
Undocumented non-standard certificate chain order

Open juresaht2 opened this issue 3 years ago • 0 comments

Describe the issue: In custom certificates, if a certificate chain is provided under ssl_signed_cert_filepath, then the code assumes a non-standard order of certificates.

The standard order of a certificate chain (as used by nginx, apache, letsencrypt, etc.) is with the client certificate first, followed by the signing certificates (intermediary, root). The Ansible code (https://github.com/confluentinc/cp-ansible/blob/6.2.0-post/roles/confluent.ssl/tasks/custom_certs.yml#L14), however, assumes a non-standard order where the client certificate is last.

The documentation does not provide any information or warning regarding this functionality.

Furthermore, the Ansible tests do not detect that anything is amiss if an invalid certificate is loaded for Zookeeper, etc.

Environment (please complete the following information):

  • OS: CentOS 8
  • CP-Ansible Branch: 5.5.0-post
  • Ansible Version: ansible 2.10.6

juresaht2, Aug 03 '21 12:08
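The ordering mismatch described in the issue is easy to check and to convert between. The script below is an added example and is not part of cp-ansible or the reporter's post: it counts the CERTIFICATE blocks in a PEM bundle, reverses their order (so a leaf-first chain from nginx/letsencrypt becomes the leaf-last order the role expects, or back again), and, where openssl is installed, prints each block's subject and issuer so the order can be confirmed by eye. It assumes a plain PEM file containing only CERTIFICATE blocks; the file names and the placeholder certificate bodies in the demo are constructed.

```shell
#!/bin/sh
# Added example (not cp-ansible's own code). Assumes a PEM bundle that holds
# only "-----BEGIN CERTIFICATE-----" blocks, one after another.

# Count the CERTIFICATE blocks in the bundle given as $1.
count_pem_blocks() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the blocks of $1 in reverse order: a leaf-first chain (nginx/apache/
# letsencrypt convention) comes out leaf-last, and vice versa. Any text before
# the first BEGIN line is dropped.
reverse_pem_chain() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { block[n] = block[n] $0 "\n" }
    END { for (i = n; i >= 1; i--) printf "%s", block[i] }
  ' "$1"
}

# Print "block N: subject=... issuer=..." for each block of $1 so the order can
# be checked by eye. Needs openssl; the leaf is the block whose subject is not
# the issuer of any other block. Not exercised by the automated test.
describe_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { print > (d "/" n ".pem") }
  ' "$1"
  i=1
  while [ -f "$dir/$i.pem" ]; do
    printf 'block %s: ' "$i"
    openssl x509 -in "$dir/$i.pem" -noout -subject -issuer | tr '\n' ' '
    echo
    i=$((i + 1))
  done
  rm -rf "$dir"
}

# Demo on a constructed chain (placeholder bodies, not real certificates),
# written in the leaf-first order the issue calls standard.
demo=$(mktemp)
cat > "$demo" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT
-----END CERTIFICATE-----
EOF
echo "blocks: $(count_pem_blocks "$demo")"
echo "leaf-first input reversed to the leaf-last order the role assumes:"
reverse_pem_chain "$demo"
rm -f "$demo"
```

To produce a bundle in the order the role expects from a chain exported by a typical ACME client, run `reverse_pem_chain fullchain.pem > chain-for-role.pem` (hypothetical file names) and then `describe_chain chain-for-role.pem` to confirm that the last block printed is the one whose subject matches the host.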