Use wget/curl for testing Custom CA trust
Problem
The current testing approach of trusting Custom CA Cert is masking the actual issue in the underlying logic for UBI-based images. As outlined here, the recommended approach for trusting the Self-signed CA certificate is different depending on the OS of the image. However, the current test implementation (via ssl-test.go) passes all the time regardless of whether the Custom CA is in the trusted list, which gave us false confirmation of the correctness of the Trusting Custom CA Cert feature.
Solution
I tried multiple approaches to resolve the issue in ssl-test.go. However, the recommended approach for the fix was effortful and the changes also involved the regeneration of server certificates in the Test SSL Server repository, just to make it compatible with the Go SSL lib. So I tried it using good ol' curl and wget libs and their behavior matches as expected. So I decided to go with the curl and wget approach to confirm the tests, since either of them comes pre-installed with most of the Linux-based images we use except the Debian-based ones, on which I'm installing wget on demand.
Here's the sample output when invoked with wget on UBI-based images:
sh-4.4$ wget https://ssl-test/
...
ERROR: The certificate of 'ssl-test' is not trusted.
ERROR: The certificate of 'ssl-test' hasn't got a known issuer.
Whereas the sample output when invoked with wget on Non UBI-based images (Alpine, Debian, etc.):
sh-4.4$ wget https://ssl-test/
...
Resolving ssl-test (ssl-test)... 192.168.228.2
Connecting to ssl-test (ssl-test)|192.168.228.2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 615 [text/html]
What does this MR do?
- Replaces Go binary with a Bash Script (check-cert.sh) that contains a curl and wget ping to the test server URL (https://ssl-test) to verify if Custom CA certificate is trusted.
- Adds missing FIPS variants of Gemnasium Analyzers (Gemnasium, Maven and Python)
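The kind of probe described above, as an added example (not the check-cert.sh from this MR): it separates "CA not trusted" from other failures using curl's exit status 60 and GNU Wget's exit status 5, and fails when neither tool is installed so the check cannot pass vacuously. The function names are invented for this example; https://ssl-test/ is the test server named in the description.

```shell
#!/bin/sh
# Added example; not the check-cert.sh from this MR.
# tls_verdict and check_ca_trust are names invented for this example.

# Map a tool's exit status to a verdict.
#   curl 60: peer certificate could not be verified against the known CAs
#   wget 5:  SSL verification failure (GNU Wget; other wget builds may
#            report a different status, which lands in "error" below)
tls_verdict() {  # usage: tls_verdict <curl|wget> <exit-status>
    case "$1:$2" in
        curl:0|wget:0)  echo trusted ;;
        curl:60|wget:5) echo untrusted ;;
        *)              echo error ;;
    esac
}

# Probe <url> with every tool that is installed, one report line per tool.
# Returns 0 only if at least one tool ran and every tool trusted the server,
# 1 if any tool rejected the certificate chain, 2 for any other failure
# (DNS, timeout, ...) or when neither tool exists, so the check can never
# pass without having made a verified TLS connection.
check_ca_trust() {
    url=$1; ran=0; result=0
    for tool in curl wget; do
        command -v "$tool" >/dev/null 2>&1 || continue
        ran=1; status=0
        case $tool in
            curl) curl --silent --show-error --output /dev/null \
                       --max-time 10 "$url" || status=$? ;;
            wget) wget -q -O /dev/null -T 10 "$url" || status=$? ;;
        esac
        verdict=$(tls_verdict "$tool" "$status")
        echo "$tool: $verdict (exit $status)"
        case $verdict in
            untrusted) result=1 ;;
            error)     if [ "$result" -eq 0 ]; then result=2; fi ;;
        esac
    done
    if [ "$ran" -eq 0 ]; then
        echo "neither curl nor wget is installed" >&2
        return 2
    fi
    return "$result"
}

# Run the probe only when a URL is passed, e.g. sh probe.sh https://ssl-test/
if [ "$#" -gt 0 ]; then check_ca_trust "$1"; fi
```

A test for the untrusted case (such as the UBI output above) would assert a return of 1 specifically, so that a DNS or timeout failure is not mistaken for a certificate rejection.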