
x509-bundle as used by envoy::tlsproxy fails on single certificate file
Open, Medium, Public


Noticed this on, though the error is the same as T255464: Puppet failing on /usr/local/sbin/x509-bundle error. Namely, when /usr/local/sbin/x509-bundle --skip-root --skip-first is called on a file with a single certificate then a failure ensues:

/usr/local/sbin/x509-bundle --skip-root --skip-first -c /etc/ssl/localcerts/grafana.discovery.wmnet.crt -o /etc/ssl/localcerts/grafana.discovery.wmnet.chain.crt
Traceback (most recent call last):
  File "/usr/local/sbin/x509-bundle", line 140, in <module>
  File "/usr/local/sbin/x509-bundle", line 119, in main
IndexError: pop from empty list

I think either the call from puppet is wrong or (more likely) a single-certificate file must be handled differently.