Trust/client certificate without newline at the end is causing openssl problem

Setup

Linkerd: v1.3.1
Env: kubernetes v1.7
Configuration: Mutual Auth b/w client server

Description

I am observing OpenSSL problem when my trust/client certs don’t have a newline at the end. But generally when I make request (using curl) to my endpoints without proxing through linkerd I don’t have any issues.

through linkerd:
http_proxy=$L5D:4140 curl -v http://foo.bar.com --> OPENSSL PROBLEM

without linkerd:

curl -v http://foo.bar.com --cacert cert-with-newline.pem --> SUCCESS
curl -v http://foo.bar.com --cacert cert-with-OUT-newline.pem --> SUCCESS

sample cert without newline in the end:
certificate.pem (1.4 KB)

Why does linkerd considers cert to be invalid without a new line in the end as certificate can be properly reviewed using openssl

openssl x509 -text -noout -in certificate.pem

linkerd-config
linkerd2.yml (4.0 KB)
configmap.yml (649 Bytes)

Hi. Thanks for the bug report. It does seem like linkerd is likely being too strict here. I filed https://github.com/linkerd/linkerd/issues/1772 so that the issue can be prioritized against other product development.

1 Like