Update CA bundle
Reported by
benjamin...@pantheon.io,
Jun 13 2018
Issue description

Chrome OS Platform: Google Kubernetes Engine

Affected Product:
$ cat /etc/os-release
BUILD_ID=10032.71.0
NAME="Container-Optimized OS"
KERNEL_COMMIT_ID=c4c6234ae4f384ce00819c41b48ca8f6f1fa3ba8
GOOGLE_CRASH_ID=Lakitu
VERSION_ID=63
BUG_REPORT_URL=https://crbug.com/new
PRETTY_NAME="Container-Optimized OS from Google"
VERSION=63
GOOGLE_METRICS_PRODUCT_ID=26
HOME_URL="https://cloud.google.com/compute/docs/containers/vm-image/"
ID=cos

What is the impact to the user, and is there a workaround? If so, what is it?

Users attempting to connect via TLS to hosts using a certificate signed by a Comodo intermediate signed by `COMODO RSA Certification Authority` fail authentication. This CA appears to be missing from the Comodo CAs shipped with COS:

$ ls *.crt | xargs -Ixx openssl x509 -text -noout -in xx | grep -i comodo | grep Subject
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services
Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services
Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
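A more general form of the check in the report above, as an added example that is not part of the original thread: it matches on the exact subject CN and also works on concatenated PEM bundles, where `openssl x509` alone would read only the first certificate. The function names `list_certs`, `ca_present` and `make_sample_bundle` are hypothetical, and the two sample roots are constructed throwaway certificates.

```shell
#!/bin/sh
# Added example (not from the thread). list_certs, ca_present and
# make_sample_bundle are hypothetical helper names.

# Print "subject<TAB>SHA-256 fingerprint" for every certificate in a PEM file.
# Splitting first matters: `openssl x509 -in FILE` reads only the first
# certificate, so later roots in a concatenated bundle would be missed.
list_certs() {
  awk '
    { sub(/\r$/, "") }
    /-----BEGIN CERTIFICATE-----/ { pem = ""; on = 1 }
    on { pem = pem $0 "\n" }
    /-----END CERTIFICATE-----/ && on {
      cmd = "openssl x509 -noout -subject -fingerprint -sha256 -nameopt RFC2253 2>/dev/null | paste -s -"
      printf "%s", pem | cmd; close(cmd); on = 0
    }' "$1"
}

# Exit 0 and print matches if a certificate whose subject CN is exactly $2
# exists in $1 (a PEM file or a directory of PEM files); exit 1 otherwise.
ca_present() {
  store=$1; cn=$2; found=1
  if [ -d "$store" ]; then set -- "$store"/*; else set -- "$store"; fi
  for f in "$@"; do
    [ -f "$f" ] || continue
    hits=$(list_certs "$f" | awk -F '\t' -v cn="$cn" '
      { s = $1; sub(/^subject= */, "", s) }
      index("," s ",", ",CN=" cn ",") { print }')
    if [ -n "$hits" ]; then printf '%s\t%s\n' "$f" "$hits"; found=0; fi
  done
  return "$found"
}

# Constructed sample data: two throwaway self-signed roots in one bundle.
make_sample_bundle() {
  out=$1; work=$(mktemp -d); : > "$out"
  for name in "Example Root A" "Example Root B"; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/O=Example Test/CN=$name" \
      -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    cat "$work/cert.pem" >> "$out"
  done
  rm -rf "$work"
}
```

Run against a trust store directory, `ca_present DIR "COMODO RSA Certification Authority"` exits non-zero when the root is absent, which makes it usable as a node or image health check.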
,
Jun 15 2018
Could you indicate which bug report URL you used? I believe wonderfly@ already resolved this in the current trunk. I'm not sure how to map that to build IDs.
,
Jun 15 2018
I got the bug report URL from /etc/os-release. A copy of that file can be seen in the original post.
,
Jun 15 2018
@vapier: Yeah, I thought so - but I wasn't sure how to map the BUILD_ID to know whether that was after Issue 320802's fix had landed.
,
Jun 15 2018
go/crosland is an internal tool for mapping release numbers. If you look at the public CL, there's integration with that tool too. https://chromium-review.googlesource.com/1087645 -> Landed in 10761.0.0
,
Jun 15 2018
Gotcha. 10761.0.0 has the fix. Sounds like WontFix then :)
,
Jun 15 2018
Thanks for reporting. As others have commented, the next COS milestone (m69) will include the fix, which should be out soon. You can follow our release notes page for new COS releases: https://cloud.google.com/container-optimized-os/docs/release-notes. m63 has been deprecated and is not recommended for production usage. If you are using Google Kubernetes Engine, you can also follow their release notes for the COS version used in each Kubernetes version: https://cloud.google.com/kubernetes-engine/release-notes

In the future, questions regarding COS can be posted on StackOverflow with the "google-container-os" tag, or on the mailing lists documented at https://cloud.google.com/container-optimized-os/docs/resources/support-policy#contact_us. We are making a change of the bug report URL in m69 too that will point to that support page.
,
Jun 15 2018
Thanks for the update and the links! I'll share them with my team.
Comment 1 by benjamin...@pantheon.io
, Jun 13 2018