hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

consul tls ca create ignores filename-prefix #7196

Open allthingsclowd opened 4 years ago

allthingsclowd commented 4 years ago

Hi Team,

I may just be interpreting the documentation incorrectly, apologies if that's the case. The documentation for the consul tls helper function for creating consul pki certificates implies that a filename prefix can be added as follows:

Usage: consul tls ca create [filename-prefix] [options] (source)

However when I try using a filename prefix of bananas, it's ignored:

sudo /usr/local/bin/consul tls ca create bananas
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem

Looking at the code, it appears the filename prefix is actually taken by reading the -domain flag (source).

And by testing I get the desired result:

sudo /usr/local/bin/consul tls ca create -domain=bananas
==> Saved bananas-agent-ca.pem
==> Saved bananas-agent-ca-key.pem

If the code is correct I think that it may be clearer to remove the [filename-prefix] from the usage examples and just update the options section for -domain to mention this is also used as the prefix for the generated files?

Thank you.

hanshasselberg commented 4 years ago

@allthingsclowd thank you for spotting this! You are absolutely correct, the documentation https://www.consul.io/docs/commands/tls/ca.html is wrong. Domain is supported and it is part of the filename of the CA and the key. It would be great to document that since the CA will also have a constraint on that domain name: https://github.com/hashicorp/consul/blob/5a6e602b86224a5179ba6f30a1771396bc14de9b/tlsutil/generate.go#L65-L68.

Would you like to create a PR or should I take care of this?