Open afbjorklund opened 6 years ago
Can one of the admins verify this patch?
add to whitelist
Seems like it always generated the cert for 127.0.0.1 and not the IP? But saw you had disabled it (the cert-gen) altogether instead.
retest this please.
@afbjorklund which version of docker is it failing with? We do test this ISO using our CI and it passes without this patch.
@praveenkumar : this was with just docker-machine and started out with minikube-centos-iso (with fedora), and before I noticed that you had commented out the call to the certificate generation in minikube...
https://github.com/minishift/minishift-centos-iso/blob/master/centos-7.template#L130:L131
But I can try it again with the actual ISO, if you find that it works for you with empty certs. I tried with Fedora 27, maybe something has changed for Fedora 28 or something? But I got an openssl error.
Was trying the ISO out as a basis for podman/buildah, but think that I will just start over instead.
problems making Certificate Request
140600462968640:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:102:minsize=2
@afbjorklund can you put all the info step by step about how you are using this ISO and hit this issue? I am still not sure why on the minishift side we are not getting this issue.
I believe that I just ran the cert-gen script, but if it is working for you I can run it again and note details. I was using docker-machine and not minishift, not sure if that changes anything about this issue?
https://github.com/minishift/minishift-fedora-iso/blob/master/fedora.template#L124
Couldn't find where you are using the certificate, but will run it again when I have the opportunity...
Waiting for the vagrant files to download, here is what I got when I ran the command in Fedora 28:
+ openssl genrsa -aes256 -passout file:tmp.pass -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
....................+++
e is 65537 (0x010001)
+ openssl req -new -x509 -passin file:tmp.pass -days 365 -key ca-key.pem -sha256 -out ca.pem -subj /C=/ST=/L=/O=/OU=/CN=example.com
problems making Certificate Request
140693958874944:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:102:minsize=2
+ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............+++
.........+++
e is 65537 (0x010001)
+ openssl req -subj /CN=example.com -new -key server-key.pem -out server.csr
+ extip=127.0.0.1
+ extipfile=extfile.cnf
+ echo subjectAltName = IP:127.0.0.1
+ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -passin file:tmp.pass -extfile extfile.cnf
x509: Cannot open input file ca.pem, No such file or directory
x509: Use -help for summary.
The rest of the script keeps on slogging, but there are no ca/cert/key files being generated here.
Since you have removed them from the docker config, I'm not sure it matters. But that's the bug?
# update docker.service file to exec the certificate generation script
sed -i.back 's/ExecStart=/ExecStartPre=\/usr\/local\/bin\/minishift-cert-gen\n&/' /usr/lib/systemd/system/docker.service
sed -i.back '/After=*/c\After=network.target rc-local.service' /usr/lib/systemd/system/docker.service
sed -i.back '/After=*/c\After=cloud-init.service rc-local.service' /usr/lib/systemd/system/docker-storage-setup.service
-# update the docker config to listen on TCP as well as unix socket
-sed -i.back '/OPTIONS=*/c\OPTIONS="--selinux-enabled --log-driver=journald -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem --tlsverify"' /etc/sysconfig/docker
-
# update docker-storage to use overlay2 as default storage driver
echo 'DOCKER_STORAGE_OPTIONS="--storage-driver overlay2"' > /etc/sysconfig/docker-storage
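Review bot: the removed OPTIONS= line (`-sed -i.back '/OPTIONS=*/c\OPTIONS="... --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem --tlsverify"'`) was the only consumer of the generated ca.pem, server.pem and server-key.pem, yet the first sed in this hunk still injects `ExecStartPre=/usr/local/bin/minishift-cert-gen` into docker.service, so the generation script keeps running at every daemon start, failing as in the log above, for files nothing reads any more; either drop that ExecStartPre sed as well, or keep the `-H tcp://0.0.0.0:2376 ... --tlsverify` options and fix the script's empty `/C=/ST=/L=/O=/OU=` subject fields instead. That line was also what enabled the TCP listener at all: if TCP is added back later it has to come back together with the --tlscacert/--tlscert/--tlskey/--tlsverify flags, otherwise the daemon socket is reachable without authentication. Minor: in `/After=*/` and `/OPTIONS=*/` the `*` quantifies the `=`, so the address matches any line containing `After` or `OPTIONS`; `/^After=/` and `/^OPTIONS=/` express the intent and avoid the `c\` command replacing an unintended line.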
Seems like docker was failing to generate a certificate?
Set the example.com CA to the same as the timezone