Closed dovholuknf closed 1 year ago
Expected Behavior

alt_server_cert specified in the `web` section would have no effect on the control plane -- or SNI would kick in.

Actual Behavior

Configuring a controller as shown below:

"root" identity block

```yaml
identity:
  cert: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-client.cert"
  server_cert: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-server.chain.pem"
  key: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/keys/ctrl.clint.demo.openziti.org-server.key"
  ca: "/persistent/pki/cas.pem"
ctrl:
  listener: tls:0.0.0.0:8440
```

a "web" block like this:

```yaml
identity:
  ca: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-intermediate.cert"
  key: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/keys/ctrl.clint.demo.openziti.org-server.key"
  server_cert: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-server.chain.pem"
  cert: "/persistent/pki/ctrl.clint.demo.openziti.org-intermediate/certs/ctrl.clint.demo.openziti.org-client.cert"
  alt_server_certs:
    - server_cert: "/etc/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
      server_key: "/etc/letsencrypt/live/clint.demo.openziti.org/privkey.pem"
```

Ends up returning the pki of the alt_server_cert, which then makes it so the edge router cannot connect to the controller, complaining of:

```
ERROR channel/v2.(*classicListener).acceptConnection.func1 [tls:0.0.0.0:8440]: error receiving hello from [tls:172.21.0.1:37154] (receive error (remote error: tls: bad certificate))
ERROR fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2: {endpoint=[tls:ec2-13-58-222-94.us-east-2.compute.amazonaws.com:8440] error=[error connecting ctrl (tls: failed to verify certificate: x509: certificate is valid for ctrl.clint.demo.openziti.org, localhost, ziti, not ec2-13-58-222-94.us-east-2.compute.amazonaws.com)]} unable to connect controller
```

openssl s_client confirms the behavior:

```
$ openssl s_client -connect ec2-13-58-222-94.us-east-2.compute.amazonaws.com:8440 2>&1 | openssl x509 -text | grep -A1 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:ctrl.clint.demo.openziti.org, DNS:localhost, DNS:ziti, IP Address:127.0.0.1
```
Uh - yeah. Never mind. Automation changed the values in the blocks and I only noticed it after filing... :|
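The check behind the router error in the issue, as an added example written for this page and not code from the OpenZiti project: it dials a TLS listener with and without SNI, prints the SAN list of whatever leaf certificate comes back in the same form `openssl x509 -text` uses, and runs `VerifyHostname`, the hostname check crypto/tls performs during the router's handshake, against the router's configured endpoint. The self-signed certificate and the loopback listener are constructed stand-ins for the controller's server cert and its ctrl listener; the SAN values and the ec2 endpoint host are the ones from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// probeLeaf dials addr over TLS (sending serverName as SNI when non-empty) and
// returns the leaf certificate presented. Verification is disabled on purpose:
// the point is to see what is served, not to trust it.
func probeLeaf(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true, ServerName: serverName})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s presented no certificate", addr)
	}
	return certs[0], nil
}

// sanSummary renders the SANs the way `openssl x509 -text` prints them.
func sanSummary(cert *x509.Certificate) string {
	var parts []string
	for _, d := range cert.DNSNames {
		parts = append(parts, "DNS:"+d)
	}
	for _, ip := range cert.IPAddresses {
		parts = append(parts, "IP Address:"+ip.String())
	}
	return strings.Join(parts, ", ")
}

// serveTLS starts a loopback listener (a constructed stand-in for the ctrl
// listener on :8440) presenting a throwaway self-signed certificate with the
// given SANs. Each accepted connection is handshaken and then closed.
func serveTLS(dnsNames []string, ips []net.IP) (net.Listener, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

func main() {
	// Constructed cert carrying the SANs the issue's s_client check reported.
	ln, err := serveTLS([]string{"ctrl.clint.demo.openziti.org", "localhost", "ziti"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// The router's configured endpoint host; probe with and without it as SNI.
	host := "ec2-13-58-222-94.us-east-2.compute.amazonaws.com"
	for _, sni := range []string{"", host} {
		leaf, err := probeLeaf(ln.Addr().String(), sni)
		if err != nil {
			panic(err)
		}
		// VerifyHostname is the check crypto/tls runs during the router's handshake.
		fmt.Printf("SNI=%q -> SAN: %s\n  router check: %v\n", sni, sanSummary(leaf), leaf.VerifyHostname(host))
	}
}
```

Against a live controller, point `probeLeaf` at the ctrl address (host:8440) instead of the loopback listener. A SAN list that differs between the two probes means the listener is selecting a certificate on SNI; an identical list that does not cover the router's endpoint host reproduces the "certificate is valid for ..., not ..." error shown in the issue.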