From 568da5918b4ef1923182ef6f2a0ce26cd5865ee2 Mon Sep 17 00:00:00 2001 
From: Lance Haig Date: Mon, 22 May 2023 15:31:56 +0200 Subject: [PATCH] cli: tls certs not created with correct SANs (#16959) The `nomad tls cert` command did not create certificates with the correct SANs for them to work with non default domain and region names. This changset updates the code to support non default domains and regions in the certificates. --- .changelog/16959.txt | 3 + client/alloc_watcher_e2e_test.go | 10 +- client/client_test.go | 46 ++-- client/rpc_test.go | 14 +- command/agent/agent_test.go | 128 +++++------ command/agent/http_test.go | 61 ++++-- command/tls_ca_create.go | 2 +- command/tls_ca_create_test.go | 4 +- command/tls_cert_create.go | 112 ++++++---- command/tls_cert_create_test.go | 203 ++++++++++++++---- helper/tlsutil/config_test.go | 70 +++--- helper/tlsutil/testdata/README.md | 90 +++++--- helper/tlsutil/testdata/bad-agent-ca-key.pem | 5 + helper/tlsutil/testdata/bad-agent-ca.pem | 19 ++ .../testdata/badRegion-client-bad-key.pem | 5 + .../tlsutil/testdata/badRegion-client-bad.pem | 18 ++ .../testdata/badRegion-server-bad-key.pem | 5 + .../tlsutil/testdata/badRegion-server-bad.pem | 18 ++ helper/tlsutil/testdata/ca-bad-csr.json | 16 -- helper/tlsutil/testdata/ca-bad-key.pem | 5 - helper/tlsutil/testdata/ca-bad.csr | 9 - helper/tlsutil/testdata/ca-bad.pem | 14 -- helper/tlsutil/testdata/ca-config.json | 14 -- helper/tlsutil/testdata/ca-csr.json | 16 -- helper/tlsutil/testdata/ca-key.pem | 5 - helper/tlsutil/testdata/ca-whitespace.pem | 15 -- helper/tlsutil/testdata/ca.csr | 9 - helper/tlsutil/testdata/ca.pem | 14 -- helper/tlsutil/testdata/global-ca.pem | 13 -- helper/tlsutil/testdata/global-client-key.pem | 5 - .../testdata/global-client-nomad-key.pem | 5 + .../tlsutil/testdata/global-client-nomad.pem | 17 ++ helper/tlsutil/testdata/global-client.pem | 15 -- helper/tlsutil/testdata/global-server-key.pem | 5 - .../testdata/global-server-nomad-key.pem | 5 + .../tlsutil/testdata/global-server-nomad.pem | 17 ++ 
helper/tlsutil/testdata/global-server.pem | 15 -- .../tlsutil/testdata/nomad-agent-ca-key.pem | 5 + helper/tlsutil/testdata/nomad-agent-ca.pem | 18 ++ helper/tlsutil/testdata/nomad-bad-csr.json | 20 -- helper/tlsutil/testdata/nomad-bad-key.pem | 5 - helper/tlsutil/testdata/nomad-bad.csr | 11 - helper/tlsutil/testdata/nomad-bad.pem | 17 -- .../tlsutil/testdata/nomad-foo-client-key.pem | 5 - helper/tlsutil/testdata/nomad-foo-client.pem | 15 -- helper/tlsutil/testdata/nomad-foo-csr.json | 20 -- helper/tlsutil/testdata/nomad-foo-key.pem | 5 - helper/tlsutil/testdata/nomad-foo.csr | 11 - helper/tlsutil/testdata/nomad-foo.pem | 17 -- .../testdata/regionFoo-client-nomad-key.pem | 5 + .../testdata/regionFoo-client-nomad.pem | 17 ++ .../testdata/regionFoo-server-nomad-key.pem | 5 + .../testdata/regionFoo-server-nomad.pem | 17 ++ .../testdata/whitespace-agent-ca-key.pem | 5 + .../tlsutil/testdata/whitespace-agent-ca.pem | 22 ++ nomad/acl_test.go | 22 +- nomad/rpc_test.go | 36 ++-- nomad/server_test.go | 42 ++-- nomad/structs/config/tls_test.go | 50 ++--- .../content/docs/commands/tls/cert-create.mdx | 7 +- .../content/docs/upgrade/upgrade-specific.mdx | 6 + 61 files changed, 776 insertions(+), 634 deletions(-) create mode 100644 .changelog/16959.txt create mode 100644 helper/tlsutil/testdata/bad-agent-ca-key.pem create mode 100644 helper/tlsutil/testdata/bad-agent-ca.pem create mode 100644 helper/tlsutil/testdata/badRegion-client-bad-key.pem create mode 100644 helper/tlsutil/testdata/badRegion-client-bad.pem create mode 100644 helper/tlsutil/testdata/badRegion-server-bad-key.pem create mode 100644 helper/tlsutil/testdata/badRegion-server-bad.pem delete mode 100644 helper/tlsutil/testdata/ca-bad-csr.json delete mode 100644 helper/tlsutil/testdata/ca-bad-key.pem delete mode 100644 helper/tlsutil/testdata/ca-bad.csr delete mode 100644 helper/tlsutil/testdata/ca-bad.pem delete mode 100644 helper/tlsutil/testdata/ca-config.json delete mode 100644 
helper/tlsutil/testdata/ca-csr.json delete mode 100644 helper/tlsutil/testdata/ca-key.pem delete mode 100644 helper/tlsutil/testdata/ca-whitespace.pem delete mode 100644 helper/tlsutil/testdata/ca.csr delete mode 100644 helper/tlsutil/testdata/ca.pem delete mode 100644 helper/tlsutil/testdata/global-ca.pem delete mode 100644 helper/tlsutil/testdata/global-client-key.pem create mode 100644 helper/tlsutil/testdata/global-client-nomad-key.pem create mode 100644 helper/tlsutil/testdata/global-client-nomad.pem delete mode 100644 helper/tlsutil/testdata/global-client.pem delete mode 100644 helper/tlsutil/testdata/global-server-key.pem create mode 100644 helper/tlsutil/testdata/global-server-nomad-key.pem create mode 100644 helper/tlsutil/testdata/global-server-nomad.pem delete mode 100644 helper/tlsutil/testdata/global-server.pem create mode 100644 helper/tlsutil/testdata/nomad-agent-ca-key.pem create mode 100644 helper/tlsutil/testdata/nomad-agent-ca.pem delete mode 100644 helper/tlsutil/testdata/nomad-bad-csr.json delete mode 100644 helper/tlsutil/testdata/nomad-bad-key.pem delete mode 100644 helper/tlsutil/testdata/nomad-bad.csr delete mode 100644 helper/tlsutil/testdata/nomad-bad.pem delete mode 100644 helper/tlsutil/testdata/nomad-foo-client-key.pem delete mode 100644 helper/tlsutil/testdata/nomad-foo-client.pem delete mode 100644 helper/tlsutil/testdata/nomad-foo-csr.json delete mode 100644 helper/tlsutil/testdata/nomad-foo-key.pem delete mode 100644 helper/tlsutil/testdata/nomad-foo.csr delete mode 100644 helper/tlsutil/testdata/nomad-foo.pem create mode 100644 helper/tlsutil/testdata/regionFoo-client-nomad-key.pem create mode 100644 helper/tlsutil/testdata/regionFoo-client-nomad.pem create mode 100644 helper/tlsutil/testdata/regionFoo-server-nomad-key.pem create mode 100644 helper/tlsutil/testdata/regionFoo-server-nomad.pem create mode 100644 helper/tlsutil/testdata/whitespace-agent-ca-key.pem create mode 100644 helper/tlsutil/testdata/whitespace-agent-ca.pem 
diff --git a/.changelog/16959.txt b/.changelog/16959.txt new file mode 100644 index 000000000..5a1f2c71f --- /dev/null +++ b/.changelog/16959.txt @@ -0,0 +1,3 @@ +```release-note:bug +tls: Fixed a bug where the `nomad tls cert` command did not create certificates with the correct SANs for them to work with non default domain and region names. +``` \ No newline at end of file diff --git a/client/alloc_watcher_e2e_test.go b/client/alloc_watcher_e2e_test.go index 6dad30d53..9539da82e 100644 --- a/client/alloc_watcher_e2e_test.go +++ b/client/alloc_watcher_e2e_test.go @@ -24,11 +24,11 @@ import ( // work when TLS is enabled. func TestPrevAlloc_StreamAllocDir_TLS(t *testing.T) { const ( - caFn = "../helper/tlsutil/testdata/global-ca.pem" - serverCertFn = "../helper/tlsutil/testdata/global-server.pem" - serverKeyFn = "../helper/tlsutil/testdata/global-server-key.pem" - clientCertFn = "../helper/tlsutil/testdata/global-client.pem" - clientKeyFn = "../helper/tlsutil/testdata/global-client-key.pem" + caFn = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + serverCertFn = "../helper/tlsutil/testdata/global-server-nomad.pem" + serverKeyFn = "../helper/tlsutil/testdata/global-server-nomad-key.pem" + clientCertFn = "../helper/tlsutil/testdata/global-client-nomad.pem" + clientKeyFn = "../helper/tlsutil/testdata/global-client-nomad-key.pem" ) ci.Parallel(t) require := require.New(t) diff --git a/client/client_test.go b/client/client_test.go index a84fd9cf9..04148854c 100644 --- a/client/client_test.go +++ b/client/client_test.go 
@@ -258,9 +258,9 @@ func TestClient_MixedTLS(t *testing.T) { ci.Parallel(t) const ( - cafile = "../helper/tlsutil/testdata/ca.pem" - foocert = "../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem" + fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem" ) s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) { c.TLSConfig = &nconfig.TLSConfig{ @@ -268,8 +268,8 @@ func TestClient_MixedTLS(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooservercert, + KeyFile: fooserverkey, } }) defer cleanupS1() @@ -306,12 +306,12 @@ func TestClient_BadTLS(t *testing.T) { ci.Parallel(t) const ( - cafile = "../helper/tlsutil/testdata/ca.pem" - foocert = "../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" - badca = "../helper/tlsutil/testdata/ca-bad.pem" - badcert = "../helper/tlsutil/testdata/nomad-bad.pem" - badkey = "../helper/tlsutil/testdata/nomad-bad-key.pem" + cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" + badca = "../helper/tlsutil/testdata/bad-agent-ca.pem" + badcert = "../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../helper/tlsutil/testdata/badRegion-client-bad-key.pem" ) s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) { c.TLSConfig = &nconfig.TLSConfig{ @@ -319,8 +319,8 @@ func TestClient_BadTLS(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, } }) defer cleanupS1() 
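Review bot: In TestClient_BadTLS the server s1 is now given the client certificate pair (`fooclientcert`/`fooclientkey`, regionFoo-client-nomad.pem) while TestClient_MixedTLS in the hunk just above gives its server `fooservercert`; with `VerifyServerHostname: true` a server presenting a `client.*` certificate is exactly what a peer is meant to reject, so presumably the assertions here do not depend on a successful client-to-server handshake. The same server-with-client-certificate configuration appears in the reload tests at the -1078 and -1154 hunks. Unless the intent is to test a mis-issued server, use `regionFoo-server-nomad.pem` / `regionFoo-server-nomad-key.pem` as rpc_test.go does, and add a one-line comment when a client certificate on a server is deliberate. The enclosing test functions continue outside the hunks.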
@@ -1078,9 +1078,9 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) { testutil.WaitForLeader(t, s1.RPC) const ( - cafile = "../helper/tlsutil/testdata/ca.pem" - foocert = "../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) c1, cleanup := TestClient(t, func(c *config.Config) { @@ -1114,8 +1114,8 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, } err := c1.reloadTLSConnections(newConfig) @@ -1154,9 +1154,9 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) { testutil.WaitForLeader(t, s1.RPC) const ( - cafile = "../helper/tlsutil/testdata/ca.pem" - foocert = "../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) c1, cleanup := TestClient(t, func(c *config.Config) { @@ -1166,8 +1166,8 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, } }) defer cleanup() diff --git a/client/rpc_test.go b/client/rpc_test.go index a824206ba..29a0d1a9b 100644 --- a/client/rpc_test.go +++ b/client/rpc_test.go 
@@ -59,9 +59,9 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) { require := require.New(t) const ( - cafile = "../helper/tlsutil/testdata/ca.pem" - foocert = "../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem" + fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem" ) s1, cleanupS1 := nomad.TestServer(t, func(c *nomad.Config) { @@ -72,8 +72,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooservercert, + KeyFile: fooserverkey, } }) defer cleanupS1() @@ -87,8 +87,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooservercert, + KeyFile: fooserverkey, } }) defer cleanupC() diff --git a/command/agent/agent_test.go b/command/agent/agent_test.go index e7a38ff15..29f5e2452 100644 --- a/command/agent/agent_test.go +++ b/command/agent/agent_test.go 
@@ -920,11 +920,12 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) { // We will start out with a bad cert and then reload with a good one. const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" - foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + badca = "../../helper/tlsutil/testdata/bad-agent-ca.pem" + badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem" + foocafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) agent := NewTestAgent(t, t.Name(), func(c *Config) { @@ -932,9 +933,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) { EnableHTTP: true, EnableRPC: true, VerifyServerHostname: true, - CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CAFile: badca, + CertFile: badcert, + KeyFile: badkey, } }) defer agent.Shutdown() @@ -952,9 +953,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) { EnableHTTP: true, EnableRPC: true, VerifyServerHostname: true, - CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CAFile: foocafile, + CertFile: fooclientcert, + KeyFile: fooclientkey, }, } 
@@ -987,11 +988,12 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" - foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + badcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + badkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) agentConfig := &Config{ @@ -999,9 +1001,9 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) { EnableHTTP: true, EnableRPC: true, VerifyServerHostname: true, - CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CAFile: badca, + CertFile: badcert, + KeyFile: badkey, }, } @@ -1016,8 +1018,8 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CertFile: fooclientcert, + KeyFile: fooclientkey, }, } @@ -1036,11 +1038,11 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" - foocert2 = "invalid_cert_path" - fookey2 = "invalid_key_path" + badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem" + newfoocert = "invalid_cert_path" + newfookey = "invalid_key_path" ) agentConfig := &Config{ 
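Review bot: In TestServer_Reload_TLS_Certificate the new `badca`, `badcert` and `badkey` constants resolve to the same files as `cafile`, `fooclientcert` and `fooclientkey` (nomad-agent-ca.pem, regionFoo-client-nomad.pem and its key), so the "reload from a bad certificate to a good one" scenario now reloads identical material and the `bad*` names mislead. TestServer_Reload_TLS_Shared_Keyloader in the hunk above uses `bad-agent-ca.pem` / `badRegion-client-bad.pem` / `badRegion-client-bad-key.pem` for that role; unless the duplication is intentional, those are probably the values meant here. The `badca = nomad-agent-ca.pem` pairing with `badRegion-client-bad.pem` in TestServer_Reload_TLS_Certificate_Invalid (the -1036 hunk) also leaves the CA and certificate signed by different authorities, which is worth a comment if that mismatch is the point of the test. The test bodies continue past the hunks.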
@@ -1048,9 +1050,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) { EnableHTTP: true, EnableRPC: true, VerifyServerHostname: true, - CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CAFile: badca, + CertFile: badcert, + KeyFile: badkey, }, } @@ -1064,9 +1066,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) { EnableHTTP: true, EnableRPC: true, VerifyServerHostname: true, - CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CAFile: badca, + CertFile: newfoocert, + KeyFile: newfookey, }, } @@ -1123,9 +1125,9 @@ func TestServer_Reload_TLS_UpgradeToTLS(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) logger := testlog.HCLogger(t) @@ -1164,9 +1166,9 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) logger := testlog.HCLogger(t) 
@@ -1238,9 +1240,9 @@ func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) sameAgentConfig := &Config{ @@ -1276,9 +1278,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyHTTPChanges(t *testing.T) { require := require.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) sameAgentConfig := &Config{ @@ -1314,9 +1316,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyRPCChanges(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) sameAgentConfig := &Config{ 
@@ -1352,11 +1354,11 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" - foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" + badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem" ) agent := NewTestAgent(t, t.Name(), func(c *Config) { @@ -1377,8 +1379,8 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CertFile: badcert, + KeyFile: badkey, }, } @@ -1419,8 +1421,8 @@ func TestServer_ShouldReload_ReturnTrueForFileChanges(t *testing.T) { require.Nil(err) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - key = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + key = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) logger := testlog.HCLogger(t) 
@@ -1491,11 +1493,11 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) { require := require.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" - foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" + badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem" ) sameAgentConfig := &Config{ @@ -1515,8 +1517,8 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) { EnableRPC: true, VerifyServerHostname: true, CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CertFile: badcert, + KeyFile: badkey, } }) defer agent.Shutdown() diff --git a/command/agent/http_test.go b/command/agent/http_test.go index 59e4dd159..bd541029d 100644 --- a/command/agent/http_test.go +++ b/command/agent/http_test.go @@ -732,12 +732,12 @@ func TestParsePagination(t *testing.T) { func TestHTTP_VerifyHTTPSClient(t *testing.T) { ci.Parallel(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-server-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem" ) s := makeHTTPServer(t, func(c *Config) { - c.Region = "foo" // match the region on foocert + c.Region = "regionFoo" // match the region on foocert c.TLSConfig = &config.TLSConfig{ EnableHTTP: true, VerifyHTTPSClient: true, 
@@ -749,10 +749,29 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) { }) defer s.Shutdown() + tlConf := &tls.Config{ + ServerName: "client.regionFoo.nomad", + } + cacert, err := os.ReadFile(cafile) + if err != nil { + t.Fatalf("error reading cacert: %v", err) + } + tlConf.RootCAs, err = x509.SystemCertPool() + if err != nil { + t.Fatalf("error reading SystemPool: %v", err) + } + tlConf.RootCAs.AppendCertsFromPEM(cacert) + tr := &http.Transport{TLSClientConfig: tlConf} + clnt := &http.Client{Transport: tr} + reqURL := fmt.Sprintf("https://%s/v1/agent/self", s.Agent.config.AdvertiseAddrs.HTTP) + request, err := http.NewRequest("GET", reqURL, nil) + must.NoError(t, err, must.Sprintf("error creating request: %v", err)) + + resp, err := clnt.Do(request) + // FAIL: Requests that expect 127.0.0.1 as the name should fail - resp, err := http.Get(reqURL) if err == nil { resp.Body.Close() t.Fatalf("expected non-nil error but received: %v", resp.StatusCode) @@ -767,14 +786,16 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) { if !ok { t.Fatalf("expected a x509.HostnameError but received: %T -> %v", urlErr.Err, urlErr.Err) } - if expected := "127.0.0.1"; hostErr.Host != expected { + if expected := "client.regionFoo.nomad"; hostErr.Host != expected { t.Fatalf("expected hostname on error to be %q but found %q", expected, hostErr.Host) } // FAIL: Requests that specify a valid hostname but not the CA should // fail + pool := x509.NewCertPool() tlsConf := &tls.Config{ - ServerName: "client.regionFoo.nomad", + RootCAs: pool, + ServerName: "server.regionFoo.nomad", } transport := &http.Transport{TLSClientConfig: tlsConf} client := &http.Client{Transport: transport} 
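Review bot: The comment `// FAIL: Requests that expect 127.0.0.1 as the name should fail` is stale now that the request goes through `clnt` with `ServerName: "client.regionFoo.nomad"` and the assertion below checks for that hostname; replace it with `// FAIL: the server cert carries server.regionFoo.nomad, so a client expecting client.regionFoo.nomad must get a HostnameError`. The new setup alternates `t.Fatalf` and `must.NoError` for consecutive error checks, and `tlConf`/`tr`/`clnt` sit next to `tlsConf`/`transport`/`client` in the same function, which makes the scenarios easy to confuse; naming each triple by scenario (for example `wrongNameClient`) would help. Seeding `tlConf.RootCAs` from `x509.SystemCertPool()` before appending the test CA also makes this leg depend on the host trust store, where `x509.NewCertPool()` as used further down is sufficient. TestHTTP_VerifyHTTPSClient continues outside the hunk.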
@@ -860,11 +881,11 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) { assert := assert.New(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" - fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" - foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem" + badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" ) agentConfig := &Config{ @@ -872,8 +893,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) { EnableHTTP: true, VerifyHTTPSClient: true, CAFile: cafile, - CertFile: foocert, - KeyFile: fookey, + CertFile: badcert, + KeyFile: badkey, }, } @@ -882,8 +903,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) { EnableHTTP: true, VerifyHTTPSClient: true, CAFile: cafile, - CertFile: foocert2, - KeyFile: fookey2, + CertFile: foocert, + KeyFile: fookey, }, } @@ -933,7 +954,7 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) { ServerName: "client.regionFoo.nomad", RootCAs: x509.NewCertPool(), GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { - c, err := tls.LoadX509KeyPair(foocert2, fookey2) + c, err := tls.LoadX509KeyPair(foocert, fookey) if err != nil { return nil, err } 
@@ -1053,9 +1074,9 @@ func TestHTTPServer_Limits_OK(t *testing.T) { ci.Parallel(t) const ( - cafile = "../../helper/tlsutil/testdata/ca.pem" - foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" - fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" + cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem" + foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem" + fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem" maxConns = 10 // limit must be < this for testing bufSize = 1 // enough to know if something was written ) diff --git a/command/tls_ca_create.go b/command/tls_ca_create.go index 6b1b0457b..3c9466986 100644 --- a/command/tls_ca_create.go +++ b/command/tls_ca_create.go @@ -139,7 +139,7 @@ func (c *TLSCACreateCommand) Run(args []string) int { constraints := []string{} if c.constraint { - constraints = []string{c.domain, "localhost"} + constraints = []string{c.domain, "localhost", "nomad"} constraints = append(constraints, c.additionalDomain...) } diff --git a/command/tls_ca_create_test.go b/command/tls_ca_create_test.go index 12bd76dc0..d4da1cbce 100644 --- a/command/tls_ca_create_test.go +++ b/command/tls_ca_create_test.go @@ -53,8 +53,8 @@ func TestCACreateCommand(t *testing.T) { func(t *testing.T, cert *x509.Certificate) { require.Equal(t, 365*24*time.Hour, time.Until(cert.NotAfter).Round(24*time.Hour)) require.True(t, cert.PermittedDNSDomainsCritical) - require.Len(t, cert.PermittedDNSDomains, 3) - require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"foo", "localhost", "bar"}) + require.Len(t, cert.PermittedDNSDomains, 4) + require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"nomad", "foo", "localhost", "bar"}) }, }, {"with common-name", diff --git a/command/tls_cert_create.go b/command/tls_cert_create.go index 611fb98fb..1cfa657f1 100644 --- a/command/tls_cert_create.go +++ b/command/tls_cert_create.go 
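Review bot: The name-constraint list on the changed line in tls_ca_create.go now always contains the literal `"nomad"`, so with the default `-domain` the CA carries the entry twice (`[]string{"nomad", "localhost", "nomad"}`), and with a custom domain the CA additionally permits every `*.nomad` name. The duplicate is harmless but sloppy; guard it, e.g. `if c.domain != "nomad" { constraints = append(constraints, "nomad") }`, which keeps the four-entry expectation in tls_ca_create_test.go intact. The widening is presumably what lets the `<type>.<region>.nomad` SANs generated in tls_cert_create.go validate under a custom domain, so it deserves a comment on that line (`// "nomad" is always permitted because certificates also carry <type>.<region>.nomad SANs`) and a sentence in the `-domain` help text saying a custom domain does not exclude `.nomad` names.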
@@ -33,19 +33,23 @@ type TLSCertCreateCommand struct { cli bool client bool - // key is used to set the custom CA certificate key when creating - // certificates. - key string - // days is the number of days the certificate will be valid for. days int + // domain is used to provide a custom domain for the certificate. + domain string + // cluster_region is used to add the region name to the certifacte SAN // records cluster_region string - // domain is used to provide a custom domain for the certificate. - domain string + // key is used to set the custom CA certificate key when creating + // certificates. + key string + + // cluster_region is used to add the region name to the certifacte SAN + // records + region string server bool } @@ -79,8 +83,7 @@ Certificate Create Options: Generate a client certificate. -cluster-region - Provide the datacenter. Only used for -server certificates. - Defaults to "global". + DEPRECATED please use -region. -days Provide number of days the certificate is valid for from now on. @@ -92,6 +95,10 @@ Certificate Create Options: -key Provide path to the certificate authority key. Defaults to #DOMAIN#-agent-ca-key.pem. + + -region + Provide the region. Only used for -server certificates. + Defaults to "global". -server Generate a server certificate. 
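Review bot: The comment on the new `region` field is a copy of the `cluster_region` one (`// cluster_region is used to add the region name to the certifacte SAN records`), naming the wrong field and repeating the `certifacte` typo; it should read `// region is used to add the region name to the certificate SAN records`, and `cluster_region` should get the spelling fix plus a `// Deprecated: use region.` line now that the help text calls the flag deprecated. As far as the visible hunks show, `c.region` is never bound in Run's flagSet (the -134 hunk registers `cluster-region`, `days`, `domain`, `key`, `server`) nor read; the region actually used comes from `c.clientConfig().Region`, presumably the `-region` flag on the shared Meta flag set, so the field looks dead and should be removed or its comment should say where the value really comes from. The help text says `DEPRECATED please use -region.` while the registration comment says the flag "will be deprecated in the next version"; pick one wording.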
@@ -134,10 +141,11 @@ func (c *TLSCertCreateCommand) Run(args []string) int { flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "") flagSet.BoolVar(&c.cli, "cli", false, "") flagSet.BoolVar(&c.client, "client", false, "") - flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "") + // cluster region will be deprecated in the next version + flagSet.StringVar(&c.cluster_region, "cluster-region", "", "") flagSet.IntVar(&c.days, "days", 365, "") - flagSet.StringVar(&c.cluster_region, "cluster-region", "global", "") flagSet.StringVar(&c.domain, "domain", "nomad", "") + flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "") flagSet.BoolVar(&c.server, "server", false, "") if err := flagSet.Parse(args); err != nil { return 1 
@@ -165,43 +173,42 @@ func (c *TLSCertCreateCommand) Run(args []string) int { return 1 } - var DNSNames []string - var IPAddresses []net.IP + var dnsNames []string + var ipAddresses []net.IP var extKeyUsage []x509.ExtKeyUsage - var name, prefix string + var name, regionName, prefix string for _, d := range c.dnsNames { if len(d) > 0 { - DNSNames = append(DNSNames, strings.TrimSpace(d)) + dnsNames = append(dnsNames, strings.TrimSpace(d)) } } for _, i := range c.ipAddresses { if len(i) > 0 { - IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i))) + ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i))) } } - if c.server { - name = fmt.Sprintf("server.%s.%s", c.cluster_region, c.domain) - DNSNames = append(DNSNames, name) - DNSNames = append(DNSNames, "localhost") + // set region variable to prepare for deprecating cluster_region + switch { + case c.cluster_region != "": + regionName = c.cluster_region + case c.clientConfig().Region != "" && c.clientConfig().Region != "global": + regionName = c.clientConfig().Region + default: + regionName = "global" + } - IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1")) - extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} - prefix = fmt.Sprintf("%s-server-%s", c.cluster_region, c.domain) - - } else if c.client { - name = fmt.Sprintf("client.%s.%s", c.cluster_region, c.domain) - DNSNames = append(DNSNames, []string{name, "localhost"}...) 
- IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1")) - extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} - prefix = fmt.Sprintf("%s-client-%s", c.cluster_region, c.domain) - } else if c.cli { - name = fmt.Sprintf("cli.%s.%s", c.cluster_region, c.domain) - DNSNames = []string{name, "localhost"} - prefix = fmt.Sprintf("%s-cli-%s", c.cluster_region, c.domain) - } else { + // Set dnsNames and ipAddresses based on whether this is a client, server or cli + switch { + case c.server: + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionName, c.domain, dnsNames, ipAddresses) + case c.client: + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionName, c.domain, dnsNames, ipAddresses) + case c.cli: + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionName, c.domain, dnsNames, ipAddresses) + default: c.Ui.Error("Neither client, cli nor server - should not happen") return 1 } @@ -252,10 +259,9 @@ func (c *TLSCertCreateCommand) Run(args []string) int { c.Ui.Error(err.Error()) return 1 } - pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{ Signer: signer, CA: string(cert), Name: name, Days: c.days, - DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage, + DNSNames: dnsNames, IPAddresses: ipAddresses, ExtKeyUsage: extKeyUsage, }) if err != nil { c.Ui.Error(err.Error()) 
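Review bot: In the region-selection switch a deprecated `-cluster-region` silently wins over `-region` and the user is never told the flag is deprecated even though the help text says so; emit `c.Ui.Warn("-cluster-region is deprecated, use -region instead")` in that case and state in the help which flag takes precedence when both are given. `c.clientConfig()` is evaluated up to three times in the case expressions; read it once into a local, since it may be more than a field access. The three `case` arms below then call `recordPreparation` with identical arguments apart from the type string, so the switch can pick the string and make a single call, as sketched below. Run continues outside the hunk.
```go
	// set region variable to prepare for deprecating cluster_region
	configRegion := c.clientConfig().Region
	switch {
	case c.cluster_region != "":
		c.Ui.Warn("-cluster-region is deprecated, use -region instead")
		regionName = c.cluster_region
	case configRegion != "" && configRegion != "global":
		regionName = configRegion
	default:
		regionName = "global"
	}

	// Pick the certificate type once; the SAN/EKU preparation is shared.
	var certType string
	switch {
	case c.server:
		certType = "server"
	case c.client:
		certType = "client"
	case c.cli:
		certType = "cli"
	default:
		c.Ui.Error("Neither client, cli nor server - should not happen")
		return 1
	}
	ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation(certType, regionName, c.domain, dnsNames, ipAddresses)
	// … unchanged: CA/key loading and tlsutil.GenerateCert call …
```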
@@ -294,3 +300,37 @@ func (c *TLSCertCreateCommand) Run(args []string) int { return 0 } + +func recordPreparation(certType string, regionName string, domain string, dnsNames []string, ipAddresses []net.IP) ([]net.IP, []string, string, []x509.ExtKeyUsage, string) { + var ( + extKeyUsage []x509.ExtKeyUsage + name, regionUrl, prefix string + ) + if certType == "server" || certType == "client" { + extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} + ipAddresses = append(ipAddresses, net.ParseIP("127.0.0.1")) + } else if certType == "cli" { + extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} + } + // prefix is used to generate the filename for the certificate before writing to disk. + prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain) + regionUrl = fmt.Sprintf("%s.%s.nomad", certType, regionName) + name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain) + + if regionName != "global" && domain != "nomad" { + dnsNames = append(dnsNames, name, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost") + } + + if regionName != "global" && domain == "nomad" { + dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost") + } + + if regionName == "global" && domain != "nomad" { + dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.%s.%s", certType, regionName, domain), "localhost") + } + + if regionName == "global" && domain == "nomad" { + dnsNames = append(dnsNames, name, "localhost") + } + return ipAddresses, dnsNames, name, extKeyUsage, prefix +} diff --git a/command/tls_cert_create_test.go b/command/tls_cert_create_test.go index 48acce0a3..94683b006 100644 --- a/command/tls_cert_create_test.go +++ b/command/tls_cert_create_test.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "net" "os" + "strings" "testing" "github.com/hashicorp/nomad/testutil" 
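Review bot: `recordPreparation` adds `<certType>.global.nomad` (and, for a custom domain, `<certType>.<region>.nomad`) to the SANs of every non-default certificate, so a server certificate issued for `region1` or for a private domain is also valid for the default `server.global.nomad` name; under a shared CA this lets a compromised region1 server satisfy the hostname check of the global region, which is exactly the boundary a per-region SAN is meant to enforce. The test CA generated with `-name-constraint=true -domain bad` appears to have had to permit `nomad` as well to make this work, which illustrates how the alias undercuts a name constraint. Unless the extra names are required by a documented compatibility path, the four branches should collapse to `dnsNames = append(dnsNames, name, "localhost")` and the default-name aliases be added only behind an explicit opt-in flag. A doc comment stating the return order (`ipAddresses, dnsNames, name, extKeyUsage, prefix`) and the reason for each alias would also help, since five positional results are easy to mis-assign at the call site.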
@@ -57,7 +58,7 @@ func TestTlsCertCreateCommand_InvalidArgs(t *testing.T) { } } -func TestTlsCertCreateCommand_fileCreate(t *testing.T) { +func TestTlsCertCreateCommandDefaults_fileCreate(t *testing.T) { testDir := t.TempDir() previousDirectory, err := os.Getwd() require.NoError(t, err) @@ -97,14 +98,15 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) { []net.IP{{127, 0, 0, 1}}, "==> WARNING: Server Certificates grants authority to become a\n server and access all state in the cluster including root keys\n and all ACL tokens. Do not distribute them to production hosts\n that are not server nodes. Store them as securely as CA keys.\n", }, - {"server0-region2-altdomain", + {"server0-region1", "server", - []string{"-server", "-cluster-region", "region2", "-domain", "nomad"}, - "region2-server-nomad.pem", - "region2-server-nomad-key.pem", - "server.region2.nomad", + []string{"-server", "-region", "region1"}, + "region1-server-nomad.pem", + "region1-server-nomad-key.pem", + "server.region1.nomad", []string{ - "server.region2.nomad", + "server.region1.nomad", + "server.global.nomad", "localhost", }, []net.IP{{127, 0, 0, 1}}, @@ -123,19 +125,6 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) { []net.IP{{127, 0, 0, 1}}, "", }, - {"client0-region2-altdomain", - "client", - []string{"-client", "-cluster-region", "region2", "-domain", "nomad"}, - "region2-client-nomad.pem", - "region2-client-nomad-key.pem", - "client.region2.nomad", - []string{ - "client.region2.nomad", - "localhost", - }, - []net.IP{{127, 0, 0, 1}}, - "", - }, {"cli0", "cli", []string{"-cli"}, 
@@ -146,20 +135,7 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) { "cli.global.nomad", "localhost", }, - nil, - "", - }, - {"cli0-region2-altdomain", - "cli", - []string{"-cli", "-cluster-region", "region2", "-domain", "nomad"}, - "region2-cli-nomad.pem", - "region2-cli-nomad-key.pem", - "cli.region2.nomad", - []string{ - "cli.region2.nomad", - "localhost", - }, - nil, + []net.IP(nil), "", }, } @@ -184,10 +160,12 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) { cert.ExtKeyUsage) case "client": require.Equal(t, - []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, cert.ExtKeyUsage) case "cli": - require.Len(t, cert.ExtKeyUsage, 0) + require.Equal(t, + []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + cert.ExtKeyUsage) } require.False(t, cert.IsCA) require.Equal(t, tc.expectDNS, cert.DNSNames) 
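Review bot: The new expectation for `cli` certificates pins `x509.ExtKeyUsageServerAuth` onto an identity that only ever acts as a TLS client, which is broader than least privilege requires; the removed `require.Len(t, cert.ExtKeyUsage, 0)` shows CLI certs previously carried no EKU at all, and the tightening should stop at `[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}` in both this assertion and the `cli` branch of `recordPreparation`. Nothing visible in this change needs a CLI certificate to be accepted as a server certificate; if some code path does, that reason belongs in a comment next to the assertion. The test table continues outside the hunk.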
@@ -195,3 +173,156 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) { })) } } + +func TestTlsRecordPreparation(t *testing.T) { + type testcase struct { + name string + certType string + regionName string + domain string + dnsNames []string + ipAddresses []string + expectedipAddresses []net.IP + expectedDNSNames []string + expectedName string + expectedextKeyUsage []x509.ExtKeyUsage + expectedPrefix string + } + // The default values are region = global and domain = nomad. + cases := []testcase{ + { + name: "server0", + certType: "server", + regionName: "global", + domain: "nomad", + dnsNames: []string{}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "server.global.nomad", + "localhost", + }, + expectedName: "server.global.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "global-server-nomad", + }, + { + name: "server0-region1", + certType: "server", + regionName: "region1", + domain: "nomad", + dnsNames: []string{}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "server.region1.nomad", + "server.global.nomad", + "localhost", + }, + expectedName: "server.region1.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "region1-server-nomad", + }, + { + name: "server0-domain1", + certType: "server", + regionName: "global", + domain: "domain1", + dnsNames: []string{}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "server.global.nomad", + "server.global.domain1", + "localhost", + }, + expectedName: "server.global.domain1", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "global-server-domain1", + }, + { + name: "server0-dns", + certType: 
"server", + regionName: "global", + domain: "nomad", + dnsNames: []string{"server.global.foo"}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "server.global.foo", + "server.global.nomad", + "localhost", + }, + expectedName: "server.global.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "global-server-nomad", + }, + { + name: "server0-ips", + certType: "server", + regionName: "global", + domain: "nomad", + dnsNames: []string{}, + ipAddresses: []string{"10.0.0.1"}, + expectedipAddresses: []net.IP{net.ParseIP("10.0.0.1"), net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "server.global.nomad", + "localhost", + }, + expectedName: "server.global.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "global-server-nomad", + }, + { + name: "client0", + certType: "client", + regionName: "global", + domain: "nomad", + dnsNames: []string{}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + expectedDNSNames: []string{ + "client.global.nomad", + "localhost", + }, + expectedName: "client.global.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + expectedPrefix: "global-client-nomad", + }, + { + name: "cli0", + certType: "cli", + regionName: "global", + domain: "nomad", + dnsNames: []string{}, + ipAddresses: []string{}, + expectedipAddresses: []net.IP(nil), + expectedDNSNames: []string{ + "cli.global.nomad", + "localhost", + }, + expectedName: "cli.global.nomad", + expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + expectedPrefix: "global-cli-nomad", + }, + } + + for _, tc := range cases { + tc := tc + require.True(t, t.Run(tc.name, func(t *testing.T) { + var ipAddresses []net.IP + for _, i := range tc.ipAddresses 
{ + if len(i) > 0 { + ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i))) + } + } + + ipAddresses, dnsNames, name, extKeyUsage, prefix := recordPreparation(tc.certType, tc.regionName, tc.domain, tc.dnsNames, ipAddresses) + require.Equal(t, tc.expectedipAddresses, ipAddresses) + require.Equal(t, tc.expectedDNSNames, dnsNames) + require.Equal(t, tc.expectedName, name) + require.Equal(t, tc.expectedextKeyUsage, extKeyUsage) + require.Equal(t, tc.expectedPrefix, prefix) + })) + } +} diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go index b40882b6c..73098f4b8 100644 --- a/helper/tlsutil/config_test.go +++ b/helper/tlsutil/config_test.go @@ -22,11 +22,13 @@ import ( const ( // See README.md for documentation - cacert = "./testdata/ca.pem" - foocert = "./testdata/nomad-foo.pem" - fookey = "./testdata/nomad-foo-key.pem" - badcert = "./testdata/nomad-bad.pem" - badkey = "./testdata/nomad-bad-key.pem" + cacert = "./testdata/nomad-agent-ca.pem" + fooclientcert = "./testdata/regionFoo-client-nomad.pem" + fooclientkey = "./testdata/regionFoo-client-nomad-key.pem" + fooservercert = "./testdata/regionFoo-server-nomad.pem" + fooserverkey = "./testdata/regionFoo-server-nomad-key.pem" + badcert = "./testdata/badRegion-client-bad.pem" + badkey = "./testdata/badRegion-client-bad-key.pem" ) func TestConfig_AppendCA_None(t *testing.T) { @@ -115,7 +117,7 @@ func TestConfig_AppendCA_Valid_Whitespace(t *testing.T) { require := require.New(t) - const cacertWhitespace = "./testdata/ca-whitespace.pem" + const cacertWhitespace = "./testdata/whitespace-agent-ca.pem" conf := &Config{ CAFile: cacertWhitespace, } @@ -296,8 +298,8 @@ func TestConfig_LoadKeyPair_Valid(t *testing.T) { ci.Parallel(t) conf := &Config{ - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } cert, err := conf.LoadKeyPair() 
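Review bot: The table never exercises the combination this commit exists to fix — a non-global region together with a non-default domain — which is the first branch of `recordPreparation` and the only one that emits four DNS names; `server0-region1` and `server0-domain1` each vary a single dimension. A case covering both would pin the SAN list for that path and catch any later reordering of the aliases. The `tc := tc` copy is unnecessary because `t.Run` is invoked synchronously here, though it is harmless.
```go
{
	name:                "server0-region1-domain1",
	certType:            "server",
	regionName:          "region1",
	domain:              "domain1",
	dnsNames:            []string{},
	ipAddresses:         []string{},
	expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	expectedDNSNames: []string{
		"server.region1.domain1",
		"server.region1.nomad",
		"server.global.nomad",
		"localhost",
	},
	expectedName:        "server.region1.domain1",
	expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	expectedPrefix:      "region1-server-domain1",
},
// … unchanged: remaining cases and the subtest loop …
```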
@@ -391,8 +393,8 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) { conf := &Config{ VerifyOutgoing: true, CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } tlsConf, err := conf.OutgoingTLSConfig() @@ -507,8 +509,8 @@ func TestConfig_outgoingWrapper_OK(t *testing.T) { config := &Config{ CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooservercert, + KeyFile: fooserverkey, VerifyServerHostname: true, VerifyOutgoing: true, KeyLoader: &config.KeyLoader{}, @@ -545,8 +547,8 @@ func TestConfig_outgoingWrapper_BadCert(t *testing.T) { t.SkipNow() config := &Config{ CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, VerifyServerHostname: true, VerifyOutgoing: true, } @@ -580,8 +582,8 @@ func TestConfig_wrapTLS_OK(t *testing.T) { config := &Config{ CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, VerifyOutgoing: true, KeyLoader: &config.KeyLoader{}, } @@ -655,8 +657,8 @@ func TestConfig_IncomingTLS(t *testing.T) { conf := &Config{ VerifyIncoming: true, CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } tlsC, err := conf.IncomingTLSConfig() @@ -684,8 +686,8 @@ func TestConfig_IncomingTLS_MissingCA(t *testing.T) { conf := &Config{ VerifyIncoming: true, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } _, err := conf.IncomingTLSConfig() @@ -786,8 +788,8 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) { require := require.New(t) tlsConfig := &config.TLSConfig{ - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, TLSCipherSuites: strings.Join([]string{ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", 
@@ -856,8 +858,8 @@ func TestConfig_ParseCiphers_Default(t *testing.T) { } empty := &config.TLSConfig{ - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } parsedCiphers, err := ParseCiphers(empty) @@ -880,8 +882,8 @@ func TestConfig_ParseCiphers_Invalid(t *testing.T) { for _, cipher := range invalidCiphers { tlsConfig := &config.TLSConfig{ TLSCipherSuites: cipher, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } parsedCiphers, err := ParseCiphers(tlsConfig) @@ -902,8 +904,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) { { tlsConfig := &config.TLSConfig{ TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } parsedCiphers, err := ParseCiphers(tlsConfig) @@ -915,8 +917,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) { { tlsConfig := &config.TLSConfig{ TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } parsedCiphers, err := ParseCiphers(tlsConfig) @@ -972,8 +974,8 @@ func TestConfig_NewTLSConfiguration(t *testing.T) { conf := &config.TLSConfig{ TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, KeyLoader: &config.KeyLoader{}, } @@ -1024,8 +1026,8 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) { }, new: &config.TLSConfig{ CAFile: cacert, - CertFile: foocert, - KeyFile: fookey, + CertFile: fooclientcert, + KeyFile: fooclientkey, }, shouldReload: true, errorStr: "Different TLS Configuration should reload", 
diff --git a/helper/tlsutil/testdata/README.md b/helper/tlsutil/testdata/README.md index e9814d311..52ecb0566 100644 --- a/helper/tlsutil/testdata/README.md +++ b/helper/tlsutil/testdata/README.md 
@@ -1,39 +1,67 @@ # Nomad Test Certificate -Using [cfssl 1.6.0](https://github.com/cloudflare/cfssl) +Nomad has a built in command to generate certificates for setting up tls encryption. +This will generate valid certificates with default settings if run without any configuration. +The command `nomad tls` is used to generate the test certificates in this directory. -| File | Description | -|---------------------|---------------------------| -| `ca.pem` | CA certificate | -| `ca-key.pem` | CA Key | -| `nomad-foo.pem` | Nomad cert for foo region | -| `nomad-foo-key.pem` | Nomad key for foo region | -| `ca-bad.pem` | CA cert for bad region | -| `ca-key-bad.pem` | CA key for bad region | -| `nomad-bad.pem` | Nomad cert for bad region | -| `nomad-bad-key.pem` | Nomad key for bad region | -| `global-*.pem` | For global region | +| File | Description | +|----------------------------------|---------------------------| +| `nomad-agent-ca.pem` | CA certificate | +| `nomad-agent-ca-key.pem` | CA Key | +| `regionFoo-client-nomad.pem` | Nomad cert for foo region | +| `regionFoo-client-nomad-key.pem` | Nomad key for foo region | +| `bad-agent-ca.pem` | CA cert for bad region | +| `bad-agent-ca-key.pem` | CA key for bad region | +| `badRegion-client-bad.pem` | Nomad cert for bad region | +| `badRegion-client-bad-key.pem` | Nomad key for bad region | +| `global-*.pem` | For global region | +| `whitespace-agent-ca.pem` | For whitespace test | + +## Generating self-signed certs with nomad tls -## Generating self-signed certs ```sh -# Write defaults and update. -# NOTE: this doesn't need to be run if regenerating old certificates and -# shouldn't as it overrides non-default values. -cfssl print-defaults csr > ca-csr.json -cfssl print-defaults csr > ca-bad-csr.json -cfssl print-defaults config > ca-config.json -# Generate CA certificates and keys. -# -# 1. Generates ca.csr, ca.pem, and ca-key.pem. -# 2. Generates ca-bad.csr, ca-bad.pem, and ca-bad-key.pem. 
-cfssl gencert -loglevel=5 -config ca-config.json -initca ca-csr.json | cfssljson -bare ca - -cfssl gencert -loglevel=5 -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad - +# Generate CA certificate and key. +nomad tls ca create -# Generate certificates and keys. -# -# 1. Generates nomad-foo.csr, nomad-foo.pem, and nomad-foo-key.pem. -# 1. Generates nomad-bad.csr, nomad-bad.pem, and nomad-bad-key.pem. -cfssl gencert -loglevel=5 -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo -cfssl gencert -loglevel=5 -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad +# Generate certificates and keys with default values. +# 1. Generate server certificate with default values +# 2. Generate client certificate with default values +nomad tls cert create -server +nomad tls cert create -client + +# Generate certificates and keys for region regionFoo. +# 1. Generate server certificate for region regionFoo +# 2. Generate client certificate for region regionFoo +nomad tls cert create -server -region regionFoo +nomad tls cert create -client -region regionFoo ``` + + +## Generating additional self-signed certs for testing tls misconfiguration + +These certificates are used to test incorrect tls configuration. +They are valid certificates but issued from a different CA + +```sh + +# Generate CA certificate and key. +nomad tls ca create -name-constraint=true -domain bad + +# Generate certificates and keys for region badRegion. +# 1. Generate server certificate for region badRegion +# 2. Generate client certificate for region badRegion +nomad tls cert create -server -region badRegion -domain=bad +nomad tls cert create -client -region badRegion -domain=bad +``` + +## Generate CA for whitespace test + +You will need to edit the pem file to add some whitespace after the +-----END CERTIFICATE----- line + +```sh + +# Generate CA certificate and key. 
+nomad tls ca create -name-constraint=true -domain whitespace +``` \ No newline at end of file diff --git a/helper/tlsutil/testdata/bad-agent-ca-key.pem b/helper/tlsutil/testdata/bad-agent-ca-key.pem new file mode 100644 index 000000000..9b9f69c15 --- /dev/null +++ b/helper/tlsutil/testdata/bad-agent-ca-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOtIspf5RTZcXnYsKINVSqrO1aJQBy0Ustei5x3pdrxAoAoGCCqGSM49 +AwEHoUQDQgAE4KKQKga9sXh3c+vK8YSkqKx9zAWJfSDsxzX/xzie4FhYcF5IbeVh +EjDZHXhU8AtGhzPIHkPc4PtP4iNdlwkuAw== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/bad-agent-ca.pem b/helper/tlsutil/testdata/bad-agent-ca.pem new file mode 100644 index 000000000..dde66ec3c --- /dev/null +++ b/helper/tlsutil/testdata/bad-agent-ca.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGjCCAsCgAwIBAgIQd7vqgOhuwTDMFXo80ZEyxDAKBggqhkjOPQQDAjCBuDEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv +MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV +BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx +NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjMwNTIw +MDU0NTMyWhcNMjgwNTE4MDU0NTMyWjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT +AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k +IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu +MT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAxNTkxNTM4NDczMDc5Mzc0NzQzOTQz +OTMwMjc3MTAxODQxNDE1MDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgopAq +Br2xeHdz68rxhKSorH3MBYl9IOzHNf/HOJ7gWFhwXkht5WESMNkdeFTwC0aHM8ge +Q9zg+0/iI12XCS4Do4GpMIGmMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD +AQH/MCkGA1UdDgQiBCAIUJQLq88JPZcO+4YnsIUi5EinrxH6ffLRUHz+cF972jAr +BgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5EinrxH6ffLRUHz+cF972jArBgNV +HR4BAf8EITAfoB0wBYIDYmFkMAuCCWxvY2FsaG9zdDAHggVub21hZDAKBggqhkjO +PQQDAgNIADBFAiEArvFAMvwtByJVNZD6ojiUYI8PFGbmzTzkkNNvhsHSOv8CIBKj +MACtGi02f3JS0oz+Ef2TqjiuOClGBhr/x6qG4cxy +-----END CERTIFICATE----- 
diff --git a/helper/tlsutil/testdata/badRegion-client-bad-key.pem b/helper/tlsutil/testdata/badRegion-client-bad-key.pem new file mode 100644 index 000000000..2e8507825 --- /dev/null +++ b/helper/tlsutil/testdata/badRegion-client-bad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOXshxnqSDtF5SDD4PWNbhzEhgX89tC1e4vs/YFRdZV2oAoGCCqGSM49 +AwEHoUQDQgAE1FmtPIHfG9n5nvJHdkpMwCon8D3c/4Ekg+QnFvleUXB8PoXlYND6 +gX/+n7cJ2p5dZ/NcXPAASHKCQFdAIl+jEg== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/badRegion-client-bad.pem b/helper/tlsutil/testdata/badRegion-client-bad.pem new file mode 100644 index 000000000..3b6baa047 --- /dev/null +++ b/helper/tlsutil/testdata/badRegion-client-bad.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAnWgAwIBAgIRAPIeOK1i31bByJjW0J471YIwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTIzMDUy +MDA1NDYwNloXDTI0MDUxOTA1NDYwNlowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl +Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUWa08gd8b2fme8kd2 +SkzAKifwPdz/gSSD5CcW+V5RcHw+heVg0PqBf/6ftwnanl1n81xc8ABIcoJAV0Ai +X6MSo4H3MIH0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgIS+aVN7DyWMFuExUlPtR +XqSuFVzBjLJSIBAYeoLekOAwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI +p68R+n3y0VB8/nBfe9owXQYDVR0RBFYwVIIUY2xpZW50LmJhZFJlZ2lvbi5iYWSC +FmNsaWVudC5iYWRSZWdpb24ubm9tYWSCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv +Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiA/RK692gWJA3D5GeD6k3a2 ++ijWvHxyRWzYCREuN7NasQIhAKR4XOASgzcY4u17ny8v8cxeZMA4aD+UwZnjE3s/ +VaNU +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/badRegion-server-bad-key.pem b/helper/tlsutil/testdata/badRegion-server-bad-key.pem new file mode 100644 index 000000000..78d92b7bf --- /dev/null 
+++ b/helper/tlsutil/testdata/badRegion-server-bad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIN1hpOPcd0fHzA+MUq3ImrK/6zwsvxl/gpSL11nFB6UooAoGCCqGSM49 +AwEHoUQDQgAE3t6MXDmu0U5jdrTHX6K0wVLantQkytnUipeVWJh+vstUyPQrbREB +aj2mmx6Ckh+8L4qy7b6CFkjK7koP23pe9g== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/badRegion-server-bad.pem b/helper/tlsutil/testdata/badRegion-server-bad.pem new file mode 100644 index 000000000..63b5a6739 --- /dev/null +++ b/helper/tlsutil/testdata/badRegion-server-bad.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAnSgAwIBAgIQJb2AONazlSeNtRZNdghuWDAKBggqhkjOPQQDAjCBuDEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv +MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV +BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx +NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjMwNTIw +MDU0NTUzWhcNMjQwNTE5MDU0NTUzWjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn +aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7ejFw5rtFOY3a0x1+i +tMFS2p7UJMrZ1IqXlViYfr7LVMj0K20RAWo9ppsegpIfvC+Ksu2+ghZIyu5KD9t6 +XvajgfcwgfQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB663RX5DMarQTUbtWE2RS7 +ll/r8OuJkGw3kQSmm7PFpTArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein +rxH6ffLRUHz+cF972jBdBgNVHREEVjBUghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIW +c2VydmVyLmJhZFJlZ2lvbi5ub21hZIITc2VydmVyLmdsb2JhbC5ub21hZIIJbG9j +YWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIQDqHUtOtFW/GSCKG8ZGrPGD +Z0TqbqgP8PQglqKMJ3ldtgIgJ1LFcDiv1slRcvCRB4OSZZRtMmgrK1+n7s1b/0JN +01s= +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/ca-bad-csr.json b/helper/tlsutil/testdata/ca-bad-csr.json deleted file mode 100644 index 83de7c50e..000000000 --- a/helper/tlsutil/testdata/ca-bad-csr.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "CN": "bad.nomad.hashicorp", - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "US", - "L": "San Francisco", - "O": "HashiCorp", - "OU": "Nomad", - "ST": "California" - } - ] -} diff --git a/helper/tlsutil/testdata/ca-bad-key.pem b/helper/tlsutil/testdata/ca-bad-key.pem deleted file mode 100644 index 37ae26449..000000000 --- a/helper/tlsutil/testdata/ca-bad-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIM9NSxYeRvnFLx/z6iLN3eJw+hgW2GOf4YDxOWwNxFuKoAoGCCqGSM49 -AwEHoUQDQgAEjGPxvMgyhwrYxM6Y7MWdgELE33ut7aXbGO8p+IFlfQUy3q/0OK3p -Fjmpqh1XApvOXo7Z3YjdpO3M2aMOSi6BRg== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/ca-bad.csr b/helper/tlsutil/testdata/ca-bad.csr deleted file mode 100644 index d2dcc3ab1..000000000 --- a/helper/tlsutil/testdata/ca-bad.csr +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBNzCB3gIBADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW -MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD -VQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMGByqG -SM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjvKfiB -ZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUagADAKBggqhkjOPQQD -AgNIADBFAiEA4IyK8liUiVVaCSmP3BqJpkEPCEiJ3bph7mN2Urrlb7ICIBu1q1Xa -kJunzBkREZcmpwVp2IUlTFaQvvy7eeRL4obB ------END CERTIFICATE REQUEST----- diff --git a/helper/tlsutil/testdata/ca-bad.pem b/helper/tlsutil/testdata/ca-bad.pem deleted file mode 100644 index f15d0bd87..000000000 --- a/helper/tlsutil/testdata/ca-bad.pem +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICOzCCAeKgAwIBAgIUeXTO3L4oiO38Y33Opu8YrQj9HlYwCgYIKoZIzj0EAwIw -fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx -HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwHhcNMjEwODEzMDg1MjAwWhcN -MjYwODEyMDg1MjAwWjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p -YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4w -DAYDVQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjv -KfiBZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUajQjBAMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRybjwTW9incERj -Y/Bw7E9iVcdhPDAKBggqhkjOPQQDAgNHADBEAiAkv5FG1AF8VVeytFSsqelinpB2 -ETojhNxgm95bFKIqpAIgfhFdNVes9XJflthIJo9mSWsH2ht0CXwcwMuGxNLgy1E= ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/ca-config.json b/helper/tlsutil/testdata/ca-config.json deleted file mode 100644 index 798788396..000000000 --- a/helper/tlsutil/testdata/ca-config.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "signing": { - "default": { - "expiry": "876000h", - "usages": [ - "signing", - "key encipherment", - "server auth", - "client auth" - ] - } - } -} - diff --git a/helper/tlsutil/testdata/ca-csr.json b/helper/tlsutil/testdata/ca-csr.json deleted file mode 100644 index bb2770c27..000000000 --- a/helper/tlsutil/testdata/ca-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "nomad.hashicorp", - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "US", - "L": "San Francisco", - "O": "HashiCorp", - "OU": "Nomad", - "ST": "California" - } - ] -} diff --git a/helper/tlsutil/testdata/ca-key.pem b/helper/tlsutil/testdata/ca-key.pem deleted file mode 100644 index 871bea7a6..000000000 --- a/helper/tlsutil/testdata/ca-key.pem +++ /dev/null 
@@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIM3rBHk5t/VtMgspx2/amPd2/LcaLdXr3FjRac3OrFCaoAoGCCqGSM49 -AwEHoUQDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5X8auQEnV -rnCeVomK8sY3B2XAVitL6KIpcNuIkYD7ug== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/ca-whitespace.pem b/helper/tlsutil/testdata/ca-whitespace.pem deleted file mode 100644 index a8a7a1891..000000000 --- a/helper/tlsutil/testdata/ca-whitespace.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICNTCCAZagAwIBAgIRANjgoh5iVZI26+Hz/K65G0UwCgYIKoZIzj0EAwQwNjEb -MBkGA1UEChMSSGFzaGlDb3JwIFRyYWluaW5nMRcwFQYDVQQDEw5zZXJ2aWNlLmNv -bnN1bDAeFw0xODA4MjMxNzM0NTBaFw0xODA5MjIxNzM0NTBaMDYxGzAZBgNVBAoT -Ekhhc2hpQ29ycCBUcmFpbmluZzEXMBUGA1UEAxMOc2VydmljZS5jb25zdWwwgZsw -EAYHKoZIzj0CAQYFK4EEACMDgYYABAGjC4sWsOfirS/DQ9/e7PdQeJwlOjziiOx/ -CALjS6ryEDkZPqRqMuoFXfudAmfdk6tl8AT1IKMVcgiQU5jkm7fliwFIk48uh+n2 -obqZjwDyM76VYBVSYi6i3BPXown1ivIMJNQS1txnWZLZHsv+WxbHydS+GNOAwKDK -KsXj9dEhd36pvaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w -HQYDVR0OBBYEFIk3oG2hu0FxueW4e7fL+FdMOquBMAoGCCqGSM49BAMEA4GMADCB -iAJCAPIPwPyk+8Ymj7Zlvb5qIUQg+UxoacAeJtFZrJ8xQjro0YjsM33O86rAfw+x -sWWGul4Ews93KFBXvhbKCwb0F0PhAkIAh2z7COsKcQzvBoIy+Kx92+9j/sUjlzzl -TttDu+g2VdbcBwVDZ49X2Md6OY2N3G8Irdlj+n+mCQJaHwVt52DRzz0= ------END CERTIFICATE----- - diff --git a/helper/tlsutil/testdata/ca.csr b/helper/tlsutil/testdata/ca.csr deleted file mode 100644 index 6e8d63550..000000000 --- a/helper/tlsutil/testdata/ca.csr +++ /dev/null 
@@ -1,9 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBNDCB2gIBADB4MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW -MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD -VQQLEwVOb21hZDEYMBYGA1UEAxMPbm9tYWQuaGFzaGljb3JwMFkwEwYHKoZIzj0C -AQYIKoZIzj0DAQcDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5 -X8auQEnVrnCeVomK8sY3B2XAVitL6KIpcNuIkYD7uqAAMAoGCCqGSM49BAMCA0kA -MEYCIQCmPOKtb8kE6Qof97bu1R3qdi1Q6K5MsxMm4weGGNaKswIhAIibKtTD7xsa -/4vLSZJPdCZTmpllsMHS7dQxnkTzFh/9 ------END CERTIFICATE REQUEST----- diff --git a/helper/tlsutil/testdata/ca.pem b/helper/tlsutil/testdata/ca.pem deleted file mode 100644 index 54b5a9e45..000000000 --- a/helper/tlsutil/testdata/ca.pem +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICNDCCAdqgAwIBAgIUMOrtAaeiKw9TR7Rq6KI+V2liZZIwCgYIKoZIzj0EAwIw -eDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx -GDAWBgNVBAMTD25vbWFkLmhhc2hpY29ycDAeFw0yMTA4MTMwODQ2MDBaFw0yNjA4 -MTIwODQ2MDBaMHgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw -FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAxDjAMBgNV -BAsTBU5vbWFkMRgwFgYDVQQDEw9ub21hZC5oYXNoaWNvcnAwWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAAQEIik42wWpAx/U/gl/lfbebD3BAEisV+v3TR9NFeB7ZHlf -xq5ASdWucJ5WiYryxjcHZcBWK0vooilw24iRgPu6o0IwQDAOBgNVHQ8BAf8EBAMC -AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUomQ0rTTqNWz95h/jDTSNyJCP -YwQwCgYIKoZIzj0EAwIDSAAwRQIhAK6StWS84EMx8G73jr66l9L8GQVer2UcpPgy -7wlFD5kQAiA0kjySsH3FzLnqrrUS7f4BrzBv+TDBvVbLFlc41bpTQQ== ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-ca.pem b/helper/tlsutil/testdata/global-ca.pem deleted file mode 100644 index 62a5f545d..000000000 --- a/helper/tlsutil/testdata/global-ca.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICATCCAaigAwIBAgIUdyw+oCYCUUrIQ68hGVJVRRCxnjMwCgYIKoZIzj0EAwIw -XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp -c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk -MB4XDTE4MDkwNTIzNTQwMFoXDTIzMDkwNDIzNTQwMFowXzELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO -b21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFkMFkwEwYHKoZIzj0CAQYI -KoZIzj0DAQcDQgAE6kWmOEIfGJZSh2VHYHuCli+W+dXJOoPN7F01k+bqLcxxuYaS -6ZOT3+J1t7s3zCoF61/m4ITLm/i1GFGcnfzQg6NCMEAwDgYDVR0PAQH/BAQDAgEG -MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCEqBD2o3StC6qePPy6WaDknOPh2 -MAoGCCqGSM49BAMCA0cAMEQCIFab4iZ4Of3lBztV8PMzorBCBiUDDaqVswACVMhI -xqltAiA/O7LcVvvVYmtcF27NSQLPhh1ibtRjKnTZviBGzwkV3w== ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-client-key.pem b/helper/tlsutil/testdata/global-client-key.pem deleted file mode 100644 index 90c46b8b9..000000000 --- a/helper/tlsutil/testdata/global-client-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICWrWIE3q8UlYau6xKhLz43CO9wg36fxG4Qcy+kBItdeoAoGCCqGSM49 -AwEHoUQDQgAEvei5KnuNBvuhGrELae9FL61aJeVvXw0iP0j1XpNvOaYhfMMvq9fY -1q4fVN92D1HQN6FsfLNl/YCvdF+sT4qxnQ== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/global-client-nomad-key.pem b/helper/tlsutil/testdata/global-client-nomad-key.pem new file mode 100644 index 000000000..69b7e3449 --- /dev/null +++ b/helper/tlsutil/testdata/global-client-nomad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMNiNYgDT0xord/mxPdyNNb5MoQ4L8qXMKysxevqDoePoAoGCCqGSM49 +AwEHoUQDQgAEozWvKqFPwy8h/q4HX16eQvLY2WzcSrvX6gZlMTl0P3L/HOrk33jk +eqC+GaSpChuhWZYLRbwacqhifsCDyq+XqQ== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/global-client-nomad.pem b/helper/tlsutil/testdata/global-client-nomad.pem new file mode 100644 index 000000000..f6454a398 --- /dev/null +++ b/helper/tlsutil/testdata/global-client-nomad.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICnzCCAkagAwIBAgIRANXm75GYbZfpnSAEkdvr+GEwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw +MjE3NTMzOFoXDTI0MDUwMTE3NTMzOFowHjEcMBoGA1UEAxMTY2xpZW50Lmdsb2Jh +bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKM1ryqhT8MvIf6uB19e +nkLy2Nls3Eq71+oGZTE5dD9y/xzq5N945HqgvhmkqQoboVmWC0W8GnKoYn7Ag8qv +l6mjgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAsSQfoSE6Za82gpdlV2awz +Ezkx5X59vYVvj57vTaqFWjArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA +x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNjbGllbnQuZ2xvYmFsLm5vbWFkggls +b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgaPwQrg4A2eOFUG6Avfuz +EoWdGHSPk3K50jCemtWb/NsCIAQ+NIiGiQFqnhdXGxwhzAFwCNFaRDIizsSm4sr0 +NgQn +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-client.pem b/helper/tlsutil/testdata/global-client.pem deleted file mode 100644 index 016504993..000000000 --- a/helper/tlsutil/testdata/global-client.pem +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICSTCCAe+gAwIBAgIUZ+VBej1K6fCm2QSvnyRCIBw1e1cwCgYIKoZIzj0EAwIw -XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp -c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk -MB4XDTE4MDkwNTIzNTQwMFoXDTI4MDkwMjIzNTQwMFowRzELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO -b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvei5KnuNBvuhGrEL -ae9FL61aJeVvXw0iP0j1XpNvOaYhfMMvq9fY1q4fVN92D1HQN6FsfLNl/YCvdF+s -T4qxnaOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG -CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBnFzsZ4hOacg/zVkrVT -ChnNTWKTMB8GA1UdIwQYMBaAFCEqBD2o3StC6qePPy6WaDknOPh2MB4GA1UdEQQX -MBWCE2NsaWVudC5nbG9iYWwubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIhAMjzKDvs -QPw2OX2GXVUABt7czuaP6ZvJhHXkedRkSoNYAiAuYaS0VxaCdSxSXX96FR03Lcaa -FbRG9S396qK/HSlhcA== ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-server-key.pem b/helper/tlsutil/testdata/global-server-key.pem deleted file mode 100644 index f60ed4241..000000000 --- a/helper/tlsutil/testdata/global-server-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEINcyDkLfcVur3bsEvdesW2oUbRMFAyVWyvxAYsNVeSNgoAoGCCqGSM49 -AwEHoUQDQgAENcwnm0Z/yFL/hb0xUXu4E7fKebTnt/AWQPyeJtDBGa9NAqw8yCOH -XP8GGSomLgGAvrUj/ZOMgenFNSsUhEJKSA== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/global-server-nomad-key.pem b/helper/tlsutil/testdata/global-server-nomad-key.pem new file mode 100644 index 000000000..2bbf90557 --- /dev/null +++ b/helper/tlsutil/testdata/global-server-nomad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKkGG3r4oVoWObbU6m1kMf/vwengkstOdNf9LIkcwlI8oAoGCCqGSM49 +AwEHoUQDQgAExUEFNlC2277Vl+4gLCLAERa0DPDihUic8FoeWiaSJA7HzBjJE3ue +8+RbfEs3nHJ61uTNEOzsdh0arFMZqz215g== +-----END EC PRIVATE KEY----- 
diff --git a/helper/tlsutil/testdata/global-server-nomad.pem b/helper/tlsutil/testdata/global-server-nomad.pem new file mode 100644 index 000000000..e40340e7a --- /dev/null +++ b/helper/tlsutil/testdata/global-server-nomad.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICoTCCAkagAwIBAgIRAOgA+9t9J70U/cv8Wx0kGyMwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw +MjE3NTM0M1oXDTI0MDUwMTE3NTM0M1owHjEcMBoGA1UEAxMTc2VydmVyLmdsb2Jh +bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMVBBTZQttu+1ZfuICwi +wBEWtAzw4oVInPBaHlomkiQOx8wYyRN7nvPkW3xLN5xyetbkzRDs7HYdGqxTGas9 +teajgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBthynn3utQfFpsGsUVNd83 +Q075xOyeLlJd7vNJKUckcTArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA +x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkggls +b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAKUl2wTU4GlXH7iBjFax +hVBW16jTDAtkVLmWTUMsh5ZiAiEA9NYSCyTTFLx2C5a5D2OavzkzcIlxQfxyjAbo +PZ8/00U= +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-server.pem b/helper/tlsutil/testdata/global-server.pem deleted file mode 100644 index 08ffe5fd7..000000000 --- a/helper/tlsutil/testdata/global-server.pem +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICSjCCAe+gAwIBAgIUN/zxE9m1ROiJGALka29tm1ThVDUwCgYIKoZIzj0EAwIw -XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp -c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk -MB4XDTE4MDkwNTIzNTQwMFoXDTI4MDkwMjIzNTQwMFowRzELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO -b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENcwnm0Z/yFL/hb0x -UXu4E7fKebTnt/AWQPyeJtDBGa9NAqw8yCOHXP8GGSomLgGAvrUj/ZOMgenFNSsU -hEJKSKOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG -CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHAAhBdKRVqlgjVWEa5V -vyrSwl13MB8GA1UdIwQYMBaAFCEqBD2o3StC6qePPy6WaDknOPh2MB4GA1UdEQQX -MBWCE3NlcnZlci5nbG9iYWwubm9tYWQwCgYIKoZIzj0EAwIDSQAwRgIhAOsmkXXS -mIVm+zEki3IapO+yD9Te6YA6jmmCszEiWYPbAiEA5irkdcc/27jL3i+Woc38kCxa -Den1x+p62mD/LV+76oI= ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/nomad-agent-ca-key.pem b/helper/tlsutil/testdata/nomad-agent-ca-key.pem new file mode 100644 index 000000000..fac27c4ac --- /dev/null +++ b/helper/tlsutil/testdata/nomad-agent-ca-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIJzq2OYwVRT7HC3g4Lab3c//8w/hO+/4+KbodUMa+3DNoAoGCCqGSM49 +AwEHoUQDQgAE9qb3BfDs0ZooB/J1KIKqwgh8xFmB1moyFNqU8Q5ZwVm0dwsBcf7U +Ayn32XCBJ9jFTuIZmZy5n33efM22C9JApA== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/nomad-agent-ca.pem b/helper/tlsutil/testdata/nomad-agent-ca.pem new file mode 100644 index 000000000..c9fc3b1da --- /dev/null +++ b/helper/tlsutil/testdata/nomad-agent-ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCApKgAwIBAgIRAMUnaddCxpcrFtOZu4J6gFAwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw +MjE3NTMwNFoXDTI4MDQzMDE3NTMwNFowgbgxCzAJBgNVBAYTAlVTMQswCQYDVQQI +EwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEaMBgGA1UECRMRMTAxIFNlY29u +ZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcwFQYDVQQKEw5IYXNoaUNvcnAgSW5j +LjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0EgMjYyMDYyNTYxNDU0ODQwNzAxMDY0 +NDc1OTg0MjIzMzE0NTQyNjcyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9qb3 +BfDs0ZooB/J1KIKqwgh8xFmB1moyFNqU8Q5ZwVm0dwsBcf7UAyn32XCBJ9jFTuIZ +mZy5n33efM22C9JApKN7MHkwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB +Af8wKQYDVR0OBCIEIDVSNgVCiLhcb7DNl8fNlceCmoDHeNrYzpWdMHHtwcQcMCsG +A1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDHeNrYzpWdMHHtwcQcMAoGCCqG +SM49BAMCA0cAMEQCIFfKD/8Ek2yfvciuOEr0DB7OiHuRCFiC38B1I6W4AErwAiAa +6Jexd1AfuvJA2kBcHn4GrB0u3nOvVKighqgCJ4RqJg== +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/nomad-bad-csr.json b/helper/tlsutil/testdata/nomad-bad-csr.json deleted file mode 100644 index 869a65cf3..000000000 --- a/helper/tlsutil/testdata/nomad-bad-csr.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "CN": "regionBad.nomad", - "hosts": [ - "server.regionBad.nomad", - "client.regionBad.nomad" - ], - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "US", - "L": "San Francisco", - "O": "HashiCorp", - "OU": "Nomad", - "ST": "California" - } - ] -} diff --git a/helper/tlsutil/testdata/nomad-bad-key.pem b/helper/tlsutil/testdata/nomad-bad-key.pem deleted file mode 100644 index ede5f1a4f..000000000 --- a/helper/tlsutil/testdata/nomad-bad-key.pem +++ /dev/null 
@@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIIdLbfRt+KZFZrn6BsaCmi/8n3+gzqDgU2KYEc3bs/YLoAoGCCqGSM49 -AwEHoUQDQgAE5EO2FyHkS9sgGpNwnXg22Lnolp1WwyChw+ONMGyG3i9GKQp7m39D -1TaarEHl1d1Xt/SH+nFObPuIk3rHZcZ3JA== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/nomad-bad.csr b/helper/tlsutil/testdata/nomad-bad.csr deleted file mode 100644 index 8685599cc..000000000 --- a/helper/tlsutil/testdata/nomad-bad.csr +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBgDCCASYCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx -FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG -A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkJhZC5ub21hZDBZMBMGByqGSM49 -AgEGCCqGSM49AwEHA0IABORDthch5EvbIBqTcJ14Nti56JadVsMgocPjjTBsht4v -RikKe5t/Q9U2mqxB5dXdV7f0h/pxTmz7iJN6x2XGdySgTDBKBgkqhkiG9w0BCQ4x -PTA7MDkGA1UdEQQyMDCCFnNlcnZlci5yZWdpb25CYWQubm9tYWSCFmNsaWVudC5y -ZWdpb25CYWQubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIhAKnj9VZmqXp8kZ7akGpz -yP04Gyz5b6JnSDalkaaUekdBAiAAqqna5G8NLoQDQ5Kj8uLm5FyTuhE7eDHN1Xiz -PBWAaQ== ------END CERTIFICATE REQUEST----- diff --git a/helper/tlsutil/testdata/nomad-bad.pem b/helper/tlsutil/testdata/nomad-bad.pem deleted file mode 100644 index 8fec5fe1c..000000000 --- a/helper/tlsutil/testdata/nomad-bad.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICtTCCAlqgAwIBAgIUBXPfd1hp+fQszuZVdTyZZh0KoAUwCgYIKoZIzj0EAwIw -fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx -HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwIBcNMjEwODEzMDg1ODAwWhgP -MjEyMTA3MjAwODU4MDBaMHgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y -bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAx -DjAMBgNVBAsTBU5vbWFkMRgwFgYDVQQDEw9yZWdpb25CYWQubm9tYWQwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAATkQ7YXIeRL2yAak3CdeDbYueiWnVbDIKHD440w -bIbeL0YpCnubf0PVNpqsQeXV3Ve39If6cU5s+4iTesdlxncko4G7MIG4MA4GA1Ud -DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T -AQH/BAIwADAdBgNVHQ4EFgQU16VwMPbF5dy1XF9mSokSVhH7DTEwHwYDVR0jBBgw -FoAUcm48E1vYp3BEY2PwcOxPYlXHYTwwOQYDVR0RBDIwMIIWc2VydmVyLnJlZ2lv -bkJhZC5ub21hZIIWY2xpZW50LnJlZ2lvbkJhZC5ub21hZDAKBggqhkjOPQQDAgNJ -ADBGAiEA6d+gBYWuAiOUU/wWXAoiSBgeNM0JXA82idFaVRVm7TYCIQDrX6O783ZM -FG0XIRoriOWNq9ysmP8D73KrMHkJtTRSTg== ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/nomad-foo-client-key.pem b/helper/tlsutil/testdata/nomad-foo-client-key.pem deleted file mode 100644 index 56ad2d3b3..000000000 --- a/helper/tlsutil/testdata/nomad-foo-client-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIBxaGxJxJXnAXVmb8E3ALsWqva9F01R0cr/1Ap75YyeAoAoGCCqGSM49 -AwEHoUQDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8qR01AEVGjYrAjk/ns -qaq7P9y/w4k9TvhWaq9/L6id468a0/VWCw== ------END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/nomad-foo-client.pem b/helper/tlsutil/testdata/nomad-foo-client.pem deleted file mode 100644 index 27c3c94e8..000000000 --- a/helper/tlsutil/testdata/nomad-foo-client.pem +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICWTCCAgCgAwIBAgIQOW7/CDB2IhlMyfh16erD/jAKBggqhkjOPQQDAjB4MQsw -CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy -YW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYDVQQLEwVOb21hZDEYMBYG -A1UEAxMPbm9tYWQuaGFzaGljb3JwMCAXDTIyMTEyOTE5MjY0MloYDzIxMjIxMTA1 -MTkyNjQyWjAhMR8wHQYDVQQDExZjbGllbnQucmVnaW9uRm9vLm5vbWFkMFkwEwYH -KoZIzj0CAQYIKoZIzj0DAQcDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8q -R01AEVGjYrAjk/nsqaq7P9y/w4k9TvhWaq9/L6id468a0/VWC6OBwDCBvTAOBgNV -HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1Ud -EwEB/wQCMAAwKQYDVR0OBCIEII1J2DmAAcPAaNLFlxFpdBzjhRFRd9E9fedoz9I8 -vHPPMB8GA1UdIwQYMBaAFKJkNK006jVs/eYf4w00jciQj2MEMDIGA1UdEQQrMCmC -FmNsaWVudC5yZWdpb25Gb28ubm9tYWSCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO -PQQDAgNHADBEAiAXzlb98iqyXvtlkThR13ojgjwjP25JBysDKf4vnXjQuwIgFpkB -0B7bPy5VNIAVsw6n5ocvsB7w0rgBPJyS3I2YCi0= ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/nomad-foo-csr.json b/helper/tlsutil/testdata/nomad-foo-csr.json deleted file mode 100644 index 69a173cce..000000000 --- a/helper/tlsutil/testdata/nomad-foo-csr.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "CN": "regionFoo.nomad", - "hosts": [ - "server.regionFoo.nomad", - "client.regionFoo.nomad" - ], - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "US", - "L": "San Francisco", - "O": "HashiCorp", - "OU": "Nomad", - "ST": "California" - } - ] -} diff --git a/helper/tlsutil/testdata/nomad-foo-key.pem b/helper/tlsutil/testdata/nomad-foo-key.pem deleted file mode 100644 index 61eadd341..000000000 --- a/helper/tlsutil/testdata/nomad-foo-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIH2tGBcTtZ43pPNsyLcO44eBOcp8Bevnf2kCcZeLhpzAoAoGCCqGSM49 -AwEHoUQDQgAECXq2d0JCbbmFAMnQ8rBj7nYa47NxiluAi3ybk7sxh8LWpYU3Rsdh -P71yaSkAYkMhNcBDjuacjH4A00bMVA1L6Q== ------END EC PRIVATE KEY----- 
diff --git a/helper/tlsutil/testdata/nomad-foo.csr b/helper/tlsutil/testdata/nomad-foo.csr deleted file mode 100644 index 0855a4a57..000000000 --- a/helper/tlsutil/testdata/nomad-foo.csr +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBgDCCASYCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx -FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG -A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkZvby5ub21hZDBZMBMGByqGSM49 -AgEGCCqGSM49AwEHA0IABAl6tndCQm25hQDJ0PKwY+52GuOzcYpbgIt8m5O7MYfC -1qWFN0bHYT+9cmkpAGJDITXAQ47mnIx+ANNGzFQNS+mgTDBKBgkqhkiG9w0BCQ4x -PTA7MDkGA1UdEQQyMDCCFnNlcnZlci5yZWdpb25Gb28ubm9tYWSCFmNsaWVudC5y -ZWdpb25Gb28ubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIgFeVjmQ2F+uBGlox+mBBb -PlIjygPhplQjHXC3ap8FsAMCIQDa2Y8K1o8uLrKfdptePbx7WguXEslmbDg9szce -wXq+Rg== ------END CERTIFICATE REQUEST----- diff --git a/helper/tlsutil/testdata/nomad-foo.pem b/helper/tlsutil/testdata/nomad-foo.pem deleted file mode 100644 index 8b5911903..000000000 --- a/helper/tlsutil/testdata/nomad-foo.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICsDCCAlagAwIBAgIUE+pHx/F3dQUcTwu3G6be0EV8jAcwCgYIKoZIzj0EAwIw -eDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx -GDAWBgNVBAMTD25vbWFkLmhhc2hpY29ycDAgFw0yMTA4MTMwODU3MDBaGA8yMTIx -MDcyMDA4NTcwMFoweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx -FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG -A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkZvby5ub21hZDBZMBMGByqGSM49 -AgEGCCqGSM49AwEHA0IABAl6tndCQm25hQDJ0PKwY+52GuOzcYpbgIt8m5O7MYfC -1qWFN0bHYT+9cmkpAGJDITXAQ47mnIx+ANNGzFQNS+mjgbswgbgwDgYDVR0PAQH/ -BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E -AjAAMB0GA1UdDgQWBBRX6gUtfRUruhfd6Cu0GX37vPFYzDAfBgNVHSMEGDAWgBSi -ZDStNOo1bP3mH+MNNI3IkI9jBDA5BgNVHREEMjAwghZzZXJ2ZXIucmVnaW9uRm9v -Lm5vbWFkghZjbGllbnQucmVnaW9uRm9vLm5vbWFkMAoGCCqGSM49BAMCA0gAMEUC -IQDKQZj6D4M0T2dgzUYAv57gsGVmr/dvPr1uJ8q0fom8NwIgKN1WmRmkz810/t0D -Fqj+tcXqE3NaagnBPfBs0Eq8Om4= ------END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem b/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem new file mode 100644 index 000000000..37a1da827 --- /dev/null +++ b/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIBFfKnmgGcVDrDeFyU3c0IeYrqJZrQwasXo+2dtcc4TCoAoGCCqGSM49 +AwEHoUQDQgAEziQFRhmwFsRMdIKZNQF0LcIs98u2iuRwGiDO10iKqx1wVY4pbupF +77P8zclVjFfYyDFW5SCT3QtDKwJKGxT4ow== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/regionFoo-client-nomad.pem b/helper/tlsutil/testdata/regionFoo-client-nomad.pem new file mode 100644 index 000000000..1a46f3520 --- /dev/null +++ b/helper/tlsutil/testdata/regionFoo-client-nomad.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuzCCAmGgAwIBAgIRAOAmpejcZSrltFovtOi1nnkwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw +MjE4MDA1OVoXDTI0MDUwMTE4MDA1OVowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv +bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM4kBUYZsBbETHSC +mTUBdC3CLPfLtorkcBogztdIiqsdcFWOKW7qRe+z/M3JVYxX2MgxVuUgk90LQysC +ShsU+KOjgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMC +BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAdSV5IX2uJQ35a6ngC +OzKGr1x2NOqMZRk8VhDMjtyxUDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH +gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZjbGllbnQucmVnaW9uRm9vLm5v +bWFkghNjbGllbnQuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI +zj0EAwIDSAAwRQIhAKxhm9OUsD4DDPYueB7zsW2wyToksvv2MTDcRC2XDDAOAiBs +ZJi59bACZyp7P+bGaowrPF+PTKcuG8Vi/PpiUdnIrg== +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem b/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem new file mode 100644 index 000000000..38cfac7f3 --- /dev/null +++ b/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIEifr5oheNXaez/snF4nzH4YLWZ8v5kV6+0h9yPZiglXoAoGCCqGSM49 +AwEHoUQDQgAESpxIME2rOLbstfWkS6NCqwtPQDwlAI0k42WUxMHuZPaYWq9KyH73 +OAT5Z1a/MT+NQFltFODh8ui9ZjIAYEFt7g== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/regionFoo-server-nomad.pem b/helper/tlsutil/testdata/regionFoo-server-nomad.pem new file mode 100644 index 000000000..c11f9e8a7 --- /dev/null +++ b/helper/tlsutil/testdata/regionFoo-server-nomad.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAmGgAwIBAgIRAM2RSbtHDbvrtarqCX0tZNYwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw +MjE4MjU0N1oXDTI0MDUwMTE4MjU0N1owITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv +bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEqcSDBNqzi27LX1 +pEujQqsLT0A8JQCNJONllMTB7mT2mFqvSsh+9zgE+WdWvzE/jUBZbRTg4fLovWYy +AGBBbe6jgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBByMxUroSyPLJeid7e +8zrsfNAY1BjQ7kLpc/CE9RTFADArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH +gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZzZXJ2ZXIucmVnaW9uRm9vLm5v +bWFkghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI +zj0EAwIDSQAwRgIhANrnyPFKJ4V+93cgM3/A96wxFeBuTWHr4N6p/Xnyo40vAiEA +73GJzSkzew0LophXV+mqoPcjhnNV2dJPTvMouKUhNmQ= +-----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/whitespace-agent-ca-key.pem b/helper/tlsutil/testdata/whitespace-agent-ca-key.pem new file mode 100644 index 000000000..ded178c91 --- /dev/null +++ b/helper/tlsutil/testdata/whitespace-agent-ca-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIO2Eo72jUx4iZid6ppygk2B8pyslwTGLr+NhrPvhplMaoAoGCCqGSM49 +AwEHoUQDQgAE9Iqti3cT5EIWKK1VdlsoKwKv67eRcIWuxzPaEjG1tfKV9kWMnPx2 +1pS2XqL72QdFVjXgajomqXOrfDawtO/kAQ== +-----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/whitespace-agent-ca.pem b/helper/tlsutil/testdata/whitespace-agent-ca.pem new file mode 100644 index 000000000..77120d7ed --- /dev/null +++ b/helper/tlsutil/testdata/whitespace-agent-ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAsegAwIBAgIQaG4+rrdqZeTWIqnbLbBqKTAKBggqhkjOPQQDAjCBuDEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv +MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV +BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx +Mzg4MTIxMzU1Njc5MzAxNjk4MjExODMxMTM4MTI4NDk0ODYzNzcwHhcNMjMwNTIw +MDYwNjE1WhcNMjgwNTE4MDYwNjE1WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT +AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k +IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu +MT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAxMzg4MTIxMzU1Njc5MzAxNjk4MjEx +ODMxMTM4MTI4NDk0ODYzNzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT0iq2L +dxPkQhYorVV2WygrAq/rt5Fwha7HM9oSMbW18pX2RYyc/HbWlLZeovvZB0VWNeBq +Oiapc6t8NrC07+QBo4GwMIGtMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD +AQH/MCkGA1UdDgQiBCAAKucq/HIgPpQtrO7PUat83n1eyoZRzeMG2f/kdqYzljAr +BgNVHSMEJDAigCAAKucq/HIgPpQtrO7PUat83n1eyoZRzeMG2f/kdqYzljAyBgNV +HR4BAf8EKDAmoCQwDIIKd2hpdGVzcGFjZTALgglsb2NhbGhvc3QwB4IFbm9tYWQw +CgYIKoZIzj0EAwIDSAAwRQIhANB+qjXAK6pXL6o2u9v+5I3vnJdKpniIBKYH2s1f +AXTLAiBDzIRmMexCtC6wX0Q1oxnbbmHE09ESl7oDiBECz4G7aQ== +-----END CERTIFICATE----- + + + diff --git a/nomad/acl_test.go b/nomad/acl_test.go index d0124ff57..1dd1f86bf 100644 --- a/nomad/acl_test.go +++ b/nomad/acl_test.go 
@@ -34,13 +34,13 @@ func TestAuthenticate_mTLS(t *testing.T) {
 EnableHTTP: true,
 EnableRPC: true,
 VerifyServerHostname: true,
- CAFile: "../helper/tlsutil/testdata/ca.pem",
- CertFile: "../helper/tlsutil/testdata/nomad-foo.pem",
- KeyFile: "../helper/tlsutil/testdata/nomad-foo-key.pem",
+ CAFile: "../helper/tlsutil/testdata/nomad-agent-ca.pem",
+ CertFile: "../helper/tlsutil/testdata/regionFoo-server-nomad.pem",
+ KeyFile: "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem",
 }
 clientTLSCfg := tlsCfg.Copy()
- clientTLSCfg.CertFile = "../helper/tlsutil/testdata/nomad-foo-client.pem"
- clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/nomad-foo-client-key.pem"
+ clientTLSCfg.CertFile = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"

 setCfg := func(name string, bootstrapExpect int) func(*Config) {
 return func(c *Config) {
@@ -178,7 +178,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
 {
 name: "from peer to leader without token", // ex. Eval.Dequeue
 tlsCfg: tlsCfg,
- expectTLSName: "regionFoo.nomad",
+ expectTLSName: "server.regionFoo.nomad",
 expectAccessor: "anonymous",
 expectIP: follower.GetConfig().RPCAddr.IP.String(),
 sendFromPeer: follower,
@@ -190,7 +190,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
 name: "anonymous forwarded from peer to leader",
 tlsCfg: tlsCfg,
 expectAccessor: "anonymous",
- expectTLSName: "regionFoo.nomad",
+ expectTLSName: "server.regionFoo.nomad",
 expectIP: "127.0.0.1",
 expectIDKey: "token:anonymous",
 },
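Review bot: The fixtures these paths now point at are short-lived: decoding the validity field of regionFoo-server-nomad.pem and regionFoo-client-nomad.pem (added earlier in this patch) gives notBefore 2023-05-02 and notAfter 2024-05-01, whereas the deleted nomad-foo.pem ran to 2121 and global-client.pem to 2028. Every test that loads them, TestAuthenticate_mTLS here included, will start failing with a certificate-expired error after 2024-05-01, and nothing in the test points at the cause. Regenerate the leaf certificates with an explicit long validity (`nomad tls cert create -days=<N>` is documented in the cert-create.mdx hunk of this same patch) and record the exact commands in helper/tlsutil/testdata/README.md so the next rotation is mechanical; the CA in nomad-agent-ca.pem decodes to 2028-04-30 and is the next thing to rotate. The body of TestAuthenticate_mTLS continues outside the hunk.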
@@ -198,16 +198,16 @@ func TestAuthenticate_mTLS(t *testing.T) {
 name: "invalid token",
 tlsCfg: clientTLSCfg,
 testToken: uuid.Generate(),
- expectTLSName: "regionFoo.nomad",
+ expectTLSName: "server.regionFoo.nomad",
 expectIP: follower.GetConfig().RPCAddr.IP.String(),
- expectIDKey: "regionFoo.nomad:127.0.0.1",
+ expectIDKey: "server.regionFoo.nomad:127.0.0.1",
 expectErr: "rpc error: Permission denied",
 },
 {
 name: "from peer to leader with leader ACL", // ex. core job GC
 tlsCfg: tlsCfg,
 testToken: leader.getLeaderAcl(),
- expectTLSName: "regionFoo.nomad",
+ expectTLSName: "server.regionFoo.nomad",
 expectAccessor: "leader",
 expectIP: follower.GetConfig().RPCAddr.IP.String(),
 sendFromPeer: follower,
@@ -224,7 +224,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
 name: "from client missing secret", // ex. Node.Register
 tlsCfg: clientTLSCfg,
 expectAccessor: "anonymous",
- expectTLSName: "regionFoo.nomad",
+ expectTLSName: "server.regionFoo.nomad",
 expectIP: follower.GetConfig().RPCAddr.IP.String(),
 },
 {
diff --git a/nomad/rpc_test.go b/nomad/rpc_test.go
index 5e06ab8cd..0bebfd57f 100644
--- a/nomad/rpc_test.go
+++ b/nomad/rpc_test.go
@@ -223,9 +223,9 @@ func TestRPC_PlaintextRPCSucceedsWhenInUpgradeMode(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
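Review bot: The "invalid token" case presents the client certificate (`tlsCfg: clientTLSCfg`) yet now expects `server.regionFoo.nomad` as both the TLS name and the identity key, which appears to be right only because the request is forwarded through follower (expectIP is the follower's address) and the leader authenticates the forwarding server's certificate rather than the originating client's. Before this change both fixtures carried the same `regionFoo.nomad` name, so the test could not show that the mTLS identity seen after forwarding is the peer's and not the caller's; now that the names are role-qualified the expectation reads like a mistake, so add a comment on the case, e.g. `// forwarded via follower: leader sees the follower's server cert, not the client's`. The "from client missing secret" case in the following @@ -224 hunk has the same shape and deserves the same comment. The test table continues outside both hunks.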
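Review bot: foocert now names a client-role certificate (regionFoo-client-nomad.pem, whose SAN list in the earlier hunk decodes to client.regionFoo.nomad, client.global.nomad, localhost and 127.0.0.1) but is presumably loaded into the server started below the hunk, as the @@ -331 and @@ -441 hunks do with regionFoo-server-nomad.pem for the same role. A server presenting only client.* names can pass only when the test does not verify the server hostname; with VerifyServerHostname set the peer would look for `server.regionFoo.nomad` (the name the acl_test hunks expect) and the handshake would fail, so these tests cannot catch a regression in exactly the SAN handling this commit fixes. Use regionFoo-server-nomad.pem and its key for the server constants here and in the TestRPC_PlaintextRPCFailsWhenNotInUpgradeMode, TestRPC_TLS_in_TLS and TestRPC_Limits_OK hunks, and in the TestServer_Reload_TLSConnections_* hunks of server_test.go, keeping the client fixture for client-side configs only. The TestServer configuration that consumes foocert is outside the hunk.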
@@ -265,9 +265,9 @@ func TestRPC_PlaintextRPCFailsWhenNotInUpgradeMode(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -331,9 +331,9 @@ func TestRPC_streamingRpcConn_badMethod_TLS(t *testing.T) {
 require := require.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
 )
 dir := t.TempDir()
 s1, cleanupS1 := TestServer(t, func(c *Config) {
@@ -441,9 +441,9 @@ func TestRPC_streamingRpcConn_goodMethod_TLS(t *testing.T) {
 require := require.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
 )
 dir := t.TempDir()
 s1, cleanupS1 := TestServer(t, func(c *Config) {
@@ -579,9 +579,9 @@ func TestRPC_TLS_in_TLS(t *testing.T) {
 ci.Parallel(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 s, cleanup := TestServer(t, func(c *Config) {
@@ -639,9 +639,9 @@ func TestRPC_Limits_OK(t *testing.T) {
 ci.Parallel(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 maxConns = 10 // limit must be < this for testing
 )

diff --git a/nomad/server_test.go b/nomad/server_test.go
index 67a9d2b53..258a5a81d 100644
--- a/nomad/server_test.go
+++ b/nomad/server_test.go
@@ -40,9 +40,9 @@ func TestServer_RPC_TLS(t *testing.T) {
 ci.Parallel(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -105,9 +105,9 @@ func TestServer_RPC_MixedTLS(t *testing.T) {
 ci.Parallel(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -244,9 +244,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -292,9 +292,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_RPC(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -338,9 +338,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_OnlyRPC(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -391,9 +391,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS_OnlyRPC(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../helper/tlsutil/testdata/ca.pem"
- foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )

 dir := t.TempDir()
@@ -446,9 +446,9 @@ func TestServer_Reload_TLSConnections_Raft(t *testing.T) {
 assert := assert.New(t)

 const (
- cafile = "../../helper/tlsutil/testdata/ca.pem"
- foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 barcert = "../dev/tls_cluster/certs/nomad.pem"
 barkey = "../dev/tls_cluster/certs/nomad-key.pem"
 )
diff --git a/nomad/structs/config/tls_test.go b/nomad/structs/config/tls_test.go
index 800974f2e..3a6601d7d 100644
--- a/nomad/structs/config/tls_test.go
+++ b/nomad/structs/config/tls_test.go
@@ -52,11 +52,11 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
 require := require.New(t)

 const (
- cafile = "../../../helper/tlsutil/testdata/ca.pem"
- foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
- foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
- fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
+ cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
+ badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
+ badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
 )

 // Assert that both mismatching certificate and key files are considered
@@ -71,8 +71,8 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {

 b := &TLSConfig{
 CAFile: cafile,
- CertFile: foocert2,
- KeyFile: fookey2,
+ CertFile: badcert,
+ KeyFile: badkey,
 }
 isEqual, err := a.CertificateInfoIsEqual(b)
 require.Nil(err)
@@ -90,7 +90,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {

 b := &TLSConfig{
 CAFile: cafile,
- CertFile: foocert2,
+ CertFile: badcert,
 KeyFile: fookey,
 }
 isEqual, err := a.CertificateInfoIsEqual(b)
@@ -110,7 +110,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
 b := &TLSConfig{
 CAFile: cafile,
 CertFile: foocert,
- KeyFile: fookey2,
+ KeyFile: badkey,
 }
 isEqual, err := a.CertificateInfoIsEqual(b)
 require.Nil(err)
@@ -124,7 +124,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
 b := &TLSConfig{
 CAFile: cafile,
 CertFile: foocert,
- KeyFile: fookey2,
+ KeyFile: badkey,
 }
 isEqual, err := a.CertificateInfoIsEqual(b)
 require.Nil(err)
@@ -136,13 +136,13 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
 a := &TLSConfig{
 CAFile: cafile,
 CertFile: foocert,
- KeyFile: fookey2,
+ KeyFile: badkey,
 }

 b := &TLSConfig{
 CAFile: cafile,
 CertFile: "invalid_file",
- KeyFile: fookey2,
+ KeyFile: badkey,
 }
 isEqual, err := a.CertificateInfoIsEqual(b)
 require.NotNil(err)
@@ -157,9 +157,9 @@ func TestTLS_CertificateInfoIsEqual_TrueWhenEqual(t *testing.T) {
 require := require.New(t)

 const (
- cafile = "../../../helper/tlsutil/testdata/ca.pem"
- foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )
 a := &TLSConfig{
 CAFile: cafile,
@@ -183,9 +183,9 @@ func TestTLS_Copy(t *testing.T) {
 require := require.New(t)

 const (
- cafile = "../../../helper/tlsutil/testdata/ca.pem"
- foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
+ cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )
 a := &TLSConfig{
 CAFile: cafile,
@@ -216,11 +216,11 @@ func TestTLS_GetKeyloader(t *testing.T) {
 func TestTLS_SetChecksum(t *testing.T) {
 require := require.New(t)
 const (
- cafile = "../../../helper/tlsutil/testdata/ca.pem"
- foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
- fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
- foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
- fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
+ cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
+ foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
+ fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
+ badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
+ badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
 )
 a := &TLSConfig{
@@ -231,8 +231,8 @@ func TestTLS_SetChecksum(t *testing.T) {
 a.SetChecksum()
 oldChecksum := a.Checksum
- a.CertFile = foocert2
- a.KeyFile = fookey2
+ a.CertFile = badcert
+ a.KeyFile = badkey
 a.SetChecksum()
diff --git a/website/content/docs/commands/tls/cert-create.mdx b/website/content/docs/commands/tls/cert-create.mdx
index aae4c0339..d0fc2d5bb 100644
--- a/website/content/docs/commands/tls/cert-create.mdx
+++ b/website/content/docs/commands/tls/cert-create.mdx
@@ -35,8 +35,7 @@ Usage: `nomad tls cert create [options]`
 - `-days=`: Provide number of days the certificate is valid for from now on. Defaults to 1 year.
-- `-dc=`: Provide the datacenter. Matters only for `-server`
- certificates. Defaults to `dc1`.
+- `-cluster-region=`: DEPRECATED please use `-region`.
 - `-domain=`: Provide the domain. Matters only for `-server` certificates.
@@ -44,9 +43,7 @@ Usage: `nomad tls cert create [options]`
 - `-key=`: Provide path to the key. Defaults to `#DOMAIN#-agent-ca-key.pem`.
-- `-node=`: When generating a server cert and this server is set an
- additional DNS name is included of the form
- `.server..`.
+- `-region=`: Provide the region. Defaults to "global".
 - `-server`: Generate server certificate.
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index 605ed041f..17bca7b17 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -34,6 +34,12 @@ called this endpoint or used this command using tokens with just the `read-job` capability or the `read` policy must update their tokens to use the `submit-job` capability or the `write` policy.
+#### Command `nomad tls cert create` flag `-cluster-region` deprecated
+
+Nomad 1.6.0 will deprecate the command `nomad tls cert create` flag `-cluster-region`
+in favour of using the standard flag `-region`. The `-cluster-region` flag
+will be removed in Nomad 1.7.0
+
 ## Nomad 1.5.5
 Nomad 1.5.5 fixed a bug where allocations that are rescheduled for jobs
