Certificate not reloaded on SIGHUP for dev agents #4408

Closed
schmichael opened this issue Jun 12, 2018 · 2 comments
schmichael commented Jun 12, 2018

Nomad version

Nomad v0.9.0-dev

350c836

for dev agents only

Regular clients and servers handle SIGHUP correctly.

Issue

Reproduction steps

Run nomad agent -dev -config tlsagent.hcl in the root of the nomad repo with the following tlsagent.hcl file:

tls {
  http = true
  rpc  = true

  ca_file   = "demo/tls/ca.pem"
  cert_file = "demo/tls/dev.pem"
  key_file  = "demo/tls/dev-key.pem"
}

Verify the certificates reported by the agent are the same as those on disk:

$ openssl x509 -in demo/tls/dev.pem -noout -text | grep 'Nomad Demo'
        Issuer: C=US, ST=CA, L=San Francisco, OU=Nomad Demo, CN=example.nomad
        Subject: C=US, ST=CA, L=San Francisco, OU=Nomad Demo

$ openssl s_client -connect localhost:4646 | grep 'Nomad Demo'
...
 0 s:/C=US/ST=CA/L=San Francisco/OU=Nomad Demo
   i:/C=US/ST=CA/L=San Francisco/OU=Nomad Demo/CN=example.nomad
...

Then copy new certificates over the configured one:

cp helper/tlsutil/testdata/ca.pem demo/tls/ca.pem
cp helper/tlsutil/testdata/nomad-foo.pem demo/tls/dev.pem
cp helper/tlsutil/testdata/nomad-foo-key.pem demo/tls/dev-key.pem

$ openssl x509 -in demo/tls/dev.pem -noout -text | grep CN=
        Issuer: C=US, ST=California, L=San Francisco, O=HashiCorp, OU=Nomad, CN=nomad.hashicorp
        Subject: C=US, ST=California, L=San Francisco, O=HashiCorp, OU=Nomad, CN=regionFoo.nomad

Send SIGHUP to the nomad PID and see that the original certificate is still in place:

$ openssl s_client -connect localhost:4646 | grep CN=
...
   i:/C=US/ST=CA/L=San Francisco/OU=Nomad Demo/CN=example.nomad
issuer=/C=US/ST=CA/L=San Francisco/OU=Nomad Demo/CN=example.nomad

Expected CN=regionFoo.hashicorp but found the old example.nomad

Nomad Client logs (if appropriate)

Sending SIGHUP logs the following:

==> Caught signal: hangup
==> Reloading configuration...
    2018/06/12 18:45:26.264697 [DEBUG] agent: starting reload of server config
@schmichael schmichael changed the title Certificate not reloaded on SIGHUP Certificate not reloaded on SIGHUP for dev agents Jun 12, 2018
@chelseakomlo chelseakomlo self-assigned this Jun 12, 2018
@chelseakomlo

Fixed in #4476

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2022