
System CA Not Updated with Configuration
Status: Closed, Resolved (Public, BUG)

Description

When configuring a certificate using set pki ca <NAME> certificate <CERT>, it should be added to the system trust store. Currently, it does not get added. You can see the cert is there:

trae@cr01a-vyos# show pki ca IPA.TRAE32566.ORG 
 certificate [base64 DER certificate value omitted]
[edit]

OpenSSL shows the site to be working with this CA certificate (and it validates fine on other platforms):

trae@cr01a-vyos# echo -e '\n' | openssl s_client -connect artifacts.trae32566.org:443 | head -9
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify return:1
CONNECTED(00000007)
---
Certificate chain
DONE
 0 s:O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
   i:O = IPA.TRAE32566.ORG, CN = Certificate Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 19 06:29:59 2024 GMT; NotAfter: Aug 20 06:29:59 2026 GMT
---
Server certificate

Yet requests to it fail due to the system CA not being updated:

trae@cr01a-vyos# curl https://artifacts.trae32566.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[edit]

If I manually add the certificate to /usr/local/share/ca-certificates/<name>/ then run update-ca-certificates, it works fine:

trae@cr01a-vyos# ls -alh /usr/local/share/ca-certificates/ipa.trae32566.org/
total 12K
drwxr-xr-x 2 root root 4.0K Oct 23 21:21 .
drwxr-xr-x 1 root root 4.0K Oct 23 21:21 ..
-rw-r--r-- 1 root root 1.7K Oct 23 21:21 ipa.trae32566.org.crt
[edit]
trae@cr01a-vyos# curl -I https://artifacts.trae32566.org/
HTTP/2 200 
server: nginx
date: Thu, 24 Oct 2024 02:30:34 GMT
content-type: text/html
content-length: 8031
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
last-modified: Thu, 24 Oct 2024 02:30:34 GMT
pragma: no-cache
cache-control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains; preload

Note: This is critical for services such as NTS, which use SSL to verify NTP requests, and must validate the certificate against the system trust store.

Details

Version
1.4.0 GA, 1.5-rolling-202410180006
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Personally, I would just create a directory in /usr/local/share/ca-certificates/ for each CA certificate named the same as that part of the config node (ex: IPA.TRAE32566.ORG in my example), then run update-ca-certificates...I just don't know how to implement this myself.
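As an added example (not vyos-1x code and not from this task), one way to implement the manual workaround from the description and the per-CA directory idea from the comment above: take the bare base64 DER value that `show pki ca` displays, sanity-check its outer DER length, re-armour it as PEM, write it to /usr/local/share/ca-certificates/<NAME>/<NAME>.crt, and then run update-ca-certificates. The names `install_ca`, `wrap_pem` and `SAMPLE_B64` are assumptions; the sample value is a constructed minimal DER SEQUENCE, not a real certificate.

```python
"""Install a 'pki ca <NAME> certificate' value into the Debian/VyOS system trust store.
Hypothetical helper written for this task; it is not vyos-1x code."""
import re
import ssl
import subprocess
from base64 import b64decode
from pathlib import Path

CA_STORE = Path("/usr/local/share/ca-certificates")
# The config node name becomes a path component, so restrict it strictly
# (no slashes, no leading dot, nothing that could escape the store directory).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed placeholder: base64 of the DER SEQUENCE { INTEGER 1 }; not a real certificate.
SAMPLE_B64 = "MAMCAQE="


def _der_total_length(der: bytes) -> int:
    """Length of the outermost DER TLV (tag + length bytes + value)."""
    if len(der) < 2 or der[0] != 0x30:  # an X.509 Certificate is a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def wrap_pem(b64_der: str) -> str:
    """VyOS stores the CA as bare base64 DER; update-ca-certificates wants PEM."""
    der = b64decode("".join(b64_der.split()), validate=True)
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match data; refusing to install")
    return ssl.DER_cert_to_PEM_cert(der)  # stdlib: adds BEGIN/END armour, 64-column lines


def install_ca(name: str, b64_der: str, store=CA_STORE, run_update: bool = True) -> Path:
    """Write <store>/<name>/<name>.crt (mode 0644) and refresh /etc/ssl/certs."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe CA name {name!r}")
    pem = wrap_pem(b64_der)  # validate before touching the filesystem
    target_dir = Path(store) / name
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / f"{name}.crt"
    target.write_text(pem)
    target.chmod(0o644)
    if run_update:  # must complete before chrony starts so NTS can validate servers
        subprocess.run(["update-ca-certificates"], check=True)
    return target
```

Run with `run_update=True` only as root on the router itself; with a scratch `store` and `run_update=False` it can be exercised anywhere.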

syncer triaged this task as Normal priority.
syncer added a project: VyOS Rolling.

This works!:

trae@cr01b-vyos# set pki ca IPA.TRAE32566.ORG system-install 
[edit]
trae@cr01b-vyos# commit
Archiving config...
  sftp://stor01a-rh9.int.trae32566.org/int/cr01b-vyos [edit]
trae@cr01b-vyos# run restart ntp
[edit]
trae@cr01b-vyos# run show ntp sources
.-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* ns02.ac.trae32566.org         2   6     7     0     +2ns[ -188ms] +/- 5513us
^- ns01.ac.trae32566.org         2   6     7     0   +120us[ -188ms] +/- 5598us

I tested after reboot as well and internally certified NTS servers work correctly, meaning the certificates are being updated in the correct order (prior to chrony starting):

 255 trae@jump01-rh9:~$ ssh cr01b-vyos.int.rtr
[email protected]'s password: 
Welcome to VyOS!

   ┌── ┐
   . VyOS 1.5-rolling-202412031443
   └ ──┘  current

 * Documentation:  https://docs.vyos.io/en/latest
 * Project news:   https://blog.vyos.io
 * Bug reports:    https://vyos.dev

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright

---
WARNING: This VyOS system is not a stable long-term support version and
         is not intended for production use.
trae@cr01b-vyos:~$ show ntp sources
.-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* ns02.ac.trae32566.org         2   6    17    33   +188ns[  -15us] +/- 5914us
^- ns01.ac.trae32566.org         2   6    17    33   +190us[ +190us] +/- 4957us
trae@cr01b-vyos:~$ sudo chronyc authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ns02.ac.trae32566.org        NTS     1   15  256  685    0    0    8   96
ns01.ac.trae32566.org        NTS     1   15  256  685    0    0    8   96