
TLS cert soft failure #2580

Open
benjaminleonard opened this issue Nov 26, 2024 · 1 comment · May be fixed by #2582
Comments

@benjaminleonard

#2578 (comment)

Similar to the "soft-failures" we have on image import, we could probably decode the certificate and verify that either the CN or SAN covers the computed silo url {silo}.sys.{domain}. Less useful for long term users, but likely nice for initial silo creation.

Seems like a quick win, design work is minimal since we can just reuse the pattern from image import. @augustuswm have you got a test cert you could send to play with?

@augustuswm

Since we are only interested in verifying the name here (and maybe the expiration?) you can generate self-signed certificates for testing:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=<silo>.sys.<domain>" -addext "subjectAltName = DNS:<silo>.sys.<domain>"

You can then print the contents of the cert with:

openssl x509 -in cert.pem -text -noout

You can change the value of the subject CN by altering the CN=<silo>.sys.<domain> part, and you can change the SAN entries by editing the DNS:<silo>.sys.<domain> part. I think for this initial check we can look to see if the silo is covered by either of those, including if one is specified as a wildcard (i.e. *.sys.<domain>)
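The name check discussed above, written out as an added example (not code from omicron or from either commenter): it matches a silo host against the certificate's SAN DNS entries with RFC 6125 wildcard rules (a `*` is honoured only as the whole leftmost label and covers exactly one label), and falls back to the subject CN only when the certificate has no SAN DNS entries, which is what browsers do. `names_from_pem` assumes the `cryptography` package is installed; everything else is standard library.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertNames:
    common_name: Optional[str]
    san_dns: List[str]


def _pattern_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name pattern against a host.

    Wildcard handling follows RFC 6125 section 6.4.3: '*' is only honoured as the
    entire leftmost label, it matches exactly one label, and patterns such as
    '*.com' or 'a*.sys.example.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(names: CertNames, host: str) -> bool:
    """True if a SAN DNS entry covers host; the CN is consulted only when the
    certificate carries no SAN DNS entries (RFC 6125 section 6.4.4)."""
    if names.san_dns:
        candidates = names.san_dns
    else:
        candidates = [names.common_name] if names.common_name else []
    return any(_pattern_matches(p, host) for p in candidates)


def silo_host(silo: str, domain: str) -> str:
    """The computed silo URL host, {silo}.sys.{domain}, from the issue text."""
    return f"{silo}.sys.{domain}"


def names_from_pem(pem: bytes) -> CertNames:
    """Pull CN and SAN DNS names out of a PEM cert (assumes `cryptography`)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    cert = x509.load_pem_x509_certificate(pem)
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    return CertNames(cn, list(dns))
```

Note that this is stricter than "CN or SAN": a certificate whose SAN lists other names and whose CN alone names the silo is reported as not covering it, because clients will reject it the same way.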

@benjaminleonard benjaminleonard linked a pull request Nov 27, 2024 that will close this issue