pkg/certsigner/signer: Add "client" usage to server profile
Avoid issues like [1]:

  WARNING: 2018/05/29 11:17:10 Failed to dial 127.0.0.1:2379: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"; please retry.

In the discussion there, the issue seems to be that etcd 3.2 started
requiring the client usage for the server cert, which is (for some
reason) used when connecting to the gRPC gateway [2,3].

[1]: etcd-io/etcd#9785 (comment)
[2]: etcd-io/etcd#9785 (comment)
[3]: https://github.com/etcd-io/etcd/blob/v3.3.10/Documentation/dev-guide/api_grpc_gateway.md
wking authored and hexfusion committed Nov 7, 2019
1 parent 227189d commit be39735
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions pkg/certsigner/signer.go
Expand Up @@ -227,6 +227,7 @@ func signerPolicy(c Config) config.Signing {
Usage: []string{
string(capi.UsageKeyEncipherment),
string(capi.UsageDigitalSignature),
string(capi.UsageClientAuth),
string(capi.UsageServerAuth),
},
Expiry: c.EtcdServerCertDuration,
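
Review bot: the new `string(capi.UsageClientAuth)` entry in the server profile's `Usage` list carries no code comment saying why a server certificate needs the client usage, so a later least-privilege cleanup could remove it and bring back the `tls: bad certificate` handshake failure. Please add a short comment above that line pointing at the etcd gRPC gateway behaviour described in the commit message. Also note that with this entry every certificate issued under this profile (for `c.EtcdServerCertDuration`) passes the extended key usage check for TLS client authentication as well as server authentication, so it is worth confirming that whatever accepts client certificates from this signer authorizes on certificate identity and not on the usage alone.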