Project

General

Profile

Actions

Architecture #19492

closed

Architecture #18784: Reuse agent certificates for HTTPS communication

Add policy server certificate information to policies

Added by Alexis Mousset over 3 years ago. Updated over 3 years ago.

Status:
Released
Priority:
N/A
Category:
Web - Config management
Target version:
Effort required:
Name check:
To do
Fix check:
To do
Regression:

Description

We need:

  • The root and parent policy server's certificate in .pem format, in the inputs/certs folder:
    • root.pem
    • policy-server.pem (which can be a symbolic link to root.pem if it's not a different relay)
  • A hash of the policy server public key in rudder.json on all nodes, named POLICY_SERVER_KEY_HASH. This format is the one used in HPKP :
# base64(sha256(x509pubkey.der))
openssl x509 -in my-certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

It should looks like sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=

  • change the format for SUB_NODES_KEYHASH from nodeInfo.sha256KeyHash to that one (ie: we need to add the base64 encoding, and change the sha256: to shat256//)

This hash should also be displayed in the node details.

(note to dev: check that the base64 algo is really the one used by openssl)


Subtasks 4 (0 open4 closed)

Architecture #19525: Read base64 hash in nodeslist.confReleasedBenoît PECCATTEActions
Architecture #19529: Add root.pem and policy-server.pem in node inputs ReleasedVincent MEMBRÉActions
Bug #19557: Compilation error: Path.of does not exist with Java 8ReleasedFrançois ARMANDActions
Bug #19587: Still a Path.of in TestRestFromFileDef.scalaReleasedRaphael GAUTHIERActions

Related issues 2 (2 open0 closed)

Related to Rudder - Architecture #19527: Rename POLICY_SERVER_KEY and POLICY_SERVER_KEY_HASHNewActions
Related to Rudder - Architecture #19524: Homogeneize nodeslist.json with rudder.jsonNewActions
Actions #1

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #2

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #3

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #4

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #5

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #6

Updated by François ARMAND over 3 years ago

  • Description updated (diff)
Actions #7

Updated by François ARMAND over 3 years ago

  • Description updated (diff)
Actions #8

Updated by Alexis Mousset over 3 years ago

  • Description updated (diff)
Actions #9

Updated by François ARMAND over 3 years ago

  • Description updated (diff)
Actions #10

Updated by François ARMAND over 3 years ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #11

Updated by François ARMAND over 3 years ago

Also, change the object name CFengineKey to NodeKeyHashes which is more akin to what we do now.
Change return type to IOResult, as we do in 2021.

Actions #12

Updated by François ARMAND over 3 years ago

Actions #13

Updated by François ARMAND over 3 years ago

I'm creating an other ticket for the addition of the two certificate file during generation

Actions #14

Updated by François ARMAND over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/3713
Actions #15

Updated by François ARMAND over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #16

Updated by Vincent MEMBRÉ over 3 years ago

This bug has been fixed in Rudder 7.0.0~beta1 which was released today.

Actions #17

Updated by Vincent MEMBRÉ over 3 years ago

Actions #18

Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending release to Released
Actions

Also available in: Atom PDF