shieldproject / shield-boshrelease

BOSH Release for shield
MIT License

Shield-agent raised an unexpected error x509: certificate signed by unknown authority when domains is set with a name instead an IP #153

Closed JCL38-ORANGE closed 6 years ago

JCL38-ORANGE commented 6 years ago

Hello,

I have tried to deploy a shield agent in two different ways.

The first way is with a domain populated by an IP => It is a success.

2018-11-07 22:04:19.216444919 +000 UTC /var/vcap/packages/shield/bin/shield-agent: DEBUG: pre-registering with https://192.168.211.250:443/v2/agents as {"name":"shield/shield@z1/0","port":5444}
2018-11-07 22:04:19.229284988 +000 UTC /var/vcap/packages/shield/bin/shield-agent: INFO: pre-registered with https://192.168.211.250:443 as shield/shield@z1/0 (port 5444)

The second way is with a domain populated by a name (shield-webui-mydomain.com) => It fails. The shield-agent is raising an unexpected error:

2018-11-09 11:19:43.255589287 +000 UTC /var/vcap/packages/shield/bin/shield-agent: DEBUG: pre-registering with https://shield-webui-mydomain.com:443/v2/agents as {"name":"shield-ua/shield@z1/0","port":5444}
2018-11-09 11:19:43.262907808 +000 UTC /var/vcap/packages/shield/bin/shield-agent: ERROR: failed to issue POST /v2/agents: Post https://shield-webui-mydomain.com:443/v2/agents: x509: certificate signed by unknown authority

The same certificate is used for the two ways (IP and name). It is generated by credhub with the following manifest snippet: ...

I have successfully verified my certificate with the following command:

wget -vd https://shield-webui-mydomain.com:443 --ca-certificate=/var/vcap/jobs/shield-agent/config/tls/shield.ca

=> X509 certificate successfully verified and matches host shield-webui-mydomain.com

I suspect a problem with the Go client library. Has this configuration been tested on your side? Is there a workaround for that?

Thanks and regards for your help, Jean-Christophe.

JCL38-ORANGE commented 6 years ago

Hello,

I found the solution. The issue can be closed. Jean-Christophe.

jhunt commented 6 years ago

Care to elaborate on the solution for future GitHub searchers?

AlexMussell commented 5 years ago

Can you please elaborate? I am experiencing the exact same issues.

JCL38-ORANGE commented 5 years ago

Hello,

The problem came from a bad certificate supplied in the field /instance_groups/name=shield/jobs/name=shield-agent/properties/core/ca. Supplying the good certificate (the platform certificate, in my context) solved the issue.

Regards, Jean-Christophe.

AlexMussell commented 5 years ago

Thanks for the swift reply. Yeah, I understand that, but the certificates are generated on the fly by the bosh variables. How did you create a certificate that was valid? I'm probably missing the same thing you were.

My variables currently look like so:

  - name: shield-agent-key
    type: ssh

  - name: shield-ca
    type: certificate
    options:
      is_ca: true
      common_name: shieldca

  - name: shield-tls
    type: certificate
    options:
      ca: shield-ca
      common_name: shield
      extended_key_usage:
        - client_auth
        - server_auth
      alternative_names:
        - 127.0.0.1
        - ((static_ip))
        - "*.shield.default.shield.bosh"
        - ((domain_name))

And the jobs like so:

jobs:
    - name: core
      release: shield
      provides:
        shield: {shared: true, as: shield}
      properties:
        domain: ((domain_name))
        agent:
          key: ((shield-agent-key.private_key))
        tls:
          certificate: ((shield-tls.certificate))
          key:         ((shield-tls.private_key))

    - name: shield-agent
      release: shield
      consumes:
        shield: {from: shield}
      properties:
        core:
          ca: ((shield-tls.ca))
        agent:
          key: ((shield-agent-key.public_key))

JCL38-ORANGE commented 5 years ago

Hello,

I expose the shield web ui (core) on a go router with the routing release (route_registrar job). There is a certificate attached to this go router. In the core job, I put the route in the domain properties field. In the shield-agent job, I put the go router certificate in the core.ca properties field. The x509 error is very generic and maybe it is not the same root cause.

Regards, Jean-Christophe.

AlexMussell commented 5 years ago

Hello,

After some digging, I have found where the error is and require some advice. After doing a tcp dump on the shield box, there is a client hello to our LB (which sits in front of the gorouters) from our shield IP, then a server hello from the LB IP to the shield IP, then the server performs the server key exchange where the server sends the LB certificate and chain (these are certs that are generated by COMODO, and should therefore be trusted automatically). When the shield box tries to respond, there is the Bad Certificate error. I assume this is due to the self-signed certificate generated in the deployment. Does the shield deployment not trust publicly signed certs? Are there any workarounds for this?

Regards, Alex
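
An added example, not code from this thread or from the SHIELD project, that shows in Go (the language the agent is written in) why the situations described above fail the way they do. It constructs two CAs in memory: a "platform-ca" standing in for whatever signs the certificate presented at the router or load-balancer endpoint, and a "shieldca" standing in for the deployment's own credhub-generated shield-ca. The host name and IP are the ones quoted in the issue; nothing here reads a real deployment's credentials. It then runs the check a Go TLS client performs after the handshake, once with the right CA in the role of core.ca, once with the wrong one, and once against a certificate whose SANs do not cover the dialed name:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template returns a CA template when isCA is set, else a server-cert template whose SANs are exactly dns and ips.
func template(name string, isCA bool, dns []string, ips []net.IP) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mint signs tmpl with parentKey, or self-signs when parent is nil. It panics on
// failure because it only builds this example's constructed in-memory fixtures.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyServerCert does what a Go TLS client does after the handshake: chain the presented leaf to a root in the pool (the agent's core.ca), then check the dialed host against the leaf's SANs.
func verifyServerCert(leaf, trustedCA *x509.Certificate, dialedHost string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialedHost})
	return err
}

// classify tells "wrong CA" apart from "wrong name"; the agent's generic log line does not.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown-authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch"
	}
	return "other: " + err.Error()
}

// RunScenarios plays through the configurations discussed in the thread.
func RunScenarios() map[string]string {
	platformCA, platformKey := mint(template("platform-ca", true, nil, nil), nil, nil) // CA behind the router/LB endpoint
	shieldCA, _ := mint(template("shieldca", true, nil, nil), nil, nil)                // the deployment's own shield-ca
	host, ip := "shield-webui-mydomain.com", net.ParseIP("192.168.211.250")
	leaf, _ := mint(template("shield", false, []string{host}, []net.IP{ip}), platformCA, platformKey)
	ipOnly, _ := mint(template("shield", false, nil, []net.IP{ip}), platformCA, platformKey)
	wrongCA := verifyServerCert(leaf, shieldCA, host)
	return map[string]string{
		"right-ca-by-name": classify(verifyServerCert(leaf, platformCA, host)),
		"right-ca-by-ip":   classify(verifyServerCert(leaf, platformCA, ip.String())),
		"wrong-ca":         classify(wrongCA),
		"wrong-ca-message": wrongCA.Error(),
		"name-not-in-sans": classify(verifyServerCert(ipOnly, platformCA, host)),
	}
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-18s %s\n", k, v)
	}
}
```

With the wrong CA in core.ca, verification fails with exactly the generic "x509: certificate signed by unknown authority" line from the agent log, whether the agent dials by name or by IP; that is the configuration Jean-Christophe corrected by supplying the CA behind the endpoint, and it is also what an agent does when a load balancer presents a chain whose root is not the one configured. A certificate with the right issuer but no SAN for the dialed name fails differently, with a hostname error, so the two misconfigurations can be told apart from the error type before reaching for tcpdump. Running the program prints one line per scenario.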

jhunt commented 5 years ago

Alex, can you open a new issue to track your problem? It seems related but different enough.

In addition, when you open the new issue, can you clarify what you mean by "shield IP"? Is that the SHIELD Core or one of the SHIELD Agents?