openziti / helm-charts

various helm charts for openziti-test-kitchen projects
https://openziti.io/helm-charts/
Apache License 2.0

trust-manager Bundle only has root CAs #117

Closed qrkourier closed 1 year ago

qrkourier commented 1 year ago

Ziti needs a bundle of trust chains so it can publish well-known certs to edge clients. There's a bug in the Helm chart template that causes the bundle to contain only root CAs, not the intermediate CAs that issue leaf certs. These are needed too.

The reason is that cert-manager concatenates the issuer cert chain in the tls.crt key of the K8s Secret where key and cert material are stored, and always places the root CA in ca.crt. I mistakenly believed the ca.crt key in a leaf cert's K8s Secret would contain its issuer's cert, but in fact it is the root CA's cert.

The solution is to refactor the Bundle resource template that is used to compose the trust bundle that's mounted on the path referenced in the controller config property identity.ca.

Specifically, the Bundle resource needs to aggregate the tls.crt key from each issuer instead of aggregating ca.crt from the leaf and intermediate as it does currently.

jan94 commented 1 year ago

Hi @qrkourier, I was able to follow through what you described in this issue now :) Can you explain what the effect of this bug on openziti and its functionality is?

I'm asking that because my current deployment actually works and I do not see the problem arising from this issue.

qrkourier commented 1 year ago

Closing this because I have a better understanding now, and the current behavior of bundling only root CAs is correct.

This is because server certificates are presented with intermediate certs when a client initiates server TLS. For example, a Ziti edge SDK initiates server TLS and receives the full chain, not only the server cert. The client verifies the server cert by verifying the received chain with the trust bundle from its identity configuration. That trust bundle is established by enrollment or it may be orchestrated out-of-band in the case of external ID claims.

How to inspect the trust chain presented with the web listener's server cert:

openssl s_client -connect minicontroller.ziti:443 -showcerts <>/dev/null
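The closing comment's reasoning, that a root-only trust bundle is sufficient because the server presents its intermediate during the TLS handshake, can be checked offline. The script below is an added example, not code from the openziti/helm-charts repo or from the issue thread: it assumes only that the openssl CLI is installed, builds a throwaway root -> intermediate -> leaf chain in a temp directory (the CN values and the DNS name minicontroller.ziti are constructed for the example), and then runs openssl verify against a bundle containing just the root, once with the intermediate supplied the way a TLS server would present it, and once without.

```shell
#!/bin/sh
# Added example (not from the openziti/helm-charts project): demonstrates that a
# root-only trust bundle verifies a leaf cert only when the intermediate is
# presented alongside it, which is what a TLS server does during the handshake.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf with openssl. Names are constructed.
gen_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:minicontroller.ziti\n' > leaf.ext

  # Root CA: self-signed with CA extensions
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

  # Intermediate CA: signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1

  # Leaf (server) cert: signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=minicontroller.ziti' \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
  cd - >/dev/null
}

# Verify the leaf against a bundle that holds ONLY the root CA (like the
# trust-manager Bundle discussed in the issue). Extra args go to openssl verify.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Server presents leaf + intermediate: the root-only bundle is enough.
chain_ok() { verify_leaf -untrusted "$WORK/int.pem"; }

# Only the leaf is available: no path to the root, so verification fails.
leaf_only_ok() { verify_leaf; }

gen_chain
if chain_ok; then
  echo "leaf + intermediate against root-only bundle: OK"
fi
if leaf_only_ok; then
  echo "leaf alone against root-only bundle: OK (unexpected)"
else
  echo "leaf alone against root-only bundle: FAILS (intermediate missing)"
fi
```

The `-untrusted` file plays the role of the intermediate(s) a server sends after its leaf in the handshake; the `-CAfile` is the trust bundle from the identity configuration. The first check succeeds and the second fails, which is exactly why the Bundle aggregating only ca.crt (the root) is correct as long as every listener is configured with the full chain from tls.crt.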