
Upgrading from pre-certstore image to certstore image does not handle CA files with multiple certs
Needs testing · Normal · Public · BUG

Description

I am currently running VyOS 1.4-rolling-202107122017, which uses files and file paths in the config for certificates. I am using the ethernet eapol option. When upgrading to a release that uses certstore (for me, specifically VyOS 1.4-rolling-202112310821), the upgrade attempts to convert, but I noticed that the conversion produces a single CA in the certstore. This cert is in the following format (shortened to reduce the text wall):

-----BEGIN CERTIFICATE-----
PublicKeyHere01
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PublicKeyHere02
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PublicKeyHere03
-----END CERTIFICATE-----

The upgrade process does not seem to recognize a single file with multiple certificates in it; it treats it as a single certificate no matter what.

Additionally, eapol eventually kicks off a wpa_supplicant command and somehow passes the certificates to that binary (when running by hand, I pre-populate a file with file paths, I am not sure if VyOS does the same or not). I suspect this could also be an issue since the certificates would no longer be in a single "file".

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202112310821
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

I was able to test and get a screenshot of the exact error eapol spits out when using certstore as well.

[Attachment: image.png, screenshot of the eapol error]

[Attachment: image.png, second screenshot of the eapol error]

In case anyone comes across this bug report, I submitted a couple of PRs to fix this earlier this year: https://phabricator.vyos.net/T4245

With the new changes, the way to set it up is:

  1. Import each CA as a separate PKI entry: set pki ca <name> <contents>. <contents> is everything between BEGIN CERTIFICATE and END CERTIFICATE with the newlines removed. Once all the certificates are imported, in show pki, the intermediate CAs will point to the root CAs in the Parent column.
  2. Set the interface to use the intermediate CA: set interfaces ethernet <interface> eapol <intermediate ca>. VyOS will now automatically append the needed root CAs to wpa_supplicant's cert PEM file. For ATT Fiber specifically, the relevant intermediate CA is the Device Intermediate CA one (see show pki).
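As an added example (not VyOS code, and not the code from the PRs linked above), the following Python script covers both the problem described in the task (a CA file that bundles several certificates being treated as one entry) and step 1 of the fix (one set pki ca <name> <contents> command per certificate, with the newlines removed). It splits a PEM bundle into individual certificates, checks that each body is well-formed base64 that decodes to a DER SEQUENCE, and offers a check you can run against a certstore entry after an upgrade to spot a bundle that was migrated as a single entry. The sample bundle is constructed from three placeholder DER sequences, not real certificates; the entry name prefix is an arbitrary choice.

```python
"""Split a multi-certificate PEM bundle into individual VyOS PKI entries.

Added example, not VyOS code. It assumes only the command syntax quoted in
the task, `set pki ca <name> <contents>`, where <contents> is the base64 body
between the BEGIN/END CERTIFICATE markers with newlines removed.
"""
import base64
import re

# One match per "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list[str]:
    """Return the base64 body of every certificate in `text`, newlines removed.

    Each body must be well-formed base64 and decode to a DER SEQUENCE
    (leading 0x30 byte), which every X.509 certificate is.
    """
    bodies = []
    for match in _PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())  # drop newlines and other whitespace
        der = base64.b64decode(body, validate=True)  # raises ValueError on corrupt input
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        bodies.append(body)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found")
    return bodies


def entry_is_single_cert(contents: str) -> bool:
    """Post-upgrade check for one certstore entry.

    True only if the entry is a bare base64 body of a single DER SEQUENCE.
    A whole bundle migrated as one entry (markers and newlines still inside,
    as shown in the task description) fails this check.
    """
    if "-----" in contents or any(c.isspace() for c in contents):
        return False
    try:
        der = base64.b64decode(contents, validate=True)
    except ValueError:
        return False
    return len(der) > 0 and der[0] == 0x30


def vyos_pki_commands(text: str, name_prefix: str) -> list[str]:
    """Build one `set pki ca <name> <contents>` command per certificate."""
    return [
        f"set pki ca {name_prefix}-{i} {body}"
        for i, body in enumerate(split_pem_bundle(text), start=1)
    ]


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (used to build the sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: three placeholder DER SEQUENCEs (each wrapping
# INTEGER 1, 2 or 3), not real certificates, laid out like the three-cert
# CA file in the task description.
SAMPLE_BUNDLE = "".join(_pem(bytes([0x30, 0x03, 0x02, 0x01, n])) for n in (1, 2, 3))

if __name__ == "__main__":
    # A bundle migrated as a single entry fails the check; split entries pass.
    print("whole bundle as one entry is a single cert:", entry_is_single_cert(SAMPLE_BUNDLE))
    for cmd in vyos_pki_commands(SAMPLE_BUNDLE, "att-ca"):
        print(cmd)
```

Run it against the real CA file to get the set pki ca commands for step 1; afterwards, entry_is_single_cert can be applied to each value shown in the config to confirm that no entry still carries several certificates.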
Viacheslav changed the task status from Open to Needs testing. Jan 20 2024, 3:08 AM
Viacheslav triaged this task as Normal priority.