[BUG] SecuritySSLReloadCertsActionTests is using outdated certificates #2675

Closed
stephen-crawford opened this issue Apr 12, 2023 · 3 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@stephen-crawford
Contributor

stephen-crawford commented Apr 12, 2023

What is the bug?
The recent tenancy changes have broken all builds. When CI tries to run, it eventually fails on the TransportUserInjectorIntegTest, TenancyMultitenancyEnabledTests, and others. This behavior can be seen in PRs which make no code changes, such as #2660, which shows the change is part of the existing code base.

How can one reproduce the bug?
Steps to reproduce the behavior:
Run any builds on the GitHub runners.

What is the expected behavior?
Runners should pass by default and only fail when a PR is introducing a new issue.

Do you have any additional context?
The tenancy feature was recently modified as part of #2607. This is likely the cause.

@stephen-crawford stephen-crawford added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Apr 12, 2023
@stephen-crawford stephen-crawford changed the title [BUG] Tenancy changes break CI-- [BUG] Tenancy changes break CI Apr 12, 2023
@cwperks
Member

cwperks commented Apr 12, 2023

@scrawfor99 It's not related to the tenancy changes. Some of the certificates used in SecuritySSLReloadCertsActionTests are expired.

openssl x509 -in src/test/resources/ssl/reload/node.crt.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1618186026013 (0x178c3673c1d)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example, O = Example Com Inc., OU = Example Com Inc. Signing CA, CN = Example Com Inc. Signing CA
        Validity
            Not Before: Apr 12 00:07:08 2021 GMT
            Not After : Apr 12 00:07:08 2023 GMT
        Subject: C = DE, L = Test, O = Test, OU = SSL, CN = node-1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:D2:D3:61:E1:E9:A7:5C:60:55:69:B0:74:81:00:66:58:32:FA:06:44
                DirName:/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA
                serial:02
            X509v3 Subject Key Identifier:
                25:2D:12:49:EC:47:4B:88:42:55:C1:B3:4C:D7:96:9F:ED:25:B7:17
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                Registered ID:1.2.3.4.5.5, othername: commonName::node-1.example.com, DNS:node-1.example.com, DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

@cwperks
Member

cwperks commented Apr 12, 2023

Certs were updated in opendistro-1.13 for these tests. Details for generating new certs can be found here: #1943 (comment)
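
An added example (not part of the original thread and not the project's own code): a small checker that reads the `Validity` block of `openssl x509 -text` output, such as the one quoted above for `node.crt.pem`, and classifies the certificate at a given reference time, so a CI job could flag test certificates before they expire. The function names, the 30-day warning window and the reference times in the demo are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Validity lines copied from the openssl output quoted in this issue.
SAMPLE_TEXT = """\
        Validity
            Not Before: Apr 12 00:07:08 2021 GMT
            Not After : Apr 12 00:07:08 2023 GMT
        Subject: C = DE, L = Test, O = Test, OU = SSL, CN = node-1.example.com
"""

# openssl pads single-digit days with an extra space, hence \s+ after the month.
VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT"
)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for kind, stamp in VALIDITY_RE.findall(text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def classify(text, now, warn_days=30):
    """Classify the certificate as seen at `now` (an aware datetime)."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:  # the validity period includes notAfter itself
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Assumed reference times: the day the issue was opened, and three weeks earlier.
    opened = datetime(2023, 4, 12, 12, 0, tzinfo=timezone.utc)
    earlier = datetime(2023, 3, 20, tzinfo=timezone.utc)
    print("on the issue date:", classify(SAMPLE_TEXT, opened))
    print("three weeks before:", classify(SAMPLE_TEXT, earlier))
```

Run against every certificate under the test resources directory, a check like this would have reported `expiring` weeks before the builds started failing.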

@cwperks cwperks changed the title [BUG] Tenancy changes break CI [BUG] SecuritySSLReloadCertsActionTests is using outdated certificates Apr 12, 2023
@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Apr 17, 2023
@stephen-crawford
Contributor Author

[Triaging] Closing this issue since #2679 was merged as a fix. Thank you @cwperks!
