fix(packaging): convert CA key from SEC1 to PKCS#8 for Rust pm-ca parser (#71)
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 3s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Failing after 1m21s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 16s
CI Pipeline / Build .deb & Release (push) Has been skipped
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 3s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Failing after 1m21s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 16s
CI Pipeline / Build .deb & Release (push) Has been skipped
The Rust pm-ca crate (crates/pm-ca/src/ca.rs) only parses PKCS#8 format private keys. openssl ecparam -genkey produces SEC1 format (BEGIN EC PRIVATE KEY), which the Rust ring/RSA parser rejects with "parse CA private-key PEM", causing the service to crash-loop on startup. Proven on LPM: converting ca.key with openssl pkcs8 -topk8 -nocrypt and restarting patch-manager-web results in: Root CA loaded successfully Listening (HTTPS) on 0.0.0.0:443
This commit is contained in:
Draco-Lunaris-Echo
committed by
GitHub
GitHub
parent
f9ca15f7d9
commit
27716af5d7
2
debian/postinst
vendored
2
debian/postinst
vendored
@ -277,6 +277,8 @@ generate_tls_certs() {
|
||||
if [[ ! -f "${ca_cert}" ]]; then
|
||||
info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..."
|
||||
openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}"
|
||||
# Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8).
|
||||
openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}"
|
||||
openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \
|
||||
-days 3650 \
|
||||
-subj "/CN=Patch Manager Root CA/O=Patch Manager" \
|
||||
|
||||
Reference in New Issue
Block a user