Renew samba fixture expired test certificates #68985
Add a README file for how these certificates can be renewed in the future, when the need arises again.
Pinging @elastic/es-security (Team:Security)
Due to the cryptic failure, it took time to find the root cause, this was the error message: It would therefore be nice to e.g. add something like: to update: requires adding the installation of
Agreed, but I think we can do a better job with the fixture and I don't want us to block intake for more than necessary while we think/iterate on solutions. If you don't mind @hendrikmuhs, I'll merge this with just the certificate changes and open an issue to properly address the fixture's resilience
👍, improvements can be done in a follow-up
| [source,shell] | ||
| ----------------------------------------------------------------------------------------------------------- | ||
| elasticsearch-certutil cert --pem --ca-cert ${PWD}/ca.pem --ca-key ${PWD}/ca.key \ | ||
| --dns localhost --ip 127.0.0.1,0:0:0:0:0:0:0:1 --name samba4 |
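Review bot: The `elasticsearch-certutil cert` invocation sets no `--days`, so the renewed certificate gets the tool's default validity and nothing in these lines tells the next maintainer when it will expire again. Since this README exists because the previous certificates expired, consider passing an explicit `--days` value on this command and recording the resulting expiry date next to it.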
| --dns localhost --ip 127.0.0.1,0:0:0:0:0:0:0:1 --name samba4 | |
| --dns localhost --ip 127.0.0.1,0:0:0:0:0:0:0:1 --name samba4 --out ${PWD}/samba4.zip |
Thanks, it's good to be explicit
|
|
||
| === Generate certificates for the Samba server | ||
|
|
||
| These keys and certificates are copied by installsmb.sh for the Samba server to use for TLS. See `../resources/installsmb.sh` |
| These keys and certificates are copied by installsmb.sh for the Samba server to use for TLS. See `../resources/installsmb.sh` | |
| These keys and certificates are copied by installsmb.sh for the Samba server to use for TLS. See `../provision/installsmb.sh` |
| keytool -keystore ../../../../../../../x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/ldap/support/ADtrust.jks -storepass changeit -delete -noprompt -alias smb_cert | ||
| keytool -keystore ../../../../../../../x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/ldap/support/ADtrust.jks -storepass changeit -importcert -file cert.pem -alias smb_cert -noprompt | ||
| keytool -keystore ../../../../../../../x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/ldap/support/ADtrust.jks -storepass changeit -delete -noprompt -alias mykey | ||
| keytool -keystore ../../../../../../../x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/ldap/support/ADtrust.jks -storepass changeit -importcert -file cert.pem -alias mykey -noprompt |
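Review bot: All four `keytool` lines depend on a seven-level `../` path to `ADtrust.jks`, but the lines shown do not state which directory they must be run from, so the commands only work from one unnamed working directory. State that directory above the commands, or assign the truststore path to a variable once and reuse it in each line. The two `-delete` lines also fail when the alias is not present, and the same `cert.pem` is imported under both `smb_cert` and `mykey`, so it is worth stating whether both aliases are still required.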
I've tested UserAttributeGroupsResolverTests and ActiveDirectoryGroupsResolverTests (the only users of ADtrust.jks) with only the smb_ca entry in the truststore (no smb_cert and no mykey entries) and they pass.
Might be worth adjusting the truststore while we're at it.
Can do since I'll respin this either way, but we definitely need to clean our key/cert resources up soon. I think we have an open issue about this somewhere too
Renew our smb-fixture expired test certificates that are in use in the fixture and in various tests for LDAP and AD. Add a README file for how these certificates can be renewed in the future, when the need arises again.