whitslack
Collaborator

@whitslack whitslack commented Aug 23, 2025

Recent versions of urllib3 fail certificate verification if certificates lack the Authority Key Identifier or Key Usages extensions:

```
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1032)
```

Luckily, rcgen offers parameters in its CertificateParams structure to add these extensions. Let's use them.

Changelog-Fixed: Certificates auto-generated by grpc-plugin, rest-plugin, and wss-proxy-plugin now include the required Authority Key Identifier and Key Usages extensions.

Checklist

Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:

  • The changelog has been updated in the relevant commit(s) according to the guidelines.
  • Tests have been added or modified to reflect the changes.
  • Documentation has been reviewed and updated as needed.
  • Related issues have been listed and linked, including any that this PR closes. None found.

@whitslack whitslack requested a review from cdecker as a code owner August 23, 2025 23:24
@whitslack whitslack marked this pull request as draft August 23, 2025 23:42
@whitslack whitslack force-pushed the grpc-plugin/use-authority-key-id branch from 211eda4 to 9d54804 Compare August 24, 2025 00:39
@whitslack whitslack marked this pull request as ready for review August 24, 2025 00:41
@whitslack whitslack marked this pull request as draft August 24, 2025 00:45
@whitslack whitslack force-pushed the grpc-plugin/use-authority-key-id branch from 9d54804 to e62a271 Compare August 24, 2025 02:48
@whitslack whitslack marked this pull request as ready for review August 24, 2025 02:49
@whitslack whitslack changed the title from "grpc-plugin: generate CA cert with Authority Key Identifier" to "plugins: generate certificates with required extensions" Aug 24, 2025
@rustyrussell rustyrussell added this to the v25.09 milestone Aug 26, 2025
@rustyrussell
Contributor

Thanks for diagnosing!

@rustyrussell rustyrussell merged commit d635f19 into ElementsProject:master Aug 26, 2025
70 of 76 checks passed
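
The two errors quoted in the pull request description each name a specific X.509 extension. The following added example, which is not code from this pull request or from the project, uses only the Python standard library to report whether a DER-encoded certificate carries the Authority Key Identifier (OID 2.5.29.35) and Key Usage (OID 2.5.29.15) extensions. All function names are assumptions of the example, and `sample_cert` builds a constructed, unsigned certificate-shaped input rather than a real certificate.

```python
# Added example: presence check for the two extensions named in the errors above.
OID_KEY_USAGE = bytes([0x55, 0x1D, 0x0F])         # 2.5.29.15 keyUsage
OID_AUTHORITY_KEY_ID = bytes([0x55, 0x1D, 0x23])  # 2.5.29.35 authorityKeyIdentifier

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def extension_oids(der):
    """Collect the encoded extnID of every extension in a DER X.509 certificate."""
    _, cert_s, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)    # tbsCertificate ::= SEQUENCE
    oids = set()
    for tag, vs, _ in children(der, tbs_s, tbs_e):
        if tag == 0xA3:                        # extensions [3] EXPLICIT
            _, seq_s, seq_e = read_tlv(der, vs)
            for _, ext_s, _ in children(der, seq_s, seq_e):
                oid_tag, oid_s, oid_e = read_tlv(der, ext_s)
                if oid_tag == 0x06:            # extnID OBJECT IDENTIFIER
                    oids.add(bytes(der[oid_s:oid_e]))
    return oids

def missing_extensions(der):
    """Name which of the two extensions from the errors above are absent."""
    found = extension_oids(der)
    wanted = (("authorityKeyIdentifier", OID_AUTHORITY_KEY_ID), ("keyUsage", OID_KEY_USAGE))
    return [name for name, oid in wanted if oid not in found]

def tlv(tag, body):
    """Encode a DER element with a short-form length (enough for the sample below)."""
    return bytes([tag, len(body)]) + body

def sample_cert(ext_oids):
    """Constructed, unsigned certificate-shaped DER: version, serial, extensions only."""
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, b"")) for o in ext_oids)
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))))
```

For a PEM certificate, convert it with `ssl.PEM_cert_to_DER_cert` before calling `missing_extensions`. The check reports presence only; it does not validate the extension contents or the chain.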