canonical / observability-libs

A collection of charm libraries curated by the Observability team.
https://charmhub.io/observability-libs
Apache License 2.0

Split SANs into DNS and IP #60

Closed sed-i closed 11 months ago

sed-i commented 12 months ago

Issue

When traefik generates a CSR with IP address (this is often the case in testing), then the IP address goes into the DNS section, but according to RFC 2818 (via) it needs to go to a different, dedicated section:

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Solution

Keep cert_handler API the same, but internally split the list into ips and hostnames and pass accordingly to generate_csr.

Tandem PRs:

Possibly depends on:

Context

NTA.

Testing Instructions

Deploy the tandem PRs. Then copy over the external-ca cert, and attempt to curl prometheus via its ingress URL, from within the grafana container.

juju run external-ca/0 get-ca-certificate --format json | jq -r '."external-ca/0".results."ca-certificate"' > external-ca.crt
openssl x509 -noout -text -in external-ca.crt

echo | openssl s_client -showcerts -servername 10.43.8.206 -connect 10.43.8.206:443 | openssl x509 -text -noout

juju scp --container prometheus external-ca.crt prometheus/0:/usr/local/share/ca-certificates
juju ssh --container prometheus prometheus/0 update-ca-certificates --fresh

juju scp --container grafana external-ca.crt grafana/0:/usr/local/share/ca-certificates
juju ssh --container grafana grafana/0 update-ca-certificates --fresh

juju ssh --container grafana grafana/0 curl https://10.43.8.206/trfk-prometheus-0/api/v1/targets | jq | grep -E "scrapeUrl|health"

# from within the grafana workload container, from /usr/local/share/ca-certificates
openssl verify -CAfile $PWD/external-ca.crt -CApath $PWD -verbose -x509_strict -verify_ip ip

Before https://github.com/canonical/traefik-k8s-operator/pull/249, curl gives curl: (60) SSL certificate problem: self-signed certificate and openssl verify complains:

error 85 at 0 depth lookup: Missing Authority Key Identifier
C = US, CN = external.demo.ca
error 92 at 1 depth lookup: CA cert does not include key usage extension
error stdin: verification failed

With the default cert set in traefik, it works.

Release Notes

Split SANs into DNS and IP.
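As an added example (not code from observability-libs or this PR), this is the split the description calls for: every SAN candidate that parses as an IP address is emitted as an iPAddress GeneralName and everything else as a dNSName, so a CSR for a bare ingress IP matches RFC 2818. The names `split_sans`, `build_csr` and `SAMPLE_SANS` are hypothetical stand-ins for the cert_handler / generate_csr split the PR describes.

```python
# Added example (not code from observability-libs or this PR); the names
# split_sans/build_csr are hypothetical stand-ins for the cert_handler split.
import ipaddress
from typing import List, Tuple


def split_sans(sans: List[str]) -> Tuple[List[str], List[str]]:
    """Return (hostnames, ips): anything that parses as an IPv4/IPv6 address
    belongs in an iPAddress SAN (RFC 2818), everything else in a dNSName."""
    hostnames, ips = [], []
    for san in sans:
        san = san.strip()
        if not san:
            continue  # skip empty entries rather than emit an empty dNSName
        try:
            ip = ipaddress.ip_address(san)
        except ValueError:
            if san not in hostnames:
                hostnames.append(san)
        else:
            # Canonical text form, so the SAN matches what a verifier compares.
            if str(ip) not in ips:
                ips.append(str(ip))
    return hostnames, ips


def build_csr(common_name: str, sans: List[str]) -> bytes:
    """PEM CSR whose SAN extension carries DNS and IP entries with the proper
    GeneralName types. Needs the `cryptography` package (imported lazily)."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID

    hostnames, ips = split_sans(sans)
    entries = [x509.DNSName(h) for h in hostnames]
    entries += [x509.IPAddress(ipaddress.ip_address(i)) for i in ips]
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName(entries), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


# Constructed sample: a testing-style ingress IP (from the PR) plus a hostname.
SAMPLE_SANS = ["10.43.8.206", "prometheus.example", "::1", " 10.43.8.206 "]
```

With the SAN list split this way, `openssl verify -verify_ip 10.43.8.206` checks the iPAddress entry instead of failing on a dNSName that merely looks like an address.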

sed-i commented 12 months ago

@ghislainbourgeois have you tried using CSRs that list bare IPs? Did it work for you?

sed-i commented 12 months ago

According to this, we need to add x509.KeyUsage to generate_ca.

Example usage.

Wdyt @ghislainbourgeois?

sed-i commented 11 months ago

Confirmed this works with https://github.com/canonical/traefik-k8s-operator/pull/249.