burmilla / os

Tiny Linux distro that runs the entire OS as Docker containers
https://burmillaos.org
Apache License 2.0

TLS certificate regeneration #164

Closed stevecharon closed 11 months ago

stevecharon commented 11 months ago

BurmillaOS Version: (ros os version) 1.5.8

Where are you running BurmillaOS? (docker-machine, AWS, GCE, baremetal, etc.) Nutanix AHV VM

Which processor architecture you are using? Intel gold

Do you use some extra hardware? (GPU, etc)? No

Which console you use (default, ubuntu, centos, etc..) debian

Do you use some service(s) which are not enabled by default? qemu-guestagent

Have you installed some extra tools to console?

Do you use some other customizations? Docker TLS, own registry (jfrog-artifactory)

Please share copy of your cloud-init (remember remove all sensitive data first)

hostname: MYVM132.some.where
mounts:
- - /dev/sdb1
  - /opt/diskmount
  - ext4
  - ""
rancher:
  cloud_init:
    datasources:
    - vmware
  console: debian
  docker:
    environment:
    - http_proxy=http://192.168.0.34:8080
    - https_proxy=http://192.168.0.34:8080
    - no_proxy=localhost,127.0.0.1,*.some.where,10.*,192.168.*
    - HTTPS_PROXY=http://192.168.0.34:8080
    - HTTP_PROXY=http://192.168.0.34:8080
    - NO_PROXY=localhost,127.0.0.1,*.some.where,10.*,192.168.*
    tls: true
  environment:
    EXTRA_CMDLINE: /init
    HTTPS_PROXY: http://192.168.0.34:8080
    HTTP_PROXY: http://192.168.0.34:8080
    NO_PROXY: localhost,127.0.0.1,*.some.where,10.*,192.168.*
    http_proxy: http://192.168.0.34:8080
    https_proxy: http://192.168.0.34:8080
    no_proxy: localhost,127.0.0.1,*.some.where,10.*,192.168.*
  network:
    HTTPS_PROXY: http://192.168.0.34:8080
    HTTP_PROXY: http://192.168.0.34:8080
    dns:
      nameservers:
      - 192.168.16.2
      - 192.168.16.8
      override: true
      search:
      - some.where
    http_proxy: http://192.168.0.34:8080
    https_proxy: http://192.168.0.34:8080
    interfaces:
      eth0:
        address: 192.168.16.132/24
        dhcp: false
        gateway: 192.168.16.254
        mtu: 1500
    no_proxy: localhost,127.0.0.1,*.some.where,10.*,192.168.*
  services_include:
    container-cron: true
    open-vm-tools: false
    qemu-guest-agent: true
  state:
    dev: LABEL=RANCHER_STATE
    wait: true
  system_docker:
    environment:
    - http_proxy=http://192.168.0.34:8080
    - https_proxy=http://192.168.0.34:8080
    - no_proxy=localhost,127.0.0.1,*.some.where,10.*,192.168.*
    - HTTPS_PROXY=http://192.168.0.34:8080
    - HTTP_PROXY=http://192.168.0.34:8080
    - NO_PROXY=localhost,127.0.0.1,*.some.where,10.*,192.168.*
  upgrade:
    url: https://gist.githubusercontent.com/abuisine/29e18fda1b13b1f2c9f57429d75ebef1/raw/bdb61803f10d13527e9d1471a8897443c97f63f3/releases.yml
runcmd:
- mkdir -p /opt/diskmount
- mount -t ext4 /dev/sdb1 /opt/diskmount || (mkfs.ext4 /dev/sdb1 && mount -t ext4 /dev/sdb1 /opt/diskmount)
ssh_authorized_keys:
- ssh-rsa public-key-012345678
write_files:
- container: ntp
  content: |+
    server 192.168.0.34
    server 192.168.16.2
    server 192.168.16.3
    server 192.168.16.8
    # Allow only time queries, at a limited rate, sending KoD when in excess.
    # Allow all local queries (IPv4, IPv6)
    restrict default nomodify nopeer noquery limited kod
    restrict 127.0.0.1
    restrict [::1]
  owner: root
  path: /etc/ntp.conf
  permissions: "0644"

I have used TLS since 2020 to monitor the containers in the VM. Now the certificate has expired and I wanted to regenerate it according to the documentation. But I noticed that only the server and client cert can be regenerated. The underlying CA is still kept, which will expire tomorrow. How can I regenerate the CA too? I already deleted CA.pem and CA-cert.pem to no avail. The exact same files are put in /etc/docker/tls every time I use sudo ros tls gen -H localhost -d /etc/docker/tls

I know I am using RancherOS 1.5.8, but since the documentation still states the same for Burmilla I thought this place would be more responsive. If you can tell me that switching to Burmilla will fix this I would be happy to do so.

best regards

Steve

olljanat commented 11 months ago

> How can I regenerate the CA too?

With a quick look at the code, the logic looks to be that those are generated when they do not exist in the config. So this should work (it worked at least in my lab):

  1. Edit /var/lib/rancher/conf/cloud-config.yml and remove ca_cert and ca_key
  2. Reboot
  3. sudo ros tls gen --server -H localhost
  4. Reboot again

> If you can tell me switching to burmilla will fix this I would be happy to do so

It does not, but I would recommend upgrading because of known security issues and other bugs in RancherOS. However, at this point in time you probably want to wait until our 2.0.0 version gets out of the release candidate state and is released as RTM.

stevecharon commented 11 months ago

Thanks, now I have a correct CA in place. What is odd: it should not even regenerate certs if the CA is about to expire and the server/client cert goes beyond the validity of the CA. That is just plain wrong. I will test migration to 1.9.x. Waiting for 2.0 can be used to get up to the latest. I would guess upgrading from 1.9 to 2.x will be smoother than from 1.5?
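A defender-side check for the two points raised in this thread (the regenerated certs should chain to the current CA, and a server/client cert should not outlive the CA that signs it), written as an added example that is not part of the issue or of the BurmillaOS code. It assumes the openssl CLI and GNU date, and the file names ca.pem / server-cert.pem are assumed to match your /etc/docker/tls layout.

```shell
#!/bin/sh
# Added example, not from the issue or BurmillaOS: after `ros tls gen`,
# confirm the leaf certs chain to the current CA and do not outlive it.
# Assumes the openssl CLI and GNU date (for `date -d`).
set -u

# Epoch seconds of a certificate's notAfter field.
cert_end_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    date -u -d "$end" +%s
}

# True (exit 0) when the leaf expires after the CA that vouches for it,
# the situation the thread flags: the leaf stops validating with the CA.
leaf_outlives_ca() {
    [ "$(cert_end_epoch "$2")" -gt "$(cert_end_epoch "$1")" ]
}

# True when the leaf verifies against the given CA, i.e. it was issued
# by the regenerated CA rather than a stale one still in cloud-config.yml.
leaf_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: a CA valid for 1 day and a server cert it signs for
# 365 days, which is exactly a leaf that outlives its CA.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sample-ca \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=localhost \
        -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/server-cert.pem" 2>/dev/null
}

# Audit one CA/leaf pair; file names follow the /etc/docker/tls layout.
audit_pair() {
    if ! leaf_signed_by_ca "$1" "$2"; then
        echo "$2: not issued by $1 (stale CA in cloud-config.yml?)"; return 1
    elif leaf_outlives_ca "$1" "$2"; then
        echo "$2: expires after $1; it becomes unusable when the CA expires"; return 2
    fi
    echo "$2: ok"
}
```

Run `audit_pair /etc/docker/tls/ca.pem /etc/docker/tls/server-cert.pem` (and the same for the client cert.pem) after the reboot in step 4 above; a non-zero exit means the regeneration did not produce a consistent set.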