siderolabs / omni

SaaS-simple deployment of Kubernetes - on your own hardware.

[bug] Correct PATH for custom CA Certificates #212

Closed MAHDTech closed 5 months ago

MAHDTech commented 5 months ago

Is there an existing issue for this?

Current Behavior

Hi, I'm testing out Omni and trying to add a custom CA to the Omni trust store.

In this case it's because I have a SAML server signed by a different CA chain than my Omni instance.

Currently I've tried a few usual places but each results in the following error when Omni attempts to access the SAML URL.

tls: failed to verify certificates x509: certificate signed by unknown authority

So far I've tried mounting my Full CA Chain via Docker volume in;

I've also tried appending the CA Chain to the file read by the --cert flag but this doesn't seem to work either.

Where is the correct location to mount a custom CA Chain for Omni to read it and, in this case, trust the SAML provider's certificate?

Expected Behavior

Mount the CA cert chain and Omni trusts it.

Steps To Reproduce

Example snippet from a Docker Compose

   volumes:
      - etcd:/_out/etcd
      - logs:/out/logs
      - secondary-storage:/_out/secondary-storage
      - etcd-backup:/tmp/omni-data/etcd-backup
      - ${SECRETS}/tls.key:/tls.key
      - ${SECRETS}/omni.asc:/omni.asc
      # Test 1
      - ${CERT_CHAIN}:/etc/ssl/certs/ca-certificates.crt:ro
      # Test 2
      - ${CERT_CHAIN}:/etc/ssl/omni-certs/ca-certificates.crt:ro
      # This is what i pass to --cert and --key
      - ${OMNI_CERT_CHAIN}:/tls.crt
      - ${OMNI_CERT_KEY}:/tks.key

What browsers are you seeing the problem on?

No response

Anything else?

No response

MAHDTech commented 5 months ago

It's always the way, you create an issue and then figure it out a few mins later :grin:

In this case, the problem was the local file permissions on the cert chain.

After relaxing the permissions on the .crt file the issue resolved itself.

Perhaps if there is a permissions problem reading the file, or the file is empty, the error could be more descriptive to hint at the problem.

Thanks.

utkuozdemir commented 5 months ago

Thanks for reporting.

The --cert and --key arguments affect the HTTP server Omni itself runs; they do not affect the certificates it trusts. So they are unrelated to this issue.

One thing I noticed - you would want to mount your certificates into the certs directory, but not override the ca-certificates.crt file - it contains the whole set of root certificates. So, instead, you'd simply mount your CA CRT into /etc/ssl/certs directory and Go would respect that - see: https://go.dev/src/crypto/x509/root_linux.go

As it is Go's crypto internals detecting the certificates and trusting them, I don't think we on our side should do any special handling to them like checking their permissions.
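The two mechanisms discussed in the comment above, a trust directory that Go scans for PEM files and the verification that fails with "certificate signed by unknown authority" when the issuing CA is not in the pool, can be exercised end to end without a SAML server. The program below is an added example and is not Omni's code or Go's actual root loader: it constructs a private CA and a leaf certificate for a hypothetical host `saml.example.internal`, writes the CA into a temporary directory next to an empty `.crt` file (the failure case from the thread), loads that directory with a simplified scan, and verifies the leaf once against an empty pool and once against the loaded pool. `LoadCADir`, `VerifyLeaf`, `newCert` and `SetupDemo` are names chosen here. The one behavioural difference from Go's loader is deliberate: Go's Unix root loader ignores files it cannot read or parse, which is why a wrong file mode produces no error at load time and only a verification failure later; this version reports every dropped file so the operator can see that the CA never made it into the pool.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// LoadCADir is a simplified stand-in for Go's SSL_CERT_DIR scan, not the real loader:
// Go silently drops files it cannot read or parse; here every dropped file is reported.
func LoadCADir(dir string) (pool *x509.CertPool, skipped []string, err error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, nil, err
	}
	pool = x509.NewCertPool()
	for _, e := range entries {
		if data, rerr := os.ReadFile(filepath.Join(dir, e.Name())); rerr != nil { // e.g. 0600 owned by another user
			skipped = append(skipped, e.Name()+": "+rerr.Error())
		} else if !pool.AppendCertsFromPEM(data) { // empty file or no CERTIFICATE block
			skipped = append(skipped, e.Name()+": no certificate parsed")
		}
	}
	return pool, skipped, nil
}

// VerifyLeaf checks a server cert against roots only (nil roots would mean the system store);
// an empty pool yields x509.UnknownAuthorityError, the error quoted in the issue.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// newCert issues a constructed test certificate; parent == nil means a self-signed CA.
func newCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN is what DNSName verification matches on
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SetupDemo builds a constructed private CA plus a leaf for host, writes the CA to dir
// as custom-ca.crt, and adds an empty empty.crt as the failure case from the issue.
func SetupDemo(dir, host string) (*x509.Certificate, error) {
	ca, caKey, err := newCert(1, "Example Private Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(2, host, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	pemCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	if err := os.WriteFile(filepath.Join(dir, "custom-ca.crt"), pemCA, 0o644); err != nil {
		return nil, err
	}
	return leaf, os.WriteFile(filepath.Join(dir, "empty.crt"), nil, 0o644)
}

func main() {
	const host = "saml.example.internal" // hypothetical SAML endpoint name
	dir, err := os.MkdirTemp("", "ca-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	leaf, err := SetupDemo(dir, host)
	if err != nil {
		panic(err)
	}
	pool, skipped, err := LoadCADir(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("skipped: %v\nempty pool: %v\nwith CA: %v\n", skipped, VerifyLeaf(leaf, x509.NewCertPool(), host), VerifyLeaf(leaf, pool, host))
}
```

Two practical checks follow from this. First, after mounting a CA into the container (for example as a separate file such as `/etc/ssl/certs/custom-ca.crt:ro`, an assumed path that leaves the distribution bundle intact), confirm from inside the container that the file is readable by the user Omni runs as and that it contains a PEM `CERTIFICATE` block, because a file that cannot be read is simply absent from the pool. Second, Go also honours the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables when it builds the system pool, so an operator who prefers not to touch `/etc/ssl/certs` can point `SSL_CERT_DIR` at a directory of their own.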

MAHDTech commented 5 months ago

Thanks, I've used a different path now and with the correct permissions it's working as intended.