ci: rework ssl cert generation (SAN usage)

Rework the generation of certificates, in order to make use of the SubjectAltName (SAN) extension, that is required for modern usage of TLS (see RFC 2818, or [1]) and now enforced by default for go version 1.15[2] (Fedora 33). For this a different config file is used, originally written by Lars, and assign SANs to the server and client certificates. Additionally, the correct extensions are used for each of those, so that their usage is limited to the server or client use case. The client certificate is renamed from "worker" to "client". The lifetime of the certificates is increased, as a side effect of the new config file. [1] https://github.com/urllib3/urllib3/issues/497 [2] https://golang.org/doc/go1.15#commonname Co-authored-by: Lars Karlitski <lars@karlitski.net>
2020-11-11 16:40:56 +01:00 · 2020-11-11 16:40:56 +01:00 · 6f439dc34f
commit 6f439dc34f
parent f529ffe394
6 changed files with 107 additions and 48 deletions
--- a/test/container/builder/osbuild-koji.conf
+++ b/test/container/builder/osbuild-koji.conf
@ -1,7 +1,7 @@
 [composer]
 server = https://composer/
-ssl_cert = /share/worker-crt.pem, /share/worker-key.pem
-ssl_verify = /share/worker-ca.pem
+ssl_cert = /share/client-crt.pem, /share/client-key.pem
+ssl_verify = /share/client-ca.pem

 [koji]
 server = https://localhost:4343/kojihub/