Details
Description
When running maxctrl alter with the same full path as the existing value, maxctrl returns OK but doesn't actually refresh the certs the way it does when you pass a value different from what is currently set. Supporting this is important for Kubernetes deployments, which mount a new set of files with new certs under the same full path in the maxscale pod.
Fails
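# FAILS BUT EXPECTED TO WORK
#
# Overwrite the symlinked files in place and run `maxctrl alter` with the
# SAME full path that is already configured. `$secure` is the maxctrl
# credential/TLS option string defined in the full reproduction below; it is
# expanded unquoted on purpose so it splits into separate arguments
# (shellcheck SC2086 is intentional here).
cp -f -- /mnt/certs-new/* /mnt/certs/
chown -R maxscale:maxscale /mnt/certs*
maxctrl $secure alter maxscale admin_ssl_cert /mnt/certs-sim/server-cert.pem
maxctrl $secure alter maxscale admin_ssl_key /mnt/certs-sim/server-key.pem
maxctrl $secure alter maxscale admin_ssl_ca_cert /mnt/certs-sim/ca-cert.pem
# NOTICE: when cert 1 expires, maxscale commands fail but the new certs
# should be working and not expired — the files behind the symlinks were
# replaced, yet MaxScale still presents the certificate it loaded earlier.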
Works if a new full path is used
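# SOLUTION WORKS IF NEW FULL PATHS ARE USED
#
# Pointing admin_ssl_key/admin_ssl_cert at a path that differs from the
# current value makes MaxScale reload the certificate. `secure2` carries the
# new CA so the client side can verify the re-issued server cert.
# `$secure`/`$secure2` are expanded unquoted on purpose (argument splitting).
maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem
# NOTE: the admin password is passed on argv, so it is visible in `ps` and
# shell history; acceptable for this throw-away test container only.
secure2="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert"
# The grep pattern is quoted: an unquoted `admin_ssl*` is a shell glob first
# and, as a regex, would mean "admin_ss" followed by any number of "l".
maxctrl $secure show maxscale | grep -i 'admin_ssl' # NOTICE: This still works until 1st cert pair expires - NEW PROBLEM ?
# Presumably not a new problem: the second CA cert is self-signed with the
# SAME ca-key.pem as the first, so the old CA cert still validates the new
# server cert's signature until the old CA cert itself expires — confirm.
maxctrl $secure2 show maxscale | grep -i 'admin_ssl' # This continues to work as expected until 2nd cert pair expires
maxctrl $secure list servers
maxctrl $secure2 list servers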
|
Full Reproduction
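yum install faketime -y

# First certificate set: a throw-away CA and a server cert that expire about
# two minutes from now. `faketime "yesterday $time1"` backdates notBefore to
# yesterday at HH:MM:SS and `-days 1` puts notAfter at today HH:MM:SS, i.e.
# real clock + 2 minutes. NOTE(review): time1 is computed in UTC (-u) while
# faketime parses it in local time, so this only lines up when TZ=UTC — confirm.
mkdir -p /mnt/certs
# Stop here rather than scatter key material into whatever the cwd happens to be.
cd /mnt/certs || exit 1

# short expiration
time1=$(date -d "+2 minute" -u +"%H:%M:%S")
openssl genrsa 2048 > ca-key.pem
# NOTE: this CSR (ca-csr.pem) is never used — the CA cert on the next line is
# self-signed with -x509 — and `-config openssl.cnf` needs a file in the cwd
# that this reproduction does not create.
faketime "yesterday $time1" openssl req -new -key ca-key.pem -out ca-csr.pem -config openssl.cnf -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA"
faketime "yesterday $time1" openssl req -new -x509 -nodes -days 1 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA"
openssl x509 -noout -startdate -enddate -in ca-cert.pem

# Server key + CSR, then sign it with the CA. The commands are wrapped in
# `bash -c`, presumably so the whole pipeline including the <(...) process
# substitution runs under faketime.
faketime "yesterday $time1" /bin/bash -c 'openssl req -newkey rsa:2048 -nodes -days 1 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server"'
# `-set_serial 01` is reused for every server cert issued from this CA key
# (the second set below does the same); fine for a scratch test, but real
# CAs must issue unique serials.
faketime "yesterday $time1" /bin/bash -c 'openssl x509 -req -days 1 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile <(printf "subjectAltName=IP:127.0.0.1")'
echo "server-cert"
openssl x509 -text -noout -in server-cert.pem | grep -F -A2 Validity
openssl x509 -in server-cert.pem -text -noout

chown -R maxscale:maxscale /mnt/certs

# NOTE: client-cert.pem is never generated in this reproduction, so the first
# verify reports an error for that file; only the server-cert.pem verify matters.
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem

# Admin user used by every later maxctrl call. The password lands on argv
# (visible in `ps`/history) — acceptable only in this disposable container.
maxctrl create user mxadmin mxadminpassword --type=admin
maxctrl --user=mxadmin --password=mxadminpassword list servers
# Quoted pattern: an unquoted `admin_ssl*` is expanded by the shell as a glob.
maxctrl show maxscale | grep -i 'admin_ssl'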
|
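# Symlink directory that stands in for the Kubernetes mount: the paths
# MaxScale is configured with stay fixed while the files behind them change.
mkdir -p /mnt/certs-sim/
ln -sf /mnt/certs/server-cert.pem /mnt/certs-sim/server-cert.pem
ln -sf /mnt/certs/server-key.pem /mnt/certs-sim/server-key.pem
ln -sf /mnt/certs/ca-cert.pem /mnt/certs-sim/ca-cert.pem
chown -R maxscale:maxscale /mnt/certs-sim/

# Set admin_ssl_key & admin_ssl_cert
maxctrl alter maxscale admin_ssl_key=/mnt/certs-sim/server-key.pem admin_ssl_cert=/mnt/certs-sim/server-cert.pem
maxctrl --user=mxadmin --password=mxadminpassword list servers

# NOTE(review): the CA is written here as `admin_ssl_ca`, while the "FAILS"
# step later alters `admin_ssl_ca_cert`; check which spelling the installed
# MaxScale version accepts so both steps target the same parameter.
echo "admin_ssl_ca=/mnt/certs-sim/ca-cert.pem" >> /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf

# restart container so the appended admin_ssl_ca setting is read
docker restart mx1
# tail -f /var/log/maxscale/maxscale.log

# Option string shared by the remaining maxctrl calls. It is expanded
# unquoted (`$secure`) on purpose so it splits into separate arguments
# (shellcheck SC2086 is intentional). The password on argv is visible in
# `ps` and shell history — acceptable only for this throw-away test.
secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-sim/ca-cert.pem --tls-verify-server-cert"
maxctrl $secure list servers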
|
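# Second certificate set, expiring about four minutes from now (same
# backdating trick as the first set). The CA KEY is copied from the first
# set, so the new CA cert is a re-issue of the same key with a later validity
# window, and the new server cert is signed by that same key.
time2=$(date -d "+4 minute" -u +"%H:%M:%S")
mkdir -p /mnt/certs-new
# Stop here rather than overwrite files in whatever the cwd happens to be.
cd /mnt/certs-new || exit 1
cp /mnt/certs/ca-key.pem /mnt/certs-new/ca-key.pem
# As in the first set: ca-csr.pem is unused (the CA cert is self-signed with
# -x509) and `-config openssl.cnf` expects a file in the cwd.
faketime "yesterday $time2" openssl req -new -key ca-key.pem -out ca-csr.pem -config openssl.cnf -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA"
faketime "yesterday $time2" openssl req -new -x509 -nodes -days 1 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CA"
openssl x509 -noout -startdate -enddate -in ca-cert.pem

faketime "yesterday $time2" /bin/bash -c 'openssl req -newkey rsa:2048 -nodes -days 1 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server"'
# Serial 01 is reused from the first set — acceptable only for a scratch CA.
faketime "yesterday $time2" /bin/bash -c 'openssl x509 -req -days 1 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile <(printf "subjectAltName=IP:127.0.0.1")'
openssl x509 -in server-cert.pem -text -noout

chown -R maxscale:maxscale /mnt/certs-new
# client-cert.pem is never generated; only the server-cert.pem verify is meaningful.
openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem

# `$secure` is intentionally unquoted (argument splitting); grep pattern
# quoted so the shell cannot glob-expand it.
maxctrl $secure show maxscale | grep -i 'admin_ssl'
maxctrl $secure list servers

# Status dump: validity window of every cert set next to the real clock.
maxctrl $secure list servers
echo ""
echo "Old -/mnt/certs:"
openssl x509 -text -noout -in /mnt/certs/ca-cert.pem | grep -F -A2 Validity
echo "New -/mnt/certs-new/:"
openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | grep -F -A2 Validity
echo "Current -/mnt/certs-sim/:"
openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | grep -F -A2 Validity
echo ""
# Data goes through %s, never into the printf format string.
printf 'NOW: %s\n' "$(date)"
echo ""
echo "server-cert"
openssl x509 -text -noout -in /mnt/certs/server-cert.pem | grep -F -A2 Validity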
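# FAILS BUT EXPECTED TO WORK
#
# Make similar to Nokia - overwrite the symlinked files - and run maxctrl
# alter on the same full path name. Keep a copy of the first set so its
# validity window can still be printed after /mnt/certs is overwritten.
cp -r /mnt/certs/ /mnt/certs-old/
cp -f -- /mnt/certs-new/* /mnt/certs/
chown -R maxscale:maxscale /mnt/certs*

# Same paths as currently configured: maxctrl reports OK, but (the behaviour
# this issue reports) MaxScale keeps serving the certificate it loaded earlier.
# `$secure` is intentionally unquoted (argument splitting).
maxctrl $secure alter maxscale admin_ssl_cert /mnt/certs-sim/server-cert.pem
maxctrl $secure alter maxscale admin_ssl_key /mnt/certs-sim/server-key.pem
maxctrl $secure alter maxscale admin_ssl_ca_cert /mnt/certs-sim/ca-cert.pem

# Status dump: validity window of every cert set next to the real clock.
maxctrl $secure list servers
echo ""
echo "Old -/mnt/certs-old:"
openssl x509 -text -noout -in /mnt/certs-old/ca-cert.pem | grep -F -A2 Validity
echo "New -/mnt/certs-new/:"
openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | grep -F -A2 Validity
echo "Current -/mnt/certs-sim/:"
openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | grep -F -A2 Validity
echo ""
# Data goes through %s, never into the printf format string.
printf 'NOW: %s\n' "$(date)"
echo ""
echo "server-cert"
openssl x509 -text -noout -in /mnt/certs/server-cert.pem | grep -F -A2 Validity
# NOTICE: when cert 1 expires (/mnt/certs-old/), maxscale commands fail but
# the new certs should be working and not expired, because the files behind
# the symlinks are not expired.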
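# SOLUTION WORKS IF NEW FULL PATHS ARE USED
#
# A path that differs from the current value makes MaxScale reload the
# certificate. `$secure`/`$secure2` are intentionally unquoted (argument
# splitting); the password on argv is acceptable only for this test container.
maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem
secure2="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert"
# grep patterns quoted so the shell cannot glob-expand them.
maxctrl $secure show maxscale | grep -i 'admin_ssl' # NOTICE: This still works until 1st cert pair expires - NEW PROBLEM ?
# Presumably expected rather than a new problem: the second CA cert was
# self-signed with the SAME ca-key.pem, so the old CA cert still validates
# the new server cert's signature until the old CA cert itself expires — confirm.
maxctrl $secure2 show maxscale | grep -i 'admin_ssl' # This continues to work as expected until 2nd cert pair expires

# Status dump: validity window of every cert set next to the real clock.
maxctrl $secure list servers
maxctrl $secure2 list servers
echo ""
# /mnt/certs was overwritten with the new set in the "FAILS" step above, so
# the first set now lives in /mnt/certs-old (the earlier dump read /mnt/certs).
echo "Old -/mnt/certs-old:"
openssl x509 -text -noout -in /mnt/certs-old/ca-cert.pem | grep -F -A2 Validity
echo "New -/mnt/certs-new/:"
openssl x509 -text -noout -in /mnt/certs-new/ca-cert.pem | grep -F -A2 Validity
echo "Current -/mnt/certs-sim/:"
openssl x509 -text -noout -in /mnt/certs-sim/ca-cert.pem | grep -F -A2 Validity
echo ""
# Data goes through %s, never into the printf format string.
printf 'NOW: %s\n' "$(date)"
echo ""
echo "server-cert"
openssl x509 -text -noout -in /mnt/certs/server-cert.pem | grep -F -A2 Validity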
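# reset test
#
# Interactive edit of the persisted config — presumably to remove the
# admin_ssl_ca line appended earlier — then delete every generated cert
# directory (/mnt/certs, /mnt/certs-sim, /mnt/certs-new, /mnt/certs-old).
vi /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
# The trailing glob is intentional; `--` keeps the expansion from being
# parsed as options.
rm -rf -- /mnt/certs*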
|
Issue Links
- relates to
-
MXS-4968 REST-API TLS certificates can be reloaded but the path to them cannot be altered
- Closed