Closed rgl closed 2 years ago
Hey @rgl, thanks for reporting this. I do believe our TLS generation could use some updating. I'm not able to reproduce the curl behavior you're getting. Using the vagrant-virtualbox and vagrant-libvirt setup I'm getting this:

```
vagrant@ubuntu2004:~$ curl "https://$TINKERBELL_HOST_IP/v2/_catalog"
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

I've updated the TLS a bit in this branch here. Would you mind testing out the updated TLS there to see if it has the same behavior?
Sorry, I forgot to describe the root cause of the "curl" problem. It was because the update-ca-certificates command refused to add the certificates inside the bundle.pem file to the machine trust store, because it has two certificates: the root CA certificate and the server certificate.

Hence, the tls-gen step must be modified to generate two separate certificate files: one for the root CA certificate and another for the server certificate. For this you do not need to create an intermediate CA; the existing root CA is enough.
Ah ok. What was the output you got? I was able to add it successfully with just a warning.

```
vagrant@ubuntu2004:~$ sudo cp -a /vagrant/compose/state/webroot/workflow/ca.pem /usr/share/ca-certificates/cacert.crt
vagrant@ubuntu2004:~$ sudo dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping cacert.pem,it does not contain exactly one certificate or CRL
rehash: warning: skipping ca.pem,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~20.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
vagrant@ubuntu2004:~$ curl "https://$TINKERBELL_HOST_IP/v2/_catalog"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
```
Hey @rgl, any chance you are able to share your output from update-ca-certificates?
FYI @rgl @jacobweinstock I can produce the error with curl on vagrant-virtualbox:

```
$ curl "https://$TINKERBELL_HOST_IP/v2/_catalog"
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

This is currently breaking the instructions in our Vagrant getting started guide and possibly others, which I'm working to fix.

If I understand @rgl's suggestion correctly, it seems like the first step would be to fix the gen() function in https://github.com/tinkerbell/sandbox/blob/main/deploy/compose/tls/generate.sh so that instead of bundling server.pem and ca.pem into bundle.pem like this:

```
cat server.pem ca.pem >"${bundle_destination}"
```

we instead just put the three separate files into the certs directory like this:

```
certs
├── server.pem
├── server-key.pem
└── ca.pem
```
Then I can fix the registry. Currently the registry service in https://github.com/tinkerbell/sandbox/blob/main/deploy/compose/docker-compose.yml looks like this:

```
registry:
  image: registry:2.7.1
  restart: unless-stopped
  network_mode: host
  healthcheck:
    test:
      [
        "CMD-SHELL",
        "wget --no-check-certificate https://$TINKERBELL_HOST_IP -O -",
      ]
    interval: 5s
    timeout: 1s
    retries: 5
  environment:
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/.htpasswd
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/${FACILITY:-onprem}/bundle.pem
    REGISTRY_HTTP_TLS_KEY: /certs/${FACILITY:-onprem}/server-key.pem
    REGISTRY_HTTP_ADDR: $TINKERBELL_HOST_IP:443
  volumes:
    - certs:/certs/${FACILITY:-onprem}:ro
    - auth:/auth:rw
  depends_on:
    tls-gen:
      condition: service_completed_successfully
    registry-auth:
      condition: service_completed_successfully
```

What should `REGISTRY_HTTP_TLS_CERTIFICATE: /certs/${FACILITY:-onprem}/bundle.pem` and `REGISTRY_HTTP_TLS_KEY: /certs/${FACILITY:-onprem}/server-key.pem` be instead?
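A worked illustration of the split @rgl describes (one file per certificate, because the trust-store rehash skips any file that does not hold exactly one certificate) and of the three-file certs layout proposed above. This is an added example, not code from tinkerbell/sandbox: it counts the certificates in a PEM file using the same "exactly one" rule quoted in the update-ca-certificates warning, then splits a bundle into one-certificate files in bundle order. The output names `cert-<n>.pem`, the `split_pem_bundle` / `trust_store_ok` function names and the placeholder certificate bodies are all constructed for the example; it needs only sh and awk and expects LF line endings.

```shell
#!/bin/sh
# Added example, not code from tinkerbell/sandbox: split a PEM bundle such as
# the sandbox's bundle.pem (server certificate followed by CA certificate)
# into one-certificate files, and apply the rule the trust-store rehash
# applies: a file is accepted only if it holds exactly one certificate.

# Number of certificates in a PEM file (counts BEGIN CERTIFICATE markers).
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# Mirror of the rule behind the update-ca-certificates warning
# "does not contain exactly one certificate or CRL" (CRLs not handled here):
# succeeds only when the file contains exactly one certificate.
trust_store_ok() {
    [ "$(pem_cert_count "$1")" -eq 1 ]
}

# Write each certificate of $1 to $2/cert-<n>.pem, in bundle order, and print
# how many were written. With the sandbox's `cat server.pem ca.pem` order,
# cert-1.pem is the server certificate and cert-2.pem is the CA certificate.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample bundle: placeholder bodies, not real certificates.
make_sample_bundle() {
    cat >"$1" <<'EOF'
-----BEGIN CERTIFICATE-----
U0VSVkVSIENFUlRJRklDQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVCBDQSBDRVJUSUZJQ0FURSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/bundle.pem"
    printf 'bundle.pem holds %s certificates; ' "$(pem_cert_count "$tmp/bundle.pem")"
    if trust_store_ok "$tmp/bundle.pem"; then
        echo "rehash would accept it"
    else
        echo "rehash would skip it (the update-ca-certificates failure)"
    fi
    n=$(split_pem_bundle "$tmp/bundle.pem" "$tmp/certs")
    echo "split into $n files:"
    for f in "$tmp"/certs/cert-*.pem; do
        trust_store_ok "$f" && echo "  $f: exactly one certificate, trust-store OK"
    done
    rm -rf "$tmp"
}

demo
```

Run against a real bundle produced by `cat server.pem ca.pem`, cert-1.pem is the server certificate and cert-2.pem the CA certificate; only the latter, as a single-certificate file, is what the client-side trust store will accept, which is the distinction the bundle hid.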
I missed @jacobweinstock 's branch ^^^. Let me work with that and come back.
@mrmrcoleman, yes, that's it, separate into three files: server private key, server certificate, and CA certificate.

I ended up doing a workaround in my use of the sandbox:
https://github.com/rgl/tinkerbell-vagrant/blob/master/provision-tinkerbell.sh#L37-L52
@rgl I believe by following both your and @jacobweinstock 's instructions I still don't have a working solution, however I've narrowed it down to a couple of things but my TLS foo isn't sufficient. Could we pair on this please?
@mrmrcoleman, can you please verify whether #111 works for you?

Please note that I didn't actually test the vagrant environment change. Let me know how it goes!
## Expected Behaviour

The current generated bundle.pem must not contain the CA certificate as that fails the certificate validation.
Only the client must have the CA certificate. The server must not send it.

## Current Behaviour

openssl s_client fails to validate the certificate:

wget fails to validate the certificate:

curl does not fail to validate the certificate, but it should, so I'm not really sure what is going on:

## Possible Solution

bundle.pem file. Instead it should split them into a server-crt.pem and a ca.pem file.

## Steps to Reproduce (for bugs)