This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

[7.0.x] Certificate changes according to the latest MacOS specific requirements. (2209) #2279

Merged
merged 1 commit into from Oct 27, 2020

Conversation

lenko-d
Contributor

@lenko-d lenko-d commented Oct 26, 2020

Port of the MacOS cert changes to the 7.0.x branch (2209)

(cherry picked from commit fdeebb9)

…ts. (#2209)

* Certificate changes according to the latest MacOS specific requirements.

* Added comments describing MacOS specific requirements.

* Use Teleport's TLSCredentials struct instead of copy-paste.

* Test case for MacOS specific certificate properties.

* Implemented auto-rotation of self-signed cluster cert in order to mitigate the impact of the reduced validity period. The validity period was reduced due to MacOS requirements.

* Better comment.

* Use OrganizationUnit field to identify gravitational self-signed cert.

* Improved comment.

* Use embedded error value instead of trace.DebugReport.

* Removed duplicated log message.

* Check for empty cert block after pem.Decode.

* Extra info in the logs for the new cert(ExpirationDate and SerialNumber).

* Debug log level for skip customer cert rotation message.

* Extracted a constant to defaults.go.

* Check if existing certificate files have already expired. This may happen if a user has been using their own cert for some time and has deleted it and decided to use the self-signed one.

* Move SelfSignedCert organisation ID to lib/defaults.

* Retry with backoff if the cert rotation fails.

* 3 second initial interval for the backoff logic.

* Certificate backdating. Let's Encrypt backdates by 1 hour.

* Don't do DNS lookups for localhost. Need to be careful of a very particular oddity of golang and some base images missing /etc/nsswitch.conf. Several versions of golang, when missing nsswitch configuration, will use DNS without local host resolution. This means this lookup could query external DNS servers and be subject to a number of unexpected results.

* A new name for self-signed cert org: Gravitiational Self Signed Web.

* Improved comment.

* Fixed spelling Organisation -> Organization.

* Assert that the result block is not nil when doing pem.Decode.

* Additional info in the log messages (cluster web UI cert).

* Check for expired cluster web UI cert on process start.

* Changed Lets Encrypt to Let's Encrypt for consistency.

* Check for exact match when comparing cert OrganizationalUnit values.

* Improved log messages.

* Improved log message.

* Improved log message.

(cherry picked from commit fdeebb9)
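The commit list above describes the mechanism only in outline: a self-signed web UI certificate shaped to Apple's rules (subjectAltName present, serverAuth EKU, SHA-2 signature, validity capped at 825 days), backdated by an hour, tagged in the OrganizationalUnit so the process can tell its own cert from a customer-supplied one, a nil check after pem.Decode, and an expiry check that triggers rotation only for the self-signed cert. The following is an added illustration written for this page, not gravity's or Teleport's code; the OU marker string, the 90-day lifetime and the 7-day renewal window are assumptions chosen for the example, while the 825-day ceiling is Apple's published limit for TLS server certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const (
	// Hypothetical OU marker (assumption; not the project's constant) used to
	// recognise our own self-signed cert and skip rotation of customer certs.
	selfSignedOU = "Example Self Signed Web"
	// Apple rejects TLS server certificates whose lifetime exceeds 825 days.
	maxAppleValidity = 825 * 24 * time.Hour
	// NotBefore is backdated one hour to tolerate client clock skew.
	backdate = time.Hour
	// Rotate once less than this much lifetime remains (assumption).
	renewBefore = 7 * 24 * time.Hour
)

// GenerateSelfSigned issues a self-signed TLS server certificate that satisfies
// Apple's requirements and returns PEM-encoded cert and key.
func GenerateSelfSigned(hosts []string, now time.Time, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	if validity <= 0 || validity+backdate > maxAppleValidity {
		return nil, nil, fmt.Errorf("validity %v (plus %v backdate) exceeds Apple's 825-day limit", validity, backdate)
	}
	if len(hosts) == 0 {
		return nil, nil, errors.New("at least one SAN is required; CN alone is not trusted")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is accepted; RSA would need >= 2048 bits
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"Example"}, OrganizationalUnit: []string{selfSignedOU}, CommonName: hosts[0]},
		NotBefore:             now.Add(-backdate),
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		SignatureAlgorithm:    x509.ECDSAWithSHA256, // SHA-2 family, as Apple requires
	}
	for _, h := range hosts { // IPs and DNS names go into separate SAN fields
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// ParseCertPEM decodes the first PEM block and refuses a nil block instead of
// dereferencing it (pem.Decode returns nil on garbage or an empty file).
func ParseCertPEM(b []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(b)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// IsOwnSelfSigned reports whether one OU value exactly equals the marker.
func IsOwnSelfSigned(c *x509.Certificate) bool {
	for _, ou := range c.Subject.OrganizationalUnit {
		if ou == selfSignedOU {
			return true
		}
	}
	return false
}

// NeedsRotation is true only for our own cert that has expired or entered the
// renewal window; a customer-provided cert is never rotated automatically.
func NeedsRotation(c *x509.Certificate, now time.Time) bool {
	return IsOwnSelfSigned(c) && !now.Before(c.NotAfter.Add(-renewBefore))
}

// CheckAppleRequirements verifies the properties Apple checks on server certs.
func CheckAppleRequirements(c *x509.Certificate) error {
	if c.NotAfter.Sub(c.NotBefore) > maxAppleValidity {
		return errors.New("validity period longer than 825 days")
	}
	if len(c.DNSNames)+len(c.IPAddresses) == 0 {
		return errors.New("no subjectAltName present")
	}
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		return errors.New("missing serverAuth extended key usage")
	}
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		return nil
	}
	return fmt.Errorf("signature algorithm %v is not in the SHA-2 family", c.SignatureAlgorithm)
}

func main() {
	now := time.Now()
	certPEM, _, err := GenerateSelfSigned([]string{"gravity.example.test", "127.0.0.1"}, now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	c, err := ParseCertPEM(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial=%s notAfter=%s ours=%v rotate=%v apple=%v\n",
		c.SerialNumber, c.NotAfter.UTC(), IsOwnSelfSigned(c), NeedsRotation(c, now), CheckAppleRequirements(c))
}
```

The rotation check deliberately keys off the exact OU string rather than "issuer equals subject", so a customer's own self-signed certificate is left alone and only logged; the backdate is added to the lifetime check in GenerateSelfSigned so a cert requested at exactly 825 days does not quietly exceed the limit once NotBefore is moved back an hour.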
@lenko-d lenko-d requested review from a team, r0mant, bernardjkim and alex-kovoy October 26, 2020 21:48
@lenko-d lenko-d changed the base branch from master to version/7.0.x October 26, 2020 21:52
@lenko-d lenko-d requested review from r0mant, a-palchikov and knisbet and removed request for r0mant, alex-kovoy, bernardjkim and a team October 26, 2020 21:54
@lenko-d lenko-d merged commit 17f576d into version/7.0.x Oct 27, 2020
@lenko-d lenko-d deleted the lenko/7.0.x/868-macos-cert-changes branch December 2, 2020 03:25
4 participants