From c9684641aa714865916d8c6da9bc99ac9245b3fb Mon Sep 17 00:00:00 2001 From: "Sanad Liaquat (Personal)" Date: Tue, 16 Feb 2021 10:13:32 +0500 Subject: [PATCH] Use Custom root CA --- qa/Dockerfile | 10 +++ qa/qa/runtime/browser.rb | 4 - qa/qa/runtime/env.rb | 4 - .../authority/private/rootCAkey.pem | 30 +++++++ qa/tls_certificates/authority/root-ca.crt | 21 +++++ qa/tls_certificates/authority/rootCAcert.pem | 80 +++++++++++++++++++ 6 files changed, 141 insertions(+), 8 deletions(-) create mode 100644 qa/tls_certificates/authority/private/rootCAkey.pem create mode 100644 qa/tls_certificates/authority/root-ca.crt create mode 100644 qa/tls_certificates/authority/rootCAcert.pem diff --git a/qa/Dockerfile b/qa/Dockerfile index 76c81d03071db3..094e9686150f27 100644 --- a/qa/Dockerfile +++ b/qa/Dockerfile @@ -37,6 +37,16 @@ RUN wget -q "https://chromedriver.storage.googleapis.com/${CHROME_DRIVER_VERSION RUN unzip chromedriver_linux64.zip -d /usr/local/bin RUN rm -f chromedriver_linux64.zip +## +# Install root certificate +# + +COPY ./qa/tls_certificates/authority/root-ca.crt /tmp/CA-certs/ +RUN mkdir -p /usr/share/ca-certificates/extra \ + && cp /tmp/CA-certs/*.crt /usr/share/ca-certificates/extra \ + && update-ca-certificates +RUN rm -r /tmp/CA-certs/ + ## # Install gcloud and kubectl CLI used in Auto DevOps test to create K8s # clusters diff --git a/qa/qa/runtime/browser.rb b/qa/qa/runtime/browser.rb index a3fce8bff888ef..5d1dbf9b37e0e8 100644 --- a/qa/qa/runtime/browser.rb +++ b/qa/qa/runtime/browser.rb @@ -73,10 +73,6 @@ def self.configure! server: "ALL" }) - if QA::Runtime::Env.accept_insecure_certs? - capabilities['acceptInsecureCerts'] = true - end - # QA::Runtime::Env.browser.capitalize will work for every driver type except PhantomJS. # We will have no use to use PhantomJS so this shouldn't be a problem. options = Selenium::WebDriver.const_get(QA::Runtime::Env.browser.capitalize, false)::Options.new 
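Review bot: In the qa/Dockerfile hunk the certificate is copied to `/usr/share/ca-certificates/extra`, but on Debian-based images `update-ca-certificates` only picks up files under `/usr/share/ca-certificates` that are listed in `/etc/ca-certificates.conf`. Nothing here adds that entry, so the CA may never reach the system bundle; the base image is outside the hunk, so this needs confirming. Copying into the local directory avoids the problem: `COPY ./qa/tls_certificates/authority/root-ca.crt /usr/local/share/ca-certificates/` followed by `RUN update-ca-certificates`. That also makes the later `RUN rm -r /tmp/CA-certs/` unnecessary, which runs in its own layer and so does not remove the file from the image. Because this patch also drops `acceptInsecureCerts` in browser.rb, verify that the browser trusts the CA afterwards, since Chrome on Linux has historically read trust anchors from the NSS database rather than the system bundle.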
diff --git a/qa/qa/runtime/env.rb b/qa/qa/runtime/env.rb index 6c4139da83fa0d..118b10b197fb9f 100644 --- a/qa/qa/runtime/env.rb +++ b/qa/qa/runtime/env.rb @@ -120,10 +120,6 @@ def reuse_chrome_profile? enabled?(ENV['CHROME_REUSE_PROFILE'], default: false) end - def accept_insecure_certs? - enabled?(ENV['ACCEPT_INSECURE_CERTS']) - end - def running_in_ci? ENV['CI'] || ENV['CI_SERVER'] end diff --git a/qa/tls_certificates/authority/private/rootCAkey.pem b/qa/tls_certificates/authority/private/rootCAkey.pem new file mode 100644 index 00000000000000..34c0a497eb3eb4 --- /dev/null +++ b/qa/tls_certificates/authority/private/rootCAkey.pem 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQILSHBdbLlml8CAggA +MB0GCWCGSAFlAwQBKgQQhxHwGAFQKXj9hHvlKwGoVQSCBNBpIRcDxQq0OCITwAgU +2md178wMRe0b7JguwgAaE1g/2OSGyHX1KTr5c/RlkPVRyqVry0BJ99MjTHWOOu/R +YkATyuMS3JKrIBular18KGG11Rdjdm64V/Ltf6JDc9McRUBXUakbJ7fW3yHbLtxn +6WGulY/sm7M1VoU1TaFcOd8Z89WpxN9Q2oHCFJc40USGQqOEGbvc113Eo8mt/VLB +x716P/agYDVZl3MOSSk+u2GfesnVuJle/gUNjRcdBX487/qEbUDwwlWYv28RjHLP +U354CCIDEmYeHQJOSghymdvyBbaCZ7poYkmHmVgNlsogZH8H5ckqNiyIXhHca6Q4 +HZu+/pD3jI2YCsNbVzsL+IuG6kqGrQHGYpe7R61VnbOd2nQ7sSuOQYZ6fAowfyhG +GHO1bwNis2mXA983KAUVTmGg+fLUMZvA5p+zuTgzKDVLPCo7HxlAiapui0ZAW+Q+ +iTMeiwxs96g0CDZ8QV/4tlZh22NJLmusfQMIgjV+iX9tAEdMgA5DANUshywtl4vy +vJua3RY48PZOJ40Gx3ms3gzUp9+Vopic6qi1+SudKeGTrjjUdFzxbBBgfPcdlfEC +OUWntbK1HH8PPQOVQbhWBw9xImTqWlxz7RfbqkeqfvanYD2mvMm//F3WoNs9TeDj +04l0qBQGMXz3DxQZ33zTA6t92+PyU2tuV/p80X+JIWlaBJUOC/BdPAnUvbOPrs+F +957r/8wCW892CfZXwDDnjE65W98D9oW915qJu6M/1CdNVtIQfc7yEJvnEnOU2pt9 +duBmwUTT+h9LzrZ4GMFqkNpw14WAE8tOydKFL80+8yF+aCF9SQEBmpHUp9b0qoCR +dFVXI1NONFsJLV1/kX3aYDUSsY7c5CdPZ9slK4kGyjY1dj+FvTxtlCfCb6WojqIk +w1qGWy8mcsz1rSdnbMeWfwtGbjQew1XXTw9Hxc74Mkv4G/J4vPYiMPumD1saYb30 +it//h/tjB+LIQXnJPx+Giif1dCIK/x3ZQNONNnpEt0EF9APssseoBu4tPUdZAADU +Y1MAdxHi4RkKal+70iSRJNSXdreoDuMB3Y6vAqSnDZPUvSFAXFBREqYgcLma1l11 +HAYwd9vwqXro+/mvge6o/hW4PF3cHsWz9GacmQQuB/qB7KZt35b+X920f9f90zTt +V/BS43KZxxBT7JlCVeF9dslErnQUmpbMhCJKCEcIWag284Hn8tyArdDWI0OtvVsK +I4A6hx6xyNqP92K02rOcfZnyMv675kzrPzrOUbsxqfKuWfpHX7rV15QO/y+cr5aa +xnBwBNSFR1RoZnx/aYuRt7Z1XH7kz1TUvNFWuhofLc8vpcPaAVTFePNJkce4qjJS +y3PISEIaNvmn9uzmqlHSAGbFMn7gVuQSBbc5mG51s4xnzm3jciO4MievHuhEHyrA +OG8O0bxQRZIEprm8kIk3lMxWTUEg1zP9qw0if3oLL7x0uzIdAt8Dfui3Y2hUfUqd +fGOiM53to9CpGTQ6LamImBxfSBBHM3Z07s7z55i/3X35P+/NmQicUR9U5zlXiz+K +cnbto9xkzS+zaUvo2AZhynj4eAJwhW71oYZ5WPoY59JCMPviwiQBDoLzdhzHAyDh +yDrmQ0pHHS5CwbI/mWp92NhyAw== +-----END ENCRYPTED PRIVATE KEY----- 
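Review bot: This hunk commits the root CA's private key to the repository, next to the certificate that the Dockerfile installs as a trust anchor. The key is passphrase-encrypted (`ENCRYPTED PRIVATE KEY`), so its protection rests entirely on that passphrase, and once pushed the file stays in history even if it is deleted later. The certificate dump in rootCAcert.pem shows `CA:TRUE` with no name constraints, so anyone holding the key and passphrase could issue certificates for any hostname that the QA image would accept. Prefer keeping the key out of the tree, either by generating the CA at build or test time or by holding it in a CI secret. If it must stay, add a README in `qa/tls_certificates/` stating that the CA is test-only and must never be trusted outside the QA image.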
diff --git a/qa/tls_certificates/authority/root-ca.crt b/qa/tls_certificates/authority/root-ca.crt new file mode 100644 index 00000000000000..3f276d4fbb68be --- /dev/null +++ b/qa/tls_certificates/authority/root-ca.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiDCCAnCgAwIBAgIJAOx4HbseI/XmMA0GCSqGSIb3DQEBBQUAMFExCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UECgwGR2l0TGFiMQswCQYDVQQLDAJI +UTEXMBUGA1UEAwwOR2l0TGFiIENBIDIwMjEwHhcNMjEwMjE2MDM0MzUxWhcNMjQw +MjE2MDM0MzUxWjBRMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAoM +BkdpdExhYjELMAkGA1UECwwCSFExFzAVBgNVBAMMDkdpdExhYiBDQSAyMDIxMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CUvx3qZEfwayvcr0dSX8MYL +NM6iDWHA7Ze0mXiF2yPyPHG+/zGrdYdL/i+HW222F86ByGp2FhMZDZvLbsCZ0sUP +Tbo88aHfECFAu6XlNH85P8EU5jp98wUemHW7ndSHYJXkyHGtCAf+m6XITf3lVc33 +J9WSmYzK/dFAgWM4Ss1SQjFGuIEJCbV4vFu8+4BY9MB+fVfmF2u6C/FhManiL6i5 +47hoSR7lkTTtMaXkCdH64pm7xSFeBnBfssbQIzCdLVvqsMvx95AVxrNr6nMw2d/2 +iLW8Dr3Gbn/OiquYe8qAz+Nc4pGQtK220358BZCFUylVn6yybALLX79bzjqgXQID +AQABo2MwYTAdBgNVHQ4EFgQUYnjTUjuqCTwXSQIvORYY8SfDTxEwHwYDVR0jBBgw +FoAUYnjTUjuqCTwXSQIvORYY8SfDTxEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAEbSRHpPut62qm8iTWE8Pdcdl119 +fWmAQYbJSi6VFQ97eYsr+gAlKpeOI9vOSsLV6qxL3I9xSB5TnvvP6w4D+Z2GrJGe +6rSjNKOs/EHhJ67go2tQMFjv+zhXu3s5z4lrxuNHBs9gl7HiIzRPeozsJE/HQ7Oq +w2NIn8Vz03MX3RZ8TKvA395RA32TqyPyA0sj7qnNi/ngKazGOLyZ3pxCq1U2fyNI +0UhYFafj9bem2c1k7ChYgo/uHmuoVHI8MuTzNevyobfYthGcrHqtf3mZf9nPNJHd +HVVOHavRQ83F0/7vV7n4s7gMv3IPpvILxgueq7O3CRYp13OY1x82b3yJdH8= +-----END CERTIFICATE----- diff --git a/qa/tls_certificates/authority/rootCAcert.pem b/qa/tls_certificates/authority/rootCAcert.pem new file mode 100644 index 00000000000000..0dc7cf39b156e2 --- /dev/null +++ b/qa/tls_certificates/authority/rootCAcert.pem 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17039401879658034662 (0xec781dbb1e23f5e6) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=TX, O=GitLab, OU=HQ, CN=GitLab CA 2021 + Validity + Not Before: Feb 16 03:43:51 2021 GMT + Not After : Feb 16 03:43:51 2024 GMT + Subject: C=US, ST=TX, O=GitLab, OU=HQ, CN=GitLab CA 2021 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:25:2f:c7:7a:99:11:fc:1a:ca:f7:2b:d1:d4: + 97:f0:c6:0b:34:ce:a2:0d:61:c0:ed:97:b4:99:78: + 85:db:23:f2:3c:71:be:ff:31:ab:75:87:4b:fe:2f: + 87:5b:6d:b6:17:ce:81:c8:6a:76:16:13:19:0d:9b: + cb:6e:c0:99:d2:c5:0f:4d:ba:3c:f1:a1:df:10:21: + 40:bb:a5:e5:34:7f:39:3f:c1:14:e6:3a:7d:f3:05: + 1e:98:75:bb:9d:d4:87:60:95:e4:c8:71:ad:08:07: + fe:9b:a5:c8:4d:fd:e5:55:cd:f7:27:d5:92:99:8c: + ca:fd:d1:40:81:63:38:4a:cd:52:42:31:46:b8:81: + 09:09:b5:78:bc:5b:bc:fb:80:58:f4:c0:7e:7d:57: + e6:17:6b:ba:0b:f1:61:31:a9:e2:2f:a8:b9:e3:b8: + 68:49:1e:e5:91:34:ed:31:a5:e4:09:d1:fa:e2:99: + bb:c5:21:5e:06:70:5f:b2:c6:d0:23:30:9d:2d:5b: + ea:b0:cb:f1:f7:90:15:c6:b3:6b:ea:73:30:d9:df: + f6:88:b5:bc:0e:bd:c6:6e:7f:ce:8a:ab:98:7b:ca: + 80:cf:e3:5c:e2:91:90:b4:ad:b6:d3:7e:7c:05:90: + 85:53:29:55:9f:ac:b2:6c:02:cb:5f:bf:5b:ce:3a: + a0:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 62:78:D3:52:3B:AA:09:3C:17:49:02:2F:39:16:18:F1:27:C3:4F:11 + X509v3 Authority Key Identifier: + keyid:62:78:D3:52:3B:AA:09:3C:17:49:02:2F:39:16:18:F1:27:C3:4F:11 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha1WithRSAEncryption + 46:d2:44:7a:4f:ba:de:b6:aa:6f:22:4d:61:3c:3d:d7:1d:97: + 5d:7d:7d:69:80:41:86:c9:4a:2e:95:15:0f:7b:79:8b:2b:fa: + 00:25:2a:97:8e:23:db:ce:4a:c2:d5:ea:ac:4b:dc:8f:71:48: + 1e:53:9e:fb:cf:eb:0e:03:f9:9d:86:ac:91:9e:ea:b4:a3:34: + a3:ac:fc:41:e1:27:ae:e0:a3:6b:50:30:58:ef:fb:38:57:bb: + 
7b:39:cf:89:6b:c6:e3:47:06:cf:60:97:b1:e2:23:34:4f:7a: + 8c:ec:24:4f:c7:43:b3:aa:c3:63:48:9f:c5:73:d3:73:17:dd: + 16:7c:4c:ab:c0:df:de:51:03:7d:93:ab:23:f2:03:4b:23:ee: + a9:cd:8b:f9:e0:29:ac:c6:38:bc:99:de:9c:42:ab:55:36:7f: + 23:48:d1:48:58:15:a7:e3:f5:b7:a6:d9:cd:64:ec:28:58:82: + 8f:ee:1e:6b:a8:54:72:3c:32:e4:f3:35:eb:f2:a1:b7:d8:b6: + 11:9c:ac:7a:ad:7f:79:99:7f:d9:cf:34:91:dd:1d:55:4e:1d: + ab:d1:43:cd:c5:d3:fe:ef:57:b9:f8:b3:b8:0c:bf:72:0f:a6: + f2:0b:c6:0b:9e:ab:b3:b7:09:16:29:d7:73:98:d7:1f:36:6f: + 7c:89:74:7f +-----BEGIN CERTIFICATE----- +MIIDiDCCAnCgAwIBAgIJAOx4HbseI/XmMA0GCSqGSIb3DQEBBQUAMFExCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UECgwGR2l0TGFiMQswCQYDVQQLDAJI +UTEXMBUGA1UEAwwOR2l0TGFiIENBIDIwMjEwHhcNMjEwMjE2MDM0MzUxWhcNMjQw +MjE2MDM0MzUxWjBRMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAoM +BkdpdExhYjELMAkGA1UECwwCSFExFzAVBgNVBAMMDkdpdExhYiBDQSAyMDIxMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CUvx3qZEfwayvcr0dSX8MYL +NM6iDWHA7Ze0mXiF2yPyPHG+/zGrdYdL/i+HW222F86ByGp2FhMZDZvLbsCZ0sUP +Tbo88aHfECFAu6XlNH85P8EU5jp98wUemHW7ndSHYJXkyHGtCAf+m6XITf3lVc33 +J9WSmYzK/dFAgWM4Ss1SQjFGuIEJCbV4vFu8+4BY9MB+fVfmF2u6C/FhManiL6i5 +47hoSR7lkTTtMaXkCdH64pm7xSFeBnBfssbQIzCdLVvqsMvx95AVxrNr6nMw2d/2 +iLW8Dr3Gbn/OiquYe8qAz+Nc4pGQtK220358BZCFUylVn6yybALLX79bzjqgXQID +AQABo2MwYTAdBgNVHQ4EFgQUYnjTUjuqCTwXSQIvORYY8SfDTxEwHwYDVR0jBBgw +FoAUYnjTUjuqCTwXSQIvORYY8SfDTxEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAEbSRHpPut62qm8iTWE8Pdcdl119 +fWmAQYbJSi6VFQ97eYsr+gAlKpeOI9vOSsLV6qxL3I9xSB5TnvvP6w4D+Z2GrJGe +6rSjNKOs/EHhJ67go2tQMFjv+zhXu3s5z4lrxuNHBs9gl7HiIzRPeozsJE/HQ7Oq +w2NIn8Vz03MX3RZ8TKvA395RA32TqyPyA0sj7qnNi/ngKazGOLyZ3pxCq1U2fyNI +0UhYFafj9bem2c1k7ChYgo/uHmuoVHI8MuTzNevyobfYthGcrHqtf3mZf9nPNJHd +HVVOHavRQ83F0/7vV7n4s7gMv3IPpvILxgueq7O3CRYp13OY1x82b3yJdH8= +-----END CERTIFICATE----- -- GitLab
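Review bot: The certificate in rootCAcert.pem has `Not After : Feb 16 03:43:51 2024 GMT`, and nothing in the patch records how it was generated or how to renew it. Once the browser override is removed, QA runs will start failing on that date. The base64 block here appears identical to the one in root-ca.crt, so the same certificate is stored twice and the copies can drift on renewal; keep one file and derive the other form when needed. The signature algorithm is `sha1WithRSAEncryption`, which matters little for a self-signed anchor but is worth replacing with SHA-256 when the CA is regenerated. A short comment or README entry with the regeneration steps and the expiry date would cover all three.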