Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pki: T6481: auto import ACME certificate chain into CLI (backport #4118) #4140

Merged
merged 1 commit into from
Oct 7, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Oct 7, 2024

Change Summary

When using an ACME based certificate with VyOS we provide the necessary PEM files opaque in the background when using the internal tools. This however will not properly work with the CA chain portion, as the system is based on the "pki certificate acme" CLI node of a certificate but CA chains reside under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into the "pki ca AUTOCHAIN_ certificate" subsystem so it can be queried by other daemons. Importing the chain only happens, when the chain was not already added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds a safeguard when the intermediate CA changes, the referenced name on the CLI stays consitent for any pending daemon updates.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

PKI, ACME

Proposed changes

How to test

Smoketest result

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_pki.py
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 17.844s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

This is an automatic backport of pull request #4118 done by [Mergify](https://mergify.com).

When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate <name> acme" CLI node of a certificate but CA chains reside
under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens, when the chain was not already
added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard when the intermediate CA changes, the referenced name on the CLI
stays consitent for any pending daemon updates.

(cherry picked from commit 875764b)
@mergify mergify bot requested a review from a team as a code owner October 7, 2024 15:10
@mergify mergify bot requested review from dmbaturin, sarthurdev, zdc, jestabro, c-po and fett0 and removed request for a team October 7, 2024 15:10
Copy link

github-actions bot commented Oct 7, 2024

👍
No issues in PR Title / Commit Title

@c-po c-po merged commit 1f9f34f into circinus Oct 7, 2024
9 checks passed
@sever-sever sever-sever deleted the mergify/bp/circinus/pr-4118 branch October 17, 2024 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

Successfully merging this pull request may close these issues.

2 participants