x509-bundle as used by envoy::tlsproxy fails on single certificate file
Open, Medium, Public

Description

Noticed this on pontoon-grafana-01.monitoring.eqiad1.wikimedia.cloud, though the error is the same as T255464: Puppet failing on wikistats.analytics.eqiad.wmflabs: /usr/local/sbin/x509-bundle error. Namely, when /usr/local/sbin/x509-bundle --skip-root --skip-first is called on a file with a single certificate then a failure ensues:

/usr/local/sbin/x509-bundle --skip-root --skip-first -c /etc/ssl/localcerts/grafana.discovery.wmnet.crt -o /etc/ssl/localcerts/grafana.discovery.wmnet.chain.crt
Traceback (most recent call last):
  File "/usr/local/sbin/x509-bundle", line 140, in <module>
    main()
  File "/usr/local/sbin/x509-bundle", line 119, in main
    certpath.pop(0)
IndexError: pop from empty list

I think either the call from puppet is wrong or (more likely) a single-certificate file must be handled differently.
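An added example, not part of the original task and not the x509-bundle source: a sketch of how the `--skip-first` / `--skip-root` trimming can tolerate a one-certificate path. The `Cert` stand-in, `naive_trim`, `safe_trim` and the sample names are hypothetical; `naive_trim` is only an assumed shape that raises the same `IndexError`, since the tool's real logic is not shown on this page.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for a parsed certificate: only the two names matter here.
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def naive_trim(path: List[Cert], skip_first: bool, skip_root: bool) -> List[Cert]:
    """Assumed failing shape: unconditional pops, no length checks."""
    path = list(path)
    if skip_root:
        path.pop()       # assumes the last entry is always a root
    if skip_first:
        path.pop(0)      # IndexError when nothing is left
    return path


def safe_trim(path: List[Cert], skip_first: bool, skip_root: bool) -> List[Cert]:
    """Apply both options without assuming a minimum path length."""
    path = list(path)
    # Drop the leaf first so a lone certificate is never also treated as the root.
    if skip_first and path:
        path = path[1:]
    # Only drop a trailing certificate that really is self-signed.
    if skip_root and path and path[-1].self_signed:
        path = path[:-1]
    return path  # may be empty: caller decides whether to write an empty chain file


# Constructed sample paths (leaf first, root last).
LEAF = Cert("CN=grafana.example", "CN=Example Intermediate")
INTERMEDIATE = Cert("CN=Example Intermediate", "CN=Example Root")
ROOT = Cert("CN=Example Root", "CN=Example Root")

if __name__ == "__main__":
    for name, path in [("single", [LEAF]), ("full", [LEAF, INTERMEDIATE, ROOT])]:
        print(name, [c.subject for c in safe_trim(path, True, True)])
        try:
            naive_trim(path, True, True)
        except IndexError as exc:
            print(name, "naive version fails:", exc)
```

With a single certificate the guarded version returns an empty chain, so the caller can choose between writing an empty chain file and failing with a clear message instead of a traceback.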