Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug tls certs not created with correct SANs #16959

Merged
merged 16 commits into from
May 22, 2023
Merged

Bug tls certs not created with correct SANs #16959

merged 16 commits into from
May 22, 2023

Conversation

lhaig
Copy link
Contributor

@lhaig lhaig commented Apr 21, 2023

The nomad tls cert command did not create certificates with the correct SANs for them to work with non default domain and region names.
This PR updates the code to support non default domains and regions in the certificates.

@tgross tgross self-requested a review April 21, 2023 17:23
tgross
tgross requested changes Apr 21, 2023
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @lhaig! I've left comments on some areas that need work. Also, we have a bunch of TLS certs used for unit testing in helper/tlsutil/testdata. To really make sure this is all right, let's do the following:

  • Regenerate all the certs in helper/tlsutil/testdata
  • Make sure all the unit tests pass with those new certs
  • Add a README.md to helper/tlsutil/testdata that describes the exact commands used to generate those certs.

command/tls_cert_create.go Outdated Show resolved Hide resolved
command/tls_cert_create.go Outdated Show resolved Hide resolved
command/tls_cert_create.go Outdated Show resolved Hide resolved
command/tls_cert_create_test.go Outdated Show resolved Hide resolved
@tgross tgross added this to the 1.5.x milestone Apr 21, 2023
@tgross tgross added the backport/1.5.x backport to 1.5.x release line label Apr 21, 2023
@lhaig lhaig requested a review from tgross May 19, 2023 13:22
lhaig added 12 commits May 19, 2023 15:27
@lhaig
fix bug where default records were not being created
595d059 
Nomad requires there to be a `server.global.nomad` alternative name in the certificate when you enable TLS on a cluster.
@lhaig
Add logic for non default region and domain configuration.
0a8e645 
Added logic to detect custom domain and region configuration.
Ad tests for custom domains
@lhaig
Update tls_cert_create.go
95fc85b 
Refactor record preparation to make things simpler
@lhaig
Add changelog file
b15610a
@lhaig
Update tls_cert_create.go
ec415da 
Fix lint errors
@lhaig
Replace CFSSL certs with nomad tls ones
5991033
@lhaig
Update missed certificate changes
bd3f9f2
@lhaig
Update path for failing tests
6873d95
@lhaig
More Test Failures
535d84f
@lhaig
Update http_test.go
381a694 
Fix Errors due to crypto/x509 verify being updated to require ServerName
@lhaig
Update server_test.go
b0a02a6 
Add a server certificate for testing the server.
@lhaig
Update Tests for recordPreperation.
6679bd2 
Fix recordPreperation that was overwriting additional domains
Improved tests as per suggestion from @tgross
@lhaig lhaig force-pushed the b-tls-cert-domain branch from d9b0c17 to 6679bd2 Compare May 19, 2023 13:27
schmichael
schmichael approved these changes May 19, 2023
View reviewed changes
Copy link
Member

@schmichael schmichael left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple minor corrections but otherwise looks good to me. Thanks Lance!

command/tls_cert_create.go Outdated Show resolved Hide resolved
website/content/docs/commands/tls/cert-create.mdx Outdated Show resolved Hide resolved
tgross
tgross approved these changes May 19, 2023
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @lhaig! Just a few minor items to pick up and I think we can get this merged.

.changelog/16959.txt Outdated Show resolved Hide resolved
command/agent/http_test.go Outdated Show resolved Hide resolved
command/agent/http_test.go Outdated Show resolved Hide resolved
website/content/docs/commands/tls/cert-create.mdx Show resolved Hide resolved
helper/tlsutil/testdata/README.md Show resolved Hide resolved
helper/tlsutil/testdata/README.md Outdated Show resolved Hide resolved
helper/tlsutil/testdata/README.md Outdated Show resolved Hide resolved
lhaig and others added 2 commits May 19, 2023 21:50
@lhaig @tgross
Update .changelog/16959.txt
512fbd1 
Co-authored-by: Tim Gross <[email protected]>
@lhaig @tgross
Update command/agent/http_test.go
42553b0 
remove debug code

Co-authored-by: Tim Gross <[email protected]>
lhaig added 2 commits May 20, 2023 08:17
@lhaig
Replace last cfssl certificates
2c690bf 
Generated additional certificates for testing TLS misconfiguration.
Removed last cfssl generated certificates.
updated testdata readme with new instructions.
@lhaig
Make Updates as per comments
c23de27 
Added the Key usage to the cli certificate. Updated the tests to match
Updated the cert-crete.mdx file
added some notes to the upgrade-specific.mdx file for the deprecation
@lhaig lhaig requested review from schmichael and tgross May 20, 2023 06:54
@tgross tgross merged commit 7e93f15 into main May 22, 2023
@tgross tgross deleted the b-tls-cert-domain branch May 22, 2023 13:31
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request May 22, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schmichael schmichael Awaiting requested review from schmichael

@tgross tgross Awaiting requested review from tgross

Assignees
No one assigned
Labels
backport/1.5.x backport to 1.5.x release line theme/cli type/bug
Projects
None yet
Milestone
1.5.x
Development

Successfully merging this pull request may close these issues.
3 participants
@lhaig @schmichael @tgross