
[Bug]: Duplicate alias issue in __cacert_entrypoint.sh when distributing new intermediate certificates #640

Closed
sighanse opened this issue Aug 26, 2024 · 4 comments · Fixed by #642
Labels: bug (Something isn't working)

@sighanse

Please add the exact image (with tag) that you are using

eclipse-temurin:17-jdk-alpine

Please add the version of Docker you are running

containerd://1.6.28

What happened?

We encountered an issue during the renewal process of our internal intermediate certificate. As part of this process, both the old and new certificates are distributed. However, the newer __cacert_entrypoint.sh script generates the alias from the Subject's CN. Since both our old and new intermediate certificates have the same CN, the keytool command is failing with the following error:

keytool error: java.lang.Exception: Certificate not imported, alias <NAME OF INTERMEDIATE CERT> already exists.

Steps to Reproduce:

1. Distribute both the old and new intermediate certificates, ensuring both have the same Subject CN.
2. Run the __cacert_entrypoint.sh script, which triggers the keytool command to import the certificates.

Expected Behavior:

The script should handle the import of both certificates, even if they share the same Subject CN, without throwing an error.

Actual Behavior:

The script fails with a keytool error because it tries to create an alias using the Subject CN, which results in a duplicate alias.

Temporary Workaround:

Removing one of the intermediate certificates temporarily resolves the issue. However, we need both certificates to be present during the transition period.

Proposed Solution:

Consider modifying the __cacert_entrypoint.sh script to generate unique aliases, potentially by incorporating additional certificate details (such as the serial number or a timestamp) into the alias.

Additional Information:

Impact:

This issue impacts our certificate renewal process, as we need both the old and new intermediate certificates to coexist until the transition is complete.

Relevant log output

No response
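The clash the report describes comes from using the Subject CN alone as the keytool alias. The following is an added example, not the eclipse-temurin __cacert_entrypoint.sh or any code from the project: it derives the alias from the CN plus a prefix of the certificate's SHA-256 fingerprint, so an old and a renewed intermediate with the same CN get distinct aliases, and it skips (rather than aborts on) a certificate whose alias is already in the keystore. It assumes `openssl` and `keytool` are on PATH, that the certificates are PEM files, and that the truststore path and password are passed in; the function names and the sample paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not the eclipse-temurin __cacert_entrypoint.sh): import a
# directory of PEM CA certificates into a Java truststore with aliases that
# stay unique even when several certificates share a Subject CN.
# Assumes openssl and keytool are on PATH; names here are illustrative.
set -eu

# make_alias CN FINGERPRINT
# Builds "<cn-slug>_<first 16 hex digits of the SHA-256 fingerprint>" so the
# old and the renewed intermediate (same CN, different key/serial) never
# collide. The CN is attacker-influenced text from the certificate, so it is
# lower-cased and reduced to [a-z0-9_] before it becomes an alias.
make_alias() {
    cn_slug=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cs 'a-z0-9' '_')
    fp_short=$(printf '%s' "$2" | tr -d ':' | tr '[:upper:]' '[:lower:]' | cut -c1-16)
    printf '%s_%s\n' "$cn_slug" "$fp_short"
}

# cert_cn FILE -> Subject CN of a PEM certificate (first CN if several)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8,esc_ctrl \
        | sed -n 's/^ *CN=//p' | head -n 1
}

# cert_fp FILE -> SHA-256 fingerprint as openssl prints it (colon-separated hex)
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# import_certs DIR KEYSTORE STOREPASS
# Imports every *.pem / *.crt in DIR. A certificate whose alias already
# exists (same CN and same fingerprint, i.e. the same certificate shipped
# twice) is skipped, so the loop never aborts with "alias already exists".
import_certs() {
    dir=$1; keystore=$2; storepass=$3
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # unmatched glob
        alias=$(make_alias "$(cert_cn "$cert")" "$(cert_fp "$cert")")
        if keytool -list -keystore "$keystore" -storepass "$storepass" \
                   -alias "$alias" >/dev/null 2>&1; then
            echo "skipping $cert: alias $alias already in keystore" >&2
            continue
        fi
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$keystore" -storepass "$storepass" \
            -alias "$alias" -file "$cert"
    done
}

# Stand-alone use (assumed paths; "changeit" is the JDK default truststore password):
#   sh import_certs.sh /certificates /opt/java/openjdk/lib/security/cacerts changeit
if [ "$#" -eq 3 ]; then
    import_certs "$@"
fi
```

Because the fingerprint covers the whole DER certificate, any difference between the two intermediates (new key, new serial, new validity) produces a different alias, while re-running the script against a keystore that already holds a certificate is idempotent.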

@sighanse sighanse added the bug Something isn't working label Aug 26, 2024
@jerboaa commented Aug 27, 2024

@rassie Perhaps something you would be interested in looking into?

@gdams (Member) commented Oct 21, 2024

@sighanse would you be able to try ghcr.io/gdams/17-jdk-alpine which contains the fix in #642?

@sighanse (Author) commented Oct 21, 2024

> @sighanse would you be able to try ghcr.io/gdams/17-jdk-alpine which contains the fix in #642?

lgtm. We have tested your image, and it works fine. Both intermediate certificates are installed. Thanks.

@gdams (Member) commented Oct 21, 2024

Great! I'll try and get this fix included in the upcoming release.
