[DOC] pemtrustedcas_content #7014

Closed
1 of 4 tasks
landon-lengyel opened this issue Apr 23, 2024 · 2 comments · Fixed by #7018
Labels: 3 - Done (Issue is done/complete)

@landon-lengyel (Contributor)

What do you want to do?

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Tell us about your request. Provide a summary of the request and all versions that are affected.
The pemtrustedcas_content examples on multiple pages are incorrect, as far as I can tell. I will use OpenID Connect as an example, but this seems to affect anywhere the pemtrustedcas_content option is used.

Essentially, the example shows this:

```yaml
config:
  openid_connect_idp:
    enable_ssl: true
    pemtrustedcas_content: |-
      MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzETMBEGCgmSJomT8ixk
      ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
      bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh
      ...
```

This example seems to imply that one should remove these lines from the certificate:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

However, in my testing, that is not the case and the security plugin will only work properly with those lines. As such, I believe the example used in the documentation should be:

```yaml
config:
  openid_connect_idp:
    enable_ssl: true
    pemtrustedcas_content: |-
      -----BEGIN CERTIFICATE-----
      MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzETMBEGCgmSJomT8ixk
      ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
      bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh
      ...
      -----END CERTIFICATE-----
```

I can submit pull request(s) for these changes if this is in fact the case, and my environment isn't behaving differently for some other reason.

What other resources are available? Provide links to related issues, POCs, steps for testing, etc.
Testing should just require adding/removing those lines and testing whether authentications are successful. It is possible that this is actually a bug with the OpenID Connect code, and that the example is correct for the other SSO methods. I do not have a test environment set up to confirm that, though.
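A way to catch the mistake this issue describes before the plugin does, as an added example that is not part of the issue or of the OpenSearch project's code: a small linter for a `pemtrustedcas_content` value. It flags a bare base64 body (the form the old docs example showed), unbalanced BEGIN/END lines, bodies that do not decode, and decoded bytes that cannot be a DER certificate, and it renders a PEM bundle as the `|-` block scalar at the nesting used above. The function names, the check rules and the sample certificate bytes are this example's own; the sample body is a constructed DER placeholder, not a real certificate.

```python
"""Lint a pemtrustedcas_content value before it goes into config.yml.

Added example for this issue; not OpenSearch security plugin code.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)
_BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def check_pem_bundle(content: str) -> list[str]:
    """Return the problems found in a pemtrustedcas_content value.

    An empty list means every certificate in the value is PEM-armored and
    its body decodes to DER that at least starts with an X.509 SEQUENCE.
    """
    problems: list[str] = []
    text = content.strip()
    if not text:
        return ["value is empty"]

    begins, ends = text.count(BEGIN), text.count(END)
    if begins == 0 and ends == 0:
        # The mistake in the old docs example: the armor lines were dropped.
        if _BASE64_ONLY.match(text):
            return ["bare base64 body: missing BEGIN/END CERTIFICATE lines"]
        return ["no PEM armor found and content is not base64"]
    if begins != ends:
        problems.append(f"unbalanced armor: {begins} BEGIN vs {ends} END lines")

    for n, match in enumerate(_BLOCK.finditer(text), start=1):
        body = "".join(match.group(1).split())  # drop newlines and indentation
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"certificate {n}: body is not valid base64")
            continue
        # Every DER-encoded X.509 Certificate starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"certificate {n}: decoded bytes are not a DER SEQUENCE")
    return problems


def render_yaml_fragment(pem_text: str, indent: int = 6) -> str:
    """Render a PEM bundle as the `pemtrustedcas_content: |-` block scalar.

    `indent` is the column of the lines inside the block; 6 matches the
    config -> openid_connect_idp -> pemtrustedcas_content nesting in the docs.
    """
    pad = " " * indent
    key_pad = " " * (indent - 2)
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    return "\n".join([f"{key_pad}pemtrustedcas_content: |-"] + [pad + ln for ln in lines])


# Constructed stand-in for certificate bytes: a minimal DER SEQUENCE
# (SEQUENCE { INTEGER 5 }). It is not a certificate; real input is the
# CA's actual PEM file.
_FAKE_DER = bytes.fromhex("3003020105")
FAKE_BODY = base64.b64encode(_FAKE_DER).decode()
WRONG_VALUE = FAKE_BODY                        # the form the old docs showed
RIGHT_VALUE = f"{BEGIN}\n{FAKE_BODY}\n{END}"   # the form the plugin accepts

if __name__ == "__main__":
    for label, value in (("bare body", WRONG_VALUE), ("armored", RIGHT_VALUE)):
        print(label, "->", check_pem_bundle(value) or "OK")
    print(render_yaml_fragment(RIGHT_VALUE))
```

Run it against the value you are about to paste into config.yml (for example by reading the CA file into `check_pem_bundle`); a bundle of several CAs is accepted as long as each one carries its own BEGIN/END pair.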

@hdhalter (Contributor)

Thanks for submitting this issue, @landon-l8! It would be great if you could submit the pull request.

@scrawfor99 - Is this something you can verify? Thanks.

@landon-lengyel (Contributor, Author)

Pull request submitted. I would assume that the private key behaves the same way, but my environment doesn't work to test this very well. Hopefully @scrawfor99 can confirm if I'm correct there.

@hdhalter hdhalter added the 3 - Done Issue is done/complete label Apr 24, 2024