- Bug
- Resolution: Done
- Major
- quay-v3.7.0
Quay Enterprise
Script location: https://github.com/quay/quay/blob/master/conf/init/certs_install.sh
Adding certs to the system store seems to work fine, but adding them to the Python store fails in certain situations. It seems that the script is not applying the newline correctly when going through the cert list. This causes the following:
-----BEGIN CERTIFICATE----- MIIDfzCCAmegAwIBAgIBADANBgkqhkiG9w0BAQsFADB3MS0wKwYDVQQuEyQ5OWVh ... P+HJ1lPpvWItsfwJIRJwGIWYKLRXzUi9gGaXd9jN3F+x9+aSJzP6SfBcYwKt5exM XNIURF1JeFuj2lfdWfZ1aqnh5zbO9yw734qyZ5nhAL+teb0= -----END CERTIFICATE----------BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIbb5SXoMm9n8wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE ... gTv00Wg5O3bvlV4V0I2HP9787Hjd739mPsr6aS2Iqu0KOTx+ag== -----END CERTIFICATE-----
to be added to /usr/local/lib/python3.8/site-packages/certifi/cacert.pem bundle. When Python encounters this, it fails to decode the certificate and the following stack is observed:
gunicorn-registry stdout | ssl.SSLError: [X509] PEM lib (_ssl.c:4265)
gunicorn-registry stdout | urllib3.exceptions.SSLError: [X509] PEM lib (_ssl.c:4265)
gunicorn-registry stdout | botocore.exceptions.SSLError: SSL validation failed for https://storage.googleapis.com/quay-tecpr01s-globpc-tesertoolsocp [X509] PEM lib (_ssl.c:4265)
The end result is that pull fails with a 502 error.
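One way to append certificates to a bundle so the END and BEGIN markers can never share a line, with a check for the fused boundary shown above. This is an added example, not the code of certs_install.sh; the function names are hypothetical and the sample PEM contents are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: newline-safe appends to a PEM bundle (hypothetical helper names).

# Succeeds when the file is missing, empty, or its last byte is a newline.
ends_with_newline() {
    [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

# Append one PEM file to a bundle so that BEGIN always starts on its own line.
append_cert() {
    ac_bundle=$1
    ac_cert=$2
    # Terminate the bundle first in case its current last line is unterminated.
    ends_with_newline "$ac_bundle" || printf '\n' >> "$ac_bundle"
    cat "$ac_cert" >> "$ac_bundle"
    # Terminate the certificate just written so the next append is safe too.
    ends_with_newline "$ac_bundle" || printf '\n' >> "$ac_bundle"
}

# Count lines where an END marker runs straight into a BEGIN marker, the
# condition behind the "[X509] PEM lib" error when the bundle is loaded.
count_fused_boundaries() {
    grep -cF -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true
}

# Compare plain concatenation with append_cert on constructed sample files.
demo() {
    d=$(mktemp -d)
    # Constructed placeholder PEM files, written WITHOUT a final newline.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFB' \
        '-----END CERTIFICATE-----' > "$d/a.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QkJC' \
        '-----END CERTIFICATE-----' > "$d/b.crt"
    cat "$d/a.crt" "$d/b.crt" > "$d/naive.pem"
    for c in "$d/a.crt" "$d/b.crt"; do
        append_cert "$d/safe.pem" "$c"
    done
    echo "naive=$(count_fused_boundaries "$d/naive.pem")" \
         "safe=$(count_fused_boundaries "$d/safe.pem")"
    rm -rf "$d"
}
```

Running `count_fused_boundaries` against the certifi `cacert.pem` after the install step gives a quick health check: any value above 0 means the bundle will fail to load.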
- is cloned by: PROJQUAY-4315 cert_install.sh script incorrectly parses certificates in certain situations - Closed