Closed reneradoi closed 1 month ago
What I see is the following:
```
ubuntu@vm-lxd2:~$ juju show-secret --reveal cqprnloqjdij98nicrh0
cqprnloqjdij98nicrh0:
  revision: 3
  owner: opensearch/0
  label: opensearch:unit:0:unit-transport
  created: 2024-08-07T18:24:25Z
  updated: 2024-08-07T18:24:37Z
  content:
    ca-cert: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    cert: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    chain: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    csr: |
      -----BEGIN CERTIFICATE REQUEST-----
      ...
      -----END CERTIFICATE REQUEST-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    keystore-password: 8fevQVODEmx9Xi86MbD2qNEAlY3IaY7r
    subject: /O=opensearch-wyzz/CN=10.8.62.4
```
`self-signed-certificates` look as the following:
```
ubuntu@vm-lxd2:~$ juju show-secret --reveal cqprnn0qjdij98nicrmg
cqprnn0qjdij98nicrmg:
  revision: 1
  expires: 2025-04-08T02:24:26Z
  owner: opensearch/0
  label: afd8c2bccf834997afce12c2706d2ede-0cb2360652301f85a906d2c4f52b94fbfbd49248cd2c4ef994b0987f9d23b85e
  created: 2024-08-07T18:24:32Z
  updated: 2024-08-07T18:24:37Z
  content:
    certificate: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    csr: |-
      -----BEGIN CERTIFICATE REQUEST-----
      ...
      -----END CERTIFICATE REQUEST-----
```
It is indeed misleading that `self-signed-certificates` is creating secrets in a way that the owner is the requestor. I'm not sure how this may be possible.
Yet I find the exact same pattern for Opensearch Dashboards. While there are no secrets owned by `self-signed-certificates` (despite them using secrets).
And indeed: they are using these kinds of secret labels: https://github.com/canonical/self-signed-certificates-operator/blob/main/lib/charms/tls_certificates_interface/v3/tls_certificates.py#L1880-L1881
We can safely close this bug.
When deploying opensearch, some secrets for certificate signing requests are not stored correctly. Instead of storing the csr as content of a secret, it is stored in the label:
Also, the actual name of the secret is missing.