Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-5046

maxctrl alter admin_ssl_* <same full path as prior cert> not actually updating

    XMLWordPrintable

Details

    • MXS-SPRINT-206, MXS-SPRINT-207

    Description

      When running maxctrl alter with the same full path as the existing value, maxctrl returns OK but doesnt actually refresh the certs like when you pass a different value than whats currently set. This functionality is important to support for kubernetes deployments mount a new set of files with new certs but same full path in maxscale pod.

      Fails

      # FAILS BUT EXPECTED TO WORK
      		 
      # Overwrite the simlinked files - and run maxctrl alter on the same full path name
      		 
      yes | cp /mnt/certs-new/* /mnt/certs/ ;
      		 
       chown -R maxscale:maxscale /mnt/certs*
      		 
      maxctrl  $secure  alter maxscale admin_ssl_cert /mnt/certs-sim/server-cert.pem
      		 
      maxctrl  $secure  alter maxscale admin_ssl_key /mnt/certs-sim/server-key.pem 
      maxctrl  $secure  alter maxscale admin_ssl_ca_cert "/mnt/certs-sim/ca-cert.pem"
      		 
      # NOTICE: when cert 1 expires, maxscale commands fail but new certs should be working and not expired

      Works if new full path used

      # SOLUTION WORKS IF NEW FULL PATHS ARE USED
      		 
      maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem
      		 
      secure2="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert"
      		 
      maxctrl $secure show maxscale  | grep -i admin_ssl*      # NOTICE: This still works until 1st cert pair expires    - NEW PROBLEM ?
      		 
      maxctrl $secure2 show maxscale  | grep -i admin_ssl*     # This continues to work as expected until 2nd cert pair expires
      		 
      maxctrl $secure list servers ;maxctrl $secure2 list servers ;

      Full Reproduction

       
      		 
      yum install faketime -y;
      		 
      mkdir -p /mnt/certs
      		 
      cd  /mnt/certs
      		 
      # short expiration
      		 
      time1=$(date -d "+2 minute" -u +"%H:%M:%S")
      		 
      openssl genrsa 2048 > ca-key.pem
      		 
      faketime "yesterday $time1" openssl req -new -key ca-key.pem -out ca-csr.pem -config openssl.cnf -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA" 
      faketime "yesterday $time1" openssl req -new -x509 -nodes -days 1 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA" 
      openssl x509 -noout -startdate -enddate -in ca-cert.pem
      		 
      faketime "yesterday $time1" /bin/bash -c 'openssl req -newkey rsa:2048 -nodes -days 1 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server"'
      		 
      faketime "yesterday $time1" /bin/bash -c 'openssl x509 -req -days 1 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile <(printf "subjectAltName=IP:127.0.0.1")'
      		 
      echo "server-cert"; openssl x509 -text -noout -in server-cert.pem | fgrep -A2 Validity; 
      openssl x509 -in server-cert.pem -text -noout
      		 
      chown -R maxscale:maxscale /mnt/certs
      		 
      openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
      		 
      openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
      		 
      maxctrl create user mxadmin mxadminpassword --type=admin
      		 
      maxctrl --user=mxadmin --password=mxadminpassword list servers
      		 
      maxctrl show maxscale  | grep -i admin_ssl*
      		 
      mkdir /mnt/certs-sim/
      		 
      ln -s /mnt/certs/server-cert.pem /mnt/certs-sim/server-cert.pem
      		 
      ln -s /mnt/certs/server-key.pem /mnt/certs-sim/server-key.pem 
      ln -s /mnt/certs/ca-cert.pem /mnt/certs-sim/ca-cert.pem
      		 
      chown -R maxscale:maxscale /mnt/certs-sim/
      		 
      # Set admin_ssl_key & admin_ssl_cert
      		 
      maxctrl alter maxscale admin_ssl_key=/mnt/certs-sim/server-key.pem admin_ssl_cert=/mnt/certs-sim/server-cert.pem
      		 
      maxctrl --user=mxadmin --password=mxadminpassword list servers
      		 
      echo "admin_ssl_ca=/mnt/certs-sim/ca-cert.pem" >> /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
      		 
      # restart container
      		 
      docker restart mx1
      		 
      # tail -f /var/log/maxscale/maxscale.log
      		 
      secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-sim/ca-cert.pem --tls-verify-server-cert"
      		 
      maxctrl $secure list servers
      		 
      time2=$(date -d "+4 minute" -u +"%H:%M:%S");
      		 
      mkdir -p /mnt/certs-new
      		 
      cd  /mnt/certs-new
      		 
      cp /mnt/certs/ca-key.pem /mnt/certs-new/ca-key.pem;
      		 
      faketime "yesterday $time2" openssl req -new -key ca-key.pem -out ca-csr.pem -config openssl.cnf -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA" 
      faketime "yesterday $time2" openssl req -new -x509 -nodes -days 1 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA" 
      openssl x509 -noout -startdate -enddate -in ca-cert.pem
      		 
      faketime "yesterday $time2" /bin/bash -c 'openssl req -newkey rsa:2048 -nodes -days 1 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server"'
      		 
      faketime "yesterday $time2" /bin/bash -c 'openssl x509 -req -days 1 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile <(printf "subjectAltName=IP:127.0.0.1")'
      		 
      openssl x509 -in server-cert.pem -text -noout
      		 
      chown -R maxscale:maxscale /mnt/certs-new
      		 
      openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
      		 
      openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
      		 
      maxctrl $secure show maxscale  | grep -i admin_ssl*
      		 
      maxctrl $secure list servers 
      maxctrl $secure list servers ; echo "";echo "Old -/mnt/certs:";openssl x509 -text -noout -in /mnt/certs/ca-cert.pem | fgrep -A2 Validity;echo "New -/mnt/certs-new/:";openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | fgrep -A2 Validity ; echo "Current -/mnt/certs-sim/:"; openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | fgrep -A2 Validity;echo "";printf "NOW:                $(date)\n"; echo "";echo "server-cert"; openssl x509 -text -noout -in /mnt/certs/server-cert.pem | fgrep -A2 Validity; 
      # FAILS BUT EXPECTED TO WORK
      		 
      # Make similar to Nokia - overwrite the simlinked files - and run maxctrl alter on the same full path name
      		 
      cp -r /mnt/certs/ /mnt/certs-old/ ;
      		 
      yes | cp /mnt/certs-new/* /mnt/certs/ ;
      		 
       chown -R maxscale:maxscale /mnt/certs*
      		 
      maxctrl  $secure  alter maxscale admin_ssl_cert /mnt/certs-sim/server-cert.pem
      		 
      maxctrl  $secure  alter maxscale admin_ssl_key /mnt/certs-sim/server-key.pem 
      maxctrl  $secure  alter maxscale admin_ssl_ca_cert "/mnt/certs-sim/ca-cert.pem"
      		 
      maxctrl $secure list servers ; echo "";echo "Old -/mnt/certs-old:";openssl x509 -text -noout -in /mnt/certs-old/ca-cert.pem | fgrep -A2 Validity;echo "New -/mnt/certs-new/:";openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | fgrep -A2 Validity ; echo "Current -/mnt/certs-sim/:"; openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | fgrep -A2 Validity;echo "";printf "NOW:                $(date)\n"; echo "";echo "server-cert"; openssl x509 -text -noout -in /mnt/certs/server-cert.pem | fgrep -A2 Validity; 
      # NOTICE: when cert 1 expires (/mnt/certs-old/), maxscale commands fail but new certs should be working and not expired because of simlinked files are not expired
      		 
      # SOLUTION WORKS IF NEW FULL PATHS ARE USED
      		 
      maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem
      		 
      secure2="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert"
      		 
      maxctrl $secure show maxscale  | grep -i admin_ssl*      # NOTICE: This still works until 1st cert pair expires    - NEW PROBLEM ?
      		 
      maxctrl $secure2 show maxscale  | grep -i admin_ssl*     # This continues to work as expected until 2nd cert pair expires
      		 
      maxctrl $secure list servers ;maxctrl $secure2 list servers ; echo "";echo "Old -/mnt/certs:";openssl x509 -text -noout -in /mnt/certs/ca-cert.pem | fgrep -A2 Validity;echo "New -/mnt/certs-new/:";openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | fgrep -A2 Validity ; echo "Current -/mnt/certs-sim/:"; openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | fgrep -A2 Validity;echo "";printf "NOW:                $(date)\n"; echo "";echo "server-cert"; openssl x509 -text -noout -in /mnt/certs/server-cert.pem | fgrep -A2 Validity; 
      # reset test
      		 
      vi /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
      		 
      rm -rf /mnt/certs*

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MXS-4968 REST-API TLS certificates can be reloaded but the path to them cannot be altered

          • Major - Major loss of function.
          • Closed
          mentioned in

          Page Loading...

          Activity

            People

              markus makela markus makela
              allen.herrera Allen Herrera
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.