Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] HostnameError when providing a Thumbprint is no longer ignored #3600

Closed
chrischdi opened this issue Oct 23, 2024 · 2 comments · Fixed by #3601
Closed

[BUG] HostnameError when providing a Thumbprint is no longer ignored #3600

chrischdi opened this issue Oct 23, 2024 · 2 comments · Fixed by #3601

Comments

@chrischdi
Copy link
Member

Describe the bug

The PR #3547 changed the function func IsCertificateUntrusted(err error) bool in how it detects errors.

Since bumping govmomi, CAPV is no longer able to talk to servers where the certificate does not provide the correct IP addresses (e.g. vcsim when not using localhost / 127.0.0.1) resulting in the following error:

failed to create client: Post \"[https://10.244.0.13:37283/sdk\":](https://10.244.0.13:37283/sdk/%22:) tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 10.244.0.13

To Reproduce
Steps to reproduce the behavior:

Using the following unit test which is green on v0.43.0 but fails for >= v0.44.0:

package soap

import (
	"crypto/tls"
	"crypto/x509"
	"testing"
)

func TestIsCertificateUntrusted(t *testing.T) {
	type args struct {
	}
	tests := []struct {
		name string
		err  error
		want bool
	}{
		{
			name: "tls.CertificateVerificationError",
			err: x509.HostnameError{
				Certificate: &x509.Certificate{},
				Host:        "1.1.1.1",
			},
			want: true,
		},
		{
			name: "tls.CertificateVerificationError",
			err: &tls.CertificateVerificationError{
				UnverifiedCertificates: []*x509.Certificate{
					&x509.Certificate{},
				},
				Err: x509.HostnameError{
					Certificate: &x509.Certificate{},
					Host:        "1.1.1.1",
				},
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := IsCertificateUntrusted(tt.err); got != tt.want {
				t.Errorf("IsCertificateUntrusted() = %v, want %v", got, tt.want)
			}
		})
	}
}

Expected behavior
A clear and concise description of what you expected to happen.

The error to be ignored.

Affected version
Please provide details on the version used, e.g. release tag, commit, module version, etc.

Fails for >= v0.44.0

Change was introduced in #3547

Screenshots/Debug Output
If applicable, add screenshots or debug output to help explain your problem.

image

Additional context
Add any other context about the problem here.
@chrischdi
Copy link
Member Author

I think instead of using errors.Is we should use errors.As instead !

@chrischdi chrischdi mentioned this issue Oct 23, 2024
Merged
@dougm
Copy link
Member

dougm commented Oct 23, 2024

Thanks @chrischdi , do you want to open PR that reverts IsCertificateUntrusted to using errors.As and include your test?

@chrischdi chrischdi mentioned this issue Oct 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix error assertion in IsCertificateUntrusted chrischdi/govmomi
2 participants
@dougm @chrischdi