Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pki: T6481: auto import ACME certificate chain into CLI #4118

Merged
merged 1 commit into from
Oct 7, 2024
Merged

pki: T6481: auto import ACME certificate chain into CLI #4118

merged 1 commit into from
Oct 7, 2024

Conversation

c-po
Copy link
Member

@c-po c-po commented Oct 1, 2024
edited
Loading

Change Summary

When using an ACME based certificate with VyOS we provide the necessary PEM files opaque in the background when using the internal tools. This however will not properly work with the CA chain portion, as the system is based on the "pki certificate acme" CLI node of a certificate but CA chains reside under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into the "pki ca AUTOCHAIN_ certificate" subsystem so it can be queried by other daemons. Importing the chain only happens, when the chain was not already added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds a safeguard when the intermediate CA changes, the referenced name on the CLI stays consitent for any pending daemon updates.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

PKI, ACME

Proposed changes

How to test

Smoketest result

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_pki.py
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 17.844s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 1, 2024
edited
Loading

👍
No issues in PR Title / Commit Title

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 1, 2024
edited
Loading

✅ No issues found in unused-imports check.. Please refer the workflow run

@c-po
pki: T6481: auto import ACME certificate chain into CLI
875764b 
When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate <name> acme" CLI node of a certificate but CA chains reside
under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_<name> certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens, when the chain was not already
added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard when the intermediate CA changes, the referenced name on the CLI
stays consitent for any pending daemon updates.
@c-po c-po marked this pull request as ready for review October 7, 2024 10:34
@c-po c-po requested a review from a team as a code owner October 7, 2024 10:34
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 7, 2024

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@dmbaturin dmbaturin merged commit 09a4b46 into vyos:current Oct 7, 2024
19 of 20 checks passed
@c-po
Copy link
Member Author

c-po commented Oct 7, 2024

@Mergifyio backport circinus

@c-po c-po deleted the acme-ca-cert branch October 7, 2024 15:09
@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 7, 2024
edited
Loading

backport circinus

✅ Backports have been created

@mergify mergify bot mentioned this pull request Oct 7, 2024
Merged
12 tasks
c-po added a commit that referenced this pull request Oct 7, 2024
@c-po
Merge pull request #4140 from vyos/mergify/bp/circinus/pr-4118
1f9f34f 
pki: T6481: auto import ACME certificate chain into CLI (backport #4118)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmbaturin dmbaturin dmbaturin approved these changes

@jestabro jestabro jestabro approved these changes

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@sever-sever sever-sever Awaiting requested review from sever-sever sever-sever is a code owner automatically assigned from vyos/reviewers

@fett0 fett0 Awaiting requested review from fett0 fett0 is a code owner automatically assigned from vyos/reviewers

Assignees

@c-po c-po

Labels
backport current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@c-po @dmbaturin @jestabro