Fix a handful of auto encrypt issues #8211
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
mkeeler
commented
Jun 30, 2020
•
mkeeler
commented
- Ensure that the original auto encrypt CSR contains the DNS and IP SANs from the configuration
- Initialize State of the agent leaf cert cache fetch result to prevent always issuing a second certificate signing RPC to the servers
- Move the connect CA signing rate limiter to the Server so that it can be shared with auto-encrypt and the main certificate signing RPC endpoints.
- Overwrite the agent leaf certificate trust domain on the servers. This ensures that the first certificate sent back is "correct" and has the correct trust domain instead of the dummy one.
- Fixed a bug where Consul would segfault if no client TLS certificate was available when initiating a connection.
mkeeler
force-pushed
the
bugfix/auto-encrypt-various
branch
from
87d08cf
to
8ab34e5
Compare
The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed.
…nnecessary second certificate signing
This fixes a bug where auto_encrypt was operating without utilizing a common rate limiter.
mkeeler
force-pushed
the
bugfix/auto-encrypt-various
branch
from
8ab34e5
to
2ddcba0
Compare
Also fix a bug where Consul could segfault if TLS was enabled but no client certificate was provided. How no one has reported this as a problem I am not sure.
mkeeler
force-pushed
the
bugfix/auto-encrypt-various
branch
from
137efbd
to
6e7acfa
Compare
crhino
approved these changes
Jun 30, 2020
| @@ -480,6 +428,30 @@ func (s *ConnectCA) Sign( | |||
| return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+ | |||
| "we are %s", serviceID.Host, signingID.Host()) | |||
| } | |||
| } else { | |||
There was a problem hiding this comment.
This could also live in the AutoEncrypt.Sign endpoint, then we wouldn't have to check the cert type. And it would only fix it for the first time when we are starting an agent.
There was a problem hiding this comment.
I wonder if we should enforce the trustdomain for agent certs too, after it was fixed once.
There was a problem hiding this comment.
The reason why it cannot go there easily is that we would have to move out all the CSR and URI parsing too.
hanshasselberg
approved these changes
Jul 2, 2020
|
🍒✅ Cherry pick of commit f8e8f48 onto |
hashicorp-ci
pushed a commit
that referenced
this pull request
Jul 2, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.