
fix(coderd/azureidentity): add Azure IMDS G2 chain certificates#25243

Merged
geokat merged 1 commit into
mainfrom
george/plat-205-azure-instance-identity-verification-is-broken
May 13, 2026

Conversation

@geokat
Contributor

@geokat geokat commented May 13, 2026

Azure IMDS attested data signatures can now chain through
Microsoft TLS G2 RSA CA OCSP intermediates, then through the
cross-signed Microsoft TLS RSA Root G2 certificate, before reaching
DigiCert Global Root G2.

coderd did not bundle the new G2 OCSP intermediates or the
cross-signed Microsoft TLS RSA Root G2 bridge certificate, so it could
fail to build a trusted chain for affected IMDS signatures.

Related to: https://linear.app/codercom/issue/PLAT-205/bug-azure-instance-identity-verification-is-broken

NOTE: I don't have access to Azure at the moment, so I couldn't
reproduce the issue and test the fix. However, I noticed that
creating a workspace on dogfood using the azure-linux template
resulted in an agent connectivity error, so I figured the issue may
be affecting dogfood too:

image

Depending on the urgency, we could merge the fix and see if it fixes
the dogfood issue before we verify it in a dev env.

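The chain-building failure described in the PR, as an added example rather than code from the coder repository: a Go program that generates a throwaway four-certificate chain shaped like the one in the description (IMDS signer, Microsoft TLS G2 RSA CA, cross-signed Microsoft TLS RSA Root G2 bridge, DigiCert Global Root G2) and shows crypto/x509 verification failing when the bridge and G2 intermediate are absent from the intermediate pool. All names and keys are constructed on the fly; coderd's own verifier and the real bundled certificates are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a throwaway test cert for cn signed by parent (self-signed when nil); constructed stand-ins only.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, pkey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// BuildChain mirrors the PR's path: IMDS signer -> G2 RSA CA -> cross-signed bridge -> DigiCert Global Root G2.
func BuildChain() (leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) {
	root, rootKey := mkCert("TEST DigiCert Global Root G2", true, nil, nil)
	bridge, bridgeKey := mkCert("TEST Microsoft TLS RSA Root G2 (cross-signed)", true, root, rootKey)
	ica, icaKey := mkCert("TEST Microsoft TLS G2 RSA CA", true, bridge, bridgeKey)
	leaf, _ = mkCert("TEST IMDS attested-data signer", false, ica, icaKey)
	return leaf, []*x509.Certificate{bridge, ica}, root
}
// ChainOK reports whether leaf chains to root using only the bundled intermediates (coderd's failing step).
func ChainOK(leaf, root *x509.Certificate, intermediates []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

With `leaf, inters, root := BuildChain()`, `ChainOK(leaf, root, nil)` returns false and `ChainOK(leaf, root, inters)` returns true; dropping only the bridge (`inters[1:]`) also fails, because the G2 CA's issuer is the cross-signed bridge rather than the DigiCert root.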
@geokat geokat force-pushed the george/plat-205-azure-instance-identity-verification-is-broken branch from fc72831 to d6a6455 May 13, 2026 00:48
@geokat geokat marked this pull request as ready for review May 13, 2026 01:01
@geokat geokat requested review from Emyrk and f0ssel May 13, 2026 01:02
Member

@Emyrk Emyrk left a comment


Stamping

@geokat geokat merged commit 49c6191 into main May 13, 2026
35 checks passed
@geokat geokat deleted the george/plat-205-azure-instance-identity-verification-is-broken branch May 13, 2026 16:07
@github-actions github-actions Bot locked and limited conversation to collaborators May 13, 2026
@geokat geokat added cherry-pick/v2.24 Needs to be cherry-picked to the 2.24 release branch cherry-pick/v2.29 Needs to be cherry-picked to the 2.29 release branch cherry-pick/v2.30 Needs to be cherry-picked to the 2.30 release branch cherry-pick/v2.31 Needs to be cherry-picked to the 2.31 release branch cherry-pick/v2.32 cherry-pick backport and removed cherry-pick/v2.24 Needs to be cherry-picked to the 2.24 release branch cherry-pick/v2.29 Needs to be cherry-picked to the 2.29 release branch cherry-pick/v2.30 Needs to be cherry-picked to the 2.30 release branch cherry-pick/v2.31 Needs to be cherry-picked to the 2.31 release branch cherry-pick/v2.32 labels May 14, 2026