Architecture #6366
closedUser story #6363: Secure agent/server communication
Help the user setup signed certificates
Description
We should help the user wanting a fully secure server by helping him having properly signed certificates.
This means :
- a script creating one or 2 (in case of distributed setup) CSR with know informations from Rudder, specifically the subjectaltname (IP1: 127.0.0.1, DNS: (short + fqdn) x (inventory + webapp)
- a script to put those certificates at the right place for rudder
- going through everywhere SSL is used in Rudder to ensure that certificates are well checked
Updated by Benoît PECCATTE almost 10 years ago
- Tracker changed from Bug to Architecture
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~rc1 to 3.1.0
Updated by Janos Mattyasovszky over 9 years ago
Hi,
You could place already existing SSL Certificates, so they won't get generated by the RPM:
ruddersrv # rpm -qa --scripts rudder* | grep /opt/rudder/etc/ssl/rudder-webapp.crt if [ ! -f /opt/rudder/etc/ssl/rudder-webapp.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-webapp.key ]; then openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
I agree that the knowledge of which certificates and SANs are used is vital since curl does not use -k, and requires the ssl certs to be trusted by the end systems. However, I am not sure that curl should use https on localhost/127.0.0.1, and it's not that easy to get a cert with these hostname/ip combination.
And since http->https redirection is forced regardless of anything, I could imagine two ways to go:- use curl -s for localhost over https (for example in NCF technique reload or any other curl invocations), or
- use plain http for localhost (do not force redirection)
Currently we solved that by using a self-signed Root-CA based PKI (easyrsa is you friend ;), that is being rolled out to the clients, as we could not get our Certs issued with all the necessary requirements, but I agree, that a CRQ-generator would be of help.
Updated by Benoît PECCATTE over 9 years ago
I don't think we should avoid generating certificates, each one should be unique to your installation, otherwise you thwart the trust on first use security model.
However I do agree that we should not use httpS on localhost.
Updated by Benoît PECCATTE over 9 years ago
And indeed we wrote a patch a few weeks ago to avoid https for ncf technique reload
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0 to 3.1.1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.1 to 3.1.2
Updated by Jonathan CLARKE over 9 years ago
- Target version changed from 3.1.2 to 3.2.0~beta1
Updated by Vincent MEMBRÉ about 9 years ago
- Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Updated by Benoît PECCATTE about 9 years ago
- Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Updated by Benoît PECCATTE almost 9 years ago
- Target version changed from 3.2.0~rc2 to 3.2.0
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.2.0 to 3.2.1
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.2.1 to 3.2.2
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.2 to 3.2.3
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.3 to 3.2.5
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.5 to 3.2.6
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.6 to 3.2.7
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.7 to 3.2.8
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.8 to 3.2.9
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.9 to 3.2.10
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.10 to 3.2.11
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.2.11 to 339
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 339 to 4.0.4
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.0.4 to 4.0.5
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.0.5 to 4.0.6
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.0.6 to 4.0.7
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.0.7 to 357
Updated by Alexis Mousset over 7 years ago
- Target version changed from 357 to 4.1.6
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.1.6 to 4.1.7
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.1.7 to 4.1.8
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.8 to 4.1.9
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.9 to 4.1.10
Updated by Benoît PECCATTE almost 7 years ago
- Target version changed from 4.1.10 to Ideas (not version specific)
Updated by Alexis Mousset over 5 years ago
- Target version changed from Ideas (not version specific) to 6.0.0~beta1
Updated by Alexis Mousset over 5 years ago
- Target version changed from 6.0.0~beta1 to Ideas (not version specific)
The validation is optional in 5.1, we still lack the certificate generation helper.
Updated by Alexis Mousset over 3 years ago
- Status changed from New to Resolved
We are implementing an alternative solution for 7.0.