tls: fallback to self-signed certificate (#2760)

* tls: fallback to self-signed certificate

* remove unknown domain because certs are no longer valid

* update multi-deployment to use service-specific certificates

config/envoyconfig/listeners.go

@@ -532,7 +532,7 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e
 		return li, nil
 	}
 
-	chains, err := b.buildFilterChains(cfg.Options, cfg.Options.Addr,
+	chains, err := b.buildFilterChains(cfg.Options, cfg.Options.GRPCAddr,
 		func(tlsDomain string, httpDomains []string) (*envoy_config_listener_v3.FilterChain, error) {
 			filterChain := &envoy_config_listener_v3.FilterChain{
 				Filters: []*envoy_config_listener_v3.Filter{filter},

integration/control_plane_test.go

@@ -75,7 +75,6 @@ func TestHealth(t *testing.T) {
 		"https://authenticate.localhost.pomerium.io",
 		"https://httpdetails.localhost.pomerium.io",
 		"https://restricted-httpdetails.localhost.pomerium.io",
-		"https://unknown.localhost.pomerium.io",
 	}
 	endpoints := []string{"healthz", "ping"}
 

integration/tpl/backends/pomerium.libsonnet

@@ -102,7 +102,6 @@ local Environment(mode, idp, dns_suffix) =
     DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
     GRPC_ADDRESS: ':5443',
     GRPC_INSECURE: 'false',
-    OVERRIDE_CERTIFICATE_NAME: '*.localhost.pomerium.io',
   } else if mode == 'traefik' then {
     FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
   } else if mode == 'nginx' then {
@@ -141,6 +140,8 @@ function(mode, idp, dns_suffix='') {
         image: image,
         environment: environment {
           SERVICES: 'authorize',
+          CERTIFICATE: std.base64(importstr '../files/pomerium-authorize.pem'),
+          CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-authorize-key.pem'),
         },
         ports: [
           '9904:9901/tcp',
@@ -161,6 +162,8 @@ function(mode, idp, dns_suffix='') {
         image: image,
         environment: environment {
           SERVICES: 'databroker',
+          CERTIFICATE: std.base64(importstr '../files/pomerium-databroker.pem'),
+          CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-databroker-key.pem'),
         },
         ports: [
           '9902:9901/tcp',

pkg/cryptutil/tls.go

@@ -55,10 +55,9 @@ func GetCertificateForDomain(certificates []tls.Certificate, domain string) (*tl
 		}
 	}
 
-	// next use the first cert
-	if len(certificates) > 0 {
-		return &certificates[0], nil
-	}
+	log.Error(context.Background()).
+		Str("domain", domain).
+		Msg("cryptutil: no TLS certificate found for domain, using self-signed certificate")
 
 	// finally fall back to a generated, self-signed certificate
 	return GenerateSelfSignedCertificate(domain)

pkg/cryptutil/tls_test.go

@@ -49,7 +49,8 @@ func TestGetCertificateForDomain(t *testing.T) {
 		if !assert.NoError(t, err) {
 			return
 		}
-		assert.Equal(t, &certs[0], found)
+		assert.NotNil(t, found)
+		assert.NotEqual(t, &certs[0], found)
 	})
 	t.Run("generate", func(t *testing.T) {
 		certs := []tls.Certificate{}