
Bug#989575: cloud-init: ca-certs are not getting properly installed if provided more than one



On Mon, Jun 07, 2021 at 11:00:42PM +0200, Vladimir Tiukhtin wrote:
> I use "ca-certs" to supply additional certificates. With just one certificate everything
> works as expected, however when provided more than one, cloud-init adds them into a single
> file which causes "openssl rehash" to fail as it expects exactly one certificate per file.
> As a result, programmes using openssl do not trust certificates issued by provided CAs.

The certificates do still get added to
/etc/ssl/certs/ca-certificates.crt, so you should still be able to do
file-based verification even if path-based verification doesn't work.
(See
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html
and the -CApath and -CAfile options to "openssl verify")

> The bug is confirmed on Hetzner Cloud. I did not try other clouds

There's nothing provider-specific about this functionality, so it will
impact people regardless of where cloud-init is running.

I've forwarded your report upstream. See
https://bugs.launchpad.net/cloud-init/+bug/1931174

noah
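
A way to check a certificate directory for the condition discussed in this thread (several certificates in one file, which path-based lookup cannot index) and to split such a file into one certificate per file. This is an added example, not part of the original messages and not cloud-init code; the function names are hypothetical and the sample data is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example: locate PEM files that hold more than one certificate and
# split them so that each output file contains exactly one.

# count_certs FILE -> prints the number of certificates found in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# multi_cert_files DIR -> prints every *.crt / *.pem in DIR with >1 certificate
# (a deliberate CAfile-style bundle in DIR will be listed too)
multi_cert_files() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        n=$(count_certs "$f")
        if [ "$n" -gt 1 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# split_bundle FILE OUTDIR PREFIX -> writes OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ...
# with one certificate each; prints how many files were written
split_bundle() {
    awk -v out="$2/$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = out "-" n ".crt"; inside = 1 }
        inside                        { print > file }
        /-----END CERTIFICATE-----/   { if (inside) close(file); inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# Demo on constructed placeholder data (not real certificates).
demo() {
    d=$(mktemp -d)
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER$i" \
                      '-----END CERTIFICATE-----'
    done > "$d/bundle.crt"
    multi_cert_files "$d"                      # lists $d/bundle.crt
    split_bundle "$d/bundle.crt" "$d" split    # prints 2
    rm -rf "$d"
}
demo
```

Text outside the BEGIN/END markers is dropped when splitting. After splitting real certificates, "openssl rehash" can be run on the output directory.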

