noonedeadpunk | jrosser: one way for sure | 07:07 |
---|---|---|
noonedeadpunk | for one way they also set ssl_ca (which is not really required but we use it throughout the roles) | 07:07 |
noonedeadpunk | and public CA we generate with PKI role doesn't satisfy mysql client because of missing authority_cert_issuer | 07:08 |
noonedeadpunk | But it feels that the client verifies this field only when the CA is explicitly provided. And if not, and it is taken from the system trust store, it's fine | 07:09 |
noonedeadpunk | https://mariadb.com/kb/en/secure-connections-overview/#server-certificate-verification doesn't mention it though.... | 07:10 |
*** sshnaidm is now known as sshnaidm|off | 08:04 | |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Fix PKI certificates regeneration https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/808021 | 08:28 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-pki master: Ensure key and certificate when pki_regen_cert is defined https://review.opendev.org/c/openstack/ansible-role-pki/+/808022 | 08:30 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Fix PKI regen behaviour https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/808023 | 08:36 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-pki master: Ensure key and certificate regenerated when pki_regen_cert is defined https://review.opendev.org/c/openstack/ansible-role-pki/+/808022 | 08:44 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Use ansible-role-pki to generate SSL certificates https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/807717 | 10:18 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-pki master: Ensure key and certificate regenerated when pki_regen_cert is defined https://review.opendev.org/c/openstack/ansible-role-pki/+/808022 | 10:42 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-pki master: Ensure key and certificate regenerated when pki_regen_cert is defined https://review.opendev.org/c/openstack/ansible-role-pki/+/808022 | 10:56 |
jrosser | feels like i missed something in the CSR which would make the cert be regenerated just by a new CSR | 12:49 |
jrosser | for the CA cert i think incrementing the serial number makes this happen automatically | 12:50 |
noonedeadpunk | yeah, eventually you just need to do force for key and cert generation if key is set | 13:16 |
noonedeadpunk | it works for me now in aio at least | 13:16 |
noonedeadpunk | still trying to understand how to generate authority_key_identifier https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html#parameter-authority_key_identifier | 13:18 |
noonedeadpunk | I tried just to set create_subject_key_identifier (hoped it can be fine to have that instead), but it's not | 13:19 |
jrosser | i think there was complexity with that | 13:36 |
noonedeadpunk | So to get that you kind of need to have subjectPublicKey generated and only then alter already issued certificate with KeyIdentifier? | 13:41 |
noonedeadpunk | if I understood https://stackoverflow.com/questions/22888574/how-to-get-authoritykeyidentifier-from-certificate correctly | 13:42 |
noonedeadpunk | if yes, I'd say the best thing to do would be alter all roles to drop ca specification from connection string | 13:42 |
noonedeadpunk | or we would need to create openssl.conf? | 13:43 |
noonedeadpunk | hm... | 13:51 |
noonedeadpunk | It feels that it's present... https://paste.opendev.org/show/809190/ | 13:52 |
noonedeadpunk | oh, damn | 13:56 |
noonedeadpunk | well, I guess whatever... let's maybe just replace ssl-ca in the connection string with just ssl? | 14:45 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Use ansible-role-pki to generate SSL certificates https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/807717 | 14:47 |
noonedeadpunk | I feel too stupid to understand what should be done here to solve the issue... | 14:48 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Use ansible-role-pki to generate SSL certificates https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/807717 | 15:21 |
noonedeadpunk | damn... we can't define just the ssl option https://github.com/PyMySQL/PyMySQL/blob/main/pymysql/connections.py#L266-L284 | 15:28 |
noonedeadpunk | because then pymysql expects it to be object.... | 15:28 |
jrosser | hrm sorry not being much help here | 15:28 |
mgariepy | fun : https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/ | 15:29 |
noonedeadpunk | so we must fix [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)) | 15:29 |
noonedeadpunk | damn | 15:30 |
noonedeadpunk | thankfully it doesn't affect <2.0 | 15:31 |
noonedeadpunk | jrosser: I just had some progress. So instead of placing intermediate as CA I placed root cert and it worked for mysql | 15:35 |
jrosser | right | 15:36 |
jrosser | i think that's expected? | 15:36 |
mgariepy | noonedeadpunk, don't you have 20.04 clusters ? | 15:36 |
jrosser | normally the intermediate is bundled with the server cert | 15:36 |
noonedeadpunk | oh... | 15:36 |
jrosser | i suspect that we have never used the galera ssl stuff before with cert + intermediate + root | 15:36 |
noonedeadpunk | and in system trust store we put also root+intermediate right? | 15:39 |
mgariepy | there is a workaround in this post: https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/ | 15:39 |
noonedeadpunk | mgariepy: just upgraded the first one to 20.04 | 15:42 |
noonedeadpunk | but we have amphoras on 20.04 :( | 15:42 |
mgariepy | neutron also has haproxy stuff iirc.. | 15:43 |
mgariepy | for the metadata agent i think | 15:43 |
noonedeadpunk | yep | 15:44 |
mgariepy | not sure if there is vulnerable config there tho. | 15:45 |
mgariepy | amphora would probably be tho. | 15:45 |
noonedeadpunk | I wonder if ubuntu has already patched this... | 15:46 |
noonedeadpunk | it is according to https://linuxsecurity.com/advisories/ubuntu/ubuntu-5063-1-haproxy-vulnerabilities-09-14-10 | 15:46 |
noonedeadpunk | And I already have 2.0.13-2ubuntu0.3 | 15:47 |
noonedeadpunk | https://ubuntu.com/security/notices/USN-5063-1 | 15:47 |
mgariepy | ho nice :D | 15:49 |
mgariepy | the 2 ones for neutron are a pain also. | 15:51 |
mgariepy | dnsmask from aug 31st and the memory leak from this morning | 15:52 |
mgariepy | er.. i meant .. dnsmasq** lol | 15:52 |
noonedeadpunk | mgariepy: thanks for sharing actually! | 16:09 |
noonedeadpunk | Because I haven't noticed this one | 16:10 |
noonedeadpunk | regarding ssl and mariadb - I guess I made some mistake in the role.... | 16:30 |
noonedeadpunk | because I was copying only intermediate as ca... | 16:30 |
*** frenzy_friday is now known as anbanerj|ruck | 17:21 | |
mgariepy | noonedeadpunk, no worries . i'm just lurking in #openstack-security. | 18:16 |
mgariepy | noonedeadpunk, shall we bump the neutron sha a bit ? to fix both issues in a patched release ? | 19:06 |