** Description changed: + == Begin SRU Information == + [Impact] + * a documented feature of cloud-init, for adding ca-certificates does not function as it should. Instead, certificates added in this manner simply are ignored. This is because apparently, a line directly following a blank line in /etc/ca-certificates.conf is ignored. + + [Test Case] + - start a cloud instance with no user-data + - add content below to /etc/cloud/cloud.cfg.d/99-local-certs.cfg + - run the ca-certs code through cloud-init single + you will see output from update-ca-certificates indicating no + new certificates were added + $ sudo cloud-init single --name=ca_certs --frequency=always + Cloud-init v. 0.7 running 'single' at Sun, 02 Dec 2012 02:23:21 +0000. Up 2429.68 seconds. + Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. + Running hooks in /etc/ca-certificates/update.d....done. + + # this can be fixed by removing the blank line and re-running + # update-ca-certificates + Also, note that the following has no output: + $ ls -l /usr/lib/ssl/certs/ | grep -i cloud + - edit /etc/ca-certificates.conf, remove cloud-init added entry + $ sed -i '/cloud-init-ca-certs.crt/d' + - upgrade cloud-init, re-run the ca_certs + $ sudo dpkg -i cloud-init_all.deb + $ sudo cloud-init single --name=ca_certs --frequency=always + + This time, you will see output containing: "1 added, 0 removed; done." + Also, (trimmed output), you will see: + $ ls -l /usr/lib/ssl/certs/ | grep -i cloud + lrwxrwxrwx b1d2b355.0 -> cloud-init-ca-certs.pem + lrwxrwxrwx cbbf81bb.0 -> cloud-init-ca-certs.pem + lrwxrwxrwx cloud-init-ca-certs.pem -> /usr/share/ca-certificates/cloud-init-ca-certs.crt + + [Regression Potential] + * regression potential is low. It could break the ca_certs module further, but the module is not functional as it is. Tracebacks are caught when modules are executed, so there is really no potential for further harm. 
+ + == End SRU Information == + Using a cloud-init yaml file adding a certificate like this: + # BEGIN /etc/cloud/cloud.cfg.d/99-local-certs.cfg ca-certs: - # If present, the 'trusted' parameter should contain a certificate (or list - # of certificates) to add to the system as trusted CA certificates. - # Pay close attention to the YAML multiline list syntax. The example shown - # here is for a list of multiline certificates. - # - Amazon RDS SSL Certificate (http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem) - trusted: - - | - -----BEGIN CERTIFICATE----- - MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV - BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw - EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h - bWF6b24uY29tL3Jkcy8wHhcNMTAwNDA1MjI0NDMxWhcNMTUwNDA0MjI0NDMxWjB1 - MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh - dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD - ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB - gQDKhXGU7tizxUR5WaFoMTFcxNxa05PEjZaIOEN5ctkWrqYSRov0/nOMoZjqk8bC - med9vPFoQGD0OTakPs0jVe3wwmR735hyVwmKIPPsGlaBYj1O6llIpZeQVyupNx56 - UzqtiLaDzh1KcmfqP3qP2dInzBfJQKjiRudo1FWnpPt33QIDAQABo4HaMIHXMB0G - A1UdDgQWBBT/H3x+cqSkR/ePSIinPtc4yWKe3DCBpwYDVR0jBIGfMIGcgBT/H3x+ - cqSkR/ePSIinPtc4yWKe3KF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh - c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x - DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAOd1 - tlfiGoEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAvguZy/BDT66x - GfgnJlyQwnFSeVLQm9u/FIvz4huGjbq9dqnD6h/Gm56QPFdyMEyDiZWaqY6V08lY - LTBNb4kcIc9/6pc0/ojKciP5QJRm6OiZ4vgG05nF4fYjhU7WClUx7cxq1fKjNc2J - UCmmYqgiVkAGWRETVo+byOSDZ4swb10= - -----END CERTIFICATE----- + # If present, the 'trusted' parameter should contain a certificate (or list + # of certificates) to add to the system as trusted CA certificates. + # Pay close attention to the YAML multiline list syntax. 
The example shown + # here is for a list of multiline certificates. + # - Amazon RDS SSL Certificate (http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem) + trusted: + - | + -----BEGIN CERTIFICATE----- + MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV + BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw + EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h + bWF6b24uY29tL3Jkcy8wHhcNMTAwNDA1MjI0NDMxWhcNMTUwNDA0MjI0NDMxWjB1 + MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh + dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD + ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB + gQDKhXGU7tizxUR5WaFoMTFcxNxa05PEjZaIOEN5ctkWrqYSRov0/nOMoZjqk8bC + med9vPFoQGD0OTakPs0jVe3wwmR735hyVwmKIPPsGlaBYj1O6llIpZeQVyupNx56 + UzqtiLaDzh1KcmfqP3qP2dInzBfJQKjiRudo1FWnpPt33QIDAQABo4HaMIHXMB0G + A1UdDgQWBBT/H3x+cqSkR/ePSIinPtc4yWKe3DCBpwYDVR0jBIGfMIGcgBT/H3x+ + cqSkR/ePSIinPtc4yWKe3KF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh + c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x + DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAOd1 + tlfiGoEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAvguZy/BDT66x + GfgnJlyQwnFSeVLQm9u/FIvz4huGjbq9dqnD6h/Gm56QPFdyMEyDiZWaqY6V08lY + LTBNb4kcIc9/6pc0/ojKciP5QJRm6OiZ4vgG05nF4fYjhU7WClUx7cxq1fKjNc2J + UCmmYqgiVkAGWRETVo+byOSDZ4swb10= + -----END CERTIFICATE----- + # END /etc/cloud/cloud.cfg.d/99-local-certs.cfg The certificate is added to the /etc/ca-certificates.conf file but there is a blank line between the previous content and the line added by cloud-init. In this situation running update-ca-certificates doesn't take the cloud-init certificates into account. Removing the blank line and running update-ca-certificates again fixes the issue. 
ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: cloud-init 0.6.3-0ubuntu1.1 ProcVersionSignature: User Name 3.2.0-31.50-virtual 3.2.28 Uname: Linux 3.2.0-31-virtual x86_64 ApportVersion: 2.0.1-0ubuntu14 Architecture: amd64 Date: Fri Nov 9 15:01:03 2012 Ec2AMI: ami-3d4ff254 Ec2AMIManifest: (unknown) Ec2AvailabilityZone: us-east-1d Ec2InstanceType: m1.medium Ec2Kernel: aki-825ea7eb Ec2Ramdisk: unavailable PackageArchitecture: all ProcEnviron: - TERM=screen - PATH=(custom, user) - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=screen + PATH=(custom, user) + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: cloud-init UpgradeStatus: No upgrade log present (probably fresh install)
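Review bot: In the [Test Case] step "edit /etc/ca-certificates.conf, remove cloud-init added entry", the command `sed -i '/cloud-init-ca-certs.crt/d'` has no file operand, so as written it cannot be copy-pasted to perform the edit the step describes. It should name the file and, like the other commands in the test case, run under sudo, for example `sudo sed -i '/cloud-init-ca-certs\.crt/d' /etc/ca-certificates.conf`. Escaping the dots keeps the pattern from matching unrelated entries.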
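Review bot: The [Impact] paragraph states the cause only as "apparently, a line directly following a blank line in /etc/ca-certificates.conf is ignored", and the [Test Case] verifies the fix only through the "1 added, 0 removed" count and the symlink listing. Since the bug title is about the blank line itself, add a step that shows the end of /etc/ca-certificates.conf before and after the upgrade, so the verifier can confirm the new package writes the cloud-init-ca-certs.crt entry without the preceding blank line. It would also help to say explicitly that the added CA is not trusted by the system store until the workaround is applied, since that is the user-visible effect of the certificates being ignored.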
https://bugs.launchpad.net/bugs/1077020
Title: cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf