sensu / sensu-go

Simple. Scalable. Multi-cloud monitoring.
https://sensu.io
MIT License

mTLS Agent Certificate Being Used As Backend API Certificate #5028

Closed devinlyons closed 1 year ago

devinlyons commented 1 year ago

Expected Behavior

The mTLS agent certificate should be used for authentication while the backend certificate should be used for the API.

Current Behavior

I generated an agent certificate and configured the backend as follows:

---
cert-file: "/etc/sensu/tls/cert.pem"
key-file: "/etc/sensu/tls/key.pem"
trusted-ca-file: "/etc/sensu/tls/ca.pem"
insecure-skip-tls-verify: false
state-dir: "/var/lib/sensu/sensu-backend"
agent-auth-cert-file: "/etc/sensu/tls/agent-cert.pem"
agent-auth-key-file: "/etc/sensu/tls/agent-key.pem"
agent-auth-trusted-ca-file: "/etc/sensu/tls/ca.pem"

Now, when I connect to the API over HTTPS or WSS, it fails because the server certificate is incorrect. Specifically, Sensu is offering the agent-auth-cert-file as the server certificate. I have verified that the correct certificates are in the correct files.

Backend Cert:

# openssl x509 -in cert.pem -noout -text                                
Certificate:
    Data:
        Version: 3 (0x2)
       ...
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:sensu-test, IP Address:127.0.0.1
            X509v3 Subject Key Identifier: 
                E5:69:44:09:A0:F6:F0:CB:DB:0A:42:61:9D:52:4D:86:ED:A1:CE:C1
            X509v3 Authority Key Identifier: 
                keyid:43:08:39:AD:D2:13:41:9F:12:A4:F7:55:B4:E8:22:A3:5A:7E:37:B1
            ...
            1.3.6.1.4.1.311.20.2: 
                ...W.e.b.S.e.r.v.e.r
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption

Agent Cert:

# openssl x509 -in agent-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
         ...
        Subject: C = US, ST = ..., L = ..., O = ..., CN = agent, emailAddress = ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                ...
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:sensu-test
            ...

But when I connect to the API, it offers the agent certificate.

# openssl s_client -showcerts -connect 127.0.0.1:8081 </dev/null         
CONNECTED(00000005)
depth=0 C = US, ST = ..., L = ..., O = ..., CN = agent, emailAddress = ...
verify error:num=26:unsupported certificate purpose
verify return:1
depth=2 DC = com, ..
verify return:1
depth=1 DC = com, ..
verify return:1
depth=0 C = US, ST = ..., L = ..., O = ..., CN = agent, emailAddress = ...
verify return:1
---
Certificate chain
...
Server certificate
subject=C = US, ST = ..., L = ..., O = ..., CN = agent, emailAddress = ...

issuer=DC = com, ...

---
Acceptable client certificate CA names
DC = com, ...
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4403 bytes and written 405 bytes
Verification error: unsupported certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsupported certificate purpose)
---
139764209189312:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1528:SSL alert number 42

Possible Solution

I believe the mTLS certificate configuration is overwriting the backend certificate configuration.

Steps to Reproduce (for bugs)

  1. Set up Sensu mTLS with a certificate.

Context

I am trying to use the secret delivery system in Sensu and I need mTLS enabled to do that.

Your Environment
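Added diagnostic for the situation described above (this is an added example, not code from the reporter or from the Sensu project): a small POSIX shell script that fetches the leaf certificate a TLS listener actually presents, prints its Extended Key Usage, and compares its SHA-256 fingerprint with the PEM file the backend is configured to use. It assumes openssl is installed and that the backend is reachable on the Sensu defaults of 8080 for the REST API and 8081 for the agent websocket listener; the cert file paths are the ones from the reporter's configuration and can be substituted with your own. Running the same check against each port, with each of cert.pem and agent-cert.pem as the expected file, shows directly which listener serves which certificate instead of reading the chain by eye out of s_client.

```shell
#!/bin/sh
# Added example (not Sensu project code): verify which certificate a TLS
# listener presents and whether it is the PEM file you expect.
# Assumes: openssl on PATH; Sensu defaults of 8080 (API) and 8081 (agent
# websocket); file paths below are the reporter's and are placeholders.

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# First line of the Extended Key Usage extension of a PEM certificate file,
# e.g. "TLS Web Server Authentication"; prints nothing if the cert has no EKU.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# True (exit 0) when two PEM files hold the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Leaf certificate presented by the TLS server at host:port, as PEM on stdout.
# "openssl x509" reads only the first PEM block, which s_client prints first.
server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509
}

# Compare what host:port serves with an expected PEM file.
# Exit 0 on match, 1 on mismatch, 2 if no certificate could be fetched.
check_listener() {
    tmp=$(mktemp)
    if ! server_cert "$1" "$2" >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "$1:$2: no TLS certificate obtained (listener down or not TLS?)"
        return 2
    fi
    echo "$1:$2 serves: subject=$(openssl x509 -in "$tmp" -noout -subject | sed 's/^subject=//')"
    echo "$1:$2 serves: EKU=$(cert_eku "$tmp")"
    if same_cert "$tmp" "$3"; then
        echo "$1:$2: MATCH, served certificate is $3"
        rc=0
    else
        echo "$1:$2: MISMATCH, served $(cert_fingerprint "$tmp") but $3 is $(cert_fingerprint "$3")"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh check_listener.sh HOST PORT EXPECTED_CERT_PEM
# e.g.   sh check_listener.sh 127.0.0.1 8080 /etc/sensu/tls/cert.pem
#        sh check_listener.sh 127.0.0.1 8081 /etc/sensu/tls/agent-cert.pem
if [ $# -eq 3 ]; then
    check_listener "$1" "$2" "$3"
fi
```

A listener that serves a certificate whose only EKU is TLS Web Client Authentication will always produce the "unsupported certificate purpose" verify error seen in the s_client output above, so the EKU line alone tells you whether the presented certificate was ever valid as a server certificate; the fingerprint comparison then tells you which configured file it came from.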

devinlyons commented 1 year ago

I have discovered that the backend API is offering the agent certificate instead of the backend certificate. I updated the issue summary to reflect this new information since no one has looked at this issue yet.

devinlyons commented 1 year ago

It looks like this is the intended behavior and I just got the configuration wrong.