try to allow certificate-chains #8859
Conversation
icinga-probot
bot
added
area/cli
|
I've added a bit of explanation here: #7719 (comment) |
|
Thank you for your pull request. Before we can look at it, you'll need to sign a Contributor License Agreement (CLA). Please follow instructions at https://icinga.com/company/contributor-agreement to sign the CLA. After that, please reply here with a comment and we'll verify. Contributors that have not signed yet: @sircubbi
|
Done |
|
@cla-bot check |
|
I stumbled over this issue trying to set up a setup using the puppet CA. I see a function from the puppet module, which is currently not usable with an up to date puppet setup and this feature would solve it. Is there a reason to not accept the patch? |
I guess the developers are concentrating on the build-in CA of Icinga. But yes, that doesn't work with the way Puppet setups Icinga. My patch isn't really invasive I think, so unfortunately I don't know what the holdback is. As long as you are using an RHEL-based system you can grab patched packages from our Copr-repository at https://copr.fedorainfracloud.org/coprs/relaix/utils/ |
|
I had a quick look at the code. Do I understand correctly that this basically pushes some intermediate certificates into the trust store so that they are known when a leaf certificate is sent without a complete chain (similar to how browsers cache intermediate certificates and then accept certificates even if the chain is incomplete)? By the way, have you tried if #9026 solves your issue? I didn't have time to properly test either PR so far unfortunately. |
Kind of. The problem with the current icinga-implementation is, that the CA as well as the certificate sent by the client is always only a single PEM. That doesn't work if an intermediate is used, since the server will only read the topmost certificate from its ca-file (so it doesn't matter if you put the root or the intermediate there) and the client will also only send its topmost certificate from its cert-file. OpenSSL needs to verify a whole chain from top to bottom, so with an intermediate you have at least three different certs to check, and the current implementation has no way to supply more than two certs. What my patch does is not reading the top cert from the ca-file, but all certs that you put in there, and therefore supplying the OpenSSL-verify-function with the whole chain.
And no, #9026 does not solve the issue, since it only controls if the icinga-master will try to reissue a certificate with its own CA. The purpose if this PR is explicitly to allow the usage of an external CA with intermediates (so either the Puppet CA or actually any other reallife CA you will encounter nowadays, eg. LetsEncrypt). |
|
@bobapple can you support here and try to figure out if this PR will be merged or closed? |
|
Is there any reason why this PR was removed from the next milestone? What can I do to get it picked up faster? Essentially there is currently no proper way to setup icinga2 with an existing puppet-ca, although the solution is kind of simple and also doesn't break anything or introduce any security risks |
Not much changed for this PR, it's still "if it's ready before the next release, it can be in the next release". I'm just trying to get the milestone into a state were it contains things we definitely want in a release. More can still be added.
Preferably, the certificate code should move towards how everything else handles certificates. So for intermediate certificates, this would mean that the trust store should only contain the root certificate and the intermediate certificates are sent with the leaf certificates. I'd prefer a PR that makes things work if the intermediate is put there. |
I can check how much efford it would be for the agents to sent a whole chain instead of the leaf-cert only. However, I kind of disagree that the master should only have (one) root certificate in its store. I still think the master should always have a certificate bundle, to allow for different root-certificates. Consider a split setup, where some of the agents would use the Puppet CA and some of the agents use the icinga-builtin CA. You could even extend that to some agents using Lets-Encrypt for example. I see no reason why it should be restricted to only one CA, especially since all of the bundle-handling is already fully implemented within OpenSSL. |
There was a problem hiding this comment.
@julianbrost already said everything pretty clearly.
Apropos, I'm wondering whether you could "just" put the intermediates in the same file as the leaf cert. Not Icinga. You. Or your automation tool. After all the CA, and the leaves of course, are external.
Also, multiple roots or not, if you can easily separate that construction area from this one, please do that.
Hmmm, but as said, that would fix only part of the issue. Why not doing the proper thing in the first place?
No, you cannot do that, as the current Icinga-code just throws away everything from the store and only extracts one single X509-cert. And btw: the whole mess results from the official way provided by Icinga on how to roll everything out with Puppet. Using the puppet-ca was officially implemented in the puppet-modules provided by the Icinga-devs themselves. So I really think it is best to fix SSL to work like in any other software, which would mean to properly accept multiple Roots and Intermediates. It is just not common today anymore to use on single root, even if that is the way the internal Icinga-CA works at the moment. |
Indeed. Notes for the future myself |
|
But if it doesn’t work right now, we should enable that in the future. |
Similar to Icinga#8859 this patch works around Icinga#7719 by allowing the intermediate certificate presented by the icinga2-agent. To make this work the icinga2-master only holds to root-ca in its local ca.crt, while the icinga2-agent has the intermediate-cert in its local ca.crt (or the intermediate together with the root in the ca.crt / or the intermediate in the cert.pem - doesn't matter).
|
OK, so I kind of reworked the whole thing now. I made a separate PR (#9795) which uses the full chain that will be presented by the client/icinga-agent. In that PR the icinga-master only holds to topmost root-cert of the ca, while the icinga-agent has the intermediate-certs (either in the local ca.crt, or added to the clients-certfile). I then combined the above changes into this PR, since I still believe that is useful to allow mixed setups of different certificate-origins and therefore have a cabundle-file on the icinga-master. (Just in case the original changes previously in this PR are preserved at https://github.com/sircubbi/icinga2/tree/certchain_server). |
|
I'm not sure what exactly the role of this PR is given that you just opened #9795. Looks like both contain some of the same changes, but it's not like one is based on top of the other (which means if both were to be merged, I think there would be conflicts). Is it that this PR includes #9795 but on top, it allows more than one trusted root certificate? |
|
In this case please indicate this via separate commits. If the other PR is a true subset of this one commit and both share the same parent commit, separate commits should be easy via:
|
OK, sure. I will rework (#9795) first with the recommended parameter defaults, and then split this PR into two commits. |
Similar to Icinga#8859 this patch works around Icinga#7719 by allowing the intermediate certificate presented by the icinga2-agent. To make this work the icinga2-master only holds to root-ca in its local ca.crt, while the icinga2-agent has the intermediate-cert in its local ca.crt (or the intermediate together with the root in the ca.crt / or the intermediate in the cert.pem - doesn't matter).
Currently the verification of certificates uses only the first pem in the ca-file and the first pem in the certificate-file. This breaks if an intermediate certificate is needed. A simple workaround is to put the full chain into the ca-file and give the ca-file instead of the X509-structure to the VerifyCertificate() methode. There we can just do the usual business but add the full ca-file again to OpenSSLs SSL_CTX_load_verify_locations(). While this seems a little bit hackish it should at least allow the proper verification of a certificate chain without introducing any security implications for setups with just a single root-ca. The only downside currently: while the CLI "pki verify" will correctly check the supplied parameters, it still only shows the topmost certificate from the ca-file (which I guess is fine for the moment).
As requested this PR now consists of two commits. The first commit is just the change from (#9795), while the second commit also allows a whole ca-bundle on the master-side. |
Similar to Icinga#8859 this patch works around Icinga#7719 by allowing the intermediate certificate presented by the icinga2-agent. To make this work the icinga2-master only holds to root-ca in its local ca.crt, while the icinga2-agent has the intermediate-cert in its local ca.crt (or the intermediate together with the root in the ca.crt / or the intermediate in the cert.pem - doesn't matter).
Similar to Icinga#8859 this patch works around Icinga#7719 by allowing the intermediate certificate presented by the icinga2-agent. To make this work the icinga2-master only holds to root-ca in its local ca.crt, while the icinga2-agent has the intermediate-cert in its local ca.crt (or the intermediate together with the root in the ca.crt / or the intermediate in the cert.pem - doesn't matter).
Currently the verification of certificates uses only the first pem in
the ca-file and the first pem in the certificate-file. This breaks if an
intermediate certificate is needed.
A simple workaround is to put the full chain into the ca-file and give
the ca-file instead of the X509-structure to the VerifyCertificate()
methode. There we can just do the usual business but add the full
ca-file again to OpenSSLs SSL_CTX_load_verify_locations().
While this seems a little bit hackish it should at least allow the
proper verification of a certificate chain without introducing any
security implications for setups with just a single root-ca.
The only downside currently: while the CLI "pki verify" will correctly
check the supplied parameters, it still only shows the topmost
certificate from the ca-file (which I guess is fine for the moment).
see also issue #7719. With this patch you can put the full chain into the local ca.crt-file (order does not matter). This would fix setups where the puppet PKI is used with a recent puppetmaster (PE2019.x/Puppet 6 which uses an intermediate CA).