cert-validity is ignored #2540

Closed
anyasabo opened this issue Feb 10, 2020 · 0 comments · Fixed by #2541
Labels
>bug Something isn't working

Comments

@anyasabo
Contributor

From a discuss topic: https://discuss.elastic.co/t/cert-validity-isnt-working/218631

It looks like we do not actually use the cert-validity parameters. This func seems to be responsible for generating the certificates, but we only pass it the CA validity params.

Attached logs below (with some new debug logs added to make sure the params are parsed correctly). You can see the actual certificate is valid for 4h instead of 2h.

12:32 $ make go-run
# Run the operator locally with role All, with debug logs, operator image set to latest and operator namespace for a global operator
AUTO_PORT_FORWARD=true \
		go run \
			-ldflags "-X github.com/elastic/cloud-on-k8s/pkg/about.version=1.0.0 -X github.com/elastic/cloud-on-k8s/pkg/about.buildHash=688635ea -X github.com/elastic/cloud-on-k8s/pkg/about.buildDate=2020-02-10T18:33:06Z -X github.com/elastic/cloud-on-k8s/pkg/about.buildSnapshot=true" \
			-tags "" \
			./cmd/main.go manager \
				--development --operator-roles=global,namespace \
				--log-verbosity=1 \
				--ca-cert-validity=4h --ca-cert-rotate-before=1h \
				--cert-validity=2h --cert-rotate-before=1h \
				--operator-namespace=default \
				--namespaces= \
				--manage-webhook-certs=false
...
2020-02-10T12:33:14.728-0600	DEBUG	manager	Using certificate authority rotation parameters	{"service.version": "1.0.0-688635ea", "ca-cert-validity": "4h0m0s", "ca-cert-rotate-before": "1h0m0s"}
2020-02-10T12:33:14.728-0600	DEBUG	manager	Using certificate rotation parameters	{"service.version": "1.0.0-688635ea", "cert-validity": "2h0m0s", "cert-rotate-before": "1h0m0s"}
[root@quickstart-es-default-0 elasticsearch]# curl --insecure -v https://localhost:9200 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=quickstart-es-http.default.es.local,OU=quickstart
* 	start date: Feb 10 18:36:43 2020 GMT
* 	expire date: Feb 10 22:46:43 2020 GMT
* 	common name: quickstart-es-http.default.es.local
* 	issuer: CN=quickstart-http,OU=quickstart
* Connection #0 to host localhost left intact

Verified in OpenSSL too just to make sure I wasn't being goofy:

13:11 $ kubectl get secrets quickstart-es-http-certs-public  -o json | jq -r '.["data"]["tls.crt"]'| base64 --decode | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            aa:21:39:74:df:dd:de:a2:45:ba:59:66:e8:8d:cc:5d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=quickstart, CN=quickstart-http
        Validity
            Not Before: Feb 10 18:36:43 2020 GMT
            Not After : Feb 10 22:46:43 2020 GMT
        Subject: OU=quickstart, CN=quickstart-es-http.default.es.local
@anyasabo anyasabo added the >bug Something isn't working label Feb 10, 2020
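A programmatic version of the check done above by hand from the curl and openssl output, added here as an example (this is not ECK's own code, and the function names are assumed): it issues a certificate with a given lifetime, then parses the PEM and verifies that NotAfter minus NotBefore matches the configured cert-validity, so a caller that wires in the CA validity by mistake is caught.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a self-signed certificate whose lifetime is exactly validity.
// Constructed stand-in for the issuing function; the bug is a caller passing CA validity here.
func issueCert(notBefore time.Time, validity time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "quickstart-es-http.default.es.local"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkValidity parses a PEM certificate (e.g. tls.crt decoded from the *-certs-public secret)
// and errors unless its lifetime matches cert-validity, allowing tolerance for a back-dated NotBefore.
func checkValidity(pemCert []byte, expected, tolerance time.Duration) error {
	block, _ := pem.Decode(pemCert)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	actual := cert.NotAfter.Sub(cert.NotBefore)
	if diff := actual - expected; diff > tolerance || diff < -tolerance {
		return fmt.Errorf("lifetime %s does not match cert-validity %s", actual, expected)
	}
	return nil
}
```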