Module: check_mk
Branch: master
Commit: 08c1bc0e9114c6cb60d70c542c75e1fb2ee9878d
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=08c1bc0e9114c6…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Jul 19 17:21:49 2018 +0200
6355 FIX Fix possible activation warning message about /etc/ssl/certs/localhost.crt
certificate
During configuration activation the "trusted certificates file"
var/ssl/ca-certificates.crt is
computed based on the configured global settings. In case the system certificates are
trusted
all certificates in /etc/ssl/certs are read.
We found several RH/CentOS distros to have a /etc/ssl/certs/localhost.crt which seems to
be some
kind of default certificate for local servers. The files may have a permission of 600
which makes
it not readable for the site user.
This results in an activation warning like this: ca-certificates: Failed to add
certificate
'/etc/ssl/certs/localhost.crt' to trusted CA certificates. See web.log for details
and these
entries in the var/log/web.log:
2018-06-21 03:55:52,120 [40] [cmk.web 19066] /master/check_mk/wato.py Internal error:
Traceback (most recent call last):
File "/omd/sites/master/share/check_mk/web/htdocs/watolib.py", line 501, in
_get_system_wide_trusted_ca_certificates
trusted_cas.update(self._get_certificates_from_file(os.path.join(cert_path, entry)))
File "/omd/sites/master/share/check_mk/web/htdocs/watolib.py", line 514, in
_get_certificates_from_file
return [ match.group(0) for match in self._PEM_RE.finditer(open(path).read()) ]
IOError: [Errno 13] Permission denied: '/etc/ssl/certs/localhost.crt'
Because this may be a standard configuration and affect a lot of users we decided to
remove this
warning for the /etc/ssl/certs/localhost.crt.
In case you need this /etc/ssl/certs/localhost.crt to be added to the trusted CA
certificates
simply chmod it to 644 (chown cannot set a mode). It is a public certificate and not a secret.
Change-Id: I7b9708929670a328085cb17dcb5b60fabbd62919
---
.werks/6355 | 33 +++++++++++++++++++++++++++++++++
cmk/gui/watolib.py | 17 +++++++++++++++--
2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/.werks/6355 b/.werks/6355
new file mode 100644
index 0000000..3d89147
--- /dev/null
+++ b/.werks/6355
@@ -0,0 +1,33 @@
+Title: Fix possible activation warning message about /etc/ssl/certs/localhost.crt
certificate
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.5.0b9
+Date: 1532013352
+Class: fix
+
+During configuration activation the "trusted certificates file"
var/ssl/ca-certificates.crt is
+computed based on the configured global settings. In case the system certificates are
trusted
+all certificates in /etc/ssl/certs are read.
+
+We found several RH/CentOS distros to have a /etc/ssl/certs/localhost.crt which seems to
be some
+kind of default certificate for local servers. The files may have a permission of 600
which makes
+it not readable for the site user.
+
+This results in an activation warning like this: ca-certificates: Failed to add
certificate
+'/etc/ssl/certs/localhost.crt' to trusted CA certificates. See web.log for
details and these
+entries in the var/log/web.log:
+
+ 2018-06-21 03:55:52,120 [40] [cmk.web 19066] /master/check_mk/wato.py Internal error:
Traceback (most recent call last):
+ File "/omd/sites/master/share/check_mk/web/htdocs/watolib.py", line 501, in
_get_system_wide_trusted_ca_certificates
+ trusted_cas.update(self._get_certificates_from_file(os.path.join(cert_path, entry)))
+ File "/omd/sites/master/share/check_mk/web/htdocs/watolib.py", line 514, in
_get_certificates_from_file
+ return [ match.group(0) for match in self._PEM_RE.finditer(open(path).read()) ]
+IOError: [Errno 13] Permission denied: '/etc/ssl/certs/localhost.crt'
+
+Because this may be a standard configuration and affect a lot of users we decided to
remove this
+warning for the /etc/ssl/certs/localhost.crt.
+
+In case you need this /etc/ssl/certs/localhost.crt to be added to the trusted CA
certificates
+simply chown it to 644. It is a public certificate and not a secret.
diff --git a/cmk/gui/watolib.py b/cmk/gui/watolib.py
index 0e8b050..c93b028 100644
--- a/cmk/gui/watolib.py
+++ b/cmk/gui/watolib.py
@@ -529,16 +529,29 @@ class ConfigDomainCACertificates(ConfigDomain):
continue
for entry in os.listdir(cert_path):
+ cert_file_path = os.path.join(cert_path, entry)
try:
ext = os.path.splitext(entry)[-1]
if ext not in [ ".pem", ".crt" ]:
continue
-
trusted_cas.update(self._get_certificates_from_file(os.path.join(cert_path, entry)))
+ trusted_cas.update(self._get_certificates_from_file(cert_file_path))
except IOError:
logger.exception()
+
+ # This error is shown to the user as warning message during
"activate changes".
+ # We keep this message for the moment because we think that it is a
helpful
+ # trigger for further checking web.log when a really needed
certificate can
+ # not be read.
+ #
+ # We know a permission problem with some files that are created by
default on
+ # some distros. We simply ignore these files because we assume that
they are
+ # not needed.
+ if cert_file_path == "/etc/ssl/certs/localhost.crt":
+ continue
+
errors.append("Failed to add certificate '%s' to trusted
CA certificates. "
- "See web.log for details." %
os.path.join(cert_path, entry))
+ "See web.log for details." % cert_file_path)
break