
feat: starttls

Open · JacobCoffee opened this issue 9 months ago · 1 comment

Description

  • Enables optional (may) STARTTLS for receiving (smtpd)

Closes

  • Closes #556

JacobCoffee avatar Mar 18 '25 14:03 JacobCoffee

In e655530 pebble is running:

vagrant@salt-master:~$ curl -k https://salt-master.vagrant.psf.io:14000/dir
{
   "keyChange": "https://salt-master.vagrant.psf.io:14000/rollover-account-key",
   "meta": {
      "externalAccountRequired": false,
      "termsOfService": "data:text/plain,Do%20what%20thou%20wilt"
   },
   "newAccount": "https://salt-master.vagrant.psf.io:14000/sign-me-up",
   "newNonce": "https://salt-master.vagrant.psf.io:14000/nonce-plz",
   "newOrder": "https://salt-master.vagrant.psf.io:14000/order-plz",
   "revokeCert": "https://salt-master.vagrant.psf.io:14000/revoke-cert"

but hitting:

2025-04-01 15:15:14,982:ERROR:certbot._internal.log:An unexpected error occurred:
2025-04-01 15:15:14,982:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='salt-master.vagrant.psf.io', port=14000): Max retries exceeded with url: /dir (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

Tried with - server: https://salt-master.psf.io:14000/dir and - server: https://localhost:14000/dir, and the http counterparts.

JacobCoffee avatar Apr 01 '25 15:04 JacobCoffee
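The verify failure above is certbot doing the right thing: it will not talk to an ACME endpoint whose TLS certificate chains to a CA it does not trust, and the fix is to hand the client pebble's test CA file rather than to disable verification the way the `curl -k` probe does. As an added example (not code from psf-salt or this PR), the Python below fetches an ACME directory with a pinned CA bundle through `ssl.create_default_context(cafile=...)` and checks the document for the resources RFC 8555 requires and for endpoints that stay on the directory's own origin; `SAMPLE_DIRECTORY` is constructed from the pebble output quoted in the thread, and the `ca_file` path is assumed to be pebble's bundled test CA.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# RFC 8555 section 7.1.1: resources an ACME directory must advertise.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def validate_directory(directory_url: str, body: str) -> dict:
    """Report missing required resources, non-HTTPS endpoints, and endpoints
    on a different host:port than the directory (a client should not be
    steered to another origin by the document it just fetched)."""
    origin = urlparse(directory_url).netloc
    data = json.loads(body)
    problems = []
    for name in REQUIRED_RESOURCES:
        url = data.get(name)
        if not isinstance(url, str):
            problems.append(f"missing resource: {name}")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        elif parts.netloc != origin:
            problems.append(f"{name} leaves origin {origin}: {url}")
    meta = data.get("meta") or {}
    return {"ok": not problems, "problems": problems,
            "external_account_required": bool(meta.get("externalAccountRequired"))}


def fetch_directory(directory_url: str, ca_file: str, timeout: float = 10.0) -> dict:
    """Fetch and validate a directory, trusting only the CA in ca_file (assumed
    to be the root that signed the ACME server's TLS cert; for pebble, its
    bundled test CA). Chain and hostname checks stay enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(directory_url, context=ctx, timeout=timeout) as resp:
        return validate_directory(directory_url, resp.read().decode("utf-8"))


# Constructed sample, completed from the pebble directory quoted in the thread.
SAMPLE_URL = "https://salt-master.vagrant.psf.io:14000/dir"
SAMPLE_DIRECTORY = json.dumps({
    "keyChange": "https://salt-master.vagrant.psf.io:14000/rollover-account-key",
    "meta": {"externalAccountRequired": False},
    "newAccount": "https://salt-master.vagrant.psf.io:14000/sign-me-up",
    "newNonce": "https://salt-master.vagrant.psf.io:14000/nonce-plz",
    "newOrder": "https://salt-master.vagrant.psf.io:14000/order-plz",
    "revokeCert": "https://salt-master.vagrant.psf.io:14000/revoke-cert",
})
```

Pointing certbot at the same CA file (for example via `REQUESTS_CA_BUNDLE`) resolves the `CERTIFICATE_VERIFY_FAILED` error without weakening verification.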

I had some nitpicks (commit by commit) in the pillar data, but it looks good. I think this is fairly safe to ship since the certificates fetched should only end up being used by the roundup box until we update https://github.com/python/psf-salt/blob/main/salt/haproxy/config/haproxy.cfg.jinja#L100-L103

ewdurbin avatar Oct 10 '25 19:10 ewdurbin