hashicorp / boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
https://boundaryproject.io
Mozilla Public License 2.0

AWS Deployment doesn't use HTTPS -- Provide warning in the documentation #52

Open BrandonALXEllisSS opened 3 years ago

BrandonALXEllisSS commented 3 years ago

There are AWS resources to create a self-signed ACM certificate, but given that there's no domain name system set up and the ACM certificate isn't used, any connections to the reference architecture can't use HTTPS (despite the constant plethora of example links that do use HTTPS), i.e.:

The admin console will be available at https://boundary-test-controller--.elb.us-east-1.amazonaws.com:9200

Please update the documentation to warn the user that they need to set up HTTPS on their own, or advise using HTTP if just testing the architecture.

omkensey commented 3 years ago

It looks like if you change the tls_disable variable in the vars.tf from true to false, it pipes the cert to the instances through a provisioner and adds it to the Boundary config.

jwieder commented 3 years ago

That is true, however (at least in the aws config) setting tls_disable var to false results in further errors. Specifically, there are two hard-coded http paths; changing those results in further errors when using default EC2 hostname nomenclature, e.g.:

```
Error: error calling read scope: error performing client request during Read call: Get "https://boundary-test-control-rando-a12345c123a0d1.elb.us-east-1.amazonaws.com:9200/v1/scopes/global": x509: certificate is not valid for any names, but wanted to match boundary-test-control-rando-a12345c123a0d1.elb.us-east-1.amazonaws.com
```

EDIT: the latter may be specific to executing terraform on macOS due to this: https://github.com/hashicorp/terraform/issues/22193#issuecomment-610877715

omkensey commented 3 years ago

Actually, looking at the TLS part of this, it looks like the cert we request is for a CN that's not a hostname. So let me poke around on this and I might cough up a PR later for either or both of you to test.

jwieder commented 3 years ago

Good catch. Looks like boundary.dev in the certs file.

On Thu, Oct 28, 2021, 10:16 Joe Thompson @.***> wrote:

> Actually, looking at the TLS part of this, it looks like the cert we request is for a CN that's not a hostname. So let me poke around on this and I might cough up a PR later for either or both of you to test.
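The two comments above point at the root of the x509 error: a certificate whose only identity is a CN of `boundary.dev` and no Subject Alternative Names. Go's TLS client (which the boundary CLI is built on) ignores the CN entirely and matches only SANs, which is exactly what "certificate is not valid for any names" means. The following is an added example, not code from the reference architecture or from Boundary: it builds two self-signed certificates in-process, one CN-only like the one in the repo's certs file and one carrying the ELB hostname as a SAN, and runs the same hostname check the client applies. The ELB hostname is a constructed placeholder patterned on the one in the error message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// elbHost is a constructed example hostname in the shape AWS assigns to an
// ELB; it is not a real endpoint.
const elbHost = "boundary-test-control-rando-a12345c123a0d1.elb.us-east-1.amazonaws.com"

// selfSignedCert builds a short-lived self-signed server certificate with the
// given CommonName and DNS SANs, and returns it parsed.
func selfSignedCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // empty slice => no SAN extension, like a CN-only cert
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches applies the hostname check crypto/tls performs during the
// handshake. It returns nil when host is covered by the cert's SANs and a
// *x509.HostnameError otherwise; the CN is not consulted.
func hostnameMatches(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

// validForHost is a convenience wrapper returning true when the cert would be
// accepted for host.
func validForHost(cert *x509.Certificate, host string) bool {
	return hostnameMatches(cert, host) == nil
}

func main() {
	cnOnly, err := selfSignedCert("boundary.dev", nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := selfSignedCert("boundary.dev", []string{elbHost})
	if err != nil {
		panic(err)
	}
	// The CN-only cert reproduces the error from the thread; the SAN cert passes.
	fmt.Println("CN-only cert:", hostnameMatches(cnOnly, elbHost))
	fmt.Println("SAN cert:    ", hostnameMatches(withSAN, elbHost))
}
```

Whatever fix lands in the Terraform, the check to make before pointing `BOUNDARY_ADDR` at the controller is that the DNS name of the ELB appears in the certificate's SAN list (`openssl x509 -noout -ext subjectAltName` shows it); a cert that only sets the CN will keep producing this error no matter how the config's http paths are edited.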

ddvdozuki commented 2 years ago

Any update to this?