-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
etcd v3.2.5 tls broken or a breaking change is introduced #8534
Comments
@raoofm what was the version when it was last working? |
OK, I see 3.1.8. Nevermind |
@heyitsanthony v3.1.8 works |
@heyitsanthony did you get a chance to check this |
Why some DNS names don't have |
@gyuho sorry it is the formatting issue. It italicized it from 1 star to the other |
@raoofm you filed the bug friday afternoon at 3:40PM, it's monday morning now. Did you expect me to work after hours on this? |
😄 no clue on what time zone you work on dude. It was just a friendly reminder to check if it is something that changed with etcd or have I messed up something with my certs. You can take your time and of-course your time and work is greatly appreciated. |
It could work on my machine with v3.2.7 & v3.1.8, but it could not work with v3.2.0 with v3.2.7
with v3.1.8
with v3.2.0
And I generate key pair with ca-csr.json{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 8192
},
"names": [
{
"C": "TW",
"ST": "Some City",
"L": "MINE",
"O": "k8s",
"OU": "System"
}
]
} kubenetes-csr.json{
"CN": "kubernetes",
"hosts": [
"192.168.254.100",
"192.168.254.110",
"192.168.254.120",
"192.168.254.130",
"kubernetes.mine.tw",
"k8s.mine.tw",
"127.0.0.1",
"10.254.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.k8s.mine.tw",
"kubernetes.default.svc.k8s.mine.tw"
],
"key": {
"algo": "rsa",
"size": 8192
},
"names": [
{
"C": "TW",
"ST": "Some City",
"L": "MINE",
"O": "k8s",
"OU": "System"
}
]
} |
@rockwyc992 there were TLS changes in 3.2 that were not in 3.1 that introduced some bugs, 3.2.0 isn't expected to work and there have been patch releases since then that fixes it. |
@heyitsanthony v3.2.7 fails with the same reasosn as well |
|
@raoofm it looks like rdns isn't set up right, what does |
|
@raoofm |
@heyitsanthony agree, thnx probably etcd-operator needs to correct their doc for cluster-tls |
https://github.com/coreos/etcd-operator/blob/master/doc/user/cluster_tls.md
|
Closing since this is not an etcd bug. |
doc: cluster_tls, wildcard domain correction based on the discussion etcd-io/etcd#8534 (comment)
Reverse DNS lookup like this will give the full domain name, even if before expanded it ends with ".svc" only. That's not an evidence for the URL the peer is talking to. Can you print out the etcd container's command line to show the etcd peers' URLs ? |
@hongchaodeng @heyitsanthony @xiang90 my current setup, using cfssl
client.json
peer.json
server.json
etcd-operator logs
etcd -0000 logs
etcd-0001 logs
etcd-0002 logs
bacup sidecar logs
|
@hongchaodeng @heyitsanthony @xiang90 please note that I removed .cluster.local suffix entry from the host and used the newly generated certs and tls seems to fail |
DNS is still misconfigured. |
this is being done by etcd-operator @hongchaodeng ? |
@heyitsanthony @hongchaodeng the exact same certs work with 3.1.10 |
@raoofm sure, 3.2 added stricter SAN checking. This is an operator bug. |
@hongchaodeng any timeline to test etcd-operator against etcd 3.2.*? |
@hongchaodeng do you agree with this, so that I i can stop the noise on etcd and follow up coreos/etcd-operator#1384 (comment) |
@raoofm, @hongchaodeng specifically requested the stricter SAN checking and I implemented it. Please follow up on etcd-operator |
Sorry that I dismissed this issue. Now let me explain the background and the root cause better. Originally there are some problems with unauthorized endpoints joining quorums. Which has led to #7687 that adds stricter SAN check. So now the check has some problems with non-FQDN names. I will follow up an issue with a more detailed analysis in code. |
The mTLS validation fails if the SAN doesn't have IP address in it. Github Issue here: etcd-io/etcd#8534 [#154472172] Signed-off-by: Greg Patricio <gpatricio@pivotal.io>
carrying this over from coreos/etcd-operator#1384
May be related to #8268
The text was updated successfully, but these errors were encountered: