Skip to content

Documentation Bug: AWS STS docs for migrating from public S3 bucket to CloudFront Distribution computes incorrect leaf certificate. #1044

Description

@xinkecf35

For the doc at docs/sts-migrate-to-private-bucket.md covering how one can update an existing OpenShift AWS cluster from using a public S3 bucket to a CloudFront distribution to distribute the required JWKS key there is a step that asks the user to compute the fingerprint for the an certificate issued to CloudFront distribution to allow AWS IAM to verify trust certificates issued by that CA without having to update the trust trusts when the signing certificate is rotated.

However, the openssl command example in the doc appears to compute the fingerprint of the leaf/server certificate for the CloudFront distribution, since openssl x509 consumes only the first PEM certificate from the output openssl s_client is invoked.

The documentation issue is of minimal impact as the linked documentation to obtaining the fingerprint states that if the certificate is issued by one of the CA that AWS owns/trusts, fingerprint verification is skipped, i.e., for CloudFront distributions using the default certificates or a certificate issued by AWS ACM the incorrect fingerprint does not impact validation.

For verification purposes, the example should be updated to reflect AWS documentation on that the correct thumbprint to obtain is for the intermediate CA certificate that issued the leaf certificate used to secure the CloudFront distribution.

For the creation of the OIDC IAM Provider, could instead recommend is relying on AWS IAM to obtain the fingerprint as the same linked doc explains AWS IAM will attempt to automatically obtain the intermediate CA fingerprint for the given server/leaf certificate.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions