Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update expired certificates #2701

Merged
merged 2 commits into from
Nov 8, 2024
Merged

Update expired certificates #2701

merged 2 commits into from
Nov 8, 2024

Conversation

bbondy
Copy link
Member

@bbondy bbondy commented Nov 4, 2024

Summary

When I ran the grants container I got these errors:

DBG failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:07:57Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader
DBG Unable to establish connection to consumer group coordinator for group grant-bat-skus-local: failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:08:02Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader
DBG failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:08:02Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader

I verified that the certificates were expired:

$ openssl x509 -in test/secrets/snakeoil-ca-1.crt -noout -text | grep 'Not'
            Not Before: Apr  3 16:18:51 2023 GMT
            Not After : Apr  2 16:18:51 2024 GMT

To regenerate the certificates I used test/secrets/README.md

Type of Change

  • Product feature
  • Bug fix
  • Performance improvement
  • Refactor
  • Other

Tested Environments

  • Development
  • Staging
  • Production

Before Requesting Review

  • Does your code build cleanly without any errors or warnings?
  • Have you squashed all intermediate commits?
  • Is there a clear title that explains what the PR does?
  • Have you performed a self review of this PR?

Not applicable:

  • Have you used auto closing keywords?
  • Have you added tests for new functionality?
  • Have validated query efficiency for new database queries?
  • Have documented new functionality in README or in comments?
  • Have you used intuitive function, variable and other naming?
  • Have you requested security and/or privacy review if needed

Manual Test Plan

@bbondy
Update expired certificates
026118b 
When I ran the grants container I got these errors:
> DBG failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:07:57Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader
> DBG Unable to establish connection to consumer group coordinator for group grant-bat-skus-local: failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:08:02Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader
> DBG failed to dial: x509: certificate has expired or is not yet valid: current time 2024-10-29T18:08:02Z is after 2024-04-02T16:18:51Z module=kafka.NewKafkaReader

I verified that the certificates were expired:
```
$ openssl x509 -in test/secrets/snakeoil-ca-1.crt -noout -text | grep 'Not'
            Not Before: Apr  3 16:18:51 2023 GMT
            Not After : Apr  2 16:18:51 2024 GMT
```

To regenerate the certificates I used `test/secrets/README.md`
@bbondy bbondy self-assigned this Nov 4, 2024
@bbondy bbondy requested a review from clD11 November 4, 2024 20:06
github-actions[bot]
github-actions bot reviewed Nov 4, 2024
View reviewed changes
test/secrets/consumer.client.key
pG3Y+OzBK0O4VaTM5A+z7zH49FJqeHnPlvixMRlpQ0OFtDWQ6suS2QJAdZm6k1cV
rO3D7HybiU+2H13q7lRc9CUgy9fHMyowU+Ab5nONiZQat4e4G9mG3vC3hCqGl7uK
xtPMeens4rlu1Q==
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKhWPvrwCl+o74i2
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

Source: https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key


Cc @thypon @kdenhartog

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test keys and already in the repo and using a script to be generated

test/secrets/snakeoil-ca-1.key
18LOCPjsAUI7g10mCw9n/+nqOXPAYKy7HhDWRxfH2YKmfBln77MEalwtNS9o2NOi
ymoOVH0kfhRmRNzS06zWHS+jYzlgVVod3zZ6VfmzFm2D/mkqjkTRtOiUkkoBzgLc
dC0iOYfxJXHSpPlK/fTFCQ==
MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQaYTaCPcySarxocpD
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

Source: https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key


Cc @thypon @kdenhartog

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test keys and already in the repo and using a script to be generated

@kdenhartog
Copy link
Member

These certs are for testing, not concerned.

clD11
clD11 approved these changes Nov 7, 2024
View reviewed changes
Copy link
Contributor

@clD11 clD11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM approved.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 8, 2024

[puLL-Merge] - brave-intl/bat-go@2701

Description

This PR updates various certificates and keys used for testing purposes in the bat-go repository. The changes involve regenerating certificates, keys, and related files with new expiration dates and updated content.

Changes

Changes

  1. test/secrets/broker1-ca1-signed.crt

    • Updated certificate with new expiration date and content

  2. test/secrets/broker1.csr

    • Updated certificate signing request with new content

  3. test/secrets/consumer-ca1-signed.crt

    • Updated certificate with new expiration date and content

  4. test/secrets/consumer-ca1-signed.pem

    • Updated certificate with new expiration date and content

  5. test/secrets/consumer.client.key

    • Updated private key

  6. test/secrets/consumer.client.req

    • Updated certificate request

  7. test/secrets/consumer.csr

    • Updated certificate signing request

  8. test/secrets/kafka.broker1.keystore.jks, kafka.broker1.truststore.jks, kafka.consumer.keystore.jks, kafka.consumer.truststore.jks, kafka.producer.keystore.jks, kafka.producer.truststore.jks

    • Updated Java KeyStore files

  9. test/secrets/producer-ca1-signed.crt

    • Updated certificate with new expiration date and content

  10. test/secrets/producer.csr

    • Updated certificate signing request

  11. test/secrets/snakeoil-ca-1.crt

    • Updated root CA certificate with new expiration date and content

  12. test/secrets/snakeoil-ca-1.key

    • Updated encrypted private key for root CA

  13. test/secrets/snakeoil-ca-1.srl

    • Updated serial number file

These changes appear to be routine updates to test certificates and keys, likely to ensure they remain valid for ongoing testing purposes.

@bbondy bbondy merged commit 890d6f9 into master Nov 8, 2024
13 checks passed
@bbondy bbondy deleted the expired-cert-update branch November 8, 2024 20:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@clD11 clD11 clD11 approved these changes

@kdenhartog kdenhartog kdenhartog approved these changes

Assignees

@bbondy bbondy

Labels
puLL-Merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bbondy @kdenhartog @clD11 @thypon