
openssl_certificate_info cannot open "TRUSTED CERTIFICATE" #138

Open
gavenkoa opened this issue Nov 4, 2020 · 6 comments

Comments

@gavenkoa

gavenkoa commented Nov 4, 2020

I generated a self-signed trusted certificate (meaning with -trustout) and openssl_certificate_info is unable to load it:

      File "/cygdrive/c/Users/user/AppData/Local/Temp/ansible_openssl_certificate_info_payload_44fbrdw1/ansible_openssl_certificate_info_payload.zip/ansible/module_utils/crypto.py", line 229, in load_certificate
      File "/usr/lib/python3.6/site-packages/cryptography/x509/base.py", line 70, in load_pem_x509_certificate
        return backend.load_pem_x509_certificate(data)
      File "/usr/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1310, in load_pem_x509_certificate
        "Unable to load certificate. See https://cryptography.io/en/la"
    ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

The certificate contains prelude / epilogue:

-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----

After I altered those lines by stripping TRUSTED, it is able to work with the certificate.

Self-contained reproduction script:

- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    stdout_callback: yaml
    client_name: client
    client_pass: 123456
    client_domain: localhost
    client_email: [email protected]

  tasks:
  - shell:
      cmd: >-
        openssl genrsa -out {{ client_name }}.key -passout pass:{{ client_pass }} 2048
      creates: "{{ client_name }}.key"
  - shell:
      cmd: >-
        openssl req -new
        -key {{ client_name }}.key -passin pass:{{ client_pass }}
        -out {{ client_name }}.csr
        -subj /CN="{{ client_domain }}"/O=home/C=UA/emailAddress="{{ client_email }}"
      creates: "{{ client_name }}.csr"
  - shell:
      cmd: >-
        openssl x509 -trustout -days 3650
        -signkey {{ client_name }}.key -passin pass:{{ client_pass }}
        -req -in {{ client_name }}.csr -out {{ client_name }}.crt
      creates: "{{ client_name }}.crt"
  - shell:
      cmd: >-
        openssl x509 -text -noout -in "{{ client_name }}.crt"
    register: crt_info

  # Now you can start server with the client certificate & the private key:
  # openssl s_server -no_dhe -accept 8000 -www -key client.key -cert client.crt
  # and connect to server with:
  # curl --cacert client.crt https://localhost:8000

  - debug: var=crt_info

  - openssl_certificate_info:
      path: "{{ client_name }}.csr"
    register: crt_info

  - debug: var=crt_info
@webknjaz
Member

webknjaz commented Nov 5, 2020

Do you actually use a module from this collection? Your reproducer doesn't have an FQCN.

@felixfontein
Contributor

That might also come from Ansible 2.9, which contains older versions of these modules. It is always helpful to know which versions of the modules are actually used. And also which version of cryptography is used.

In any case, see https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file (I created pyca/cryptography#5552 to fix the URLs).

Anyway, you need to file the bug here: https://github.com/pyca/cryptography/issues/new. The problem is obviously coming from cryptography, not from our modules.

@MarkusTeufelberger
Contributor

The reproducing script also refers to csr, not crt...? In any case, this seems like an issue with cryptography or maybe even their openssl back-end (though running in cygwin definitely doesn't help either).

@felixfontein
Contributor

I created #139 to improve the error handling in this case (i.e. fail the module instead of crashing).

@gavenkoa
Author

gavenkoa commented Nov 8, 2020

It is always helpful to know which versions of the modules are actually used. And also which version of cryptography is used.

Cygwin:

pip3 list
ansible      2.9.0
asn1crypto   1.4.0
cryptography 3.0

Debian 10 in WSL (also reproduced):

ansible           2.9.13
asn1crypto        0.24.0
cryptography      2.6.1

@gavenkoa
Author

gavenkoa commented Nov 8, 2020

Here:

https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

I've read:

Note that GnuTLS cannot handle OpenSSL's 'trusted certificate' format - the one with BEGIN TRUSTED CERTIFICATE - so neither bundles nor directories containing certificates of this type will work.

Looks like it is an OpenSSL extension. Not sure if it should be supported by cryptography...
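The reproduction in the opening post and the "OpenSSL extension" remark above both come down to the same format detail: inside a TRUSTED CERTIFICATE block, the base64 payload is the X.509 Certificate SEQUENCE immediately followed by OpenSSL's CERT_AUX SEQUENCE (trust and reject OIDs, alias, key id), so a loader that expects exactly one Certificate rejects the trailing bytes. The following is an added example, not code from this issue, from the ansible modules or from pyca/cryptography; the function names are its own, and the sample DER is constructed (a minimal SEQUENCE standing in for a real certificate, plus an aux structure carrying one serverAuth trust OID), not a real certificate.

```python
import base64
import re
import textwrap

# PEM label that "openssl x509 -trustout" writes; the DER inside is
# Certificate SEQUENCE || CERT_AUX SEQUENCE (trust OIDs, reject OIDs, alias, keyid).
TRUSTED_LABEL = "TRUSTED CERTIFICATE"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv_length(buf: bytes) -> int:
    """Total encoded size (tag + length + value) of the first DER TLV in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def split_trusted_certificate_pem(pem: str):
    """Return (cert_der, aux_der); aux_der is b'' for a plain CERTIFICATE block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    der = base64.b64decode("".join(body.split()))
    if der[:1] != b"\x30":
        raise ValueError("expected a DER SEQUENCE")
    if label == "CERTIFICATE":
        return der, b""
    if label != TRUSTED_LABEL:
        raise ValueError("unsupported PEM label %r" % label)
    cert_len = der_tlv_length(der)         # the certificate is the first SEQUENCE
    return der[:cert_len], der[cert_len:]  # everything after it is OpenSSL's aux data

def to_plain_certificate_pem(pem: str) -> str:
    """Rewrite a TRUSTED CERTIFICATE block as the CERTIFICATE block cryptography accepts."""
    cert_der, _aux = split_trusted_certificate_pem(pem)
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(b64, 64))

# Constructed sample (not a real certificate): a minimal SEQUENCE standing in for the
# certificate, followed by CERT_AUX { trust SEQUENCE OF OID { 1.3.6.1.5.5.7.3.1 serverAuth } }.
CERT_DER = bytes.fromhex("3003020101")
AUX_DER = bytes.fromhex("300c300a06082b06010505070301")
SAMPLE_PEM = "-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n" % (
    base64.b64encode(CERT_DER + AUX_DER).decode())
```

The plain block that to_plain_certificate_pem returns can be fed to load_pem_x509_certificate as usual; the aux bytes are OpenSSL-local trust settings, not part of the certificate's signature, so dropping them does not alter what the certificate attests.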
