Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/02/17 09:59:52 UTC

[GitHub] [pulsar] sijie opened a new pull request #9607: Fix expired tls certs for cpp tests

sijie opened a new pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607


   *Problem*
   
   The current master is broken because an expired CA cert is used in CPP tests.
   
   *Modification*
   
   Use the certs we used for integration tests to keep it consistent across the repo.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] sijie commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
sijie commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780732048


   @merlimat thank you!





[GitHub] [pulsar] eolivelli commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780617830


   /pulsarbot run-failure-checks





[GitHub] [pulsar] merlimat merged pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
merlimat merged pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607


   





[GitHub] [pulsar] BewareMyPower commented on a change in pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
BewareMyPower commented on a change in pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#discussion_r577500669



##########
File path: pulsar-broker/src/test/resources/authentication/tls/cacert.pem
##########
@@ -1,62 +1,29 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            88:08:98:b3:13:d8:00:94
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, ST=CA, O=Apache, OU=Pulsar Incubator, CN=localhost
-        Validity
-            Not Before: Feb 17 01:37:33 2018 GMT
-            Not After : Feb 16 01:37:33 2021 GMT
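Review bot: the removed text header is the only place in `cacert.pem` where the expiry (`Not After : Feb 16 01:37:33 2021 GMT`) and the signature algorithm (`sha1WithRSAEncryption`) can be read without decoding the PEM body, so if the replacement file is PEM only, keep an `openssl x509 -text` dump above it or add a test-setup check that fails ahead of the expiry date. The old validity window visible here was three years (Feb 2018 to Feb 2021); record the new lifetime somewhere reviewers will see it, and confirm the replacement CA is not signed with SHA-1.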

Review comment:
   I'm not familiar with TLS certificates but just have a question. The original `Certificate - Data - Validity` block has the `Not After` field that might lead to the broken CI. After this change, should we also keep the header-like block to record the `Not After` time?
   
   I think the root cause is #1244 that intended to create certs which will expire after year 2030. However, the `cacert.pem` still expired after 2021-02-16.







[GitHub] [pulsar] eolivelli commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780653081


   /pulsarbot run-failure-checks





[GitHub] [pulsar] merlimat commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
merlimat commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780676576


   @sijie There are still tests failing because clients are validating the "hostname" with the CN of the certificate. The tests expect the certificates to be issued with CN `localhost`.





[GitHub] [pulsar] lhotari commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780474663


   btw. Some of the previous test keys/certificates weren't TLS 1.3 compatible. I assume that this problem also gets fixed?
   TLS 1.3 dropped support for SHA-1 signature hashes and DSA keys and will reject those. The rejection error message might be about an invalid certificate.
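
A check over the text header that the removed lines of `cacert.pem` carried, reading `Not After` and `Signature Algorithm` so that both the expiry and the SHA-1 concern raised in this thread can be caught before CI breaks. This is an added example, not part of the thread or of the Pulsar code base; `parse_header`, `audit` and `min_days_left` are hypothetical names, and the sample header is the one quoted in the review comment earlier in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Text header copied from the removed lines of cacert.pem quoted in this thread.
OLD_CACERT_HEADER = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:08:98:b3:13:d8:00:94
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=Apache, OU=Pulsar Incubator, CN=localhost
        Validity
            Not Before: Feb 17 01:37:33 2018 GMT
            Not After : Feb 16 01:37:33 2021 GMT
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used in the header above


def parse_header(text):
    """Pull the fields of interest out of an `openssl x509 -text` style header."""
    fields = {}
    for key in ("Signature Algorithm", "Issuer", "Not Before", "Not After"):
        m = re.search(rf"^[ \t]*{key}[ \t]*:[ \t]*(.+?)[ \t]*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    return fields


def audit(text, now, min_days_left=30):
    """Return findings for one header; an empty list means it passes."""
    fields, findings = parse_header(text), []
    if "Not After" not in fields:
        findings.append("no Not After in header: expiry is not readable from the file")
    else:
        end = datetime.strptime(fields["Not After"], DATE_FMT).replace(tzinfo=timezone.utc)
        if end <= now:
            findings.append(f"expired on {end:%Y-%m-%d}")
        elif end - now < timedelta(days=min_days_left):
            findings.append(f"expires in {(end - now).days} days")
    alg = fields.get("Signature Algorithm", "")
    if re.search(r"sha1|^dsa", alg, re.I):  # SHA-1 hashes and DSA, as named in the thread
        findings.append(f"signature algorithm {alg} uses SHA-1 or DSA")
    return findings


if __name__ == "__main__":  # evaluated at the time the pull request was posted
    posted = datetime(2021, 2, 17, 9, 59, 52, tzinfo=timezone.utc)
    print("\n".join(audit(OLD_CACERT_HEADER, posted)))
```

The check only sees what the text header records, so a PEM file without that header is reported as having no readable expiry rather than being decoded.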





[GitHub] [pulsar] jiazhai commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
jiazhai commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780518003


   /pulsarbot run-failure-checks





[GitHub] [pulsar] merlimat commented on pull request #9607: Fix expired tls certs for cpp tests

Posted by GitBox <gi...@apache.org>.
merlimat commented on pull request #9607:
URL: https://github.com/apache/pulsar/pull/9607#issuecomment-780716075


   I've regenerated the certs with "localhost" for broker CN

