cert-gen: minimum fields length are now enforced #15
Set the example.com CA to the same as the timezone
Can one of the admins verify this patch?
Seems like it always generated the cert for 127.0.0.1 and not the IP? But saw you had disabled it (the certain) altogether instead.
retest this please.
@afbjorklund which version of docker is it failing with? We do test this ISO using our CI and it passes without this patch.
@@ -33,7 +33,7 @@ echo $password > $passfile | |||
|
|||
# Generate the CA | |||
openssl genrsa -aes256 -passout file:$passfile -out ca-key.pem 2048 | |||
openssl req -new -x509 -passin file:$passfile -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=/ST=/L=/O=/OU=/CN=example.com" | |||
openssl req -new -x509 -passin file:$passfile -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=US/ST=NY/L=New York/O=Example/OU=X/CN=example.com" |
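Review bot: the non-empty subject on the new line fixes the rejection, but nothing in the script records why those placeholder values have to stay; add a comment above the `openssl req` line stating that the OpenSSL policy on the image enforces a minimum length for the C/ST/L/O/OU fields, so the old `/C=/ST=/L=/O=/OU=/CN=example.com` is not reintroduced as a cleanup later. The unchanged `-days 365` on the same line also caps the CA at one year; if an ISO built from this is expected to run longer than that without regenerating, the CA validity needs a larger value.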
Right, this was one of my original complaints with the Fedora ISO, as the same issue happened also with the CentOS ISO. It enforces the information to be 'realistic'. However, can we at least use minishift.io instead? example.com is an owned/existing domain. Also, the locality can be something like Interwebs, which feels less realistic but acceptable.
It also complained about the IP (127.0.0.1)
See previous comment (as submit accidentally happened ;-)
@praveenkumar: this was with just docker-machine, and started out with minikube-centos-iso (with Fedora), and before I noticed that you had commented out the call to the certificate generation in minikube... https://github.com/minishift/minishift-centos-iso/blob/master/centos-7.template#L130:L131 But I can try it again with the actual ISO, if you find that it works for you with empty certs. I tried with Fedora 27, maybe something has changed for Fedora 28 or something? But I got an openssl error. Was trying the ISO out as a basis for podman/buildah, but think that I will just start over instead.
@afbjorklund can you put all the info, step by step, about how you are using this ISO and hitting this issue? I am still not sure why on the minishift side we are not getting this issue.
I believe that I just ran the I was using https://github.com/minishift/minishift-fedora-iso/blob/master/fedora.template#L124 Couldn't find where you are using the certificate, but will run it again when I have the opportunity... |
Waiting for the vagrant files to download, here is what I got when I ran the command in Fedora 28:
The rest of the script keeps on slugging, but there are no ca/cert/key files being generated here. Since you have removed them from the docker config, I'm not sure it matters. But that's the bug?

# update docker.service file to exec the certificate generation script
sed -i.back 's/ExecStart=/ExecStartPre=\/usr\/local\/bin\/minishift-cert-gen\n&/' /usr/lib/systemd/system/docker.service
sed -i.back '/After=*/c\After=network.target rc-local.service' /usr/lib/systemd/system/docker.service
sed -i.back '/After=*/c\After=cloud-init.service rc-local.service' /usr/lib/systemd/system/docker-storage-setup.service
-# update the docker config to listen on TCP as well as unix socket
-sed -i.back '/OPTIONS=*/c\OPTIONS="--selinux-enabled --log-driver=journald -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem --tlsverify"' /etc/sysconfig/docker
-
# update docker-storage to use overlay2 as default storage driver
echo 'DOCKER_STORAGE_OPTIONS="--storage-driver overlay2"' > /etc/sysconfig/docker-storage
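Review bot: the `/After=*/` and `/OPTIONS=*/` addresses on the `sed` lines match "After" or "OPTIONS" followed by zero or more "=" characters anywhere in a line, so `c\` rewrites any line that merely contains those words (a comment line included), not only the `After=` and `OPTIONS=` keys; anchor them as `/^After=/` and `/^OPTIONS=/`. With the `OPTIONS=` line removed (the three `-` lines), the daemon no longer starts with `-H tcp://0.0.0.0:2376` and `--tlsverify`, so whatever `minishift-cert-gen` writes from `ExecStartPre` is never consumed by docker, which is consistent with the missing ca/cert/key files going unnoticed.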
Seems like docker was failing to generate a certificate?