openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

log alt certs in use when starting up #1238

Open dovholuknf opened 1 year ago

dovholuknf commented 1 year ago

Expected Behavior

When configuring alt server certs, observing anything in the logs indicating that the certs were used (or not) would be much appreciated.

Observed Behavior

No positive nor negative message is presented, leaving me wondering if I configured it correctly or not.


Background

Tonight I created a config file using the ziti cli, and the controller that started is apparently not correctly configured with alt-server-certs. Issuing:

openssl s_client -connect ctrl.clint.demo.openziti.org:8441 | openssl x509 -text

informs me:

X509v3 Subject Alternative Name:
                DNS:ec2-13-58-222-94.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, DNS:localhost, IP Address:127.0.0.1

I've stopped the process, confirmed it's not running, etc. The config file (abridged) looks like this:

db:                     "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/db/ctrl.db"

identity:
  cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/certs/ip-172-31-11-231-client.cert"
  server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/certs/ip-172-31-11-231-server.chain.pem"
  key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/keys/ip-172-31-11-231-server.key"
  ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/cas.pem"
  alt_server_certs:
    - server_cert:  "/etc/letsencrypt/live/zititv.demo.openziti.org/fullchain.pem"
      server_key:   "/etc/letsencrypt/live/zititv.demo.openziti.org/privkey.pem"
...
web:
...
    # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-edge-controller-intermediate/certs/ip-172-31-11-231-edge-controller-intermediate.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-edge-controller-intermediate/keys/ec2-13-58-222-94.us-east-2.compute.amazonaws.com-server.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-edge-controller-intermediate/certs/ec2-13-58-222-94.us-east-2.compute.amazonaws.com-server.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-edge-controller-intermediate/certs/ec2-13-58-222-94.us-east-2.compute.amazonaws.com-client.cert"
      alt_server_certs:
        - server_cert: "/etc/letsencrypt/live/zititv.demo.openziti.org/fullchain.pem"
          server_key:  "/etc/letsencrypt/live/zititv.demo.openziti.org/privkey.pem"

andrewpmartinez commented 3 months ago

During grooming, the request was to log the hostnames to which SNI would respond during startup.