fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Change APNs validation at startup to use HTTP/HTTPS instead of TCP+TLS #21683

Closed ddribeiro closed 1 month ago

ddribeiro commented 1 month ago

Fleet version: 4.54.1

💥  Actual behavior

A customer whose Fleet server is behind a proxy is unable to start their server after inserting their APNS certificate in their configuration file to enable Apple MDM features. It appears the HTTP_PROXY and HTTPS_PROXY environment variables are not being used when communicating with Apple servers.

The following error appears:

Failed to start: validate authentication with Apple APNs certificate: TLS dial: dial tcp 17.188.143.66:443: i/o timeout

@lucasmrod: Yeah, it seems our checks at startup do not use HTTPS_PROXY/HTTP_PROXY because to verify connection we just do a TCP+TLS connection, no HTTP. We should instead do an HTTP/HTTPS just like we do when communicating with Apple servers after the startup.

🧑‍💻  Steps to reproduce

  1. Insert values for mdm.apple_apns_* and mdm.apple_scep* in the Fleet server configuration file.
  2. With the Fleet server behind a proxy and HTTP_PROXY and HTTPS_PROXY environment variables correctly set, start the Fleet server.
  3. Observe the Fleet server is unable to start due to an error validating authentication with the APNs certificate.

🕯️ More info (optional)

N/A
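The contrast the issue describes, written out as an added Go example (not Fleet's own code): a raw TCP+TLS dial bypasses the HTTP_PROXY/HTTPS_PROXY environment variables, while an http.Client built on http.ProxyFromEnvironment honours them. Loading of the APNs client certificate is assumed to happen elsewhere; the sandbox endpoint is the one the thread says the check currently uses.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Before: the startup check as the issue describes it, a raw TCP+TLS dial that
// connects straight to Apple, ignores HTTP_PROXY/HTTPS_PROXY and times out.
func checkViaTLSDial(host string, certs []tls.Certificate, timeout time.Duration) error {
	cfg := &tls.Config{ServerName: host, Certificates: certs, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", net.JoinHostPort(host, "443"), cfg)
	if err != nil {
		return fmt.Errorf("TLS dial: %w", err)
	}
	return conn.Close()
}

// After: an http.Client whose transport takes the proxy from the environment,
// as Fleet's later Apple traffic does. certs is the APNs client certificate
// (assumed loaded elsewhere); the proxy only tunnels CONNECT, so TLS stays end to end.
func newProxyAwareClient(certs []tls.Certificate, timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout, Transport: &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{Certificates: certs, MinVersion: tls.VersionTLS12},
	}}
}

// checkViaHTTPS runs the validation request; any HTTP response means the TLS
// session (and the client certificate) was accepted through the proxy.
func checkViaHTTPS(ctx context.Context, client *http.Client, endpoint string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("HTTPS request: %w", err)
	}
	return resp.Body.Close()
}

func main() {
	client := newProxyAwareClient(nil, 10*time.Second)
	fmt.Println("APNs check:", checkViaHTTPS(context.Background(), client, "https://api.sandbox.push.apple.com"))
}
```

Running the `main` with HTTPS_PROXY set shows the request leaving via the proxy, whereas `checkViaTLSDial` on the same host still tries a direct connection and fails on an egress-only network.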

JoStableford commented 1 month ago

Related to a Slack conversation

zayhanlon commented 1 month ago

@georgekarrv this is not just workflow blocking, but blocking the entire MDM setup flow (can't start Fleet server with the existing APNS cert). I would like to push for this to be a P1 - is this something you can review and confirm if your team can tackle sooner?

@lukeheath fyi

lucasmrod commented 1 month ago

Also it seems the connection test uses https://api.sandbox.push.apple.com, maybe it should use https://api.push.apple.com (production endpoint)?

roperzh commented 1 month ago

Rationale for using the sandbox endpoint here: https://github.com/fleetdm/fleet/pull/8730/files#r1028145802 (not saying it can't be changed! just adding historical context)

lukeheath commented 1 month ago

@zayhanlon @georgekarrv I agree, this is a P1 critical bug.

georgekarrv commented 1 month ago

I had Sarah start looking at this today; hopefully we can get it into the RC.

fleet-release commented 1 month ago

With HTTP in use, Fleet's servers find their path, Data flows, no ruse.

fleet-release commented 1 month ago

Behind proxies' veil, Fleet's reach expands with grace, Apple's secrets hail.