
root CA certificate does not include key usage extension #4864

Open
mfmarche opened this issue Feb 11, 2025 · 2 comments

Comments

@mfmarche

Summary

The root CA certificate that is generated does not have the keyUsage defined (see https://github.com/canonical/microk8s/blob/master/microk8s-resources/actions/common/utils.sh#L689)

An example CA cert's extension block:

    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            0E:EF:10:1C:40:F6:85:87:76:23:A4:40:C7:D7:73:41:AB:F4:9E:A8
        X509v3 Authority Key Identifier: 
            0E:EF:10:1C:40:F6:85:87:76:23:A4:40:C7:D7:73:41:AB:F4:9E:A8
        X509v3 Basic Constraints: critical
            CA:TRUE

Python 3.13 now has:

Changed in version 3.13: The context now uses VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT in its default verify flags.

An example error seen when running kopf on Python 3.13:

[2025-02-11 21:16:16,609] kopf._core.reactor.o [ERROR ] Request attempt #9/9 failed; escalating: GET https://10.152.183.1:443/api -> ClientConnectorCertificateError(ConnectionKey(host='10.152.183.1', port=443, is_ssl=True, ssl=True, proxy=None, proxy_auth=None, proxy_headers_hash=None), SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1028)'))

To work around this issue, the strict setting must be removed in order to establish an SSL connection to microk8s with the CA certificate, which is not ideal (there could be multiple packages affected, for example kopf, the kubernetes client, etc.) and less secure.

What Should Happen Instead?

Generate a CA certificate with keyUsage defined.

Is there another way to update the openssl.cnf file and its defaults? I see in:

https://github.com/canonical/microk8s/blob/master/microk8s-resources/wrappers/openssl.wrapper#L9C1-L10C1

and it refers to
export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"

however, I don't believe this is a file that users can update/modify.

@mfmarche
Author

In case anyone else hits this, I resolved it by creating and installing a CA:

mkdir cadir
# generate the CA private key
openssl genrsa -out cadir/ca.key 2048
# self-signed CA cert with an explicit keyUsage extension (key path matches the genrsa output above)
openssl req -x509 -new -nodes -key cadir/ca.key -sha256 -days 360 -out cadir/ca.crt -addext "keyUsage=critical,digitalSignature,keyCertSign"
microk8s.refresh-certs cadir
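The following is an added example, not code from the issue author or from microk8s. It reproduces the extension set shown in the report (Subject Key Identifier, Authority Key Identifier, critical Basic Constraints, no keyUsage) with an explicit openssl config, builds a second CA with the `-addext "keyUsage=critical,digitalSignature,keyCertSign"` from the workaround, and checks each certificate for the keyUsage extension that OpenSSL's strict mode (what Python 3.13 enables via VERIFY_X509_STRICT) requires on a CA. The working directory, subject name and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not microk8s code): compare a CA cert generated without
# keyUsage against one generated with the -addext from the workaround.
set -eu

WORK=${WORK:-$(mktemp -d)}   # assumption: scratch directory for this example

# Minimal openssl config reproducing the extension set seen in the report:
# SKI, AKI and basicConstraints only, no keyUsage.
write_noku_config() {
  cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = example-root-ca
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
EOF
}

# make_ca DIR with|without  -> writes DIR/ca.key and DIR/ca.crt
# "with" appends the keyUsage extension via -addext on top of the config's v3_ca section.
make_ca() {
  dir=$1
  mode=$2
  mkdir -p "$dir"
  write_noku_config "$dir/openssl.cnf"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  if [ "$mode" = with ]; then
    openssl req -x509 -new -nodes -config "$dir/openssl.cnf" \
      -key "$dir/ca.key" -sha256 -days 365 -out "$dir/ca.crt" \
      -addext "keyUsage=critical,digitalSignature,keyCertSign" 2>/dev/null
  else
    openssl req -x509 -new -nodes -config "$dir/openssl.cnf" \
      -key "$dir/ca.key" -sha256 -days 365 -out "$dir/ca.crt" 2>/dev/null
  fi
}

# key_usage CERT -> prints the decoded keyUsage bits of CERT, or "none" if absent
key_usage() {
  ku=$(openssl x509 -in "$1" -noout -text |
       awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print; exit }')
  if [ -z "$ku" ]; then echo none; else echo "$ku"; fi
}

# strict_ok CERT -> exit 0 when CERT carries keyUsage with keyCertSign,
# which is what a strict verifier expects of a CA certificate; 1 otherwise
strict_ok() {
  key_usage "$1" | grep -q 'Certificate Sign'
}

make_ca "$WORK/noku" without
make_ca "$WORK/ku" with
echo "without -addext: $(key_usage "$WORK/noku/ca.crt")"
echo "with    -addext: $(key_usage "$WORK/ku/ca.crt")"
```

The first certificate prints `none` and the second prints `Digital Signature, Certificate Sign`; only the second passes `strict_ok`. The same requirement can be exercised end to end with `openssl verify -x509_strict`, which sets the same X509_V_FLAG_X509_STRICT flag that Python's VERIFY_X509_STRICT maps to.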

@eaudetcobello
Contributor

Hi @mfmarche,

I've notified the team and we'll schedule work to add the -addext "keyUsage=critical,digitalSignature,keyCertSign" as suggested.

Thanks!
