Fixes #37828: Ignore system CA trust when verifying certificates
(cherry picked from commit d54d28a)
ehelms authored and ekohl committed Oct 11, 2024
1 parent 3c2d385 commit a25324c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion bin/katello-certs-check
@@ -157,7 +157,7 @@ function check-priv-key () {
function check-ca-bundle () {
printf "Checking CA bundle against the certificate file: "
ERROR_PATTERN="error [0-9]+ at"
CHECK=$(openssl verify -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
CHECK=$(openssl verify -no-CApath -no-CAstore -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
CHECK_STATUS=$?

if [[ $CHECK_STATUS != "0" || $CHECK =~ $ERROR_PATTERN ]]; then
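Review bot: `-no-CAstore` on the replaced `CHECK=$(openssl verify -no-CApath -no-CAstore ...)` line only exists in OpenSSL 3.0 and later; OpenSSL 1.1.1 knows `-no-CApath` but rejects `-no-CAstore` as an unknown option and exits non-zero, so the `$CHECK_STATUS != "0"` branch reports [FAIL] for a CA bundle that would otherwise verify, which matches the `verify: Option unknown option -no-CAstore` output on OpenSSL 1.1.1k reported in the comment below. Suggest probing support before adding the flag, e.g. `NO_CASTORE=""; openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && NO_CASTORE="-no-CAstore"`, and passing `$NO_CASTORE` in place of the literal, or else documenting OpenSSL 3.0 as the minimum for this script. Minor: `$CA_BUNDLE_FILE` and `$CERT_FILE` stay unquoted on the same line, so paths containing spaces still split into multiple arguments.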

2 comments on commit a25324c

@mbartusiak mbartusiak commented on a25324c Nov 14, 2024

Hi,
Could you please tell me what version of openssl this was tested with? This breaks the migration to 3.11.4 on my machine.

Checking CA bundle against the certificate file:
[FAIL]
<redacted>
verify: Option unknown option -no-CAstore
# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
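The failure reported above comes from passing an option the installed openssl does not know. The following is an added example, not code from the katello-certs-check script or the Katello project, showing one way to choose the "ignore system trust" flags at run time from what `openssl verify -help` advertises, so the same check works on OpenSSL 1.1.1 (which has `-no-CApath` only) and on OpenSSL 3.x (which also has `-no-CAstore`). The function names are mine, the help-text excerpts are constructed to mirror each version's option listing rather than captured from real binaries, and the wrapper assumes an `openssl` binary on PATH.

```shell
#!/usr/bin/env sh
# Added example, not part of katello-certs-check: pick the openssl verify
# options that disable the system CA path/store based on what the installed
# openssl lists in its help output. OpenSSL 1.1.1 knows -no-CApath but not
# -no-CAstore (added in OpenSSL 3.0); passing -no-CAstore unconditionally
# turns a valid bundle into "[FAIL] ... Option unknown option -no-CAstore".

# Pure function: given the text of `openssl verify -help`, print the subset
# of -no-CApath / -no-CAstore that the help output lists, space separated.
ignore_system_trust_opts() {
    help_text=$1
    opts=""
    for opt in -no-CApath -no-CAstore; do
        # help lines look like " -no-CAstore   Do not load certificates from ..."
        if printf '%s\n' "$help_text" | grep -qE "^[[:space:]]*$opt([[:space:]]|\$)"; then
            opts="$opts $opt"
        fi
    done
    printf '%s' "${opts# }"
}

# Query the real binary (assumes `openssl` on PATH).
detect_ignore_system_trust_opts() {
    ignore_system_trust_opts "$(openssl verify -help 2>&1)"
}

# Same check as the script's check-ca-bundle, with the trust options chosen
# at run time. Returns 0 when the bundle verifies the certificate, 1 otherwise.
check_ca_bundle() {
    ca_bundle_file=$1
    cert_file=$2
    trust_opts=$(detect_ignore_system_trust_opts)
    error_pattern="error [0-9]+ at"
    # $trust_opts is intentionally unquoted so it splits into separate flags;
    # the file paths are quoted so spaces in them do not split.
    check=$(openssl verify $trust_opts -CAfile "$ca_bundle_file" -purpose sslserver -verbose "$cert_file" 2>&1)
    check_status=$?
    if [ "$check_status" != 0 ] || printf '%s\n' "$check" | grep -qE "$error_pattern"; then
        printf '[FAIL]\n%s\n' "$check"
        return 1
    fi
    printf '[OK]\n'
    return 0
}

# Constructed help excerpts (not captured from real binaries), in the layout
# each version prints, used to exercise the option detection offline.
OPENSSL_111_HELP=' -CAfile infile     A file of trusted certificates
 -no-CAfile         Do not load the default certificates file
 -no-CApath         Do not load certificates from the default certificates directory
 -CApath dir        A directory of trusted certificates'

OPENSSL_3_HELP=' -CAfile infile     A file of trusted certificates
 -CApath dir        A directory of trusted certificates
 -CAstore uri       URI of a store of trusted certificates
 -no-CAfile         Do not load the default certificates file
 -no-CApath         Do not load certificates from the default certificates directory
 -no-CAstore        Do not load certificates from the default certificates store'

# Usage: ./check_ca_bundle.sh CA_BUNDLE_FILE CERT_FILE
if [ "$#" -eq 2 ]; then
    check_ca_bundle "$1" "$2"
fi
```

With the 1.1.1-style help text the detection yields `-no-CApath` alone; with the 3.x-style text it yields `-no-CApath -no-CAstore`. Either way the verify command only ever receives options the binary accepts, so a [FAIL] from this check means the bundle really did not verify the certificate rather than that the script guessed the wrong OpenSSL version.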

@ekohl ekohl commented on a25324c Nov 14, 2024

Thanks for reminding me to revisit #991.
