Regenerate server identity if APIDomain not present (#10946)

gravitational · Mar 10, 2022 · 0544df8 · 0544df8
1 parent b320c94
commit 0544df8
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 14 deletions.
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -1608,12 +1608,11 @@ func (a *Server) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedKeys,
 		NotAfter:  a.clock.Now().UTC().Add(defaults.CATTL),
 		DNSNames:  append([]string{}, req.AdditionalPrincipals...),
 	}
-	// HTTPS requests need to specify DNS name that should be present in the
-	// certificate as one of the DNS Names. It is not known in advance,
-	// that is why there is a default one for all certificates
-	if req.Roles.Include(types.RoleAuth) || req.Roles.Include(types.RoleAdmin) || req.Roles.Include(types.RoleProxy) || req.Roles.Include(types.RoleKube) || req.Roles.Include(types.RoleApp) {
-		certRequest.DNSNames = append(certRequest.DNSNames, "*."+constants.APIDomain, constants.APIDomain)
-	}
+
+	// API requests need to specify a DNS name, which must be present in the certificate's DNS Names.
+	// The target DNS is not always known in advance so we add a default one to all certificates.
+	certRequest.DNSNames = append(certRequest.DNSNames, DefaultDNSNamesForRole(req.Roles)...)
+
 	// Unlike additional principals, DNS Names is x509 specific and is limited
 	// to services with TLS endpoints (e.g. auth, proxies, kubernetes)
 	if req.Roles.Include(types.RoleAuth) || req.Roles.Include(types.RoleAdmin) || req.Roles.Include(types.RoleProxy) || req.Roles.Include(types.RoleKube) {
@@ -2925,3 +2924,14 @@ func isHTTPS(u string) error {
 
 	return nil
 }
+
+// DefaultDNSNamesForRole returns default DNS names for the specified role.
+func DefaultDNSNamesForRole(roles types.SystemRoles) []string {
+	if roles.Include(types.RoleAuth) || roles.Include(types.RoleAdmin) || roles.Include(types.RoleProxy) || roles.Include(types.RoleKube) || roles.Include(types.RoleApp) || roles.Include(types.RoleDatabase) {
+		return []string{
+			"*." + constants.APIDomain,
+			constants.APIDomain,
+		}
+	}
+	return nil
+}
diff --git a/lib/service/service.go b/lib/service/service.go
@@ -2123,6 +2123,11 @@ func (process *TeleportProcess) getAdditionalPrincipals(role types.SystemRole) (
 		principals = append(principals, process.Config.Hostname)
 	}
 	var addrs []utils.NetAddr
+
+	// Add default DNSNames to the dnsNames list.
+	// For identities generated by teleport <= v6.1.6 the teleport.cluster.local DNS is not present
+	dnsNames = append(dnsNames, auth.DefaultDNSNamesForRole(types.SystemRoles{role})...)
+
 	switch role {
 	case types.RoleProxy:
 		addrs = append(process.Config.Proxy.PublicAddrs,

diff --git a/lib/service/service_test.go b/lib/service/service_test.go
@@ -354,6 +354,8 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 				"proxy-kube-public-2",
 			},
 			wantDNS: []string{
+				"*.teleport.cluster.local",
+				"teleport.cluster.local",
 				"*.proxy-public-1",
 				"*.proxy-public-2",
 				"*.proxy-kube-public-1",
@@ -367,7 +369,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 				"auth-public-1",
 				"auth-public-2",
 			},
-			wantDNS: []string{},
+			wantDNS: []string{
+				"*.teleport.cluster.local",
+				"teleport.cluster.local",
+			},
 		},
 		{
 			role: types.RoleAdmin,
@@ -376,7 +381,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 				"auth-public-1",
 				"auth-public-2",
 			},
-			wantDNS: []string{},
+			wantDNS: []string{
+				"*.teleport.cluster.local",
+				"teleport.cluster.local",
+			},
 		},
 		{
 			role: types.RoleNode,
@@ -400,15 +408,21 @@ func TestGetAdditionalPrincipals(t *testing.T) {
 				"kube-public-1",
 				"kube-public-2",
 			},
-			wantDNS: []string{},
+			wantDNS: []string{
+				"*.teleport.cluster.local",
+				"teleport.cluster.local",
+			},
 		},
 		{
 			role: types.RoleApp,
 			wantPrincipals: []string{
 				"global-hostname",
 				"global-uuid",
 			},
-			wantDNS: []string{},
+			wantDNS: []string{
+				"*.teleport.cluster.local",
+				"teleport.cluster.local",
+			},
 		},
 		{
 			role: types.SystemRole("unknown"),

diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go
@@ -28,13 +28,14 @@ import (
 	"net"
 	"time"
 
-	"github.com/gravitational/teleport"
-	"github.com/gravitational/teleport/api/types/events"
-	"github.com/gravitational/teleport/api/types/wrappers"
-
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/sirupsen/logrus"
+
+	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/types/events"
+	"github.com/gravitational/teleport/api/types/wrappers"
+	"github.com/gravitational/teleport/api/utils"
 )
 
 var log = logrus.WithFields(logrus.Fields{
@@ -691,6 +692,9 @@ func (c *CertificateRequest) CheckAndSetDefaults() error {
 	if c.NotAfter.IsZero() {
 		return trace.BadParameter("missing parameter NotAfter")
 	}
+
+	c.DNSNames = utils.Deduplicate(c.DNSNames)
+
 	return nil
 }