update-ca-certificates doesn't concatenate properly certificates if trailing newline is missing #1601
Labels
kind/bug
Something isn't working
Comments
Flatcar's implementation of update-ca-certificates. It should be changed to a for loop with sed (https://github.com/ClusterHQ/gentoo/blob/master/usr/sbin/update-ca-certificates#L80C3-L80C15) or cat+echo.
jepio added a commit to flatcar/scripts that referenced this issue on Feb 14, 2025 (the same commit message was referenced again on Feb 18, 2025 and four times on Feb 24, 2025):
Concatenating certificates missing newlines naively with cat results in broken bundle. Fix the issue by using a sed expression that appends a trailing newline after the last line if it is missing.
Issue: flatcar/Flatcar#1601
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@adam-bartlett-sp this change is now in main and cherry-picked to all release branches, will be part of the nearest release.
Description
update-ca-certificates blindly concats certificates without concern for a newline at the end of the file. This is concerning in environments where certificates are provided by enterprise teams that may not always have a newline. This issue was fixed in Debian 13 years ago and in Alpine 6 years ago.
Impact
ca-certificates bundle will be invalid, which breaks a number of services.
Environment and steps to reproduce
a. Write a valid X.509 PEM file into /etc/ssl/certs with no new line before EOF
b. Execute
   sudo /usr/sbin/update-ca-certificates
c.
   curl https://flatcar.org
   curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Expected behavior
We would expect curl to complete and show a 301 Moved Permanently.
Additional information
Bugs in Debian & Alpine:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635570
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8379
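The failure reported in this issue, reproduced on constructed data next to a newline-safe concatenation in the cat+echo style mentioned in the comments. This is an added example, not code from Flatcar or from the linked scripts; the file names, placeholder certificate bodies and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample data: PEM-shaped placeholder blocks, not real certificates.
make_samples() {
    # a.pem deliberately has no newline after its END marker
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtQQ==' '-----END CERTIFICATE-----' > "$1/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtQg==' '-----END CERTIFICATE-----' > "$1/b.pem"
}

# The behaviour described in the issue: plain concatenation.
bundle_naive() {
    cat "$1"/*.pem
}

# Newline-safe variant (cat plus a conditional echo).
bundle_safe() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        cat "$f"
        # $(...) strips a trailing newline, so this is non-empty only
        # when the file's last byte is something other than a newline.
        if [ -n "$(tail -c 1 "$f")" ]; then
            echo
        fi
    done
}

# Detection check: count lines where an END marker runs into a BEGIN marker.
count_fused() {
    grep -c -e 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$1" || true
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
bundle_naive "$demo_dir" > "$demo_dir/naive.crt"
bundle_safe "$demo_dir" > "$demo_dir/safe.crt"
echo "fused boundaries, naive cat:   $(count_fused "$demo_dir/naive.crt")"
echo "fused boundaries, safe bundle: $(count_fused "$demo_dir/safe.crt")"
rm -rf "$demo_dir"
```

Running `count_fused` against an existing bundle is a quick way to tell whether it was built from a file with a missing trailing newline.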