[Bug 1077020] Re: cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf
Scott Moser
smoser at ubuntu.com
Sun Dec 2 02:36:56 UTC 2012
** Description changed:
+ == Begin SRU Information ==
+ [Impact]
+ * a documented feature of cloud-init, for adding ca-certificates does not function as it should. Instead, certificates added in this manner simply are ignored. This is because apparently, a line directly following a blank line in /etc/ca-certificates.conf is ignored.
+
+ [Test Case]
+ - start a cloud instance with no user-data
+ - add content below to /etc/cloud/cloud.cfg.d/99-local-certs.cfg
+ - run the ca-certs code through cloud-init single
+ you will see output from update-ca-certificates indicating no
+ new certificates were added
+ $ sudo cloud-init single --name=ca_certs --frequency=always
+ Cloud-init v. 0.7 running 'single' at Sun, 02 Dec 2012 02:23:21 +0000. Up 2429.68 seconds.
+ Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
+ Running hooks in /etc/ca-certificates/update.d....done.
+
+ # this can be fixed by removing the blank line and re-running
+ # update-ca-certificates
+ Also, note that the following has no output:
+ $ ls -l /usr/lib/ssl/certs/ | grep -i cloud
+ - edit /etc/ca-certificates.conf, remove cloud-init added entry
+ $ sed -i '/cloud-init-ca-certs.crt/d'
+ - upgrade cloud-init, re-run the ca_certs
+ $ sudo dpkg -i cloud-init_all.deb
+ $ sudo cloud-init single --name=ca_certs --frequency=always
+
+ This time, you will see output containing: "1 added, 0 removed; done."
+ Also, (trimmed output), you will see:
+ $ ls -l /usr/lib/ssl/certs/ | grep -i cloud
+ lrwxrwxrwx b1d2b355.0 -> cloud-init-ca-certs.pem
+ lrwxrwxrwx cbbf81bb.0 -> cloud-init-ca-certs.pem
+ lrwxrwxrwx cloud-init-ca-certs.pem -> /usr/share/ca-certificates/cloud-init-ca-certs.crt
+
+ [Regression Potential]
+ * regression potential is low. It could break the ca_certs module further, but the module is not functional as it is. Tracebacks are caught when modules are executed, so there is really no potential for further harm.
+
+ == End SRU Information ==
+
Using a cloud-init yaml file adding a certificate like this:
+ # BEGIN /etc/cloud/cloud.cfg.d/99-local-certs.cfg
ca-certs:
- # If present, the 'trusted' parameter should contain a certificate (or list
- # of certificates) to add to the system as trusted CA certificates.
- # Pay close attention to the YAML multiline list syntax. The example shown
- # here is for a list of multiline certificates.
- # - Amazon RDS SSL Certificate (http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem)
- trusted:
- - |
- -----BEGIN CERTIFICATE-----
- MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
- BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw
- EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h
- bWF6b24uY29tL3Jkcy8wHhcNMTAwNDA1MjI0NDMxWhcNMTUwNDA0MjI0NDMxWjB1
- MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
- dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD
- ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
- gQDKhXGU7tizxUR5WaFoMTFcxNxa05PEjZaIOEN5ctkWrqYSRov0/nOMoZjqk8bC
- med9vPFoQGD0OTakPs0jVe3wwmR735hyVwmKIPPsGlaBYj1O6llIpZeQVyupNx56
- UzqtiLaDzh1KcmfqP3qP2dInzBfJQKjiRudo1FWnpPt33QIDAQABo4HaMIHXMB0G
- A1UdDgQWBBT/H3x+cqSkR/ePSIinPtc4yWKe3DCBpwYDVR0jBIGfMIGcgBT/H3x+
- cqSkR/ePSIinPtc4yWKe3KF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
- c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x
- DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAOd1
- tlfiGoEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAvguZy/BDT66x
- GfgnJlyQwnFSeVLQm9u/FIvz4huGjbq9dqnD6h/Gm56QPFdyMEyDiZWaqY6V08lY
- LTBNb4kcIc9/6pc0/ojKciP5QJRm6OiZ4vgG05nF4fYjhU7WClUx7cxq1fKjNc2J
- UCmmYqgiVkAGWRETVo+byOSDZ4swb10=
- -----END CERTIFICATE-----
+ # If present, the 'trusted' parameter should contain a certificate (or list
+ # of certificates) to add to the system as trusted CA certificates.
+ # Pay close attention to the YAML multiline list syntax. The example shown
+ # here is for a list of multiline certificates.
+ # - Amazon RDS SSL Certificate (http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem)
+ trusted:
+ - |
+ -----BEGIN CERTIFICATE-----
+ MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
+ BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw
+ EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h
+ bWF6b24uY29tL3Jkcy8wHhcNMTAwNDA1MjI0NDMxWhcNMTUwNDA0MjI0NDMxWjB1
+ MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
+ dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD
+ ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+ gQDKhXGU7tizxUR5WaFoMTFcxNxa05PEjZaIOEN5ctkWrqYSRov0/nOMoZjqk8bC
+ med9vPFoQGD0OTakPs0jVe3wwmR735hyVwmKIPPsGlaBYj1O6llIpZeQVyupNx56
+ UzqtiLaDzh1KcmfqP3qP2dInzBfJQKjiRudo1FWnpPt33QIDAQABo4HaMIHXMB0G
+ A1UdDgQWBBT/H3x+cqSkR/ePSIinPtc4yWKe3DCBpwYDVR0jBIGfMIGcgBT/H3x+
+ cqSkR/ePSIinPtc4yWKe3KF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
+ c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x
+ DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAOd1
+ tlfiGoEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAvguZy/BDT66x
+ GfgnJlyQwnFSeVLQm9u/FIvz4huGjbq9dqnD6h/Gm56QPFdyMEyDiZWaqY6V08lY
+ LTBNb4kcIc9/6pc0/ojKciP5QJRm6OiZ4vgG05nF4fYjhU7WClUx7cxq1fKjNc2J
+ UCmmYqgiVkAGWRETVo+byOSDZ4swb10=
+ -----END CERTIFICATE-----
+ # END /etc/cloud/cloud.cfg.d/99-local-certs.cfg
The certificate is added to the /etc/ca-certificates.conf file but there
is a blank line between the previous content and the line added by
cloud-init. In this situation running update-ca-certificates doesn't
take the cloud-init certificates into account. Removing the blank line
and running update-ca-certificates again fixes the issue.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cloud-init 0.6.3-0ubuntu1.1
ProcVersionSignature: User Name 3.2.0-31.50-virtual 3.2.28
Uname: Linux 3.2.0-31-virtual x86_64
ApportVersion: 2.0.1-0ubuntu14
Architecture: amd64
Date: Fri Nov 9 15:01:03 2012
Ec2AMI: ami-3d4ff254
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.medium
Ec2Kernel: aki-825ea7eb
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
- TERM=screen
- PATH=(custom, user)
- LANG=en_US.UTF-8
- SHELL=/bin/bash
+ TERM=screen
+ PATH=(custom, user)
+ LANG=en_US.UTF-8
+ SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
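The failure mode described above comes down to how the new entry is appended to /etc/ca-certificates.conf: if the file already ends in a newline and the module writes another newline before its entry, an empty line separates the last stock entry from cloud-init-ca-certs.crt, and the report says update-ca-certificates then ignores that entry. The following is an added illustration, not cloud-init's own cc_ca_certs code: it shows the blank-line-producing append next to a corrected one, a small lint that flags a blank line and the entry after it (modelling the behaviour this bug reports, not the internals of update-ca-certificates), and an atomic, idempotent file update. The stock configuration text is constructed and trimmed; the function and variable names are this example's own.

```python
# Added example: models the blank-line bug from LP#1077020 and a corrected append.
# Illustrative code only; cloud-init's cc_ca_certs module is not reproduced here.
import os
import tempfile

CA_CERT_CONFIG = "/etc/ca-certificates.conf"   # path named in the bug report
CLOUD_INIT_ENTRY = "cloud-init-ca-certs.crt"   # entry name from the bug report

# Constructed, trimmed stand-in for the stock file (the real one lists many entries).
SAMPLE_CONF = (
    "# This file lists certificates that you wish to use or to ignore to be\n"
    "# installed in /etc/ssl/certs.\n"
    "mozilla/ACEDICOM_Root.crt\n"
    "mozilla/Actalis_Authentication_Root_CA.crt\n"
)


def append_entry_buggy(existing, entry):
    """Unconditionally prefix a newline.  Because the file already ends in
    '\\n', this leaves an empty line between the last entry and the new one,
    which is exactly the state the bug report describes."""
    return existing + "\n" + entry + "\n"


def append_entry_fixed(existing, entry):
    """Strip trailing whitespace first, so exactly one newline separates the
    last existing entry from the new one whether or not the file ended in
    '\\n' (or already carried a stray blank line).  Idempotent: an entry that
    is already present is not duplicated."""
    if entry in (line.strip() for line in existing.splitlines()):
        return existing
    return existing.rstrip() + "\n" + entry + "\n"


def lint_conf(conf_text):
    """Return (line_number, message) findings for a ca-certificates.conf text.

    Flags every blank line and, per the behaviour reported in this bug, the
    non-comment entry that directly follows a blank line (assumed here to be
    the entry update-ca-certificates would skip)."""
    findings = []
    lines = conf_text.splitlines()
    for idx, line in enumerate(lines, start=1):
        if line.strip():
            continue
        findings.append((idx, "blank line"))
        if idx < len(lines):                      # lines[idx] is line idx+1
            following = lines[idx].strip()
            if following and not following.startswith("#"):
                findings.append(
                    (idx + 1, "entry %r follows a blank line and will be ignored" % following)
                )
    return findings


def add_entry(path, entry):
    """Append entry to the config at path without introducing a blank line.

    Writes through a temporary file and rename so an interrupted write cannot
    leave a truncated trust store configuration.  Returns True if the file
    changed, False if the entry was already present."""
    with open(path) as fh:
        existing = fh.read()
    updated = append_entry_fixed(existing, entry)
    if updated == existing:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ca-certs.")
    with os.fdopen(fd, "w") as fh:
        fh.write(updated)
    os.chmod(tmp, 0o644)                           # match the stock file's mode
    os.replace(tmp, path)
    return True


def demo():
    """Lint the buggy and the fixed result on the constructed sample."""
    buggy = append_entry_buggy(SAMPLE_CONF, CLOUD_INIT_ENTRY)
    fixed = append_entry_fixed(SAMPLE_CONF, CLOUD_INIT_ENTRY)
    return lint_conf(buggy), lint_conf(fixed)


if __name__ == "__main__":
    buggy_findings, fixed_findings = demo()
    print("buggy append:", buggy_findings)
    print("fixed append:", fixed_findings)
```

Running `lint_conf` over the real /etc/ca-certificates.conf is a quick way to confirm the "before" state on an affected instance (a blank line followed by cloud-init-ca-certs.crt), and `add_entry(CA_CERT_CONFIG, CLOUD_INIT_ENTRY)` followed by `update-ca-certificates` is the manual equivalent of the fix the test case verifies with "1 added, 0 removed; done." The `sed` step in the test case is meant to operate on that same file, as the preceding "edit /etc/ca-certificates.conf" step says.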
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1077020
Title:
cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1077020/+subscriptions