Bug 2310947 - dnssec-trigger-control status does not work
Summary: dnssec-trigger-control status does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-trigger
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-09-09 20:45 UTC by Petr Menšík
Modified: 2024-09-21 01:36 UTC (History)
5 users (show)

Fixed In Version: dnssec-trigger-0.17-36.fc41 dnssec-trigger-0.17-35.fc40
Clone Of:
Environment:
Last Closed: 2024-09-21 00:16:04 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
dnssec_trigger_server.pem (1.37 KB, application/octet-stream)
2024-09-10 12:06 UTC, Petr Menšík
no flags Details
dnssec_trigger_control.pem (1.43 KB, application/octet-stream)
2024-09-10 12:08 UTC, Petr Menšík
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Fedora Package Sources dnssec-trigger pull-request 11 0 None None None 2024-09-10 14:36:55 UTC

Description Petr Menšík 2024-09-09 20:45:54 UTC
# dnssec-trigger-control status
error: could not SSL_write


Reproducible: Always

Steps to Reproduce:
1. systemctl restart dnssec-triggerd
2. dnssec-trigger-control status
3. cd /etc/dnssec-trigger && openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem
Actual Results:  
error: could not SSL_write

in logs:
error: remote control failed ssl crypto error:0A000086:SSL routines::certificate verify failed

Expected Results:  
no error, just status

It still works on F39, with openssl-libs-3.1.4-3.fc39.x86_64. openssl-libs-3.2.2-5.fc41.x86_64 in current rawhide does not work.

Question is, whether 3072 bits key is okay. Signature Algorithm: sha256WithRSAEncryption should be okay.

In F39:
# openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem 
dnssec_trigger_control.pem: OK
Chain:
depth=0: CN = dnssec-trigger-control (untrusted)
depth=1: CN = dnssec-trigger
# openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem 
dnssec_trigger_control.pem: OK
Chain:
depth=0: CN = dnssec-trigger-control (untrusted)
depth=1: CN = dnssec-trigger


In F41 rawhide:
# openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem
CN=dnssec-trigger
error 79 at 1 depth lookup: invalid CA certificate
error dnssec_trigger_control.pem: verification failed

Comment 1 Petr Menšík 2024-09-10 12:02:30 UTC
Strange is the same version in both certs.

# for F in *.pem; do echo "# $F"; openssl x509 -text -noout -in $F; done

# dnssec_trigger_control.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6d:f7:fb:12:43:50:29:88:58:85:9d:fb:29:85:c6:50:c4:05:79:9d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=dnssec-trigger
        Validity
            Not Before: Sep 10 11:14:28 2024 GMT
            Not After : May 28 11:14:28 2044 GMT
        Subject: CN=dnssec-trigger-control
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:a3:26:1b:3f:bf:28:74:87:04:2e:47:95:6c:2b:
                    6f:6a:31:d3:74:57:f3:2f:a0:3f:3d:c4:9e:ae:d2:
                    09:22:26:2a:2a:a1:98:40:4d:1a:b7:c9:2d:5c:b8:
                    fd:62:29:a3:76:38:4d:78:e1:05:16:fb:83:4a:f0:
                    fe:0d:86:57:b1:b0:9e:ac:1a:37:72:02:29:08:6a:
                    a5:20:01:8f:fb:1f:c8:50:4e:2a:3f:5b:6a:e0:68:
                    3f:08:85:e4:e7:34:c4:b3:b0:8f:08:0d:6f:57:56:
                    a9:d1:5b:c2:28:23:a4:c4:4f:ce:0e:51:d3:dd:e8:
                    bd:ce:ce:73:e6:66:1e:da:7a:9f:35:1c:d0:6f:7b:
                    26:e1:79:78:ec:46:61:af:24:80:b5:88:be:1a:ba:
                    a7:a7:11:9b:05:7c:dd:68:d5:0b:82:50:ae:64:6f:
                    f4:4a:fc:32:1e:00:e9:1a:f4:e4:c3:83:75:49:bd:
                    c8:b3:f8:1d:18:1f:3b:c4:aa:68:3f:7a:ae:ed:81:
                    6d:c7:2a:bb:ae:8e:38:56:16:84:c1:0f:85:73:03:
                    4d:f7:8b:1b:e0:2a:7b:0e:ba:ba:d2:04:20:8f:5d:
                    72:d7:db:10:8f:f0:df:6b:f0:e0:c6:3b:0b:68:99:
                    dd:14:ff:d5:0d:ae:95:7c:db:14:cd:2f:cb:ad:49:
                    ad:fa:03:f8:70:0a:31:59:00:5c:1b:fd:60:f7:00:
                    3f:90:80:b0:e7:dc:ec:9a:ed:dc:94:cb:68:f1:e6:
                    29:36:5d:0e:30:45:77:6d:db:15:b9:7f:65:fe:b1:
                    45:b0:b2:ae:f9:0a:9b:37:88:77:a7:a8:86:8a:c4:
                    d9:7a:45:e6:45:6b:c3:b4:72:26:51:ec:91:36:cc:
                    f5:2a:55:b6:2d:9a:03:3c:7c:21:20:e1:f4:ca:6f:
                    f3:df:24:97:70:39:eb:14:91:f8:e6:5f:07:30:c6:
                    a3:ad:78:30:3c:d3:04:c2:f8:f2:5a:b0:f6:1e:8d:
                    b4:1d:31:ea:4e:25:2b:f6:b0:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                11:D9:63:4C:3E:90:6D:20:26:50:6C:75:2B:D6:A6:FA:C7:DF:58:CC
            X509v3 Authority Key Identifier: 
                55:A2:06:CA:74:5B:8A:C2:B7:AF:B1:5C:F8:17:38:4C:5A:F3:FD:DD
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        48:86:08:b5:5b:9e:d5:fa:ea:a1:34:0f:f9:9d:fe:b7:02:b9:
        ca:ae:e6:ee:2e:7f:0b:62:47:1f:0a:82:a2:22:10:18:94:78:
        41:7e:b1:1e:c7:fb:ee:fc:7c:2d:07:99:70:2b:8a:cc:e7:cd:
        eb:48:99:31:59:60:20:21:7f:36:cc:21:81:41:41:f2:ae:2a:
        d2:69:b6:bf:b0:c5:00:4a:f2:42:70:57:b4:16:b0:05:99:3a:
        30:af:2d:76:1a:1e:69:37:3d:a1:6f:12:95:11:0e:b2:98:33:
        e7:2a:36:43:a2:85:b0:f3:81:b2:d5:f8:25:c5:c9:f2:4c:20:
        2f:08:f9:45:b4:1c:00:24:ac:9e:01:9a:f0:7d:8d:c3:e0:ff:
        3b:79:02:36:0b:04:e4:b1:c5:6d:4a:77:97:d0:ba:a4:b6:3c:
        24:25:18:fd:67:96:71:e7:07:db:2a:13:ca:01:99:56:ad:12:
        53:61:63:a5:c8:3d:06:31:2e:36:82:08:bf:ff:e6:c0:f0:ca:
        44:2b:f9:38:cf:03:c3:41:8c:4e:73:68:27:f2:0d:76:3c:9e:
        0d:db:04:98:39:09:ac:95:e3:e3:97:9c:f7:37:fe:3b:bf:c7:
        96:46:71:86:82:f2:9d:64:cd:a3:25:53:df:b6:f0:91:20:a5:
        46:b5:1a:cb:14:10:26:4a:cb:77:cc:63:df:ba:bd:7c:3f:35:
        b3:41:5c:ae:05:e1:60:78:df:09:eb:82:af:ab:c1:c1:dd:25:
        8a:9a:49:84:9f:0d:ad:e1:7a:62:52:c2:04:0e:fe:26:3f:bc:
        56:65:11:92:3f:2a:62:12:cf:40:24:a4:84:99:4d:41:5a:b6:
        b3:65:87:5c:f2:d1:4d:ea:25:84:ca:5a:63:05:9a:ad:f2:b0:
        93:32:2d:5c:57:fd:3b:53:b1:3a:df:6d:a5:26:e9:ed:85:42:
        39:ed:b4:bc:05:d8:58:4f:75:14:c9:5d:d8:e9:f0:5f:1b:14:
        c1:43:e7:21:3d:d0
# dnssec_trigger_server.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:a6:63:37:6e:e7:f2:1d:58:69:e3:7b:2a:4c:c9:6f:d7:6d:9f:e8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=dnssec-trigger
        Validity
            Not Before: Sep 10 11:14:28 2024 GMT
            Not After : May 28 11:14:28 2044 GMT
        Subject: CN=dnssec-trigger
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:e2:92:66:96:0e:b9:5f:25:1c:cf:05:af:1c:0a:
                    7a:17:2a:47:02:38:59:d3:5d:d4:ba:7f:7a:9f:97:
                    f8:86:09:87:3c:bd:7b:e9:28:50:9e:44:8d:92:4c:
                    1f:0a:18:c1:68:28:49:f3:80:2d:33:bd:e8:21:b9:
                    9d:02:71:46:93:d4:ee:3b:ca:bc:67:5c:e3:f5:41:
                    d1:d9:13:6b:2a:2c:cc:2c:5c:63:7e:f2:2a:1a:71:
                    e3:92:ae:a1:a1:9c:ea:32:80:19:87:af:a3:51:36:
                    af:89:34:7f:6c:24:de:be:a0:0c:a4:f3:cb:4d:bf:
                    86:c1:b5:a2:b6:b5:f5:18:3d:b6:9c:aa:64:44:80:
                    bc:fc:96:17:1e:27:e3:76:b8:22:09:f4:e1:54:f8:
                    04:59:4c:46:14:d5:30:bd:e5:f4:26:7d:50:4f:eb:
                    ea:0e:75:b0:c5:bb:54:8e:57:01:9d:7a:c6:51:0b:
                    e4:62:38:4b:0f:61:30:04:d3:89:d7:00:38:98:14:
                    0b:99:db:27:14:a2:92:f7:1c:37:f0:4e:7d:10:82:
                    b3:96:e5:1d:79:b9:3f:80:ea:e2:55:c7:6f:42:cc:
                    5f:ee:47:da:01:1e:b2:06:09:4d:c8:3c:1f:7a:61:
                    69:ae:d4:e5:1e:68:9e:39:29:6a:2a:62:81:1d:8f:
                    ce:f3:41:3f:1f:ce:f7:5b:71:bf:27:59:ab:1f:56:
                    40:cd:b1:5d:d8:38:a4:99:8e:7e:23:03:46:b9:d7:
                    49:a2:91:1f:64:17:1f:40:27:65:84:af:3d:ee:27:
                    d2:19:ef:0f:d7:dd:43:b0:ef:3f:c3:a1:81:e9:9d:
                    af:3b:c6:d6:40:f6:60:46:82:7f:f6:74:26:68:1b:
                    24:c9:b4:78:a3:89:35:8e:8e:90:33:3e:e4:a7:9f:
                    2e:2c:be:6c:6a:6c:9b:9e:1c:dd:58:a1:48:a4:d3:
                    2d:dc:a6:c7:e1:77:9e:37:ad:c8:da:a3:f7:f0:72:
                    6a:8c:b0:fc:a3:b3:55:02:65:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                55:A2:06:CA:74:5B:8A:C2:B7:AF:B1:5C:F8:17:38:4C:5A:F3:FD:DD
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c0:a6:70:b3:e2:6c:9d:f9:da:14:44:e0:46:23:6f:1f:25:32:
        69:38:0e:60:c7:fd:42:8d:1d:a6:9f:9c:9a:c4:65:8e:1f:21:
        e7:fa:91:66:9d:f9:9f:9e:e9:50:32:61:74:5b:6d:88:29:df:
        1f:71:a1:60:08:b1:76:cf:a6:f8:96:b5:37:f0:73:91:00:aa:
        01:70:c1:53:40:3d:41:47:de:c7:7a:b1:dc:91:8d:61:9b:ec:
        d9:36:18:df:98:83:41:31:9e:41:a0:00:47:7b:ea:dc:2d:2e:
        4e:41:cf:04:e0:7d:97:ea:f1:1d:31:0c:3d:d4:d0:bc:e7:77:
        66:17:fa:69:b7:c5:19:42:e5:01:d1:79:40:1e:42:0a:06:0d:
        fc:fe:7e:b1:b3:53:83:17:2a:f2:76:25:ec:ad:a9:39:fe:39:
        98:93:9f:76:3e:14:07:80:c5:7f:bd:0d:5b:ff:17:f8:10:ef:
        45:8a:5c:cd:0b:61:f8:26:95:30:46:2a:98:07:32:8d:d3:a2:
        34:07:38:93:56:ac:ba:9f:c5:5b:d1:82:b9:6e:7c:1b:50:b2:
        53:df:6e:60:2f:65:c6:bc:23:0b:4d:98:cc:ce:fc:ad:92:14:
        81:11:6a:5a:b5:88:12:f3:9b:74:76:64:f7:3e:09:69:50:52:
        34:2e:51:a7:60:bd:46:3e:b2:f0:82:ba:69:b7:25:be:37:70:
        4c:62:b0:6f:c5:8a:c5:ad:37:d8:06:f7:6e:ae:d8:3c:a5:6b:
        c5:de:58:f6:a8:09:80:e7:a7:be:dc:89:74:e5:74:6d:32:6e:
        ca:74:69:fc:66:b3:8d:83:ed:47:62:b6:ce:72:71:b5:21:fe:
        1b:a5:09:16:01:4d:bb:2e:80:b9:f4:9c:17:57:15:0a:7b:c8:
        6a:e7:da:b9:5d:3d:df:8a:ad:f8:43:f5:f5:83:92:a1:11:17:
        67:ef:2b:10:80:9d:28:76:09:5a:f3:27:ad:7f:84:a3:45:82:
        98:df:8f:95:6a:18

Comment 2 Petr Menšík 2024-09-10 12:06:41 UTC
Created attachment 2046102 [details]
dnssec_trigger_server.pem

Comment 3 Petr Menšík 2024-09-10 12:08:49 UTC
Created attachment 2046103 [details]
dnssec_trigger_control.pem

Comment 4 Clemens Lang 2024-09-10 12:26:13 UTC
I can reproduce this in rawhide:

[root@952460bb418c /]# rpm -q dnssec-trigger
dnssec-trigger-0.17-35.fc41.aarch64
[root@952460bb418c /]# /usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/
[…]
[root@952460bb418c /]# openssl verify -CAfile /etc/dnssec-trigger/dnssec_trigger_server.pem /etc/dnssec-trigger/dnssec_trigger_control.pem
CN=dnssec-trigger
error 79 at 1 depth lookup: invalid CA certificate
error /etc/dnssec-trigger/dnssec_trigger_control.pem: verification failed

The problem vanishes if I make sure the CA has a valid X509v3 BasicConstraints extension that marks it as a CA:

[root@952460bb418c /]# rm -rf /etc/dnssec-trigger
[root@952460bb418c /]# dnf reinstall -y dnssec-trigger
[…]
[root@952460bb418c /]# diff -u /usr/sbin/dnssec-trigger-control-setup{.orig,}
--- /usr/sbin/dnssec-trigger-control-setup.orig 2024-09-10 12:23:24.155394070 +0000
+++ /usr/sbin/dnssec-trigger-control-setup      2024-09-10 12:23:45.249706836 +0000
@@ -200,7 +200,7 @@
 test -f request.cfg || error "could not create request.cfg"

 echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
 # create trusted usage pem
 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"

[root@952460bb418c /]# /usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/
[…]
[root@952460bb418c /]# openssl verify -CAfile /etc/dnssec-trigger/dnssec_trigger_server.pem /etc/dnssec-trigger/dnssec_trigger_control.pem
/etc/dnssec-trigger/dnssec_trigger_control.pem: OK

Comment 5 Petr Menšík 2024-09-10 14:36:56 UTC
Thank you Clemens!

Prepared test PR https://src.fedoraproject.org/rpms/dnssec-trigger/pull-request/11

There is some chaos with trying to use -addtrust wrong way. It may make sense to add into client key:
-addext extendedKeyUsage=clientAuth -addext basicConstraints=critical,CA:FALSE"

The question is after all, what is encryption used for? Client key is word readable, probably just unix socket would work the same way. Tuning of any certificates does not seem to be very useful. But until someone finds a time for its updates, it should work again. We are planning to use dnsconfd integrated with NetworkManager instead anyway, as a way to offer DNS over TLS.

Comment 6 Fedora Update System 2024-09-12 08:23:36 UTC
FEDORA-2024-3545266a31 (dnssec-trigger-0.17-36.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-3545266a31

Comment 7 Fedora Update System 2024-09-12 08:25:23 UTC
FEDORA-2024-862d1d8686 (dnssec-trigger-0.17-35.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-862d1d8686

Comment 8 Fedora Update System 2024-09-13 02:41:43 UTC
FEDORA-2024-862d1d8686 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-862d1d8686`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-862d1d8686

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2024-09-13 04:28:24 UTC
FEDORA-2024-3545266a31 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-3545266a31`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-3545266a31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2024-09-21 00:16:04 UTC
FEDORA-2024-3545266a31 (dnssec-trigger-0.17-36.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2024-09-21 01:36:49 UTC
FEDORA-2024-862d1d8686 (dnssec-trigger-0.17-35.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.