It looks like we do not actually use the cert-validity parameters. This func seems to be responsible for generating the certificates, but we only pass it the CA validity params.
Attached logs below (with some new debug logs added to make sure the params are parsed correctly). You can see the actual certificate is valid for 4h instead of 2h.
12:32 $ make go-run
# Run the operator locally with role All, with debug logs, operator image set to latest and operator namespace for a global operator
AUTO_PORT_FORWARD=true \
go run \
-ldflags "-X github.com/elastic/cloud-on-k8s/pkg/about.version=1.0.0 -X github.com/elastic/cloud-on-k8s/pkg/about.buildHash=688635ea -X github.com/elastic/cloud-on-k8s/pkg/about.buildDate=2020-02-10T18:33:06Z -X github.com/elastic/cloud-on-k8s/pkg/about.buildSnapshot=true" \
-tags "" \
./cmd/main.go manager \
--development --operator-roles=global,namespace \
--log-verbosity=1 \
--ca-cert-validity=4h --ca-cert-rotate-before=1h \
--cert-validity=2h --cert-rotate-before=1h \
--operator-namespace=default \
--namespaces= \
--manage-webhook-certs=false
...
2020-02-10T12:33:14.728-0600 DEBUG manager Using certificate authority rotation parameters {"service.version": "1.0.0-688635ea", "ca-cert-validity": "4h0m0s", "ca-cert-rotate-before": "1h0m0s"}
2020-02-10T12:33:14.728-0600 DEBUG manager Using certificate rotation parameters {"service.version": "1.0.0-688635ea", "cert-validity": "2h0m0s", "cert-rotate-before": "1h0m0s"}
[root@quickstart-es-default-0 elasticsearch]# curl --insecure -v https://localhost:9200 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=quickstart-es-http.default.es.local,OU=quickstart
* start date: Feb 10 18:36:43 2020 GMT
* expire date: Feb 10 22:46:43 2020 GMT
* common name: quickstart-es-http.default.es.local
* issuer: CN=quickstart-http,OU=quickstart
* Connection #0 to host localhost left intact
Verified in OpenSSL too just to make sure I wasn't being goofy:
13:11 $ kubectl get secrets quickstart-es-http-certs-public -o json | jq -r '.["data"]["tls.crt"]'| base64 --decode | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
aa:21:39:74:df:dd:de:a2:45:ba:59:66:e8:8d:cc:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU=quickstart, CN=quickstart-http
Validity
Not Before: Feb 10 18:36:43 2020 GMT
Not After : Feb 10 22:46:43 2020 GMT
Subject: OU=quickstart, CN=quickstart-es-http.default.es.local
From a discuss topic: https://discuss.elastic.co/t/cert-validity-isnt-working/218631
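Added example (not the project's own code and not part of the original issue): a small Go program that shows the two validity settings being threaded separately through certificate generation, and a check that would have caught the mismatch reported above. The `RotationParams`, `IssueCA`, `IssueLeaf`, `Lifetime` and `CheckValidity` names, the 15-minute tolerance, and the CA/subject names copied from the curl output are all assumptions of this example. `ReportedCert` reconstructs only the validity window printed by openssl above (Not Before 18:36:43, Not After 22:46:43 GMT), which spans 4h10m rather than exactly 4h, so the check allows a tolerance rather than demanding an exact match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RotationParams holds the two independent validities the operator exposes as
// --ca-cert-validity and --cert-validity. Hypothetical type for this example.
type RotationParams struct {
	CAValidity   time.Duration
	CertValidity time.Duration
}

// IssueCA creates a self-signed CA whose lifetime is p.CAValidity.
func IssueCA(p RotationParams, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "quickstart-http", OrganizationalUnit: []string{"quickstart"}},
		NotBefore:             now,
		NotAfter:              now.Add(p.CAValidity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate with the CA. The bug described in the
// issue amounts to calling this with p.CAValidity; the caller must pass
// p.CertValidity so the leaf gets its own, shorter lifetime.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, validity time.Duration, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "quickstart-es-http.default.es.local", OrganizationalUnit: []string{"quickstart"}},
		DNSNames:     []string{"quickstart-es-http.default.es.local"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Lifetime is the full validity window of a certificate.
func Lifetime(c *x509.Certificate) time.Duration { return c.NotAfter.Sub(c.NotBefore) }

// CheckValidity fails when the certificate's lifetime differs from the expected
// validity by more than tolerance (needed because the issuer may backdate NotBefore).
func CheckValidity(c *x509.Certificate, expected, tolerance time.Duration) error {
	diff := Lifetime(c) - expected
	if diff < 0 {
		diff = -diff
	}
	if diff > tolerance {
		return fmt.Errorf("certificate %q valid for %s, expected %s (tolerance %s)", c.Subject.CommonName, Lifetime(c), expected, tolerance)
	}
	return nil
}

// ReportedCert carries only the validity window shown in the openssl output
// in the issue; it is a constructed stand-in, not the real certificate.
func ReportedCert() *x509.Certificate {
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: "quickstart-es-http.default.es.local"},
		NotBefore: time.Date(2020, time.February, 10, 18, 36, 43, 0, time.UTC),
		NotAfter:  time.Date(2020, time.February, 10, 22, 46, 43, 0, time.UTC),
	}
}

func main() {
	tol := 15 * time.Minute
	fmt.Println("reported cert vs --cert-validity=2h:", CheckValidity(ReportedCert(), 2*time.Hour, tol))
	fmt.Println("reported cert vs --ca-cert-validity=4h:", CheckValidity(ReportedCert(), 4*time.Hour, tol))

	p := RotationParams{CAValidity: 4 * time.Hour, CertValidity: 2 * time.Hour}
	now := time.Now().UTC().Truncate(time.Second)
	ca, key, err := IssueCA(p, now)
	if err != nil {
		panic(err)
	}
	leaf, err := IssueLeaf(ca, key, p.CertValidity, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("CA lifetime:", Lifetime(ca), "leaf lifetime:", Lifetime(leaf))
}
```

Run against the reported window, the 2h expectation fails and the 4h one passes, which is exactly the symptom in the issue: the leaf was issued with the CA's validity. The same `CheckValidity` call can be pointed at a live server by fetching `tls.ConnectionState().PeerCertificates[0]` instead of `ReportedCert()`.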