
Pin certificate server key type to RSA #18

Merged
merged 1 commit into from
Aug 21, 2023

Conversation

dfangl
Member

@dfangl dfangl commented Aug 21, 2023

Motivation

Currently, our certificate workflow would use the certbot default, ECDSA, as the generated server key type.

However, this breaks LocalStack's EKS implementation, since it seems our proxy implementation does not like ECDSA public keys, and will somehow break the client certificates necessary for authentication with the k3s API.

It will lead to the following errors in k3s:

localstack_main  | E0821 08:06:18.027860      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"
localstack_main  | E0821 08:06:20.056375      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"
localstack_main  | E0821 08:06:22.083400      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"
localstack_main  | E0821 08:06:24.109302      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"
localstack_main  | E0821 08:06:26.136980      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"
localstack_main  | E0821 08:06:28.166789      83 authentication.go:63] "Unable to authenticate the request" err="[x509: certificate signed by unknown authority, verifying certificate SN=428217389087803287667876166580439937980685, SKID=48:C1:E1:76:BE:19:EC:D3:E0:55:58:6C:17:5A:D4:5D:35:FB:B9:70, AKID=14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 failed: x509: certificate signed by unknown authority]"

For now, we need to pin an RSA server key to avoid breaking behavior, until we can replace the proxy library (necessary for python3.11 as well).

Changes

  • Pin server key to RSA

@dfangl dfangl requested a review from simonrw August 21, 2023 08:11

@simonrw simonrw left a comment


Sounds like a fair fix for now.

@@ -11,7 +11,7 @@ chmod 600 gandi.ini

# request certificate
set -x
certbot -n --agree-tos --email ${CERTBOT_EMAIL} ${CERTBOT_ARGS} --authenticator dns-gandi --dns-gandi-credentials gandi.ini --work-dir=$PWD/work --config-dir=$PWD/config --logs-dir=$PWD/logs -d $certificate_domains certonly
certbot -n --agree-tos --email ${CERTBOT_EMAIL} ${CERTBOT_ARGS} --authenticator dns-gandi --dns-gandi-credentials gandi.ini --key-type rsa --work-dir=$PWD/work --config-dir=$PWD/config --logs-dir=$PWD/logs -d $certificate_domains certonly
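Review bot: the `--key-type rsa` pin on the changed certbot line is a workaround for the proxy library's ECDSA problem described in the PR, but nothing in the script records that; add a comment above the certbot invocation stating why RSA is pinned and that it should be dropped once the proxy library is replaced, so the pin does not outlive its reason. Pinning only the key type also leaves the modulus size at whatever the installed certbot version defaults to; passing `--rsa-key-size` explicitly next to `--key-type rsa` would make the chosen size visible in the script instead of implicit.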


minor: do we have any control over how many bits the rsa key uses? It would be good to ensure a secure amount, though I suppose it doesn't really matter for this use case...

Member Author


We can set it with --rsa-key-size, but I also do not quite see the need here.
Also, we should start moving to ECDSA as soon as we get rid of the library anyway, then the defaults are 256-bit, which should be good currently.

@dfangl dfangl merged commit f19692c into master Aug 21, 2023
1 check passed
@dfangl dfangl deleted the fix-certificate-server-key branch August 21, 2023 09:04