-ca-certificates... I just don't know how to implement this myself.

vyosbot added a project: Restricted Project. (Thu, Oct 24, 6:08 AM)
syncer triaged this task as Normal priority.
syncer added a project: VyOS Rolling.