
[v7r3] Tests: remove the email address of the self generated certificates #5046

Merged
atsareg merged 1 commit into DIRACGrid:integration from chaen:rel-v7r3_FIX_testUserMail
Mar 31, 2021

@chaen chaen commented Mar 18, 2021


The proxies generated with the self-signed test users were not following RFC3820 (see details below). This went unnoticed because this specific part of the RFC is only enforced since the openssl 1.1 series (openssl/openssl@c822353).

The specific part we are not respecting is section 3.4:

   The subject field of a Proxy Certificate MUST be the issuer field
   (that is the subject of the Proxy Issuer) appended with a single
   Common Name component.

This is the certificate we were generating:

[dirac@server user]$ openssl x509 -in /home/dirac/ServerInstallDIR/user/client.pem -noout -subject -issuer
subject=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser, emailAddress = lhcb-dirac-ci@cern.ch
issuer=O = DIRAC CI, CN = DIRAC CI Signing Certification Authority

And this is the proxy that comes out of it:

[dirac@server user]$ openssl x509 -in /tmp/x509up_u1000 -noout -subject -issuer
subject=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser/emailAddress=lhcb-dirac-ci@cern.ch, CN = 4091627920
issuer=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser, emailAddress = lhcb-dirac-ci@cern.ch

As you can see, it does not follow the description above.

So to fix this, I just removed the email bit from the test config.

It should fix #5003.

BEGINRELEASENOTES
*Test
CHANGE: don't use mail in the self generated certificates

ENDRELEASENOTES

@atsareg atsareg merged commit 0825e91 into DIRACGrid:integration Mar 31, 2021
@chaen chaen deleted the rel-v7r3_FIX_testUserMail branch June 11, 2024 11:24
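
The RFC 3820 section 3.4 rule quoted in the description can be checked mechanically. The following is an added example, not code from this PR or from DIRAC: it parses the `openssl x509 -noout -subject -issuer` text in the OpenSSL 1.1 format shown above and reports where a proxy subject is not the issuer name plus a single CN. The function and constant names are hypothetical, and the parser assumes no attribute value contains a comma followed by `TYPE =`.

```python
import re

# Split only at a comma followed by "TYPE =", so a comma inside a value survives.
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")

def parse_name(line):
    """Turn 'subject=C = ch, O = DIRAC, ...' into a list of (type, value) pairs."""
    _, _, name = line.partition("=")  # drop the 'subject=' / 'issuer=' label
    rdns = []
    for part in _RDN_SPLIT.split(name.strip()):
        rdn_type, _, value = part.partition("=")
        rdns.append((rdn_type.strip(), value.strip()))
    return rdns

def check_proxy_subject(subject_line, issuer_line):
    """Return the RFC 3820 section 3.4 violations found (empty list = compliant)."""
    subject, issuer = parse_name(subject_line), parse_name(issuer_line)
    problems = []
    if len(subject) != len(issuer) + 1:
        problems.append("subject has %d components, expected issuer's %d plus one"
                        % (len(subject), len(issuer)))
    for pos, (want, got) in enumerate(zip(issuer, subject)):
        if want != got:
            problems.append("component %d is %r, issuer has %r" % (pos, got, want))
            break
    if not subject or subject[-1][0] != "CN":
        problems.append("last subject component is not a Common Name")
    return problems

# Proxy subject/issuer copied from the openssl output quoted in the PR description.
PR_SUBJECT = ("subject=C = ch, O = DIRAC, OU = DIRAC CI, "
              "CN = ciuser/emailAddress=lhcb-dirac-ci@cern.ch, CN = 4091627920")
PR_ISSUER = ("issuer=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser, "
             "emailAddress = lhcb-dirac-ci@cern.ch")
# Constructed sample: the shape expected once the e-mail attribute is gone.
FIXED_SUBJECT = "subject=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser, CN = 4091627920"
FIXED_ISSUER = "issuer=C = ch, O = DIRAC, OU = DIRAC CI, CN = ciuser"

if __name__ == "__main__":
    for label, subj, iss in (("from the PR", PR_SUBJECT, PR_ISSUER),
                             ("constructed", FIXED_SUBJECT, FIXED_ISSUER)):
        found = check_proxy_subject(subj, iss)
        print(label, "->", found or "subject = issuer + one CN")
```

On the PR's proxy the e-mail attribute has been folded into the `CN` value, so the subject neither starts with the issuer's components nor has one more component than the issuer.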

Development

Successfully merging this pull request may close these issues.

Unable to connect to a sever running Python 3
