JoaoJandre opened a new pull request, #7728:
URL: https://github.com/apache/cloudstack/pull/7728

   ### Description
   
   During deployment, ACS creates a Root CA and stores it in the database. From 
this Root CA, ACS generates a self-signed certificate for the management 
servers and other components. The MS certificate is stored in memory and is 
generated every time the MS is restarted.
   
   Currently, the MS adds only the IP of its default network as an alternative 
name; therefore, if the network used for communication between the MSs is 
different from their default network, the certificate will never be accepted 
and the communication will not take place.
   
   This PR adds the MS's IP in the `management.network.cidr` network as an 
alternative name in the self-signed certificate. 
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing 
functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [X] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [ ] Major
   - [X] Minor
   
   #### Bug Severity
   
   - [ ] BLOCKER
   - [ ] Critical
   - [ ] Major
   - [ ] Minor
   - [ ] Trivial
   
   
   ### Screenshots (if appropriate):
   
   
   ### How Has This Been Tested?
   With `ca.plugin.root.auth.strictness` turned on and 
`management.network.cidr` configured to the MGMT network, I changed the default 
network of one of my environment's MSs and restarted ACS. 
   Without this PR's changes, handshake errors between MSs started to show in 
the logs. 
   ```
   2023-07-06 14:23:48,647 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-75-thread-1:null) (logid:) A client/agent attempting connection from 
address=192.168.201.151 has presented these certificate(s):
   Certificate [1] :
    Serial: ea4d6d28ad1c0362
     Not Before:Thu Jul 06 02:22:13 UTC 2023
     Not After:Sat Jun 28 14:22:13 UTC 2053
     Signature Algorithm:SHA256withRSA
     Version:3
     Subject DN:CN=cloudstack-lab-management-2
     Issuer DN:CN=ca.cloudstack.apache.org
     Alternative Names:[[7, 172.16.200.151], [7, 
fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
   Certificate [2] :
    Serial: def004b8c96b8a99
     Not Before:Fri Oct 08 05:25:17 UTC 2021
     Not After:Sun Oct 01 17:25:17 UTC 2051
     Signature Algorithm:SHA256withRSA
     Version:3
     Subject DN:CN=ca.cloudstack.apache.org
     Issuer DN:CN=ca.cloudstack.apache.org
     Alternative Names:null
   2023-07-06 14:23:48,655 ERROR [o.a.c.c.p.RootCACustomTrustManager] 
(pool-75-thread-1:null) (logid:) Certificate ownership verification failed for 
client: 192.168.201.151
   2023-07-06 14:23:48,657 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-3:null) (logid:) SSL error caught during wrap 
data: Certificate ownership verification failed for client: 192.168.201.151, 
for local address=/192.168.201.150:8250, remote address=/192.168.201.151:58284.
   ```
   With this PR's changes, the communication between MSs returned to normal.
   ```
   2023-07-06 14:34:30,180 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-40-thread-1:null) (logid:) A client/agent attempting connection from 
address=192.168.201.151 has presented these certificate(s):
   Certificate [1] :
    Serial: d41eb113b05c84da
     Not Before:Thu Jul 06 02:34:06 UTC 2023
     Not After:Sat Jun 28 14:34:06 UTC 2053
     Signature Algorithm:SHA256withRSA
     Version:3
     Subject DN:CN=cloudstack-lab-management-2
     Issuer DN:CN=ca.cloudstack.apache.org
     Alternative Names:[[7, 172.16.200.151], [7, 
fe80:0:0:0:c05d:54ff:feca:1b42], [7, 192.168.201.151], [2, 
cloudstack-lab-management-2]]
   Certificate [2] :
    Serial: def004b8c96b8a99
     Not Before:Fri Oct 08 05:25:17 UTC 2021
     Not After:Sun Oct 01 17:25:17 UTC 2051
     Signature Algorithm:SHA256withRSA
     Version:3
     Subject DN:CN=ca.cloudstack.apache.org
     Issuer DN:CN=ca.cloudstack.apache.org
     Alternative Names:null
   2023-07-06 14:34:30,196 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-40-thread-1:null) (logid:) Client/agent connection from 
ip=192.168.201.151 has been validated and trusted.
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
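
The check exercised in the test log above, as an added example in Python (not code from the PR or from CloudStack itself). It builds the SAN list the way the description says the fix does, picking the MS address that falls inside `management.network.cidr`, and runs a simplified ownership check over the two log excerpts. Assumptions: the tag numbers 7 and 2 printed in the log are the RFC 5280 GeneralName indices for iPAddress and dNSName; the rule modelled here (the peer's source IP must appear among the certificate's IP SANs) is a simplification of what `RootCACustomTrustManager` actually does; the excerpts are condensed from the log lines in the description, with the wrapped SAN line joined onto one line; the function names and the CIDR `192.168.201.0/24` are made up for the example.

```python
import ipaddress
import re

# GeneralName tag numbers as printed in the PR log (Java's getSubjectAlternativeNames
# uses the RFC 5280 GeneralName choice index): 7 = iPAddress, 2 = dNSName.
IP_SAN = 7
DNS_SAN = 2


def management_ip(addresses, management_cidr):
    """Return the first address that lies inside management_cidr, or None."""
    net = ipaddress.ip_network(management_cidr, strict=False)
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.version == net.version and ip in net:
            return str(ip)
    return None


def build_sans(hostname, default_ips, all_ips, management_cidr):
    """SAN list for the MS certificate: the default-network IPs, plus the IP inside
    management.network.cidr (the addition this PR describes), plus the hostname."""
    sans = [(IP_SAN, ip) for ip in default_ips]
    mgmt = management_ip(all_ips, management_cidr)
    if mgmt is not None and (IP_SAN, mgmt) not in sans:
        sans.append((IP_SAN, mgmt))
    sans.append((DNS_SAN, hostname))
    return sans


def ownership_ok(peer_address, sans):
    """Simplified ownership check (assumption about the trust manager's rule):
    the peer's source address must be one of the certificate's IP SANs."""
    peer = ipaddress.ip_address(peer_address)
    return any(tag == IP_SAN and ipaddress.ip_address(value) == peer
               for tag, value in sans)


def parse_sans(text):
    """Parse the first 'Alternative Names:[[7, ip], [2, host]]' entry of a log excerpt
    (the leaf certificate; the CA entry prints 'null' and does not match)."""
    m = re.search(r"Alternative Names:\[(.*)\]", text)
    if not m:
        return []
    return [(int(tag), value.strip())
            for tag, value in re.findall(r"\[(\d+),\s*([^\]]+)\]", m.group(1))]


def verify_excerpt(text):
    """Return (peer address, verdict) for the leaf certificate in a handshake log excerpt."""
    peer = re.search(r"address=(\S+) has presented", text).group(1)
    return peer, ownership_ok(peer, parse_sans(text))


# Constructed excerpts, condensed from the log lines quoted in the PR description.
BEFORE = """\
A client/agent attempting connection from address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
 Subject DN:CN=cloudstack-lab-management-2
 Alternative Names:[[7, 172.16.200.151], [7, fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
Certificate [2] :
 Subject DN:CN=ca.cloudstack.apache.org
 Alternative Names:null
"""
AFTER = BEFORE.replace("[2, cloudstack-lab-management-2]",
                       "[7, 192.168.201.151], [2, cloudstack-lab-management-2]")

if __name__ == "__main__":
    for label, excerpt in (("without PR", BEFORE), ("with PR", AFTER)):
        peer, ok = verify_excerpt(excerpt)
        print(f"{label}: peer {peer} -> "
              f"{'validated and trusted' if ok else 'ownership verification failed'}")
```

Running it reproduces the two outcomes in the test log: the excerpt without the management-network IP in the SAN list fails the check for peer 192.168.201.151, the excerpt with it passes. `build_sans` reproduces the SAN order printed in the second excerpt when given the default-network addresses plus the management-network one.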