Project Quay: PROJQUAY-4315

cert_install.sh script incorrectly parses certificates in certain situations


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • quay-v3.6.10
    • quay-v3.6.9
    • quay

      Script location: https://github.com/quay/quay/blob/master/conf/init/certs_install.sh

      Adding certs to the system store seems to work fine, but adding them to the Python store fails in certain situations. It seems that the script is not applying the newline correctly when going through the cert list. This causes the following:

      -----BEGIN CERTIFICATE-----
      MIIDfzCCAmegAwIBAgIBADANBgkqhkiG9w0BAQsFADB3MS0wKwYDVQQuEyQ5OWVh
      ...
      P+HJ1lPpvWItsfwJIRJwGIWYKLRXzUi9gGaXd9jN3F+x9+aSJzP6SfBcYwKt5exM
      XNIURF1JeFuj2lfdWfZ1aqnh5zbO9yw734qyZ5nhAL+teb0=
      -----END CERTIFICATE----------BEGIN CERTIFICATE-----
      MIIDUTCCAjmgAwIBAgIIbb5SXoMm9n8wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
      ...
      gTv00Wg5O3bvlV4V0I2HP9787Hjd739mPsr6aS2Iqu0KOTx+ag==
      -----END CERTIFICATE-----
      

      to be added to /usr/local/lib/python3.8/site-packages/certifi/cacert.pem bundle. When Python encounters this, it fails to decode the certificate and the following stack is observed:

      gunicorn-registry stdout | ssl.SSLError: [X509] PEM lib (_ssl.c:4265)
      gunicorn-registry stdout | urllib3.exceptions.SSLError: [X509] PEM lib (_ssl.c:4265)
      gunicorn-registry stdout | botocore.exceptions.SSLError: SSL validation failed for https://storage.googleapis.com/quay-tecpr01s-globpc-tesertoolsocp [X509] PEM lib (_ssl.c:4265)
      

      The end result is that pull fails with a 502 error.

      Attachments: ipa.crt (1 kB), Dave O'Connor

      People: Kenny Lee Sin Cheong (sleesinc), Ivan Bazulic (rhn-support-ibazulic)

      Votes: 0
      Watchers: 3
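      Added example, not part of the original report and not the project's certs_install.sh: a small POSIX shell illustration of the failure mode above (an END marker glued onto the next BEGIN marker because the appended certificate file has no trailing newline), the safe append that avoids it, a check that detects a glued bundle, and a repair for a bundle that is already broken. The certificate bodies are placeholder base64, not real certificates, and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Quay's certs_install.sh): append PEM blocks to a CA
# bundle without gluing "-----END CERTIFICATE-----" onto the following
# "-----BEGIN CERTIFICATE-----", which is what makes Python's PEM loader
# fail with "[X509] PEM lib".

# naive_append BUNDLE CERT: the pattern that produces the glued markers
# when CERT does not end with a newline. Kept here only to show the bug.
naive_append() {
  cat "$2" >> "$1"
}

# ensure_trailing_newline FILE: add '\n' if FILE is non-empty and its last
# byte is not a newline. $(tail -c 1 FILE) strips a trailing newline, so a
# non-empty result means the file does not end with one.
ensure_trailing_newline() {
  if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
    printf '\n' >> "$1"
  fi
}

# append_pem BUNDLE CERT: append CERT to BUNDLE with a newline guaranteed
# before and after the appended block.
append_pem() {
  ensure_trailing_newline "$1"
  cat "$2" >> "$1"
  ensure_trailing_newline "$1"
}

# check_bundle BUNDLE: fail if an END marker runs into a BEGIN marker or if
# the BEGIN/END marker counts differ (markers must sit alone on a line).
check_bundle() {
  if grep -q -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"; then
    echo "glued PEM markers in $1" >&2
    return 1
  fi
  begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -eq "$ends" ]
}

# count_certs BUNDLE: number of well-delimited certificate blocks.
count_certs() {
  grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# repair_bundle BUNDLE: split glued markers back onto separate lines.
# awk is used because a literal "\n" in a sed replacement is not portable.
repair_bundle() {
  awk '{ gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
              "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----"); print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_demo DIR: write two constructed PEM files (placeholder base64 bodies,
# not real certificates) WITHOUT trailing newlines, mimicking an attached
# .crt that ends right after its END marker, plus an empty bundle.
make_demo() {
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
    '-----END CERTIFICATE-----' > "$1/ca1.crt"
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
    '-----END CERTIFICATE-----' > "$1/ca2.crt"
  : > "$1/cacert.pem"
}
```

      On a real bundle, `openssl crl2pkcs7 -nocrl -certfile cacert.pem | openssl pkcs7 -print_certs -noout` is a quick way to confirm every block parses before restarting the registry; a glued bundle is exactly the kind that makes Python's `load_verify_locations()` raise the `[X509] PEM lib` error shown above.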