openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

alt_server_certs on web, delivered via control plane #1189

Closed dovholuknf closed 1 year ago

dovholuknf commented 1 year ago

Expected Behavior

alt_server_cert specified in the web section would have no effect on the control plane -- or SNI would kick in.

Actual Behavior

Configuring a controller as shown below:

"root" identity block:

```yaml
identity:
  cert:                 "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-client.cert"
  server_cert:          "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-server.chain.pem"
  key:                  "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/keys/ctrl.clint.demo.openziti.org-server.key"
  ca:                   "/persistent/pki/cas.pem"

ctrl:
  listener:             tls:0.0.0.0:8440
```

a "web" block like this:

```yaml
    identity:
      ca:          "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-intermediate.cert"
      key:         "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/keys/ctrl.clint.demo.openziti.org-server.key"
      server_cert: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-server.chain.pem"
      cert:        "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-client.cert"
      alt_server_certs:
      - server_cert: "/etc/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
        server_key: "/etc/letsencrypt/live/clint.demo.openziti.org/privkey.pem"
```

Ends up returning the pki of the alt_server_cert, which then makes it so the edge router cannot connect to the controller complaining of:

```text
ERROR channel/v2.(*classicListener).acceptConnection.func1 [tls:0.0.0.0:8440]: error receiving hello from [tls:172.21.0.1:37154] (receive error (remote error: tls: bad certificate))
ERROR fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2: {endpoint=[tls:ec2-13-58-222-94.us-east-2.compute.amazonaws.com:8440] error=[error connecting ctrl (tls: failed to verify certificate: x509: certificate is valid for ctrl.clint.demo.openziti.org, localhost, ziti, not ec2-13-58-222-94.us-east-2.compute.amazonaws.com)]} unable to connect controller
```

openssl s_client confirms the behavior:

```console
$ openssl s_client -connect ec2-13-58-222-94.us-east-2.compute.amazonaws.com:8440 2>&1 | openssl x509 -text | grep -A1 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:ctrl.clint.demo.openziti.org, DNS:localhost, DNS:ziti, IP Address:127.0.0.1
```
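The two behaviours discussed in this report (the alt cert being served only when the client's SNI names it, versus being served on a listener regardless of SNI) can be reproduced locally without any OpenZiti PKI. The Go program below is an added example; it is not code from the OpenZiti project or from this report. It mints two constructed self-signed certificates that stand in for the controller's server_cert and the Let's Encrypt alt_server_cert, serves them from a loopback TLS listener under a selectable GetCertificate policy, and probes the listener the way a router dials the ctrl endpoint, returning the DNS SANs actually presented and the hostname verification result. The hostnames are the ones in the report; the certificate material, the loopback port and the helper names (Fixture, NewFixture, mustCert, picker, Probe) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Fixture holds two constructed self-signed certs standing in for the controller's
// own server_cert and for the Let's Encrypt alt_server_cert from the report.
type Fixture struct {
	Roots *x509.CertPool  // trusts both, as a router trusts the controller's CA
	Ctrl  tls.Certificate // SANs as in the report: ctrl.clint.demo.openziti.org, localhost, ziti
	Alt   tls.Certificate // SAN: clint.demo.openziti.org
}

// mustCert mints a throwaway self-signed server cert for the given DNS names.
func mustCert(names ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func NewFixture() *Fixture {
	f := &Fixture{
		Roots: x509.NewCertPool(),
		Ctrl:  mustCert("ctrl.clint.demo.openziti.org", "localhost", "ziti"),
		Alt:   mustCert("clint.demo.openziti.org"),
	}
	f.Roots.AddCert(f.Ctrl.Leaf)
	f.Roots.AddCert(f.Alt.Leaf)
	return f
}

// picker is the listener's GetCertificate policy. With bySNI the alt cert is served only when
// the client's SNI names it (expected); without it the alt cert is presented regardless of SNI.
func (f *Fixture) picker(bySNI bool) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if bySNI && f.Alt.Leaf.VerifyHostname(h.ServerName) != nil {
			return &f.Ctrl, nil // SNI absent or not matching the alt cert: serve the controller's own
		}
		return &f.Alt, nil
	}
}

// Probe starts a loopback listener with the chosen policy, dials it with the given SNI as a
// router dialing the ctrl endpoint would, and returns the presented leaf's DNS SANs plus the
// hostname verification error, if any.
func (f *Fixture) Probe(bySNI bool, serverName string) (sans []string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: f.picker(bySNI)})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // one handshake; a client rejecting the cert surfaces here as "remote error: tls: bad certificate"
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // verified in VerifyConnection instead, so the SANs are captured even on failure
		VerifyConnection: func(cs tls.ConnectionState) error {
			leaf := cs.PeerCertificates[0]
			sans = leaf.DNSNames
			_, err := leaf.Verify(x509.VerifyOptions{Roots: f.Roots, DNSName: serverName})
			return err
		},
	})
	if err == nil {
		conn.Close()
	}
	return sans, err
}

func main() {
	sans, err := NewFixture().Probe(true, "ec2-13-58-222-94.us-east-2.compute.amazonaws.com")
	fmt.Printf("served=%v verify=%v\n", sans, err) // the router's error: valid for ctrl..., localhost, ziti, not ec2-...
}
```

Running it as-is reproduces the router's log line: no certificate names the EC2 hostname, so even the correctly selected controller cert fails hostname verification. Switching the policy to `false` reproduces the reported symptom instead, where the alt cert is presented even to a client asking for ctrl.clint.demo.openziti.org. The SNI-aware picker matches on the alt cert's own SANs and falls back to the controller's cert for everything else, which is the behaviour the report expected.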
dovholuknf commented 1 year ago

Uh - yeah. Never mind. Automation changed the values in the blocks and I only noticed it after filing... :|