Fix TLS gen() func to use updated csr file: #128

Merged
merged 1 commit into from
Apr 6, 2022

Conversation

jacobweinstock
Member

@jacobweinstock jacobweinstock commented Apr 6, 2022

Description

This fixes a regression in the docker-compose where the TINKERBELL_HOST_IP in the .env file wasn't showing up as a sans ip in the TLS certificate. This caused all TLS communication with the Tink server to fail with an error like:

x509: certificate is valid for 192.168.56.4, 127.0.0.1, not 192.168.2.150

This was happening because the updated csr.json file was not being used to generate the TLS certs. In this line here, the csr.json is updated and written to this location here. But this line here, where the TLS certs are generated, was not using this updated location. It was using this hardcoded location: /app/csr.json.

Why is this needed

Fixes: #127

How Has This Been Tested?

How are existing users impacted? What migration steps/scripts do we need?

The certs docker volume will need to be deleted. Remove ./deploy/compose/state/webroot/workflow/ca.pem and then re-run docker-compose up -d

or

```
docker-compose down -v --remove-orphans
rm deploy/compose/state/webroot/workflow/ca.pem
git checkout main
git pull
docker-compose up -d
```

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade

This fixes a regression in the docker-compose where
the `TINKERBELL_HOST_IP` in the .env file wasn't showing
up as a sans ip in the TLS certificate. This caused all TLS
communication with the Tink server to fail with an error like:

`x509: certificate is valid for 192.168.56.4, 127.0.0.1, not 192.168.2.150`

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock jacobweinstock requested a review from mmlb April 6, 2022 03:45
@jacobweinstock jacobweinstock added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. kind/regression Categorizes issue or PR as related to a regression from a prior release. labels Apr 6, 2022
@jacobweinstock jacobweinstock added the ready-to-merge Signal to Mergify to merge the PR. label Apr 6, 2022
@jacobweinstock jacobweinstock removed the request for review from mmlb April 6, 2022 15:02
@mergify mergify bot merged commit 10331dd into tinkerbell:main Apr 6, 2022
@jacobweinstock jacobweinstock deleted the fix-tls-regression branch April 6, 2022 15:03
@mmlb
Contributor

mmlb commented Apr 6, 2022

Thanks!

Labels
kind/regression Categorizes issue or PR as related to a regression from a prior release. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. ready-to-merge Signal to Mergify to merge the PR.
Development

Successfully merging this pull request may close these issues.

x.5009 cert error on docker-compose