Closed simonbjorzen-ts closed 8 months ago
Hm, I'm afraid there is nothing I could do about it, the plugin just forwards what you feed it to the Perl REST::Client library: https://github.com/LINBIT/linstor-proxmox/blob/master/LINSTORPlugin.pm#L202
Either that library is broken (I doubt that) or something is wrong/incomplete with your keys. In both cases nothing I could help with I'm afraid. Did you follow these steps? https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/#s-linstor-rest-api-https
For debugging I'd probably factor out these 5 lines of Perl calling the REST::Client that call the /health endpoint and continue from there.
maybe there is something interesting in the LINSTOR controller logs?
Hey,
I have checked the logs, but nothing. It is just dropped due to failed mTLS auth.
I will attempt to write a perl script that uses REST::Client and see if that works manually.
Curl works using the certificates, so mTLS configuration should be fine in Linstor.
And yeah, that is the guide that I followed, then extracted the keys in pem format from the keystore.
Alright, I figured out what the issue is by running the following Perl script:
```perl
use REST::Client;
my $cli = REST::Client->new( {
    host => "https://172.16.11.14:3371",
    cert => './cert.pem',
    key  => './key.pem',
    ca   => './ca.pem',
} );
print $cli->GET('/v1/view/resources')->responseContent();
```
```
Can't connect to 172.16.11.14:3371 (hostname verification failed) hostname verification failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.
```
I will try to solve this by recreating the keystore and adding the IPs in the SAN field.
It would have been really helpful to have some kind of debug logging for the Proxmox plugin.
Closing this, thanks for the quick reply.
Confirming that this fixed the issue.
Hi, I'm trying to activate mTLS for Linstor, but I'm faced with an issue.
TASK ERROR: could not connect to any LINSTOR controller at /usr/share/perl5/PVE/Storage/Custom/LINSTORPlugin.pm line 214.
/etc/pve/storage.cfg has been configured with:
```
apicrt /root/cert.pem
apikey /root/key.pem
apica /root/ca.pem
```
I see traffic coming to the controller using tcpdump on port 3371.
Using curl with mTLS works using the keys above, so the keys are fine.
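The hostname verification failure reported in this thread can be checked for before touching the plugin. The script below is an added example, not code from the thread or from the linstor-proxmox project: it uses OpenSSL's `-checkip` test, which only matches iPAddress SAN entries, on two constructed throwaway certificates (the name `linstor-controller` is an assumption; 172.16.11.14 is the address quoted above).

```shell
#!/bin/sh
# Added example. Certificates here are constructed throwaway test certs;
# "linstor-controller" is a hypothetical name used only for illustration.

# cert_matches_ip CERT IP: true only if CERT has an iPAddress SAN equal to IP.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_test_cert PREFIX CN [SAN]: write PREFIX.pem / PREFIX.key (self-signed).
make_test_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    fi
}

# report CERT IP: print a one-line verdict plus the SAN extension, if any.
report() {
    if cert_matches_ip "$1" "$2"; then
        echo "OK   $1 covers $2"
    else
        echo "FAIL $1 has no iPAddress SAN for $2"
    fi
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null || true
}

WORK=$(mktemp -d)
# Case 1: name only in the CN, no SAN at all.
make_test_cert "$WORK/no_san" linstor-controller
# Case 2: the address clients connect to is listed as an iPAddress SAN.
make_test_cert "$WORK/ip_san" linstor-controller \
    "IP:172.16.11.14,DNS:linstor-controller"
report "$WORK/no_san.pem" 172.16.11.14
report "$WORK/ip_san.pem" 172.16.11.14
rm -rf "$WORK"
```

Run `cert_matches_ip` against the controller's server certificate, since that is the certificate the client verifies the address against, not the client certificate configured as `apicrt`.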