
Installer: self-signs certs cause installation failure #2216

Closed
sehz opened this issue Feb 19, 2022 · 3 comments

Comments

@sehz
Contributor

sehz commented Feb 19, 2022

Steps to reproduce it:

  1. Create Kubernetes cluster with self-signed certs
  2. Installer will set up the cluster but SC and SPU pods are running correctly.

Please see: https://gist.github.com/tarokkk/be24d9c1fde100b21150fa26a6031ce9. Installer terminates with error:

Error:
   0: Fluvio cluster error
   1: Failed to install Fluvio on Kubernetes
   2: Kubernetes client error
   3: error trying to connect: tls handshake: HandshakeError: the handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916:: unable to get issuer certificate
   4: error trying to connect: tls handshake: HandshakeError: the handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916:: unable to get issuer certificate
   5: tls handshake: HandshakeError: the handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916:: unable to get issuer certificate
   6: tls handshake: HandshakeError: the handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916:: unable to get issuer certificate

This is probably because K8 library doesn't add ca.crt in kubernetes.io/service-account-token.

kubectl get secret -n fluvio fluvio-token-5x5hb -o=jsonpath='{.data.ca.crt}' | base64 -D | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [xxx]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cluster-7133-ca
        Validity
            Not Before: Feb 14 09:37:46 2022 GMT
            Not After : Feb 13 10:38:16 2027 GMT
        Subject: CN=kubernetes-ca
@tarokkk

tarokkk commented Feb 19, 2022

Just to make clear, these are 2 different errors:

  1. During the installation the Rust Kubernetes client does not use / is not satisfied with the ca.crt in the KubeConfig; it tries to search for the Issuer of that certificate. (curl --cacert ca.crt https://x.x.x.x:6443/ works as expected)
  2. The fluvio service in-cluster config fails to authenticate, probably mishandling kubernetes.io/service-account-token (described in the issue)

@wendyOn

wendyOn commented Feb 19, 2022

So OpenSSL - which is used via k8-client - has this X509_V_FLAG_PARTIAL_CHAIN thing - changed in OpenSSL 1.1.0
openssl/openssl#7871

a lot of - including node - people have hit this with intermediary self-signed certs
nodejs/node#36453 (comment)

curl has it enabled by default
curl/curl#4655

This is why in curl it works.
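The partial-chain behaviour discussed in this thread, shown with the openssl CLI. This is an added example and not code from the Fluvio issue, k8-client or fluvio-future: it builds a constructed, throwaway root -> intermediate -> leaf chain, reproduces the "unable to get issuer certificate" rejection when only the intermediate is in the trust store, and then verifies the same leaf with `-partial_chain`, which is the CLI face of OpenSSL's `X509_V_FLAG_PARTIAL_CHAIN`. It assumes an openssl CLI of 1.1.1 or newer on PATH; all names (`example-root-ca`, `kube-apiserver.example`, the file names) are constructed.

```shell
#!/bin/sh
# Added example (not from the Fluvio project). Constructs a root CA, an
# intermediate CA signed by the root, and a leaf signed by the intermediate,
# then compares full-chain verification with partial-chain verification.
# Assumes the openssl CLI (1.1.1+) is on PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension file so the root and intermediate are real CA certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

make_chain() {
  # Root CA (self-signed). All subjects are constructed placeholders.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-root-ca" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-intermediate-ca" \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.crt >/dev/null 2>&1
  # Server leaf certificate, signed by the intermediate only (the situation
  # a kubeconfig carrying an intermediate as ca.crt puts the client in).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver.example" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.crt >/dev/null 2>&1
}

# verify_leaf ANCHOR [extra openssl-verify flags...]
# Prints "ok" when leaf.crt verifies against the trust anchor ANCHOR under
# the given flags, "fail" otherwise.
verify_leaf() {
  anchor="$1"; shift
  if openssl verify "$@" -CAfile "$anchor" leaf.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# reports_missing_issuer ANCHOR
# Succeeds when default (full-chain) verification against ANCHOR fails with
# the same reason the Fluvio installer printed: the anchor's own issuer is
# not in the store, so OpenSSL cannot walk up to a self-signed root.
reports_missing_issuer() {
  openssl verify -CAfile "$1" leaf.crt 2>&1 | grep -q 'unable to get issuer certificate'
}

make_chain

echo "root anchor, intermediate as untrusted chain cert: $(verify_leaf root.crt -untrusted int.crt)"
echo "intermediate anchor, default verification:         $(verify_leaf int.crt)"
echo "intermediate anchor, -partial_chain:               $(verify_leaf int.crt -partial_chain)"
```

Running it prints `ok`, `fail`, `ok` in that order: with the full chain available the leaf verifies, with only the intermediate trusted the default verifier stops at depth 1 with "unable to get issuer certificate", and with partial-chain verification the intermediate is accepted as the trust anchor. For a client built on the Rust openssl crate, the equivalent of `-partial_chain` is setting `X509VerifyFlags::PARTIAL_CHAIN` on the context's verify parameters; the defender-side trade-off is that trusting an intermediate directly means revocation or rotation of that intermediate by the root is no longer enforced by chain building, so the file holding it needs the same protection as a root store.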

@wendyOn

wendyOn commented Mar 7, 2022

Hi, I've repro'd and proposed a feature and added tests to it here at client level:

@tarokkk would it be possible to quickly see what kind of configuration so I can repro as-is using similar environment?

I think I've created a pretty accurate repro, but in case you have that handy somewhere to emulate, so I don't miss any little thing.

Additional integration test could be always useful.

Thanks

bors bot pushed a commit that referenced this issue Mar 8, 2022
Fixes #2216 by adopting downstream changes from fluvio-future & k8-client

Intermediate CAs are used to compartmentalize issuance and management in certain configurations to improve security.

However, managing the full client CA chain in this case would become logistically cumbersome, and the industry has generally moved to accept using the intermediate CAs as the partial "trust anchor" on the client end, e.g. curl or kubectl.

### Dependent on

fluvio-future bump to 0.3.14 under:
- infinyon/future-aio#134

k8-client bump to 0.5.1 (depends on fluvio-future 0.13.14 as well)
- infinyon/k8-api#151
@bors bors bot closed this as completed in a8bb0ec Mar 8, 2022