This also regenerates our Root CA with subjectAltNames, as this is now required by Golang (otherwise the MongoDB Agent needs the GODEBUG=x509ignoreCN=0 environment
variable).
Example of /certs/client.pem
[root@n1 certs]# openssl x509 -in /certs/client.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
13:01:40:5e:3e:fd:a1:5a:30:a6:09:d7:b9:fc:aa:42:c7:7c:b7:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=MongoDB, OU=Technical Services, CN=Root CA
Validity
Not Before: Aug 4 22:52:41 2021 GMT
Not After : Nov 7 22:52:41 2023 GMT
Subject: O=MongoDB, OU=Technical Services, CN=n1-client-x509-certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dd:1a:02:56:c8:5d:d0:97:d3:13:0a:f2:31:b0:
58:e0:c0:e7:50:00:9f:e1:02:0d:7f:fa:b3:96:b6:
71:71:88:79:9a:85:8a:e7:c7:a1:51:65:6f:54:37:
1b:16:7f:82:f1:dd:22:cb:4f:a3:9f:23:46:70:f0:
75:2a:64:96:55:8c:75:48:cd:7e:9b:69:5f:b7:34:
72:ea:a5:b0:11:7a:b6:48:64:bb:47:1b:46:f9:16:
a2:92:7f:f4:a3:36:84:f7:dd:57:68:22:10:44:03:
70:5e:7c:00:3c:f9:18:b5:08:51:bd:b0:cb:fe:66:
78:76:64:8b:8f:a2:92:c7:1a:50:22:2d:79:d9:52:
ba:7b:ad:e9:ad:a3:ce:bf:2b:64:7c:a4:f7:4d:24:
90:90:e1:ce:06:59:c6:fb:bc:d9:3f:33:7c:b3:0f:
ea:b3:a1:3a:d0:a9:f7:24:43:12:d5:fd:bb:6a:76:
a5:44:45:ff:f7:fe:64:a5:79:11:b1:0d:12:eb:c8:
61:28:fa:29:c2:bc:df:07:ed:5f:b2:97:da:d3:b4:
27:03:98:87:e7:12:59:f1:b7:5e:4c:bb:d5:f7:dd:
7f:05:c7:1d:36:a1:81:b9:53:7f:71:b7:70:3f:42:
4f:1b:58:d2:89:a6:b0:8b:cd:7f:43:68:2e:8d:74:
3c:e0:fa:98:a4:6f:dc:3f:4d:24:c9:90:b9:b4:7e:
dc:0e:a7:fe:1b:c8:7b:ed:a2:0d:1c:3c:35:a1:fd:
f1:57:92:c5:28:d7:10:ee:82:c2:9a:72:64:7c:19:
15:80:a8:0a:d5:4f:e1:80:0a:65:84:92:6c:75:d2:
db:77:56:ce:05:ed:c8:86:13:5f:35:66:b6:51:1c:
52:eb:db:d9:08:8b:bc:8b:aa:f0:5d:1e:3e:d2:69:
02:86:6a:d4:b7:67:8a:89:5b:8f:2e:c1:45:81:84:
75:57:83:b1:bf:ab:17:88:41:5c:6d:a4:f4:9d:9d:
0b:b0:a9:7e:4e:09:cb:07:7f:b3:d7:6b:40:ee:99:
c1:96:0c:2a:9e:6c:2d:f1:fb:ad:2f:30:f5:c1:48:
b6:3a:07:c0:93:3b:48:d1:a6:7f:a9:93:62:97:36:
fb:4d:64:9c:f6:fa:7a:42:30:b3:3d:f8:f6:6b:09:
1e:4b:05:de:09:d7:e8:45:da:9a:20:e9:21:47:16:
48:be:a3:ec:17:58:93:a5:e5:2c:66:26:7e:55:89:
e2:ae:6b:3c:5b:8a:f9:28:f8:8e:ea:33:8e:b6:a2:
64:24:e6:6d:17:b9:7c:25:e6:37:78:19:0f:88:fe:
06:4a:f7:6a:b6:76:4e:95:96:54:b6:09:35:0c:cd:
cf:60:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:n1, DNS:*.omansible.int
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Key Identifier:
A9:EA:59:6F:33:E7:EA:EC:40:D0:BA:DE:11:2C:F1:0C:36:69:31:6A
X509v3 Authority Key Identifier:
keyid:68:13:2B:EA:9C:45:F0:4E:4E:B6:5D:40:3F:1C:60:8F:78:2A:FA:11
Signature Algorithm: sha256WithRSAEncryption
Example of /certs/server.pem
[root@n1 certs]# openssl x509 -in /certs/server.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:79:0f:f5:30:c7:38:2c:05:5a:a4:98:fa:94:c4:c0:af:0b:7a:ad
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=MongoDB, OU=Technical Services, CN=Root CA
Validity
Not Before: Aug 4 22:52:44 2021 GMT
Not After : Nov 7 22:52:44 2023 GMT
Subject: O=MongoDB, OU=Technical Services, CN=n1-server-x509-certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dd:1a:02:56:c8:5d:d0:97:d3:13:0a:f2:31:b0:
58:e0:c0:e7:50:00:9f:e1:02:0d:7f:fa:b3:96:b6:
71:71:88:79:9a:85:8a:e7:c7:a1:51:65:6f:54:37:
1b:16:7f:82:f1:dd:22:cb:4f:a3:9f:23:46:70:f0:
75:2a:64:96:55:8c:75:48:cd:7e:9b:69:5f:b7:34:
72:ea:a5:b0:11:7a:b6:48:64:bb:47:1b:46:f9:16:
a2:92:7f:f4:a3:36:84:f7:dd:57:68:22:10:44:03:
70:5e:7c:00:3c:f9:18:b5:08:51:bd:b0:cb:fe:66:
78:76:64:8b:8f:a2:92:c7:1a:50:22:2d:79:d9:52:
ba:7b:ad:e9:ad:a3:ce:bf:2b:64:7c:a4:f7:4d:24:
90:90:e1:ce:06:59:c6:fb:bc:d9:3f:33:7c:b3:0f:
ea:b3:a1:3a:d0:a9:f7:24:43:12:d5:fd:bb:6a:76:
a5:44:45:ff:f7:fe:64:a5:79:11:b1:0d:12:eb:c8:
61:28:fa:29:c2:bc:df:07:ed:5f:b2:97:da:d3:b4:
27:03:98:87:e7:12:59:f1:b7:5e:4c:bb:d5:f7:dd:
7f:05:c7:1d:36:a1:81:b9:53:7f:71:b7:70:3f:42:
4f:1b:58:d2:89:a6:b0:8b:cd:7f:43:68:2e:8d:74:
3c:e0:fa:98:a4:6f:dc:3f:4d:24:c9:90:b9:b4:7e:
dc:0e:a7:fe:1b:c8:7b:ed:a2:0d:1c:3c:35:a1:fd:
f1:57:92:c5:28:d7:10:ee:82:c2:9a:72:64:7c:19:
15:80:a8:0a:d5:4f:e1:80:0a:65:84:92:6c:75:d2:
db:77:56:ce:05:ed:c8:86:13:5f:35:66:b6:51:1c:
52:eb:db:d9:08:8b:bc:8b:aa:f0:5d:1e:3e:d2:69:
02:86:6a:d4:b7:67:8a:89:5b:8f:2e:c1:45:81:84:
75:57:83:b1:bf:ab:17:88:41:5c:6d:a4:f4:9d:9d:
0b:b0:a9:7e:4e:09:cb:07:7f:b3:d7:6b:40:ee:99:
c1:96:0c:2a:9e:6c:2d:f1:fb:ad:2f:30:f5:c1:48:
b6:3a:07:c0:93:3b:48:d1:a6:7f:a9:93:62:97:36:
fb:4d:64:9c:f6:fa:7a:42:30:b3:3d:f8:f6:6b:09:
1e:4b:05:de:09:d7:e8:45:da:9a:20:e9:21:47:16:
48:be:a3:ec:17:58:93:a5:e5:2c:66:26:7e:55:89:
e2:ae:6b:3c:5b:8a:f9:28:f8:8e:ea:33:8e:b6:a2:
64:24:e6:6d:17:b9:7c:25:e6:37:78:19:0f:88:fe:
06:4a:f7:6a:b6:76:4e:95:96:54:b6:09:35:0c:cd:
cf:60:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:n1, DNS:*.omansible.int
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
A9:EA:59:6F:33:E7:EA:EC:40:D0:BA:DE:11:2C:F1:0C:36:69:31:6A
X509v3 Authority Key Identifier:
keyid:68:13:2B:EA:9C:45:F0:4E:4E:B6:5D:40:3F:1C:60:8F:78:2A:FA:11
Signature Algorithm: sha256WithRSAEncryption
Example of /certs/member_auth.pem
# openssl x509 -in /certs/member_auth.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
52:4c:a6:94:93:87:00:a8:21:99:16:81:43:7e:ac:85:20:d9:da:9a
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=MongoDB, OU=Technical Services, CN=Root CA
Validity
Not Before: Aug 4 22:52:46 2021 GMT
Not After : Nov 7 22:52:46 2023 GMT
Subject: O=MongoDB, OU=Technical Services, CN=n1-member-auth-x509-certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dd:1a:02:56:c8:5d:d0:97:d3:13:0a:f2:31:b0:
58:e0:c0:e7:50:00:9f:e1:02:0d:7f:fa:b3:96:b6:
71:71:88:79:9a:85:8a:e7:c7:a1:51:65:6f:54:37:
1b:16:7f:82:f1:dd:22:cb:4f:a3:9f:23:46:70:f0:
75:2a:64:96:55:8c:75:48:cd:7e:9b:69:5f:b7:34:
72:ea:a5:b0:11:7a:b6:48:64:bb:47:1b:46:f9:16:
a2:92:7f:f4:a3:36:84:f7:dd:57:68:22:10:44:03:
70:5e:7c:00:3c:f9:18:b5:08:51:bd:b0:cb:fe:66:
78:76:64:8b:8f:a2:92:c7:1a:50:22:2d:79:d9:52:
ba:7b:ad:e9:ad:a3:ce:bf:2b:64:7c:a4:f7:4d:24:
90:90:e1:ce:06:59:c6:fb:bc:d9:3f:33:7c:b3:0f:
ea:b3:a1:3a:d0:a9:f7:24:43:12:d5:fd:bb:6a:76:
a5:44:45:ff:f7:fe:64:a5:79:11:b1:0d:12:eb:c8:
61:28:fa:29:c2:bc:df:07:ed:5f:b2:97:da:d3:b4:
27:03:98:87:e7:12:59:f1:b7:5e:4c:bb:d5:f7:dd:
7f:05:c7:1d:36:a1:81:b9:53:7f:71:b7:70:3f:42:
4f:1b:58:d2:89:a6:b0:8b:cd:7f:43:68:2e:8d:74:
3c:e0:fa:98:a4:6f:dc:3f:4d:24:c9:90:b9:b4:7e:
dc:0e:a7:fe:1b:c8:7b:ed:a2:0d:1c:3c:35:a1:fd:
f1:57:92:c5:28:d7:10:ee:82:c2:9a:72:64:7c:19:
15:80:a8:0a:d5:4f:e1:80:0a:65:84:92:6c:75:d2:
db:77:56:ce:05:ed:c8:86:13:5f:35:66:b6:51:1c:
52:eb:db:d9:08:8b:bc:8b:aa:f0:5d:1e:3e:d2:69:
02:86:6a:d4:b7:67:8a:89:5b:8f:2e:c1:45:81:84:
75:57:83:b1:bf:ab:17:88:41:5c:6d:a4:f4:9d:9d:
0b:b0:a9:7e:4e:09:cb:07:7f:b3:d7:6b:40:ee:99:
c1:96:0c:2a:9e:6c:2d:f1:fb:ad:2f:30:f5:c1:48:
b6:3a:07:c0:93:3b:48:d1:a6:7f:a9:93:62:97:36:
fb:4d:64:9c:f6:fa:7a:42:30:b3:3d:f8:f6:6b:09:
1e:4b:05:de:09:d7:e8:45:da:9a:20:e9:21:47:16:
48:be:a3:ec:17:58:93:a5:e5:2c:66:26:7e:55:89:
e2:ae:6b:3c:5b:8a:f9:28:f8:8e:ea:33:8e:b6:a2:
64:24:e6:6d:17:b9:7c:25:e6:37:78:19:0f:88:fe:
06:4a:f7:6a:b6:76:4e:95:96:54:b6:09:35:0c:cd:
cf:60:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:n1, DNS:*.omansible.int
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
A9:EA:59:6F:33:E7:EA:EC:40:D0:BA:DE:11:2C:F1:0C:36:69:31:6A
X509v3 Authority Key Identifier:
keyid:68:13:2B:EA:9C:45:F0:4E:4E:B6:5D:40:3F:1C:60:8F:78:2A:FA:11
Signature Algorithm: sha256WithRSAEncryption
Please don't commit this.
Those public CAs are needed to allow the Agents to download the MongoDB binaries from the net while using the CA pem file for connecting to OM over HTTPS. You are going to break this.
beware that this commit dupe https://github.com/HenryGP/om_ansible/pull/84 a lot, and it's less effective.
Tested out with both download URL shapes, all good with the shortened CA in this PR. For example:
[root@n1 /]# curl --verbose https://fastdl.mongodb.org/osx/mongodb-macos-x86_64-4.2.15.tgz -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to fastdl.mongodb.org port 443 (#0)
* Trying 13.224.67.109...
* Connected to fastdl.mongodb.org (13.224.67.109) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=downloads.mongodb.com
* start date: Jun 28 00:00:00 2021 GMT
* expire date: Jul 27 23:59:59 2022 GMT
* common name: downloads.mongodb.com
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
> GET /osx/mongodb-macos-x86_64-4.2.15.tgz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: fastdl.mongodb.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/gzip
< Content-Length: 119565460
< Connection: keep-alive
< Date: Thu, 05 Aug 2021 10:55:52 GMT
< Last-Modified: Wed, 07 Jul 2021 15:03:41 GMT
< ETag: "d395eb1ffa647a004fa3008bfd1f76c7"
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< Via: 1.1 df28c5139a58e7fd82c9f1801939f7c1.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: DUB2-C1
< X-Amz-Cf-Id: -PzcF83kFHjqSB9hlPDciORCMS-wd6ElY5mp7TB-zaWFQalvthHkqg==
<
{ [data not shown]
and
[root@n1 /]# curl --verbose https://downloads.mongodb.com/linux/mongodb-linux-x86_64-enterprise-rhel70-4.4.0.tgz -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to downloads.mongodb.com port 443 (#0)
* Trying 13.224.67.72...
* Connected to downloads.mongodb.com (13.224.67.72) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=downloads.mongodb.com
* start date: Jun 28 00:00:00 2021 GMT
* expire date: Jul 27 23:59:59 2022 GMT
* common name: downloads.mongodb.com
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
> GET /linux/mongodb-linux-x86_64-enterprise-rhel70-4.4.0.tgz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads.mongodb.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/gzip
< Content-Length: 131986084
< Connection: keep-alive
< Date: Thu, 05 Aug 2021 10:55:15 GMT
< Last-Modified: Mon, 27 Jul 2020 15:21:41 GMT
< ETag: "1df3728bec07dc9227901c2514eb739a"
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< Via: 1.1 003bc9225f430357abb8eb4b34f6dc20.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: DUB2-C1
< X-Amz-Cf-Id: P1ZvihiRkrFQyjX8hRvXarvftoSAICz8mGaSZJQ2OnoySe4aI9HF9w==
<
{ [data not shown]
@HenryGP you are using the OS CA certs with curl.
The agent doesn't use them when httpsCAFile is set.
There is a ticket for dealing with that, which was never fixed...
Fixes https://github.com/HenryGP/om_ansible/issues/81.