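#!/usr/bin/env bash
# Reproduction, step 1: build a private CA plus one server and one client
# certificate under /mnt/certs for the MaxScale REST API (admin_ssl_*).
# Runs as root: the directory is chowned to the maxscale service user.
set -euo pipefail

readonly cert_dir=/mnt/certs
mkdir -p "$cert_dir"
cd "$cert_dir"

# CA private key.  Anything signed with it is trusted by every maxctrl run
# that points --tls-ca-cert at ca-cert.pem, so it must stay unreadable to
# other users (permissions are tightened after the chown below).
openssl genrsa -out ca-key.pem 2048

# Self-signed CA certificate.  -days 365000 (~1000 years) is what the
# original repro used; use a short lifetime for anything beyond a test box.
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName"

# Server key + CSR.  -nodes leaves the key unencrypted so the service can
# load it without a passphrase.  No subjectAltName is requested here, so a
# client cannot verify the server identity against this cert; that is why
# maxctrl is later run with --tls-verify-server-cert=false.
openssl req -newkey rsa:2048 -nodes -days 365000 \
  -keyout server-key.pem -out server-req.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456"

# Sign the server CSR with the CA (serial 01).
openssl x509 -req -days 365000 -set_serial 01 \
  -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem

# Client key + CSR.
openssl req -newkey rsa:2048 -nodes -days 365000 \
  -keyout client-key.pem -out client-req.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456"

# Sign the client CSR.  Serial 02: the original reused 01 for both leaves,
# but serial numbers must be unique per issuer (RFC 5280); a duplicate makes
# revocation lists and some verifier caches ambiguous.
openssl x509 -req -days 365000 -set_serial 02 \
  -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem

# Hand the material to the service user; private keys are owner-only.
chown -R maxscale:maxscale "$cert_dir"
chmod 0600 "$cert_dir"/*-key.pem

# Sanity check: both leaf certificates chain to the CA.
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem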
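# Starting state: the REST API is plain HTTP, all admin_ssl_* values empty.
# The pattern is quoted: unquoted `admin_ssl*` was a shell glob against the
# current directory, and as a regex it matched the prefix `admin_ss`; the
# literal prefix is what is wanted.
maxctrl show maxscale | grep -i 'admin_ssl'

# Dedicated admin account for the repro.
# NOTE: the password is passed on the command line throughout this script,
# so it is visible in `ps` output and in shell history on the host;
# acceptable on a throwaway test box only.
maxctrl create user mxadmin mxadminpassword --type=admin
# maxctrl destroy user mxadmin    # cleanup once finished

# Plain-HTTP access with the new account works.
maxctrl --user=mxadmin --password=mxadminpassword list servers

# Point the REST API at the first cert set.  Cert and key are two separate
# runtime changes; the original repro then restarts the service.
maxctrl alter maxscale admin_ssl_cert /mnt/certs/server-cert.pem
maxctrl alter maxscale admin_ssl_key /mnt/certs/server-key.pem
systemctl restart maxscale

# Shared connection options for the TLS-enabled API.  Kept as a plain string
# (not an array) because the later steps expand it unquoted as $secure.
# --tls-verify-server-cert=false is needed only because server-cert.pem has
# no subjectAltName; do not carry that flag into a real deployment.
secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs/ca-cert.pem --tls-verify-server-cert=false"

# shellcheck disable=SC2086  # word-splitting of $secure is intentional
maxctrl $secure list servers
# shellcheck disable=SC2086
maxctrl $secure show maxscale | grep -i 'admin_ssl'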
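# Now that we have the first set of certs, build a second, independent set
# to rotate to.
readonly new_cert_dir=/mnt/certs-new
mkdir -p "$new_cert_dir"
cd "$new_cert_dir"

# Extension profiles.  Written to files rather than inlined in a process
# substitution because the same section has to be given to BOTH
# `openssl req` (-config) and `openssl x509 -req` (-extfile): x509 -req does
# not copy extensions out of the CSR, so the original one-sided -config
# produced certificates WITHOUT the SAN / EKU the CSR had asked for.
cat > server-ext.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
# digitalSignature added: ECDHE / TLS 1.3 handshakes are signed with the
# server key, which keyEncipherment alone does not cover.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
EOF

# The original client profile was a copy of the server one (serverAuth plus
# an IP SAN); a client certificate needs clientAuth.
cat > client-ext.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# New CA key and self-signed CA certificate.
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName"

# Server key + CSR, then the signed certificate (serial 01).
openssl req -newkey rsa:2048 -nodes -days 365000 \
  -keyout server-key.pem -out server-req.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456" \
  -config server-ext.cnf
openssl x509 -req -days 365000 -set_serial 01 \
  -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
  -extfile server-ext.cnf -extensions v3_req

# Client key + CSR, then the signed certificate (serial 02, distinct from
# the server's: serials must be unique per issuer).
openssl req -newkey rsa:2048 -nodes -days 365000 \
  -keyout client-key.pem -out client-req.pem \
  -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456" \
  -config client-ext.cnf
openssl x509 -req -days 365000 -set_serial 02 \
  -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
  -extfile client-ext.cnf -extensions v3_req

# Hand the material to the service user; private keys are owner-only.
chown -R maxscale:maxscale "$new_cert_dir"
chmod 0600 "$new_cert_dir"/*-key.pem

# Both leaves chain to the new CA, and the issued server cert really carries
# the SAN (the grep fails the script under pipefail if it is missing).
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
openssl x509 -in server-cert.pem -noout -text | grep -A1 'Subject Alternative Name'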
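# Rotation.  Starting state: the API serves the /mnt/certs server cert/key.
# shellcheck disable=SC2086
maxctrl $secure show maxscale | grep -i 'admin_ssl'

# First half of the swap: the certificate alone.  From here on the
# configuration names a cert from the NEW set next to the key from the OLD
# set, i.e. a cert/key pair that does not belong together.
# shellcheck disable=SC2086
maxctrl $secure alter maxscale admin_ssl_cert /mnt/certs-new/server-cert.pem

# The persisted runtime config now shows the mixed pair.
cat /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf

##################################################################
# FAILS HERE
# The second half of the swap cannot get through: maxctrl's TLS handshake is
# rejected.  The "bad signature" / RSA_verify_PKCS1_PSS_mgf1 error printed
# below is consistent with a listener signing the handshake with a key that
# does not match the certificate it presents (inferred from the message,
# not confirmed against the server log).  The status is captured so a run
# under `set -e` still reaches the work-around that follows.
# shellcheck disable=SC2086
if ! maxctrl $secure alter maxscale admin_ssl_key /mnt/certs-new/server-key.pem; then
  printf 'admin_ssl_key alter failed as reproduced; see the error output\n' >&2
fi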
Error: write EPROTO 139947547596672:error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid:../deps/openssl/openssl/crypto/rsa/rsa_pss.c:70:
139947547596672:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../deps/openssl/openssl/ssl/statem/statem_lib.c:504:
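# Work-around: edit the persisted runtime config by hand so that both values
# point at the new set, then restart:
#   vi /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
#     "/mnt/certs/server-key.pem" -> "/mnt/certs-new/server-key.pem"
#   systemctl restart maxscale

# Expectation - stop the alter? but then how to update both values
# (i.e. either refuse an admin_ssl_cert change that leaves the pair
# mismatched, or offer a way to change cert and key together).
# shellcheck disable=SC2086
maxctrl $secure reload tls

# Trust the new CA from now on.  Deliberately a plain string: the other
# steps expand it unquoted as $secure.  --tls-verify-server-cert=false could
# be dropped once the served cert carries a subjectAltName matching the
# address maxctrl connects to.
secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert=false"

# shellcheck disable=SC2086
maxctrl $secure list servers
# shellcheck disable=SC2086
maxctrl $secure show maxscale | grep -i 'admin_ssl'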
I think I have a reproduction of this lack of verification of admin_ssl_cert, though let me know if a new ticket is required.
Error:
Reproduction:
# Abridged copy of the reproduction above: the openssl key/CSR generation
# commands and the `secure=` assignment are not repeated here, so `$secure`
# is undefined if this excerpt is run on its own.
mkdir -p /mnt/certs
cd /mnt/certs
# Generate CA Authority key
# Generate X509 cert between Authority & server
chown -R maxscale:maxscale /mnt/certs
# Verify the client certificate
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
# Verify the server certificate
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
maxctrl show maxscale | grep -i admin_ssl*
maxctrl create user mxadmin mxadminpassword --type=admin
# maxctrl destroy user mxadmin
maxctrl --user=mxadmin --password=mxadminpassword list servers
# works
maxctrl alter maxscale admin_ssl_cert /mnt/certs/server-cert.pem
maxctrl alter maxscale admin_ssl_key /mnt/certs/server-key.pem
systemctl restart maxscale
maxctrl $secure list servers
maxctrl $secure show maxscale | grep -i admin_ssl*
# Generate CA Authority key
# Generate X509 cert between Authority & server
# Verify the client certificate
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
# Verify the server certificate
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
maxctrl $secure show maxscale | grep -i admin_ssl*
cat /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
##################################################################
# FAILS HERE
# (the failing `alter maxscale admin_ssl_key` command from the full listing
# is not repeated in this excerpt)
# Expectation - stop the alter? but then how to update both values
maxctrl $secure reload tls
maxctrl $secure list servers
maxctrl $secure show maxscale | grep -i admin_ssl*
Side error that could be clearer:
Error: socket hang up