Closed: davewalter closed this 3 years ago.
A PR for this would be very welcome! Thanks for the investigative work you put in to figure this out 👏
Thanks for the quick response @taylorsilva. We created #234 with the changes we think are required.
Fixed by #234
While testing the latest patch releases of bosh-bootloader for compatibility with Concourse, I recently discovered that the concourse-smoke-tests originally written by @joshzarrabi started failing when the pipeline started consuming v7.0.0. The error occurred in the ci task when setting up the test environment:
When I watched the web process' logs while making the same request manually, I saw this in the web.stderr.log:
Reading through the release notes, the only reference I could find to a client TLS certificate came from the introduction of support for mTLS:
Working backwards through the changes made in that PR (https://github.com/concourse/concourse/pull/6355), I found that if a CA certificate is included in the ATC's `tls` configuration then that will enable mTLS, which will require a client certificate to be included in requests. This happens automatically if the `tls.cert.ca` property is included in the job spec for the web instance in the BOSH manifest. This, in turn, happens automatically since the `atc_tls` variable defined in `tls-vars.yml` is used in its entirety in the `tls.yml` ops-file.

I have confirmed that excluding the CA from the web instance group's `tls.cert` property and redeploying fixes the problem and allows me to download the fly CLI from the server. I would be happy to PR this change if it would be acceptable. I could also include a new `mtls.yml` ops-file that includes the `tls.cert.ca` property for users that want to enable mTLS on their web VMs.
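As an added illustration of the two ops-file shapes the issue proposes (not the contents of PR #234 or the project's actual files), the first document passes only the leaf certificate and key from `atc_tls` to the web job, so the ATC serves plain HTTPS; the second, opt-in document adds `tls.cert.ca`, which is what switches the ATC into mTLS and makes it reject any request, including the fly CLI download, that carries no client certificate. The instance group and job names (`web`), the `bind_port` property and the exact property paths are assumptions; `tls.cert`, `tls.cert.ca`, `atc_tls`, `tls.yml` and `mtls.yml` come from the issue.

```yaml
# --- tls.yml (illustrative replacement for the ops-file the issue describes) ---
# Only the certificate and private key are handed to the web job. Leaving out
# the CA keeps the server in one-way TLS: clients verify the server, the server
# does not demand a client certificate, and `fly` can still be downloaded.
# Assumed: instance group "web", job "web", property path and bind_port.
- type: replace
  path: /instance_groups/name=web/jobs/name=web/properties/tls?
  value:
    bind_port: 443
    cert:
      certificate: ((atc_tls.certificate))
      private_key: ((atc_tls.private_key))

---
# --- mtls.yml (illustrative, applied only by operators who want mTLS) ---
# Adding tls.cert.ca is the single setting that enables mutual TLS on the web
# VMs: every client, browsers and `fly` included, must then present a
# certificate signed by this CA or the TLS handshake fails, which is the
# failure the smoke tests hit when the CA was included unintentionally.
# Assumed: same instance group, job and property path as above.
- type: replace
  path: /instance_groups/name=web/jobs/name=web/properties/tls/cert/ca?
  value: ((atc_tls.ca))
```

Each `---`-separated document is meant to live in its own file and be passed to `bosh deploy` with `-o`; applying both together would re-add the CA and reintroduce the mTLS requirement.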