
Secured Peer Communication not working for domain name only certificate #8600

Closed
DaspawnW opened this issue Sep 24, 2017 · 4 comments
@DaspawnW

Hi all,

I am having problems provisioning an etcd cluster:
ETCD Version: 3.2.7
Configuration:

```
ETCD_INITIAL_CLUSTER="etcd-server-0=https://etcd-server-0.example.de:2380,etcd-server-1=https://etcd-server-1.example.de:2380"
ETCD_NAME="etcd-server-0"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"

ETCD_ADVERTISE_CLIENT_URLS="https://etcd-server-0.example.de:2379"
ETCD_ADVERTISE_PEER_URLS="https://etcd-server-0.example.de:2380"

ETCD_LISTEN_CLIENT_URLS="https://10.135.72.158:2379,http://127.0.0.1:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CERT_FILE="/etc/etcd/server.pem"
ETCD_KEY_FILE="/etc/etcd/server-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"

ETCD_LISTEN_PEER_URLS="https://10.135.72.158:2380"
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_CERT_FILE="/etc/etcd/peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/peer-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
```

The peer certificate is generated via cfssl with the following configuration:

```
{
    "CN": "etcd peer",
    "hosts": [
        "*.example.de"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "DE",
            "L": "NW",
            "ST": "Wesel"
        }
    ]
}
```

Starting the etcd cluster leads to the following exception:

```
ep 24 09:49:54 etcd-server-0 etcd[10669]: rejected connection from "10.135.72.159:49676" (tls: "10.135.72.159" does not match any of DNSNames ["*.example.de"] (lookup 159.72.135.10.in-addr.arpa. on 67.207.67.2:53: no such host))
```

If I add the IP address to the certificate it seems to work. But I'm trying to do it so dynamically that only *.example.de is in the IP area. Do you have any idea how to solve it?

Best regards,
Björn

gyuho (Contributor) commented Sep 24, 2017

Can you share the output of command `dig -x 10.135.72.159`?

gyuho (Contributor) commented Sep 24, 2017

`159.72.135.10.in-addr.arpa` does not match `*.example.de`, so etcd is working as expected with DNS misconfiguration.

@DaspawnW (Author)

Hrm, this is interesting, DNS is configured by DigitalOcean...

Here is the output of `dig -x 10.135.72.159`:

```
$ dig -x 10.135.72.159

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 10.135.72.159
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32593
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;159.72.135.10.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        670     IN      SOA     localhost. root. 1 604800 86400 2419200 604800

;; Query time: 0 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Sun Sep 24 18:18:36 UTC 2017
;; MSG SIZE  rcvd: 104
```

gyuho (Contributor) commented Sep 24, 2017

> ;159.72.135.10.in-addr.arpa. IN PTR

Yeah, this is a DNS misconfiguration, not an etcd bug.
Please reopen if it still doesn't work after fixing the DNS.
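The check behind the rejected connection, as an added illustration that is not etcd's own code: a simplified re-implementation of the peer-certificate hostname check applied when a client certificate carries only DNS SANs, with the reverse lookup stubbed through a `Resolver` type so it runs offline. The `Resolver` type and the `nxdomain` and `withPTR` functions are constructed for this example; the suffix-based wildcard match and the error text follow the log line in the issue.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Resolver stands in for the reverse (PTR) lookup so the check runs offline.
type Resolver func(ip string) ([]string, error)
// peerMatchesDNSNames: the peer's source IP is reverse-resolved and each name
// returned is compared with the certificate's DNS SANs; "*.example.de" matches
// any name ending in ".example.de", so an IP with no PTR record never matches.
func peerMatchesDNSNames(remoteAddr string, dnsNames []string, lookup Resolver) error {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return err
	}
	var wildcards, exact []string
	for _, d := range dnsNames {
		if strings.HasPrefix(d, "*.") {
			wildcards = append(wildcards, d[1:]) // keep the leading "."
		} else {
			exact = append(exact, d)
		}
	}
	names, lerr := lookup(host)
	for _, n := range names {
		n = strings.TrimSuffix(n, ".") // PTR answers carry a trailing dot
		for _, wc := range wildcards {
			if strings.HasSuffix(n, wc) {
				return nil
			}
		}
		for _, e := range exact {
			if n == e {
				return nil
			}
		}
	}
	suffix := ""
	if lerr != nil {
		suffix = " (" + lerr.Error() + ")" // surfaces the NXDOMAIN seen in the issue
	}
	return fmt.Errorf("tls: %q does not match any of DNSNames %q%s", host, dnsNames, suffix)
}

// Constructed resolvers: the NXDOMAIN answer from the issue, and a zone with a PTR record.
func nxdomain(ip string) ([]string, error) { return nil, fmt.Errorf("lookup %s: no such host", ip) }
func withPTR(ip string) ([]string, error)  { return []string{"etcd-server-1.example.de."}, nil }
```

With the NXDOMAIN resolver the wildcard-only certificate is rejected exactly as in the log; once a PTR record inside example.de exists for the peer IP, the same certificate passes without adding IP SANs.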
