canonical / charm-openstack-service-checks

Collection of Nagios checks and other utilities that can be used to verify the operation of an OpenStack cluster

update-ca-certificates should be used with --fresh when changing trusted_ssl_ca #151

Closed sudeephb closed 6 months ago

sudeephb commented 6 months ago

When performing a clean deployment of o-s-c with an incorrect trusted_ssl_ca, for example an empty input or a set of combined certificates, update-ca-certificates will skip creating the symbolic links to files named by the hash values (see man openssl rehash), and the run ends with a missing link:

```
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root     61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Further re-configuring trusted_ssl_ca will not create the missing link because the charm runs update-ca-certificates without --fresh. This may result in "unable to get local issuer certificate" errors in the check_ssl_cert check. The missing link can be recreated with update-ca-certificates --fresh:

```
/etc/ssl/certs$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root     61 Feb 22 09:15 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
/etc/ssl/certs$ ls -l | grep openstack-service-checks
lrwxrwxrwx 1 root root     28 Feb 22 09:21 8d2fba8c.0 -> openstack-service-checks.pem
lrwxrwxrwx 1 root root     61 Feb 22 09:21 openstack-service-checks.pem -> /usr/local/share/ca-certificates/openstack-service-checks.crt
```

Note that the missing symlink is important for check_ssl_cert to find the certificates and work properly. Also, see the attachment for the complete stdout output.


Imported from Launchpad using lp2gh.
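The report above describes two distinct failure modes: a trusted_ssl_ca value that `openssl rehash` refuses to link (empty, or a bundle of several certificates), and a later reconfiguration that never repairs the missing `<hash>.N` link because `update-ca-certificates` is run without `--fresh`. The following is an added example, not code from charm-openstack-service-checks or from the reporter, showing how a charm could validate the configured value before writing it, always rebuild the trust store with `--fresh`, and verify afterwards that a hash link for the installed CA actually exists. The paths (`/usr/local/share/ca-certificates/openstack-service-checks.crt`, `/etc/ssl/certs`) follow the listings in the report; the function names, the fake PEM body and the `demo()` directory layout are constructed for illustration.

```python
"""Added example: validate trusted_ssl_ca, install it with update-ca-certificates
--fresh, and check that `openssl rehash` produced a <hash>.N link for it.
Not the charm's own code; paths and names below are assumptions."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed charm paths, following the `ls -l` listings in the issue.
CA_SRC = Path("/usr/local/share/ca-certificates/openstack-service-checks.crt")
CERTS_DIR = Path("/etc/ssl/certs")

# Constructed PEM block for the demo and tests; this is NOT a real certificate.
FAKE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedNotARealCertificateBody\n"
    "-----END CERTIFICATE-----\n"
)

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)
# Links created by `openssl rehash`: 8 hex digits of the subject hash, a dot, a counter.
HASH_LINK = re.compile(r"[0-9a-f]{8}\.\d+")


def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks in the text (0 for an empty config value)."""
    return len(PEM_CERT.findall(pem_text))


def validate_trusted_ssl_ca(pem_text: str) -> bool:
    """`openssl rehash` only links files holding exactly one certificate or CRL,
    so an empty value or a bundle would silently get no <hash>.N link."""
    return count_pem_certificates(pem_text) == 1


def update_ca_certificates_cmd(fresh: bool = True) -> list:
    """Command that rebuilds /etc/ssl/certs; --fresh clears stale links first."""
    cmd = ["update-ca-certificates"]
    if fresh:
        cmd.append("--fresh")
    return cmd


def install_trusted_ca(pem_text: str, dest: Path = CA_SRC, run=subprocess.run) -> None:
    """Write the CA file and rebuild the trust store. Needs root on a real host;
    `run` is injectable so the call can be stubbed in tests."""
    if not validate_trusted_ssl_ca(pem_text):
        raise ValueError("trusted_ssl_ca must contain exactly one PEM certificate")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(pem_text)
    run(update_ca_certificates_cmd(fresh=True), check=True)


def hash_links_for(certs_dir: Path, pem_name: str) -> list:
    """Names of <hash>.N symlinks in certs_dir that point at pem_name.
    An empty list is the broken state from the report: check_ssl_cert cannot
    find the CA even though the .pem link itself exists."""
    found = []
    for entry in certs_dir.iterdir():
        if entry.is_symlink() and HASH_LINK.fullmatch(entry.name):
            # rehash links are relative, e.g. 8d2fba8c.0 -> openstack-service-checks.pem
            if os.readlink(entry) == pem_name:
                found.append(entry.name)
    return sorted(found)


def demo() -> dict:
    """Constructed layout mirroring the report: first only the .pem link exists
    (missing hash link), then 8d2fba8c.0 is added as --fresh would do."""
    with tempfile.TemporaryDirectory() as tmp:
        certs = Path(tmp) / "certs"
        certs.mkdir()
        source = Path(tmp) / "openstack-service-checks.crt"
        source.write_text(FAKE_CERT)
        (certs / "openstack-service-checks.pem").symlink_to(source)
        before = hash_links_for(certs, "openstack-service-checks.pem")
        (certs / "8d2fba8c.0").symlink_to("openstack-service-checks.pem")
        after = hash_links_for(certs, "openstack-service-checks.pem")
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

On a real unit the check would be `hash_links_for(CERTS_DIR, "openstack-service-checks.pem")` immediately after `install_trusted_ca(...)`; an empty result means the rehash step skipped the file and check_ssl_cert will report "unable to get local issuer certificate" regardless of how often the config is re-applied without `--fresh`.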

sudeephb commented 6 months ago

(by raychan96)