tasks: Mark OpenSSL basicConstraints extension as critical
This is a requirement with OpenSSL 3, otherwise it rejects our generated
certificates:

> ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: Basic Constraints of CA cert not marked
> critical (_ssl.c:1020)
martinpitt committed Dec 13, 2024
1 parent 29cd96e commit de95a7b
Showing 1 changed file with 4 additions and 4 deletions.
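--- a/tasks/credentials/openssl.cnf
+++ b/tasks/credentials/openssl.cnf
@@ -25,7 +25,7 @@ organizationalUnitName = optional
 domainComponent = optional
 
 [ certificate_extensions ]
-basicConstraints = CA:false
+basicConstraints = critical, CA:false
 
 [ req ]
 default_bits = 2048
@@ -39,16 +39,16 @@ x509_extensions = root_ca_extensions
 commonName = hostname
 
 [ root_ca_extensions ]
-basicConstraints = CA:true
+basicConstraints = critical, CA:true
 keyUsage = keyCertSign, cRLSign
 
 [ client_ca_extensions ]
-basicConstraints = CA:false
+basicConstraints = critical, CA:false
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
 
 [ server_ca_extensions ]
-basicConstraints = CA:false
+basicConstraints = critical, CA:false
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 subjectAltName=DNS:*.apps.ocp.ci.centos.org,DNS:*.cockpit-project.org,DNS:cockpit-tests,DNS:cockpituous,DNS:*.compute-1.amazonaws.com,DNS:localhost,DNS:localhost.localdomain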
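Review bot: The critical flag on `basicConstraints` in `[ root_ca_extensions ]` satisfies only the one strict-verification check quoted in the commit message. As far as I know, the same strict X.509 mode also expects a subject key identifier on CA certificates and an authority key identifier on certificates that are not self-signed, and none of the visible sections sets either. Recent OpenSSL tools appear to add both by default, so generation probably works today, but spelling them out removes the dependency on the generator's version: `subjectKeyIdentifier = hash` in `[ root_ca_extensions ]` and `authorityKeyIdentifier = keyid` in the client and server sections. RFC 5280 also recommends marking the CA's key usage critical, i.e. `keyUsage = critical, keyCertSign, cRLSign`.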
