diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 02d3b5cbc67d0..6ff1ec7b8f412 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -2152,11 +2152,11 @@ func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequ
 NotAfter: a.clock.Now().UTC().Add(defaults.CATTL),
 DNSNames: append([]string{}, req.AdditionalPrincipals...),
 }
+ // API requests need to specify a DNS name, which must be present in the certificate's DNS Names.
 // The target DNS is not always known in advance so we add a default one to all certificates.
- if (types.SystemRoles{req.Role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleApp) {
- certRequest.DNSNames = append(certRequest.DNSNames, "*."+constants.APIDomain, constants.APIDomain)
- }
+ certRequest.DNSNames = append(certRequest.DNSNames, DefaultDNSNamesForRole(req.Role)...)
+
 // Unlike additional principals, DNS Names is x509 specific and is limited
 // to services with TLS endpoints (e.g. auth, proxies, kubernetes)
 if (types.SystemRoles{req.Role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleWindowsDesktop) {
@@ -3764,3 +3764,14 @@ func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName st
 return tlsCopy, nil
 }
 }
+
+ // DefaultDNSNamesForRole returns default DNS names for the specified role.
+ func DefaultDNSNamesForRole(role types.SystemRole) []string {
+ if (types.SystemRoles{role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleApp, types.RoleDatabase, types.RoleWindowsDesktop) {
+ return []string{
+ "*." + constants.APIDomain,
+ constants.APIDomain,
+ }
+ }
+ return nil
+ }
diff --git a/lib/service/service.go b/lib/service/service.go
index 7f952a828cd6b..edaab149c8144 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
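Review bot: The retained context comment "we add a default one to all certificates" is now inaccurate, because the line that replaces the `if` block, `certRequest.DNSNames = append(certRequest.DNSNames, DefaultDNSNamesForRole(req.Role)...)`, appends nothing for roles the helper returns nil for. I would reword it to `// The target DNS is not always known in advance, so roles with a TLS endpoint get the cluster API domain names by default (see DefaultDNSNamesForRole).` The `if` three lines below still carries its own inline role list (Auth, Admin, Proxy, Kube, WindowsDesktop), which no longer matches the helper's list (which also has App and Database); its body is outside the hunk, so I cannot tell whether the divergence is intended, but a one-line comment stating that the two sets are deliberately different would stop the next reader from "fixing" it. GenerateHostCerts starts and ends outside this hunk.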
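Review bot: The doc comment on the new `DefaultDNSNamesForRole` names neither the roles that qualify, the nil result for every other role, nor the fact that RoleDatabase and RoleWindowsDesktop are newly added compared with the list the commit removes from GenerateHostCerts. The wildcard `"*." + constants.APIDomain` SAN lets any holder of such a host certificate present a TLS identity for the cluster API domain to a peer that verifies by name, so which roles receive it is a trust decision and the reason for each inclusion belongs next to the list, e.g. `// Only roles that serve a TLS endpoint under the cluster API domain are listed; other roles get nil.` followed by a short rationale for the database and desktop services. I would also hoist the role set into a package-level `types.SystemRoles` value so the remaining inline `IncludeAny` in GenerateHostCerts can reference it instead of maintaining a second list.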
@@ -2364,6 +2364,11 @@ func (process *TeleportProcess) getAdditionalPrincipals(role types.SystemRole) (
 principals = append(principals, process.Config.Hostname)
 }
 var addrs []utils.NetAddr
+
+ // Add default DNSNames to the dnsNames list.
+ // For identities generated by teleport <= v6.1.6 the teleport.cluster.local DNS is not present
+ dnsNames = append(dnsNames, auth.DefaultDNSNamesForRole(role)...)
+
 switch role {
 case types.RoleProxy:
 addrs = append(process.Config.Proxy.PublicAddrs,
diff --git a/lib/service/service_test.go b/lib/service/service_test.go
index 0b7fa5fedc04e..c6260a31d81ef 100644
--- a/lib/service/service_test.go
+++ b/lib/service/service_test.go
@@ -347,6 +347,8 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 "proxy-kube-public-2",
 },
 wantDNS: []string{
+ "*.teleport.cluster.local",
+ "teleport.cluster.local",
 "*.proxy-public-1",
 "*.proxy-public-2",
 "*.proxy-kube-public-1",
@@ -360,7 +362,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 "auth-public-1",
 "auth-public-2",
 },
- wantDNS: []string{},
+ wantDNS: []string{
+ "*.teleport.cluster.local",
+ "teleport.cluster.local",
+ },
 },
 {
 role: types.RoleAdmin,
@@ -369,7 +374,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 "auth-public-1",
 "auth-public-2",
 },
- wantDNS: []string{},
+ wantDNS: []string{
+ "*.teleport.cluster.local",
+ "teleport.cluster.local",
+ },
 },
 {
 role: types.RoleNode,
@@ -393,7 +401,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 "kube-public-1",
 "kube-public-2",
 },
- wantDNS: []string{},
+ wantDNS: []string{
+ "*.teleport.cluster.local",
+ "teleport.cluster.local",
+ },
 },
 {
 role: types.RoleApp,
@@ -401,7 +412,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 "global-hostname",
 "global-uuid",
 },
- wantDNS: []string{},
+ wantDNS: []string{
+ "*.teleport.cluster.local",
+ "teleport.cluster.local",
+ },
 },
 {
 role: types.SystemRole("unknown"),
diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go
index 4d5b215f7870c..ee56515458f50 100644
--- a/lib/tlsca/ca.go
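Review bot: The added comment explains the client-side append only by version (`teleport <= v6.1.6`) and does not say that the same names are now also appended server-side in GenerateHostCerts, so a reader cannot tell that the line `dnsNames = append(dnsNames, auth.DefaultDNSNamesForRole(role)...)` is a compatibility measure rather than the primary mechanism. Whether this produces duplicate SANs against a current auth server depends on how `dnsNames` is forwarded in the request, which is outside the hunk, and the `utils.Deduplicate` call added in tlsca appears meant to absorb it. I would extend the comment to `// Auth servers at or above this change add these names themselves; the client-side copy keeps certificates issued by older auth servers valid and can be dropped once those are unsupported.` getAdditionalPrincipals, and the declaration of `dnsNames`, begin outside this hunk.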
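Review bot: As far as the visible service_test.go hunks show, the table in TestGetAdditionalPrincipals gains the two default names for Proxy, Auth, Admin, Kube and App, but has no case for RoleDatabase or RoleWindowsDesktop, the two roles the commit newly adds to DefaultDNSNamesForRole, so the widening is untested here. The `role: types.RoleNode` and `role: types.SystemRole("unknown")` entries are context, and their `wantDNS` values are outside the hunks, so I cannot confirm that a negative case (a role that must not receive the names) is asserted; if not, one should be. The same applies to the other four service_test.go hunks in this file, which only adjust expectations for roles already covered. A direct unit test of DefaultDNSNamesForRole in lib/auth, asserting both the positive set and a nil result for an excluded role, would pin the role list independently of process configuration.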
+++ b/lib/tlsca/ca.go
@@ -29,14 +29,15 @@ import (
 "strconv"
 "time"
+ "github.com/gravitational/trace"
+ "github.com/jonboulle/clockwork"
+ "github.com/sirupsen/logrus"
+
 "github.com/gravitational/teleport"
 "github.com/gravitational/teleport/api/types"
 "github.com/gravitational/teleport/api/types/events"
 "github.com/gravitational/teleport/api/types/wrappers"
-
- "github.com/gravitational/trace"
- "github.com/jonboulle/clockwork"
- "github.com/sirupsen/logrus"
+ "github.com/gravitational/teleport/api/utils"
 )
 var log = logrus.WithFields(logrus.Fields{
@@ -772,6 +773,9 @@ func (c *CertificateRequest) CheckAndSetDefaults() error {
 if c.KeyUsage == 0 {
 c.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
 }
+
+ c.DNSNames = utils.Deduplicate(c.DNSNames)
+
 return nil
 }
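Review bot: The new line `c.DNSNames = utils.Deduplicate(c.DNSNames)` silently normalizes caller input inside a method whose name promises checking and defaulting, and nothing in the hunk records why duplicates arise, so a later reader may remove it as dead code. I would annotate it with `// Callers may supply the cluster API domain names themselves while GenerateHostCerts also appends them; drop duplicate SANs so the issued certificate carries each name once.` Whether `utils.Deduplicate` preserves first-seen order is not visible here; if callers or tests depend on SAN order, that guarantee should be stated in the comment as well. The import hunk above is only the regrouping needed to bring `api/utils` into scope.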