Description
Summary
The root CA certificate that is generated does not have the keyUsage defined (see https://github.com/canonical/microk8s/blob/master/microk8s-resources/actions/common/utils.sh#L689)
An example CA cert has the following extensions:
X509v3 extensions:
X509v3 Subject Key Identifier:
0E:EF:10:1C:40:F6:85:87:76:23:A4:40:C7:D7:73:41:AB:F4:9E:A8
X509v3 Authority Key Identifier:
0E:EF:10:1C:40:F6:85:87:76:23:A4:40:C7:D7:73:41:AB:F4:9E:A8
X509v3 Basic Constraints: critical
CA:TRUE
Python 3.13 now has:
Changed in version 3.13: The context now uses VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT in its default verify flags.
An example error when running kopf under Python 3.13:
[2025-02-11 21:16:16,609] kopf._core.reactor.o [ERROR ] Request attempt #9/9 failed; escalating: GET https://10.152.183.1:443/api -> ClientConnectorCertificateError(ConnectionKey(host='10.152.183.1', port=443, is_ssl=True, ssl=True, proxy=None, proxy_auth=None, proxy_headers_hash=None), SSLCertVerificationError(1,
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1028)'))
To work around this issue, the strict setting must be removed in order to establish an SSL connection to microk8s with the CA certificate, which is not ideal (there could be multiple packages, for example kopf, the kubernetes client, etc.) and less secure.
What Should Happen Instead?
Generate a CA certificate with keyUsage defined.
Is there another way to update the openssl.cnf file and its defaults? I see in:
and it refers to
export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"
however, I don't believe this is a file that users can update/modify.
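The following is an added example, not code from the microk8s repository or from the issue author. It generates two self-signed root CAs with OpenSSL, one whose `v3_ca` section omits `keyUsage` (the extension set quoted above) and one that adds `keyUsage = critical, keyCertSign, cRLSign`, issues a server certificate under each, checks whether the CA carries the Key Usage extension, and prints what `openssl verify -x509_strict` (the same strictness Python 3.13 enables through `VERIFY_X509_STRICT`) says about each chain. The subject names, SAN, validity periods, file names and the config layout are assumptions chosen for the demonstration; the config is passed with `-config`, so it does not depend on the snap's `openssl.cnf` or on `OPENSSL_CONF`.

```shell
#!/bin/sh
# Added example (not part of the microk8s issue or repository): generate a root CA
# with and without keyUsage, check a CA cert for the extension, and show what
# strict chain verification reports for each. All names below are placeholders.
set -eu

# Write a minimal OpenSSL config for a self-signed root CA. $2 selects whether
# the v3_ca section carries keyUsage (yes) or omits it (no).
write_ca_config() {   # $1 = config path, $2 = yes|no
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = example-root-ca

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
EOF
  if [ "$2" = yes ]; then
    # RFC 5280 4.2.1.3: a CA that signs certificates asserts keyCertSign.
    echo 'keyUsage               = critical, keyCertSign, cRLSign' >> "$1"
  fi
}

# Self-signed root CA from the given config (-config overrides OPENSSL_CONF).
gen_ca() {            # $1 = config, $2 = key out, $3 = cert out
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Issue a v3 server certificate under the given CA (constructed leaf; the CN
# and SAN are placeholders, not microk8s values).
issue_leaf() {        # $1 = ca cert, $2 = ca key, $3 = key out, $4 = cert out
  ext="$4.ext"
  cat > "$ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:kubernetes
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=kubernetes \
    -keyout "$3" -out "$4.csr" 2>/dev/null
  openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 30 -sha256 -extfile "$ext" -out "$4" 2>/dev/null
}

# Return 0 when the certificate carries an X509v3 Key Usage extension.
ca_has_keyusage() {   # $1 = cert
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage'
}

# Strict chain verification, as Python 3.13's default context requests.
# Prints OpenSSL's verdict; never aborts the script.
strict_verify() {     # $1 = ca cert, $2 = leaf cert
  openssl verify -x509_strict -CAfile "$1" "$2" 2>&1 || true
}

# Demo: build both variants in a scratch directory and report on each.
work=$(mktemp -d)
for variant in no yes; do
  write_ca_config "$work/$variant.cnf" "$variant"
  gen_ca "$work/$variant.cnf" "$work/$variant-ca.key" "$work/$variant-ca.crt"
  issue_leaf "$work/$variant-ca.crt" "$work/$variant-ca.key" \
    "$work/$variant-leaf.key" "$work/$variant-leaf.crt"
  if ca_has_keyusage "$work/$variant-ca.crt"; then
    echo "keyUsage=$variant: CA cert has a Key Usage extension"
  else
    echo "keyUsage=$variant: CA cert is MISSING the Key Usage extension"
  fi
  strict_verify "$work/$variant-ca.crt" "$work/$variant-leaf.crt"
done
rm -rf "$work"
```

`ca_has_keyusage` is the check to run against an existing CA bundle (for example the one microk8s hands out in a kubeconfig) before upgrading clients to Python 3.13; `strict_verify` prints the local OpenSSL's own verdict for each chain so the reader can see which error, if any, strict mode raises against the keyUsage-less root on their OpenSSL version. Fixing the CA config is preferable to clearing `VERIFY_X509_STRICT` in every client, since the flag also enforces other RFC 5280 checks.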