
genSelfSignedCert cannot verify itself

Open iluminae opened this issue 7 years ago • 2 comments

I don't think this was purposeful, but let me know why if it was a deliberate decision.

Given the following go program:

package main

import (
        "fmt"
        "os"
        "text/template"

        "github.com/Masterminds/sprig"
)

func main() {
        // genSelfSignedCert cn ips alternateDNS daysValid; the result exposes .Cert and .Key
        tpl := `{{- $i := genSelfSignedCert "example.com" nil nil 365 }}{{ $i.Cert }}`
        t := template.Must(template.New("test").Funcs(sprig.TxtFuncMap()).Parse(tpl))
        if err := t.Execute(os.Stdout, nil); err != nil {
                fmt.Printf("Error during template execution: %s", err)
                return
        }
}

a certificate is printed to stdout. This certificate is a valid certificate readable by openssl, etc. However, given a verify command, openssl cannot verify this cert using itself:

# openssl verify -CAfile out.crt out.crt
test.crt: CN = example.com
error 20 at 0 depth lookup:unable to get local issuer certificate

It is a common use case for a self-signed cert to be verified by itself when encrypting traffic between two systems, so I assume this should work for this use case.

The corresponding openssl commands are:

# openssl req -x509 -nodes -batch -days 86400 -newkey rsa:2048 -subj "/CN=example.com" -out "./tls.crt" -keyout "./tls.key"
Generating a 2048 bit RSA private key
...+++
.............................+++
writing new private key to './tls.key'
-----
# openssl verify -CAfile tls.crt tls.crt
tls.crt: OK

I would note that making a sprig CA using genCA and using it in genSignedCert will allow you to verify the cert with the CA correctly - as expected.

EDIT: adding x509.KeyUsageCertSign to template.KeyUsage in crypto.go::generateSelfSignedCertificate() here does fix this use case - not sure about all the implications.

iluminae avatar Apr 16 '18 20:04 iluminae

I am also experiencing issues with self-signed certificates generated with Helm. I am trying to generate certificates for the Traefik ingress TCP route, but Traefik fails to accept them. Looking at a working self-signed certificate (one that passes the openssl verify -CAfile test as well as Traefik's SSL validation), it has 3 extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D0:18:33:9D:9C:80:3B:00:E2:D0:F9:E5:C7:50:77:CA:2D:58:2B:10
            X509v3 Authority Key Identifier:
                keyid:D0:18:33:9D:9C:80:3B:00:E2:D0:F9:E5:C7:50:77:CA:2D:58:2B:10

Notice the same values for the subject and authority key identifiers, whereas certificates created by sprig do not have those extensions:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE

I don't know if this is the reason (I am no expert), but this issue prevents me from using TCP ingress in Kube right now.

sgandon avatar Mar 30 '20 14:03 sgandon

https://github.com/openssl/openssl/issues/1418 is likely the root of why it doesn't work, although I'm also in favor of this workaround.

MikaelSmith avatar Jun 10 '20 21:06 MikaelSmith
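The two observations in this thread (iluminae's note that adding x509.KeyUsageCertSign makes the certificate verifiable by itself, and sgandon's note that a working self-signed certificate carries matching Subject/Authority Key Identifiers) can be reproduced with nothing but Go's crypto/x509. The program below is an added example written for this page; it is not sprig's code and not code posted by anyone in the thread. It builds one certificate with exactly the extensions sgandon's dump shows for sprig output (digitalSignature+keyEncipherment, CA:FALSE, no SKI/AKI) and one that is additionally marked CA:TRUE, carries keyCertSign, and has SKI and AKI set to the RFC 5280 method (1) identifier. The helper names subjectKeyID, selfSigned, issuerCheck and poolVerify are mine, and it uses an ECDSA P-256 key instead of sprig's RSA key purely to keep key generation fast; the extension logic does not depend on the key type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// subjectKeyID computes the RFC 5280 4.2.1.2 method (1) identifier: the
// SHA-1 of the subjectPublicKey BIT STRING contents of the SPKI.
func subjectKeyID(pub interface{}) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var info struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(spki, &info); err != nil {
		return nil, err
	}
	sum := sha1.Sum(info.PublicKey.Bytes)
	return sum[:], nil
}

// selfSigned builds a self-signed certificate for cn. With selfVerifiable
// false the template mirrors the extensions sprig emits (keyUsage without
// keyCertSign, CA:FALSE, no SKI/AKI); with it true the certificate is also a
// CA, gains keyCertSign, and gets matching SKI/AKI (constructed example).
func selfSigned(cn string, selfVerifiable bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // emits "Basic Constraints: critical, CA:FALSE"
		IsCA:                  false,
	}
	if selfVerifiable {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		skid, err := subjectKeyID(&key.PublicKey)
		if err != nil {
			return nil, err
		}
		tmpl.SubjectKeyId = skid   // X509v3 Subject Key Identifier
		tmpl.AuthorityKeyId = skid // X509v3 Authority Key Identifier, same value
	}
	// parent == template makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuerCheck asks Go's x509 whether cert may act as its own issuer. The
// stdlib refuses a parent whose basicConstraints says CA:FALSE or whose
// keyUsage is present but lacks keyCertSign, before checking the signature.
func issuerCheck(cert *x509.Certificate) error {
	return cert.CheckSignatureFrom(cert)
}

// poolVerify shows the other side of the picture: x509.Verify accepts any
// certificate that is literally present in the root pool and applies no
// issuer checks to it, so a Go client with the cert in RootCAs is happy.
func poolVerify(cert *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	for _, fixed := range []bool{false, true} {
		cert, err := selfSigned("example.com", fixed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA=%v keyCertSign=%v skid=%x\n", cert.IsCA,
			cert.KeyUsage&x509.KeyUsageCertSign != 0, cert.SubjectKeyId)
		fmt.Println("  self-issuer check:", issuerCheck(cert))
		fmt.Println("  pool verify:      ", poolVerify(cert, "example.com"))
	}
}
```

Two things are worth noticing when running it. The sprig-style certificate fails issuerCheck but passes poolVerify, which is why a verifier that walks the chain through the trust anchor's extensions (openssl verify) rejects it while Go's Verify does not. The fixed template also sets IsCA=true, which goes beyond the keyCertSign-only change iluminae tried: Go's CheckSignatureFrom applies the RFC 5280 4.2.1.9 rule that a v3 parent must assert cA, and whether a serving certificate should carry CA:TRUE is precisely the implications question the issue leaves open.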