
Updated NGINX Signing Keys cause "Add NGINX signing key" task to fail #720

Closed
statio opened this issue May 30, 2024 · 3 comments · Fixed by #719

Comments


statio commented May 30, 2024

Describe the bug

A recent update to NGINX signing keys, which appears to have introduced an rsa4096 signing key in addition to still providing the original rsa2048 signing key, is causing the Red Hat/SLES OSs Add NGINX signing key task to fail due to a mismatch in the fingerprint. The default fingerprint provided for comparison in the task is: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

Per a download of the nginx_signing_key URL in the main.yml file of the role, the 4096-bit keys were either added or updated yesterday?

pub rsa4096 2024-05-29 [SC]
8540A6F18833A80E9C1653A42FD21310B49F6B46
uid nginx signing key [email protected]

pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key [email protected]

pub rsa4096 2024-05-29 [SC]
9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
uid nginx signing key [email protected]

On a Rocky Linux 9 target system, this task now fails as a result of this apparent "mismatch".

To reproduce

Steps to reproduce the behavior:

  1. Run the latest release of this role, which still includes the 2048-bit key as its sole signing key, against a RHEL9-esque target.
  2. View the output for the error on task RHEL/SLES OSs Add Nginx signing key.

Expected behavior

Updating this key directly in the task to the rsa4096 key provided in the signing key fixes this. The expected behavior is that the signing key matches the URL-determined key.

Your environment

  • Rocky Linux 9.4 Source/Target
  • ansible-core-1:2.14.9-1.el9.x86_64

Additional context

Happy to create a merge request here, but given I've just started using the module and haven't had time to dig through all the components, I don't know if there's an expectation that this isn't where you manage the source key ID.
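The failure above comes down to how the downloaded key file is compared with the configured fingerprint once that file carries more than one public key. The following added example (not code from this role or from NGINX) parses `gpg --with-colons --with-fingerprint --show-keys KEYFILE` output and contrasts a strict single-fingerprint check, which is my model of the behaviour the report describes, with an allowlist check that accepts a known set of keys while still rejecting any key that is not expected. The colon-format sample is constructed from the three fingerprints quoted above; the uid e-mail is a placeholder.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --with-fingerprint --show-keys KEYFILE`
# output for a key file carrying the three primary keys quoted in the report.
SAMPLE_COLON_OUTPUT = """\
pub:-:4096:1:2FD21310B49F6B46:1716940800:::-:::scSC::::::23::0:
fpr:::::::::8540A6F18833A80E9C1653A42FD21310B49F6B46:
uid:-::::::::nginx signing key <placeholder@example.invalid>::::::::::0:
pub:-:2048:1:ABF5BD827BD9BF62:1313712000:1810944000::-:::scSC::::::23::0:
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::::::nginx signing key <placeholder@example.invalid>::::::::::0:
pub:-:4096:1:BCDCD8A38D88A2B3:1716940800:::-:::scSC::::::23::0:
fpr:::::::::9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3:
uid:-::::::::nginx signing key <placeholder@example.invalid>::::::::::0:
"""

def primary_fingerprints(colon_output: str) -> list[str]:
    """Fingerprint of every primary public key in the file, in file order."""
    fprs, expecting = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expecting = True           # the next fpr record belongs to this key
        elif fields[0] == "fpr" and expecting:
            fprs.append(fields[9].upper())  # field 10 of an fpr record is the fingerprint
            expecting = False          # subkey fpr records are ignored

    return fprs

def single_key_matches(colon_output: str, fingerprint: str) -> bool:
    """Strict check (assumed model of the failure): the file must hold exactly one key."""
    return primary_fingerprints(colon_output) == [fingerprint.upper()]

@dataclass
class KeyCheck:
    allowed: list[str]     # fingerprints found that are on the allowlist
    unexpected: list[str]  # fingerprints found that are NOT on the allowlist
    missing: list[str]     # allowlisted fingerprints absent from the file

    @property
    def ok(self) -> bool:
        return not self.unexpected and bool(self.allowed)

def check_key_file(colon_output: str, expected: list[str]) -> KeyCheck:
    """Allowlist check: tolerates key rotation, still rejects unknown keys."""
    found = primary_fingerprints(colon_output)
    wanted = {f.upper() for f in expected}
    return KeyCheck([f for f in found if f in wanted],
                    [f for f in found if f not in wanted],
                    sorted(wanted - set(found)))
```

With only the rsa2048 fingerprint configured, the strict check fails and the allowlist check reports the two rsa4096 keys as unexpected; listing all three fingerprints makes the allowlist check pass without silently trusting whatever else the URL might serve.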

@thresheek

We are indeed rolling out a couple new keys that will be used in the future to sign the packages.

This project needs to be adapted to support that indeed.


pfuntner commented May 31, 2024

My team is eager for a fix to this... just sayin'. Various distros in the Redhat family are affected: Redhat, AlmaLinux, Amazon Linux, CentOS. 😢

@alessfg alessfg linked a pull request May 31, 2024 that will close this issue
Collaborator

alessfg commented May 31, 2024

#719 should fix this issue :)
