Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS Guide #2923

Merged
merged 13 commits into from
Aug 12, 2017
Merged

TLS Guide #2923

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
abc006c
WIP tls guide
schmichael Jul 27, 2017
a72e59a
Improve verify_https_clients wording
schmichael Jul 27, 2017
c2dc7f4
Switch to cfssl and get everything working
schmichael Jul 27, 2017
1676f10
Add serf section and clean it up
schmichael Jul 27, 2017
cb2b3ff
Remove old example tls config
schmichael Jul 27, 2017
4fa4344
Lots of fixes from @sethvargo
schmichael Aug 1, 2017
3ff3d3e
Missed a mention of 127.0.0.1 as a SAN
schmichael Aug 1, 2017
3bb3ff7
Sort filenames
schmichael Aug 2, 2017
295ef10
Reflow
schmichael Aug 2, 2017
a7346e1
Add $ prefix to shell examples
schmichael Aug 2, 2017
69d561e
Add openssl rand example; reword intermediate CAs
schmichael Aug 12, 2017
bec5519
Oops! Forgot demo/vagrant/cfssl.json file
schmichael Aug 12, 2017
cadbe7a
Rename guide from tls to securing-nomad
schmichael Aug 12, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions demo/vagrant/Vagrantfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,13 @@ EOF
sudo systemctl enable consul.service
sudo systemctl start consul

for bin in cfssl cfssl-certinfo cfssljson
do
echo "Installing $bin..."
curl -sSL https://pkg.cfssl.org/R1.2/${bin}_linux-amd64 > /tmp/${bin}
sudo install /tmp/${bin} /usr/local/bin/${bin}
done

SCRIPT

Vagrant.configure(2) do |config|
Expand Down
89 changes: 5 additions & 84 deletions website/source/docs/agent/encryption.html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ With that key, you can enable gossip encryption on the agent.

Nomad supports using TLS to verify the authenticity of servers and clients. To
enable this, Nomad requires that all clients and servers have key pairs that are
generated and signed by a Certificate Authority. This can be a private CA.
generated and signed by a private Certificate Authority (CA).

TLS can be used to verify the authenticity of the servers and clients. The
configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
Expand Down Expand Up @@ -82,89 +82,10 @@ connections as well as verify proper names on all other certificates.
Consul will not attempt to health check agents with `verify_https_client` set
as it is unable to use client certificates.

## Encryption Examples
# Configuring Nomad with TLS

### TLS Configuration using `cfssl`
Read the [Configuring TLS Guide][guide] for details on how to configure
encryption for Nomad.

While [Vault's PKI backend][vault] is an ideal solution for managing
certificates and other secrets in a production environment, it's useful to use
simpler command line tools when learning how to configure TLS and your [PKI].

[`cfssl`][cfssl] is a tool for working with TLS certificates and certificate
authorities similar to [OpenSSL's][openssl] `x509` command line tool.

Once you have the `cfssl` command line tool installed, the first step to
setting up TLS is to create a Certificate Authority (CA) certificate. The
following command will generate a suitable example CA CSR, certificate, and
key:

```shell
# Run in the directory where you want to store certificates
$ cfssl print-defaults csr | cfssl gencert -initca - | cfssljson -bare ca
```

Next create a `nomad-csr.json` which contains the configuration for the actual
certificate you'll be using in Nomad:

```json
{
"CN": "global.nomad",
"hosts": [
"server.global.nomad",
"client.global.nomad",
"localhost"
]
}
```

This will create a certificate suitable for both clients and servers in the
`global` (default) region.

In production Nomad agents should have a certificate valid for the name
`${ROLE}.${REGION}.nomad` where role is either `client` or `server` depending
on the node's role.

Create a certificate signed by your CA:

```shell
$ cfssl gencert -ca ca.pem -ca-key ca-key.pem nomad-csr.json | cfssljson -bare nomad
```

You've now successfully generated self-signed certificates! You should see the
following files:

- `ca.pem` - the CA certificate. This corresponds to the Nomad `ca_file`
parameter in the Nomad [`tls` stanza][tls].

- `ca-key.pem` - the CA private key. This is used to sign CSRs and should
**not** be included in the Nomad [`tls` stanza][tls].

- `nomad.pem` - the Nomad certificate for the region. This corresponds to the
`cert_file` parameter in the Nomad [`tls` stanza][tls].

- `nomad-key.pem` - the Nomad private key. This corresponds to the `key_file`
parameter in the Nomad [`tls` stanza][tls].

- `*.csr` - the certificate signing request. This is temporary for generating
certificates and should **not** be included in the Nomad [`tls` stanza][tls].

In your Nomad configuration add the `tls` stanza:

```hcl
tls {
http = true
rpc = true

ca_file = "ca.pem"
cert_file = "nomad.pem"
key_file = "nomad-key.pem"

verify_server_hostname = true
}
```

[vault]: https://www.vaultproject.io/docs/secrets/pki/
[PKI]: https://en.wikipedia.org/wiki/Public_key_infrastructure
[cfssl]: https://cfssl.org/
[openssl]: https://www.openssl.org/
[guide]: /guides/tls.html "Configuring TLS"
[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"
Loading