Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Salt ignores Windows Certificate Store #65439

Open
2 of 9 tasks
darkpixel opened this issue Oct 20, 2023 · 2 comments
Open
2 of 9 tasks

[BUG] Salt ignores Windows Certificate Store #65439

darkpixel opened this issue Oct 20, 2023 · 2 comments
Assignees
@twangboy
Labels
Bug broken, incorrect, or confusing behavior dependency underlying Salt dependency issue Windows

Comments

@darkpixel
Copy link
Contributor

Description
A client recently rolled out an intercepting web proxy.

They created their own self-signed CA and deployed it to all Windows machines under the "Trusted Root Certification Authorities" store in Windows.

The web proxy intercepts HTTPS (and http) requests for scanning and logging. The HTTPS certs returned are signed by the self-signed CA.

Pretty much everything in Windows "just works" with this configuration because everything pays attention to the Trusted Root Certification Authorities certificate store.

...except salt. Salt appears to ignore the Windows Certificate Store entirely.

    Failed to cache https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi
    Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1007) reading /edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi

Ref bug #46644 and abandoned PR #51883

Installing python-certifi-win32 in the onedir environment does not fix this.

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
Use a standard winrepo-ng definition:

chrome:
  'latest':
    full_name: 'Google Chrome'
    {%- if grains['cpuarch'] == 'AMD64' %}
    installer: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi'
    uninstaller: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi'
    {%- else %}
    installer: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi'
    uninstaller: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi'
    {%- endif %}
    install_flags: '/qn /norestart'
    uninstall_flags: '/qn /norestart'
    msiexec: True
    locale: en_US
    reboot: False

Set up a proxy server that intercepts HTTPS requests and signs them with a certificate that's trusted by the Windows Certificate Store (easier said than done).

salt-call -l info pkg.install chrome

Expected behavior
Salt should pay attention to the machine's certificate store

Versions Report

    Salt Version:
              Salt: 3006.3
     
    Python Version:
            Python: 3.10.13 (heads/main:7ee24e6, Sep  6 2023, 02:19:49) [MSC v.1936 64 bit (AMD64)]
     
    Dependency Versions:
              cffi: 1.14.6
          cherrypy: 18.6.1
          dateutil: 2.8.1
         docker-py: Not Installed
             gitdb: 4.0.7
         gitpython: Not Installed
            Jinja2: 3.1.2
           libgit2: Not Installed
      looseversion: 1.0.2
          M2Crypto: Not Installed
              Mako: Not Installed
           msgpack: 1.0.2
      msgpack-pure: Not Installed
      mysql-python: Not Installed
         packaging: 22.0
         pycparser: 2.21
          pycrypto: Not Installed
      pycryptodome: 3.10.1
            pygit2: Not Installed
      python-gnupg: 0.4.8
            PyYAML: 6.0.1
             PyZMQ: 25.0.2
            relenv: 0.13.10
             smmap: 4.0.0
           timelib: 0.2.4
           Tornado: 4.5.3
               ZMQ: 4.3.4
     
    System Versions:
              dist:   
            locale: cp1252
           machine: AMD64
           release: 10
            system: Windows
           version: 10 10.0.22621 SP0 Multiprocessor Free
@darkpixel darkpixel added Bug broken, incorrect, or confusing behavior needs-triage labels Oct 20, 2023
@twangboy twangboy self-assigned this Jan 19, 2024
@twangboy twangboy added dependency underlying Salt dependency issue and removed needs-triage labels Jan 19, 2024
@twangboy
Copy link
Contributor

twangboy commented Feb 6, 2024
edited
Loading

It looks like the way forward is to use https://pypi.org/project/truststore/.
Anywhere we import requests we import truststore and run truststore.inject_into_ssl()
Not sure if this applies to all OS's or if we should gate it for Windows.

Or maybe this: https://stackoverflow.com/a/77577017/4581998

@twangboy
Copy link
Contributor

This may require a rewrite where we use the create_default_context function (here). It does accept some arguments for cafiles and stuff... so maybe we could have it default to the system store, unless ca data is passed in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@twangboy twangboy

Labels
Bug broken, incorrect, or confusing behavior dependency underlying Salt dependency issue Windows
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@darkpixel @OrangeDog @twangboy