Test self-signed certificates for Che on Kubernetes/OS deployed with chectl (helm/operator installers)

[sleshchenko]

Is your task related to a problem?

I tried to test self-signed certificate but I did manage to generate them correctly(more see https://github.com/eclipse/che/pull/13946). This issue is about setting up self-signed certificate for Che, and check if everything works correctly (like Java Maven workspace is started and working).

[rhopp]

@skabashnyuk @slemeur @sleshchenko Is this needed for 7.0?

[l0rd]

@sleshchenko what's the relationship with https://github.com/eclipse/che/issues/12634? I mean I thought we had fixed the issues with self-signed certs (wsmaster, plugin-broker, theia) and that we knew how to deploy Che using a self-signed cert. What's new here?

[sleshchenko]

The new part is that I did not manage to generate the right wildcard self-signed certificate that would work after importing to a browser, also plugin-broker refused such a generated certificate:

It would be nice if we have instructions list how to generate the right self-signed certificate for Che Server.

[sleshchenko]

I tried to play with generating a self-signed certificate and discovered typical issues people faced:

1. Chrome from 58 version requires Subject Alternative Names to be set, previously Common name was fine.
2. Firefox does not allow to use a CA certificate as a certificate for signing requests.

Here I found some meaningful instructions about generating self-signed certificates https://wiki.mozilla.org/SecurityEngineering/x509Certs and https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 But it did not work for me in as-is. I modified them and got the following instructions: Generate self-signed certs

CA_CN=minishift-signer
DOMAIN=*.192.168.99.100.nip.io

#Generate root key # add -des3 if you want to set pass phrase
openssl genrsa -out rootCA.key 4096

# Generate root cert
openssl req -x509 \
  -new -nodes \
  -key rootCA.key \
  -sha256 \
  -days 1024 \
  -out rootCA.crt \
  -subj /CN=${CA_CN} \
  -reqexts SAN \
  -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf \
      <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature, keyEncipherment'))

#Create cert key for domain
openssl genrsa -out domain.key 2048

#create csr for domain
openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=UA/ST=CK/O=RedHat/CN=${DOMAIN}" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=keyCertSign, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")) \
    -out domain.csr

# create cert for domain
openssl x509 -req -extfile <(printf "subjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=keyCertSign, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth") -days 365 -in domain.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.crt

After executing it, you'll be able to use domain.crt and domain.key for Route/Ingress TLS and rootCA.crt for importing to browsers - like Chrome, Mozilla (I tested only these two). I do not have deep knowledge in TLS and maybe some parts are not needed, but it's what works for my minishifti nstallation.

Deploy Che on Minishift Configure Router with generated certificate:

oc login -u system:admin --insecure-skip-tls-verify=true
oc project default
oc delete secret router-certs
cat domain.crt domain.key > minishift.crt
oc create secret tls router-certs --key=domain.key --cert=minishift.crt
oc rollout latest router

Precreate a secret with self-signed certificate for Che Server.

• It might be omitted since che-operator has the functionality of auto-grabbing certificate but it does not work in this particular case. The corresponding issue is already registered https://github.com/eclipse/che/issues/14175.

  oc create namespace che
  cp rootCA.crt ca.crt
  oc create secret generic self-signed-certificate --from-file=ca.crt -n=che

  Deploy Che Server itself

  chectl server:start --platform=minishift --installer=operator --multiuser --tls --self-signed-cert

Deploying on minikube is not fully working, I'm preparing fixes and will post PRs and instructions on how to deploy Che soon.

[sleshchenko]

I managed to deploy Che with self-signed cert (CA + certificate for TLS) with the following changes for helm chart and chectl: https://github.com/eclipse/che/pull/14176, https://github.com/che-incubator/chectl/pull/248. When self-signed certificates are generated (see https://github.com/eclipse/che/issues/14035#issuecomment-519822676 #Generate self-signed certs You can proceed to the following commands to deploy Che on minikube: Deploy Che on Minikube

kubectl create namespace che
kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n che

cp rootCA.crt ca.crt
kubectl create secret generic self-signed-cert --from-file=ca.crt -n che

chectl server:start --platform=minikube --installer=helm --multiuser --tls --self-signed-cert

[benoitf]

as Mario suggested, moving to 7.0.0 as fixes are there and PR are there

[sleshchenko]

Helm chart is fixed to correctly deploy Che Server with self-signed-cert configured, chectl is adapted to these changes as well https://github.com/eclipse/che/pull/14176, https://github.com/che-incubator/chectl/pull/248

Also, the following issues were found but will be fixed in separate issues:

• che-operator auto-grabbing of self-signed certificate does not work correctly https://github.com/eclipse/che/issues/14175
• chectl fails to request Che Server if it's deployed with self-signed-cert flag https://github.com/eclipse/che/issues/14179

[mmorhun]

On Fedora openssl configuration file is located under /etc/pki/tls/openssl.cnf instead of /etc/ssl/openssl.cnf as in the Sergii's examples. So the commands will look like:

# Generate root cert
openssl req -x509 -new -nodes  -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj /CN=${CA_CN} -reqexts SAN -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature, keyEncipherment'))

# Create csr for domain
openssl req -new -sha256 -key domain.key -subj "/C=UA/ST=CK/O=RedHat/CN=${DOMAIN}" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=keyCertSign, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")) -out domain.csr

[erlansan]

Has anybody tried to create a self signed sertificate on windows to run in minishift? Is it possible to do, if so, where can i find the infos about it? All the tutorials and commands that i found so far seem to be opted for linux based OS.

[mmorhun]

In case one need to include root CA cert into router chain, minishift.crt should be created in the following way (docs):

cat domain.crt rootCA.crt domain.key > minishift.crt