[BUG] Salt ignores Windows Certificate Store #65439
Comments
It looks like the way forward is to use https://pypi.org/project/truststore/. Or maybe this: https://stackoverflow.com/a/77577017/4581998
This may require a rewrite where we use the
Description
A client recently rolled out an intercepting web proxy.
They created their own self-signed CA and deployed it to all Windows machines under the "Trusted Root Certification Authorities" store in Windows.
The web proxy intercepts HTTPS (and HTTP) requests for scanning and logging. The HTTPS certs returned are signed by the self-signed CA.
Pretty much everything in Windows "just works" with this configuration because everything pays attention to the Trusted Root Certification Authorities certificate store.
...except salt. Salt appears to ignore the Windows Certificate Store entirely.
Ref bug #46644 and abandoned PR #51883
Installing python-certifi-win32 in the onedir environment does not fix this.
Steps to Reproduce the behavior
Use a standard winrepo-ng definition:
Set up a proxy server that intercepts HTTPS requests and signs them with a certificate that's trusted by the Windows Certificate Store (easier said than done).
salt-call -l info pkg.install chrome
Expected behavior
Salt should pay attention to the machine's certificate store.
Versions Report
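As an added example (not part of the issue and not Salt's code): Python's standard `ssl` module can enumerate the Windows "Trusted Root Certification Authorities" store with `ssl.enum_certificates("ROOT")`, and the sketch below filters those entries to the ones trusted for TLS server authentication and renders them as a PEM bundle. The helper names and the sample entries are assumptions made for illustration; whether Salt's HTTP client would honor such a bundle is not stated in the issue.

```python
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication


def server_auth_roots(entries):
    """Yield DER blobs from (cert_bytes, encoding, trust) tuples, the shape
    returned by ssl.enum_certificates(), that may be used to verify TLS servers."""
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 containers
            continue
        # trust is exactly True (all purposes) or a set of EKU OID strings
        if trust is True or SERVER_AUTH_OID in trust:
            yield cert_bytes


def to_pem_bundle(entries):
    """Concatenate the selected certificates into one PEM bundle string."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in server_auth_roots(entries))


def windows_root_entries():
    """Read the machine's Trusted Root store; returns an empty list off Windows."""
    if sys.platform != "win32":
        return []
    return ssl.enum_certificates("ROOT")


# Constructed sample entries: placeholder bytes, not real certificates.
SAMPLE = [
    (b"der-all-purposes", "x509_asn", True),
    (b"der-server-auth", "x509_asn", {SERVER_AUTH_OID}),
    (b"der-code-signing-only", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),
    (b"pkcs7-container", "pkcs_7_asn", True),
]

if __name__ == "__main__":
    # On Windows this reads the real store; elsewhere it falls back to SAMPLE.
    bundle = to_pem_bundle(windows_root_entries() or SAMPLE)
    print(bundle.count("BEGIN CERTIFICATE"), "certificates selected")
```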