Project

General

Profile

Actions

Architecture #6366

closed

User story #6363: Secure agent/server communication

Help the user setup signed certificates

Added by Benoît PECCATTE over 9 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
N/A
Assignee:
-
Category:
System integration
Effort required:
Name check:
Fix check:
Regression:

Description

We should help the user wanting a fully secure server by helping him having properly signed certificates.
This means :
- a script creating one or 2 (in case of distributed setup) CSR with know informations from Rudder, specifically the subjectaltname (IP1: 127.0.0.1, DNS: (short + fqdn) x (inventory + webapp)

- a script to put those certificates at the right place for rudder

- going through everywhere SSL is used in Rudder to ensure that certificates are well checked

Actions #1

Updated by Benoît PECCATTE over 9 years ago

  • Tracker changed from Bug to Architecture
Actions #2

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #3

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
Actions #4

Updated by Janos Mattyasovszky over 9 years ago

Hi,

You could place already existing SSL Certificates, so they won't get generated by the RPM:

ruddersrv # rpm -qa --scripts rudder* | grep /opt/rudder/etc/ssl/rudder-webapp.crt
if [ ! -f /opt/rudder/etc/ssl/rudder-webapp.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-webapp.key ]; then
        openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256 >/dev/null 2>&1

I agree that the knowledge of which certificates and SANs are used is vital since curl does not use -k, and requires the ssl certs to be trusted by the end systems. However, I am not sure that curl should use https on localhost/127.0.0.1, and it's not that easy to get a cert with these hostname/ip combination.

And since http->https redirection is forced regardless of anything, I could imagine two ways to go:
  • use curl -s for localhost over https (for example in NCF technique reload or any other curl invocations), or
  • use plain http for localhost (do not force redirection)

Currently we solved that by using a self-signed Root-CA based PKI (easyrsa is you friend ;), that is being rolled out to the clients, as we could not get our Certs issued with all the necessary requirements, but I agree, that a CRQ-generator would be of help.

Actions #5

Updated by Benoît PECCATTE over 9 years ago

I don't think we should avoid generating certificates, each one should be unique to your installation, otherwise you thwart the trust on first use security model.

However I do agree that we should not use httpS on localhost.

Actions #6

Updated by Benoît PECCATTE over 9 years ago

And indeed we wrote a patch a few weeks ago to avoid https for ncf technique reload

Actions #7

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
Actions #8

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.1 to 3.1.2
Actions #9

Updated by Jonathan CLARKE over 9 years ago

  • Target version changed from 3.1.2 to 3.2.0~beta1
Actions #10

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Actions #11

Updated by Benoît PECCATTE almost 9 years ago

  • Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Actions #12

Updated by Benoît PECCATTE almost 9 years ago

  • Target version changed from 3.2.0~rc2 to 3.2.0
Actions #13

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.2.0 to 3.2.1
Actions #14

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.1 to 3.2.2
Actions #15

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.2 to 3.2.3
Actions #16

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.3 to 3.2.5
Actions #17

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.5 to 3.2.6
Actions #18

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.2.6 to 3.2.7
Actions #19

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.2.7 to 3.2.8
Actions #20

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.2.8 to 3.2.9
Actions #21

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.2.9 to 3.2.10
Actions #22

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.2.10 to 3.2.11
Actions #23

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.2.11 to 339
Actions #24

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 339 to 4.0.4
Actions #25

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.0.4 to 4.0.5
Actions #26

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.0.5 to 4.0.6
Actions #27

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.0.6 to 4.0.7
Actions #28

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.0.7 to 357
Actions #29

Updated by Alexis Mousset over 7 years ago

  • Target version changed from 357 to 4.1.6
Actions #30

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.1.6 to 4.1.7
Actions #31

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.1.7 to 4.1.8
Actions #32

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.1.8 to 4.1.9
Actions #33

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.1.9 to 4.1.10
Actions #34

Updated by Benoît PECCATTE almost 7 years ago

  • Target version changed from 4.1.10 to Ideas (not version specific)
Actions #35

Updated by Alexis Mousset over 5 years ago

  • Target version changed from Ideas (not version specific) to 6.0.0~beta1
Actions #36

Updated by Alexis Mousset about 5 years ago

  • Target version changed from 6.0.0~beta1 to Ideas (not version specific)

The validation is optional in 5.1, we still lack the certificate generation helper.

Actions #37

Updated by Alexis Mousset over 3 years ago

  • Status changed from New to Resolved

We are implementing an alternative solution for 7.0.

Actions

Also available in: Atom PDF