cli: tls certs not created with correct SANs (#16959)
The `nomad tls cert` command did not create certificates with the correct SANs for them to work with non-default domain and region names. This changeset updates the code to support non-default domains and regions in the certificates.
This commit is contained in:
parent
2f702a9f11
commit
568da5918b
@ -0,0 +1,3 @@
```release-note:bug
tls: Fixed a bug where the `nomad tls cert` command did not create certificates with the correct SANs for them to work with non default domain and region names.
```
@ -24,11 +24,11 @@ import (
|
||||||
// work when TLS is enabled.
|
// work when TLS is enabled.
|
||||||
func TestPrevAlloc_StreamAllocDir_TLS(t *testing.T) {
|
func TestPrevAlloc_StreamAllocDir_TLS(t *testing.T) {
|
||||||
const (
|
const (
|
||||||
caFn = "../helper/tlsutil/testdata/global-ca.pem"
|
caFn = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
serverCertFn = "../helper/tlsutil/testdata/global-server.pem"
|
serverCertFn = "../helper/tlsutil/testdata/global-server-nomad.pem"
|
||||||
serverKeyFn = "../helper/tlsutil/testdata/global-server-key.pem"
|
serverKeyFn = "../helper/tlsutil/testdata/global-server-nomad-key.pem"
|
||||||
clientCertFn = "../helper/tlsutil/testdata/global-client.pem"
|
clientCertFn = "../helper/tlsutil/testdata/global-client-nomad.pem"
|
||||||
clientKeyFn = "../helper/tlsutil/testdata/global-client-key.pem"
|
clientKeyFn = "../helper/tlsutil/testdata/global-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
@ -258,9 +258,9 @@ func TestClient_MixedTLS(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
|
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
|
||||||
c.TLSConfig = &nconfig.TLSConfig{
|
c.TLSConfig = &nconfig.TLSConfig{
|
||||||
|
@ -268,8 +268,8 @@ func TestClient_MixedTLS(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooservercert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooserverkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer cleanupS1()
|
defer cleanupS1()
|
||||||
|
@ -306,12 +306,12 @@ func TestClient_BadTLS(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
badca = "../helper/tlsutil/testdata/ca-bad.pem"
|
badca = "../helper/tlsutil/testdata/bad-agent-ca.pem"
|
||||||
badcert = "../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
badkey = "../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
|
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
|
||||||
c.TLSConfig = &nconfig.TLSConfig{
|
c.TLSConfig = &nconfig.TLSConfig{
|
||||||
|
@ -319,8 +319,8 @@ func TestClient_BadTLS(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer cleanupS1()
|
defer cleanupS1()
|
||||||
|
@ -1078,9 +1078,9 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) {
|
||||||
testutil.WaitForLeader(t, s1.RPC)
|
testutil.WaitForLeader(t, s1.RPC)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
c1, cleanup := TestClient(t, func(c *config.Config) {
|
c1, cleanup := TestClient(t, func(c *config.Config) {
|
||||||
|
@ -1114,8 +1114,8 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
}
|
}
|
||||||
|
|
||||||
err := c1.reloadTLSConnections(newConfig)
|
err := c1.reloadTLSConnections(newConfig)
|
||||||
|
@ -1154,9 +1154,9 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) {
|
||||||
testutil.WaitForLeader(t, s1.RPC)
|
testutil.WaitForLeader(t, s1.RPC)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
c1, cleanup := TestClient(t, func(c *config.Config) {
|
c1, cleanup := TestClient(t, func(c *config.Config) {
|
||||||
|
@ -1166,8 +1166,8 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer cleanup()
|
defer cleanup()
|
||||||
@ -59,9 +59,9 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
s1, cleanupS1 := nomad.TestServer(t, func(c *nomad.Config) {
|
s1, cleanupS1 := nomad.TestServer(t, func(c *nomad.Config) {
|
||||||
|
@ -72,8 +72,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooservercert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooserverkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer cleanupS1()
|
defer cleanupS1()
|
||||||
|
@ -87,8 +87,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: fooservercert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooserverkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer cleanupC()
|
defer cleanupC()
|
||||||
@ -920,11 +920,12 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
|
||||||
|
|
||||||
// We will start out with a bad cert and then reload with a good one.
|
// We will start out with a bad cert and then reload with a good one.
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
badca = "../../helper/tlsutil/testdata/bad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
|
fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
agent := NewTestAgent(t, t.Name(), func(c *Config) {
|
agent := NewTestAgent(t, t.Name(), func(c *Config) {
|
||||||
|
@ -932,9 +933,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: badca,
|
||||||
CertFile: foocert,
|
CertFile: badcert,
|
||||||
KeyFile: fookey,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer agent.Shutdown()
|
defer agent.Shutdown()
|
||||||
|
@ -952,9 +953,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: foocafile,
|
||||||
CertFile: foocert2,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey2,
|
KeyFile: fooclientkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -987,11 +988,12 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
|
fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
agentConfig := &Config{
|
agentConfig := &Config{
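Review bot: In TestServer_Reload_TLS_Certificate the renamed constants `badca`, `badcert` and `badkey` now resolve to nomad-agent-ca.pem, regionFoo-client-nomad.pem and regionFoo-client-nomad-key.pem, which are the same files as `cafile`, `fooclientcert` and `fooclientkey` used for the reloaded config, so the initial and reloaded TLS configs load an identical certificate where the old code reloaded from nomad-bad.pem to nomad-foo.pem. If the test is meant to exercise a certificate change on reload, the first config should point at `bad-agent-ca.pem` and `badRegion-client-bad.pem` as the Shared_Keyloader hunk above does; if reloading the same certificate is intended, the `bad*` names are misleading and should be renamed. The same naming applies in TestServer_Reload_TLS_Certificate_Invalid, where `badca` is also nomad-agent-ca.pem while `badcert` is badRegion-client-bad.pem, so the name no longer describes the CA. The enclosing test function continues outside this hunk.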
|
||||||
|
@ -999,9 +1001,9 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: badca,
|
||||||
CertFile: foocert,
|
CertFile: badcert,
|
||||||
KeyFile: fookey,
|
KeyFile: badkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1016,8 +1018,8 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey2,
|
KeyFile: fooclientkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1036,11 +1038,11 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
foocert2 = "invalid_cert_path"
|
newfoocert = "invalid_cert_path"
|
||||||
fookey2 = "invalid_key_path"
|
newfookey = "invalid_key_path"
|
||||||
)
|
)
|
||||||
|
|
||||||
agentConfig := &Config{
|
agentConfig := &Config{
|
||||||
|
@ -1048,9 +1050,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: badca,
|
||||||
CertFile: foocert,
|
CertFile: badcert,
|
||||||
KeyFile: fookey,
|
KeyFile: badkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1064,9 +1066,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: badca,
|
||||||
CertFile: foocert2,
|
CertFile: newfoocert,
|
||||||
KeyFile: fookey2,
|
KeyFile: newfookey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1123,9 +1125,9 @@ func TestServer_Reload_TLS_UpgradeToTLS(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
logger := testlog.HCLogger(t)
|
logger := testlog.HCLogger(t)
|
||||||
|
@ -1164,9 +1166,9 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
logger := testlog.HCLogger(t)
|
logger := testlog.HCLogger(t)
|
||||||
|
@ -1238,9 +1240,9 @@ func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
sameAgentConfig := &Config{
|
sameAgentConfig := &Config{
|
||||||
|
@ -1276,9 +1278,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyHTTPChanges(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
sameAgentConfig := &Config{
|
sameAgentConfig := &Config{
|
||||||
|
@ -1314,9 +1316,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyRPCChanges(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
sameAgentConfig := &Config{
|
sameAgentConfig := &Config{
|
||||||
|
@ -1352,11 +1354,11 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
agent := NewTestAgent(t, t.Name(), func(c *Config) {
|
agent := NewTestAgent(t, t.Name(), func(c *Config) {
|
||||||
|
@ -1377,8 +1379,8 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: badcert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1419,8 +1421,8 @@ func TestServer_ShouldReload_ReturnTrueForFileChanges(t *testing.T) {
|
||||||
require.Nil(err)
|
require.Nil(err)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
key = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
key = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
logger := testlog.HCLogger(t)
|
logger := testlog.HCLogger(t)
|
||||||
|
@ -1491,11 +1493,11 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
sameAgentConfig := &Config{
|
sameAgentConfig := &Config{
|
||||||
|
@ -1515,8 +1517,8 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) {
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: badcert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
defer agent.Shutdown()
|
defer agent.Shutdown()
|
||||||
@ -732,12 +732,12 @@ func TestParsePagination(t *testing.T) {
|
||||||
func TestHTTP_VerifyHTTPSClient(t *testing.T) {
|
func TestHTTP_VerifyHTTPSClient(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
s := makeHTTPServer(t, func(c *Config) {
|
s := makeHTTPServer(t, func(c *Config) {
|
||||||
c.Region = "foo" // match the region on foocert
|
c.Region = "regionFoo" // match the region on foocert
|
||||||
c.TLSConfig = &config.TLSConfig{
|
c.TLSConfig = &config.TLSConfig{
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
VerifyHTTPSClient: true,
|
VerifyHTTPSClient: true,
|
||||||
|
@ -749,10 +749,29 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) {
|
||||||
})
|
})
|
||||||
defer s.Shutdown()
|
defer s.Shutdown()
|
||||||
|
|
||||||
|
tlConf := &tls.Config{
|
||||||
|
ServerName: "client.regionFoo.nomad",
|
||||||
|
}
|
||||||
|
cacert, err := os.ReadFile(cafile)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("error reading cacert: %v", err)
|
||||||
|
}
|
||||||
|
tlConf.RootCAs, err = x509.SystemCertPool()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("error reading SystemPool: %v", err)
|
||||||
|
}
|
||||||
|
tlConf.RootCAs.AppendCertsFromPEM(cacert)
|
||||||
|
tr := &http.Transport{TLSClientConfig: tlConf}
|
||||||
|
clnt := &http.Client{Transport: tr}
|
||||||
|
|
||||||
reqURL := fmt.Sprintf("https://%s/v1/agent/self", s.Agent.config.AdvertiseAddrs.HTTP)
|
reqURL := fmt.Sprintf("https://%s/v1/agent/self", s.Agent.config.AdvertiseAddrs.HTTP)
|
||||||
|
|
||||||
|
request, err := http.NewRequest("GET", reqURL, nil)
|
||||||
|
must.NoError(t, err, must.Sprintf("error creating request: %v", err))
|
||||||
|
|
||||||
|
resp, err := clnt.Do(request)
|
||||||
|
|
||||||
// FAIL: Requests that expect 127.0.0.1 as the name should fail
|
// FAIL: Requests that expect 127.0.0.1 as the name should fail
|
||||||
resp, err := http.Get(reqURL)
|
|
||||||
if err == nil {
|
if err == nil {
|
||||||
resp.Body.Close()
|
resp.Body.Close()
|
||||||
t.Fatalf("expected non-nil error but received: %v", resp.StatusCode)
|
t.Fatalf("expected non-nil error but received: %v", resp.StatusCode)
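Review bot: The comment `// FAIL: Requests that expect 127.0.0.1 as the name should fail` is now stale: the request built above it sets `ServerName: "client.regionFoo.nomad"` and the assertion later in the function expects that hostname on the x509.HostnameError, so the comment should read `// FAIL: a request that expects client.regionFoo.nomad should fail hostname verification against the server certificate`. Separately, `tlConf.RootCAs, err = x509.SystemCertPool()` makes this test depend on the host trust store and adds an error branch that has nothing to do with the behaviour under test; only the appended CA is needed, so `tlConf.RootCAs = x509.NewCertPool()` followed by the existing `AppendCertsFromPEM(cacert)` keeps the test hermetic, and the return value of `AppendCertsFromPEM` should be checked so a malformed fixture fails loudly rather than as a confusing TLS error. TestHTTP_VerifyHTTPSClient continues outside this hunk.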
|
||||||
|
@ -767,14 +786,16 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) {
|
||||||
if !ok {
|
if !ok {
|
||||||
t.Fatalf("expected a x509.HostnameError but received: %T -> %v", urlErr.Err, urlErr.Err)
|
t.Fatalf("expected a x509.HostnameError but received: %T -> %v", urlErr.Err, urlErr.Err)
|
||||||
}
|
}
|
||||||
if expected := "127.0.0.1"; hostErr.Host != expected {
|
if expected := "client.regionFoo.nomad"; hostErr.Host != expected {
|
||||||
t.Fatalf("expected hostname on error to be %q but found %q", expected, hostErr.Host)
|
t.Fatalf("expected hostname on error to be %q but found %q", expected, hostErr.Host)
|
||||||
}
|
}
|
||||||
|
|
||||||
// FAIL: Requests that specify a valid hostname but not the CA should
|
// FAIL: Requests that specify a valid hostname but not the CA should
|
||||||
// fail
|
// fail
|
||||||
|
pool := x509.NewCertPool()
|
||||||
tlsConf := &tls.Config{
|
tlsConf := &tls.Config{
|
||||||
ServerName: "client.regionFoo.nomad",
|
RootCAs: pool,
|
||||||
|
ServerName: "server.regionFoo.nomad",
|
||||||
}
|
}
|
||||||
transport := &http.Transport{TLSClientConfig: tlsConf}
|
transport := &http.Transport{TLSClientConfig: tlsConf}
|
||||||
client := &http.Client{Transport: transport}
|
client := &http.Client{Transport: transport}
|
||||||
|
@ -860,11 +881,11 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
agentConfig := &Config{
|
agentConfig := &Config{
|
||||||
|
@ -872,8 +893,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
VerifyHTTPSClient: true,
|
VerifyHTTPSClient: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: badcert,
|
||||||
KeyFile: fookey,
|
KeyFile: badkey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -882,8 +903,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
VerifyHTTPSClient: true,
|
VerifyHTTPSClient: true,
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: foocert,
|
||||||
KeyFile: fookey2,
|
KeyFile: fookey,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -933,7 +954,7 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
|
||||||
ServerName: "client.regionFoo.nomad",
|
ServerName: "client.regionFoo.nomad",
|
||||||
RootCAs: x509.NewCertPool(),
|
RootCAs: x509.NewCertPool(),
|
||||||
GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
c, err := tls.LoadX509KeyPair(foocert2, fookey2)
|
c, err := tls.LoadX509KeyPair(foocert, fookey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -1053,9 +1074,9 @@ func TestHTTPServer_Limits_OK(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
maxConns = 10 // limit must be < this for testing
|
maxConns = 10 // limit must be < this for testing
|
||||||
bufSize = 1 // enough to know if something was written
|
bufSize = 1 // enough to know if something was written
|
||||||
)
|
)
|
||||||
|
@ -139,7 +139,7 @@ func (c *TLSCACreateCommand) Run(args []string) int {
|
||||||
|
|
||||||
constraints := []string{}
|
constraints := []string{}
|
||||||
if c.constraint {
|
if c.constraint {
|
||||||
constraints = []string{c.domain, "localhost"}
|
constraints = []string{c.domain, "localhost", "nomad"}
|
||||||
constraints = append(constraints, c.additionalDomain...)
|
constraints = append(constraints, c.additionalDomain...)
|
||||||
}
|
}
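Review bot: Hard-coding `"nomad"` into the name constraints next to `c.domain` means the CA's PermittedDNSDomains contains `nomad` twice when the domain is left at its default, and always permits issuing under the `nomad` name even when an operator chose a custom domain precisely to scope the CA. The reason it must be permitted is not visible here, so a short comment explaining it would help the next reader, and the duplicate can be avoided with `if c.domain != "nomad" { constraints = append(constraints, "nomad") }`, which still satisfies the updated expectation of four entries in TestCACreateCommand. The surrounding Run method continues outside this hunk.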
|
||||||
|
|
||||||
@ -53,8 +53,8 @@ func TestCACreateCommand(t *testing.T) {
|
||||||
func(t *testing.T, cert *x509.Certificate) {
|
func(t *testing.T, cert *x509.Certificate) {
|
||||||
require.Equal(t, 365*24*time.Hour, time.Until(cert.NotAfter).Round(24*time.Hour))
|
require.Equal(t, 365*24*time.Hour, time.Until(cert.NotAfter).Round(24*time.Hour))
|
||||||
require.True(t, cert.PermittedDNSDomainsCritical)
|
require.True(t, cert.PermittedDNSDomainsCritical)
|
||||||
require.Len(t, cert.PermittedDNSDomains, 3)
|
require.Len(t, cert.PermittedDNSDomains, 4)
|
||||||
require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"foo", "localhost", "bar"})
|
require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"nomad", "foo", "localhost", "bar"})
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{"with common-name",
|
{"with common-name",
|
||||||
@ -33,19 +33,23 @@ type TLSCertCreateCommand struct {
|
||||||
cli bool
|
cli bool
|
||||||
client bool
|
client bool
|
||||||
|
|
||||||
// key is used to set the custom CA certificate key when creating
|
|
||||||
// certificates.
|
|
||||||
key string
|
|
||||||
|
|
||||||
// days is the number of days the certificate will be valid for.
|
// days is the number of days the certificate will be valid for.
|
||||||
days int
|
days int
|
||||||
|
|
||||||
|
// domain is used to provide a custom domain for the certificate.
|
||||||
|
domain string
|
||||||
|
|
||||||
// cluster_region is used to add the region name to the certifacte SAN
|
// cluster_region is used to add the region name to the certifacte SAN
|
||||||
// records
|
// records
|
||||||
cluster_region string
|
cluster_region string
|
||||||
|
|
||||||
// domain is used to provide a custom domain for the certificate.
|
// key is used to set the custom CA certificate key when creating
|
||||||
domain string
|
// certificates.
|
||||||
|
key string
|
||||||
|
|
||||||
|
// cluster_region is used to add the region name to the certifacte SAN
|
||||||
|
// records
|
||||||
|
region string
|
||||||
|
|
||||||
server bool
|
server bool
|
||||||
}
|
}
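Review bot: The doc comment on the new `region` field is a copy of the one on `cluster_region`, typo included ("certifacte"), and neither comment records that `cluster_region` is deprecated even though the help text in the next hunk says so. Suggest `// region is the region name added to the certificate's SAN records.` on `region`, and `// cluster_region is deprecated in favour of region; it is kept so existing -cluster-region invocations keep working.` on `cluster_region`. The field name `cluster_region` also breaks Go's MixedCaps convention; since it is unexported this would be a cheap rename while the struct is being touched.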
|
||||||
|
@ -79,8 +83,7 @@ Certificate Create Options:
|
||||||
Generate a client certificate.
|
Generate a client certificate.
|
||||||
|
|
||||||
-cluster-region
|
-cluster-region
|
||||||
Provide the datacenter. Only used for -server certificates.
|
DEPRECATED please use -region.
|
||||||
Defaults to "global".
|
|
||||||
|
|
||||||
-days
|
-days
|
||||||
Provide number of days the certificate is valid for from now on.
|
Provide number of days the certificate is valid for from now on.
|
||||||
|
@ -92,6 +95,10 @@ Certificate Create Options:
|
||||||
-key
|
-key
|
||||||
Provide path to the certificate authority key. Defaults to
|
Provide path to the certificate authority key. Defaults to
|
||||||
#DOMAIN#-agent-ca-key.pem.
|
#DOMAIN#-agent-ca-key.pem.
|
||||||
|
|
||||||
|
-region
|
||||||
|
Provide the region. Only used for -server certificates.
|
||||||
|
Defaults to "global".
|
||||||
|
|
||||||
-server
|
-server
|
||||||
Generate a server certificate.
|
Generate a server certificate.
|
||||||
|
@ -134,10 +141,11 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
|
||||||
flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "")
|
flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "")
|
||||||
flagSet.BoolVar(&c.cli, "cli", false, "")
|
flagSet.BoolVar(&c.cli, "cli", false, "")
|
||||||
flagSet.BoolVar(&c.client, "client", false, "")
|
flagSet.BoolVar(&c.client, "client", false, "")
|
||||||
flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "")
|
// cluster region will be deprecated in the next version
|
||||||
|
flagSet.StringVar(&c.cluster_region, "cluster-region", "", "")
|
||||||
flagSet.IntVar(&c.days, "days", 365, "")
|
flagSet.IntVar(&c.days, "days", 365, "")
|
||||||
flagSet.StringVar(&c.cluster_region, "cluster-region", "global", "")
|
|
||||||
flagSet.StringVar(&c.domain, "domain", "nomad", "")
|
flagSet.StringVar(&c.domain, "domain", "nomad", "")
|
||||||
|
flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "")
|
||||||
flagSet.BoolVar(&c.server, "server", false, "")
|
flagSet.BoolVar(&c.server, "server", false, "")
|
||||||
if err := flagSet.Parse(args); err != nil {
|
if err := flagSet.Parse(args); err != nil {
|
||||||
return 1
|
return 1
|
||||||
|
@ -165,43 +173,42 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
var DNSNames []string
|
var dnsNames []string
|
||||||
var IPAddresses []net.IP
|
var ipAddresses []net.IP
|
||||||
var extKeyUsage []x509.ExtKeyUsage
|
var extKeyUsage []x509.ExtKeyUsage
|
||||||
var name, prefix string
|
var name, regionName, prefix string
|
||||||
|
|
||||||
for _, d := range c.dnsNames {
|
for _, d := range c.dnsNames {
|
||||||
if len(d) > 0 {
|
if len(d) > 0 {
|
||||||
DNSNames = append(DNSNames, strings.TrimSpace(d))
|
dnsNames = append(dnsNames, strings.TrimSpace(d))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, i := range c.ipAddresses {
|
for _, i := range c.ipAddresses {
|
||||||
if len(i) > 0 {
|
if len(i) > 0 {
|
||||||
IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i)))
|
ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i)))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.server {
|
// set region variable to prepare for deprecating cluster_region
|
||||||
name = fmt.Sprintf("server.%s.%s", c.cluster_region, c.domain)
|
switch {
|
||||||
DNSNames = append(DNSNames, name)
|
case c.cluster_region != "":
|
||||||
DNSNames = append(DNSNames, "localhost")
|
regionName = c.cluster_region
|
||||||
|
case c.clientConfig().Region != "" && c.clientConfig().Region != "global":
|
||||||
|
regionName = c.clientConfig().Region
|
||||||
|
default:
|
||||||
|
regionName = "global"
|
||||||
|
}
|
||||||
|
|
||||||
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
|
// Set dnsNames and ipAddresses based on whether this is a client, server or cli
|
||||||
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
switch {
|
||||||
prefix = fmt.Sprintf("%s-server-%s", c.cluster_region, c.domain)
|
case c.server:
|
||||||
|
ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionName, c.domain, dnsNames, ipAddresses)
|
||||||
} else if c.client {
|
case c.client:
|
||||||
name = fmt.Sprintf("client.%s.%s", c.cluster_region, c.domain)
|
ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionName, c.domain, dnsNames, ipAddresses)
|
||||||
DNSNames = append(DNSNames, []string{name, "localhost"}...)
|
case c.cli:
|
||||||
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1"))
|
ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionName, c.domain, dnsNames, ipAddresses)
|
||||||
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
|
default:
|
||||||
prefix = fmt.Sprintf("%s-client-%s", c.cluster_region, c.domain)
|
|
||||||
} else if c.cli {
|
|
||||||
name = fmt.Sprintf("cli.%s.%s", c.cluster_region, c.domain)
|
|
||||||
DNSNames = []string{name, "localhost"}
|
|
||||||
prefix = fmt.Sprintf("%s-cli-%s", c.cluster_region, c.domain)
|
|
||||||
} else {
|
|
||||||
c.Ui.Error("Neither client, cli nor server - should not happen")
|
c.Ui.Error("Neither client, cli nor server - should not happen")
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
@ -252,10 +259,9 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
|
||||||
c.Ui.Error(err.Error())
|
c.Ui.Error(err.Error())
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
|
pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
|
||||||
Signer: signer, CA: string(cert), Name: name, Days: c.days,
|
Signer: signer, CA: string(cert), Name: name, Days: c.days,
|
||||||
DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
|
DNSNames: dnsNames, IPAddresses: ipAddresses, ExtKeyUsage: extKeyUsage,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Ui.Error(err.Error())
|
c.Ui.Error(err.Error())
|
||||||
|
@ -294,3 +300,37 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func recordPreparation(certType string, regionName string, domain string, dnsNames []string, ipAddresses []net.IP) ([]net.IP, []string, string, []x509.ExtKeyUsage, string) {
|
||||||
|
var (
|
||||||
|
extKeyUsage []x509.ExtKeyUsage
|
||||||
|
name, regionUrl, prefix string
|
||||||
|
)
|
||||||
|
if certType == "server" || certType == "client" {
|
||||||
|
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
||||||
|
ipAddresses = append(ipAddresses, net.ParseIP("127.0.0.1"))
|
||||||
|
} else if certType == "cli" {
|
||||||
|
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
|
||||||
|
}
|
||||||
|
// prefix is used to generate the filename for the certificate before writing to disk.
|
||||||
|
prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain)
|
||||||
|
regionUrl = fmt.Sprintf("%s.%s.nomad", certType, regionName)
|
||||||
|
name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain)
|
||||||
|
|
||||||
|
if regionName != "global" && domain != "nomad" {
|
||||||
|
dnsNames = append(dnsNames, name, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
|
||||||
|
}
|
||||||
|
|
||||||
|
if regionName != "global" && domain == "nomad" {
|
||||||
|
dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
|
||||||
|
}
|
||||||
|
|
||||||
|
if regionName == "global" && domain != "nomad" {
|
||||||
|
dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.%s.%s", certType, regionName, domain), "localhost")
|
||||||
|
}
|
||||||
|
|
||||||
|
if regionName == "global" && domain == "nomad" {
|
||||||
|
dnsNames = append(dnsNames, name, "localhost")
|
||||||
|
}
|
||||||
|
return ipAddresses, dnsNames, name, extKeyUsage, prefix
|
||||||
|
}
|
||||||
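Review bot: recordPreparation widens every certificate's identity past the requested region and domain: for a non-global region the SAN list always gains `<type>.global.nomad`, and with a custom domain it always gains `<type>.<region>.nomad`, so a server certificate issued for region foo under a custom domain also verifies as `server.global.nomad` against the same CA, which matters if operators rely on per-region server names for isolation. If that cross-region/cross-domain trust is intended, say so in a comment on the function; the restructure below keeps the same SAN output (only the order in the global/custom-domain case changes, so the `server0-domain1` expectation in the test would list `server.global.domain1` first), folds the four if blocks into two, removes `regionUrl` from the var block, and drops the `fmt.Sprintf("%s.%s.%s", certType, regionName, domain)` in the global/custom-domain branch, which is just `name` again. The cli branch also now sets `x509.ExtKeyUsageServerAuth` although the replaced code set no EKU on cli certificates and a CLI certificate only needs client authentication; `extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}` is the least-privilege choice, with the matching test expectation updated.
```go
	// prefix is used to generate the filename for the certificate before writing to disk.
	prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain)
	name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain)

	// NOTE(review): the SAN set is intentionally wider than name: a certificate
	// for a non-default region is also valid for the global region, and one for a
	// custom domain is also valid under the default "nomad" domain. Confirm this
	// cross-region/cross-domain trust is wanted before relying on per-region
	// certificates for isolation.
	dnsNames = append(dnsNames, name)
	if domain != "nomad" {
		dnsNames = append(dnsNames, fmt.Sprintf("%s.%s.nomad", certType, regionName))
	}
	if regionName != "global" {
		dnsNames = append(dnsNames, fmt.Sprintf("%s.global.nomad", certType))
	}
	dnsNames = append(dnsNames, "localhost")
	// … unchanged: return ipAddresses, dnsNames, name, extKeyUsage, prefix …
```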
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/hashicorp/nomad/testutil"
|
"github.com/hashicorp/nomad/testutil"
|
||||||
|
@ -57,7 +58,7 @@ func TestTlsCertCreateCommand_InvalidArgs(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
func TestTlsCertCreateCommandDefaults_fileCreate(t *testing.T) {
|
||||||
testDir := t.TempDir()
|
testDir := t.TempDir()
|
||||||
previousDirectory, err := os.Getwd()
|
previousDirectory, err := os.Getwd()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -97,14 +98,15 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
||||||
[]net.IP{{127, 0, 0, 1}},
|
[]net.IP{{127, 0, 0, 1}},
|
||||||
"==> WARNING: Server Certificates grants authority to become a\n server and access all state in the cluster including root keys\n and all ACL tokens. Do not distribute them to production hosts\n that are not server nodes. Store them as securely as CA keys.\n",
|
"==> WARNING: Server Certificates grants authority to become a\n server and access all state in the cluster including root keys\n and all ACL tokens. Do not distribute them to production hosts\n that are not server nodes. Store them as securely as CA keys.\n",
|
||||||
},
|
},
|
||||||
{"server0-region2-altdomain",
|
{"server0-region1",
|
||||||
"server",
|
"server",
|
||||||
[]string{"-server", "-cluster-region", "region2", "-domain", "nomad"},
|
[]string{"-server", "-region", "region1"},
|
||||||
"region2-server-nomad.pem",
|
"region1-server-nomad.pem",
|
||||||
"region2-server-nomad-key.pem",
|
"region1-server-nomad-key.pem",
|
||||||
"server.region2.nomad",
|
"server.region1.nomad",
|
||||||
[]string{
|
[]string{
|
||||||
"server.region2.nomad",
|
"server.region1.nomad",
|
||||||
|
"server.global.nomad",
|
||||||
"localhost",
|
"localhost",
|
||||||
},
|
},
|
||||||
[]net.IP{{127, 0, 0, 1}},
|
[]net.IP{{127, 0, 0, 1}},
|
||||||
|
@ -123,19 +125,6 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
||||||
[]net.IP{{127, 0, 0, 1}},
|
[]net.IP{{127, 0, 0, 1}},
|
||||||
"",
|
"",
|
||||||
},
|
},
|
||||||
{"client0-region2-altdomain",
|
|
||||||
"client",
|
|
||||||
[]string{"-client", "-cluster-region", "region2", "-domain", "nomad"},
|
|
||||||
"region2-client-nomad.pem",
|
|
||||||
"region2-client-nomad-key.pem",
|
|
||||||
"client.region2.nomad",
|
|
||||||
[]string{
|
|
||||||
"client.region2.nomad",
|
|
||||||
"localhost",
|
|
||||||
},
|
|
||||||
[]net.IP{{127, 0, 0, 1}},
|
|
||||||
"",
|
|
||||||
},
|
|
||||||
{"cli0",
|
{"cli0",
|
||||||
"cli",
|
"cli",
|
||||||
[]string{"-cli"},
|
[]string{"-cli"},
|
||||||
|
@ -146,20 +135,7 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
||||||
"cli.global.nomad",
|
"cli.global.nomad",
|
||||||
"localhost",
|
"localhost",
|
||||||
},
|
},
|
||||||
nil,
|
[]net.IP(nil),
|
||||||
"",
|
|
||||||
},
|
|
||||||
{"cli0-region2-altdomain",
|
|
||||||
"cli",
|
|
||||||
[]string{"-cli", "-cluster-region", "region2", "-domain", "nomad"},
|
|
||||||
"region2-cli-nomad.pem",
|
|
||||||
"region2-cli-nomad-key.pem",
|
|
||||||
"cli.region2.nomad",
|
|
||||||
[]string{
|
|
||||||
"cli.region2.nomad",
|
|
||||||
"localhost",
|
|
||||||
},
|
|
||||||
nil,
|
|
||||||
"",
|
"",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -184,10 +160,12 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
||||||
cert.ExtKeyUsage)
|
cert.ExtKeyUsage)
|
||||||
case "client":
|
case "client":
|
||||||
require.Equal(t,
|
require.Equal(t,
|
||||||
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
cert.ExtKeyUsage)
|
cert.ExtKeyUsage)
|
||||||
case "cli":
|
case "cli":
|
||||||
require.Len(t, cert.ExtKeyUsage, 0)
|
require.Equal(t,
|
||||||
|
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||||
|
cert.ExtKeyUsage)
|
||||||
}
|
}
|
||||||
require.False(t, cert.IsCA)
|
require.False(t, cert.IsCA)
|
||||||
require.Equal(t, tc.expectDNS, cert.DNSNames)
|
require.Equal(t, tc.expectDNS, cert.DNSNames)
|
||||||
|
@ -195,3 +173,156 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestTlsRecordPreparation(t *testing.T) {
|
||||||
|
type testcase struct {
|
||||||
|
name string
|
||||||
|
certType string
|
||||||
|
regionName string
|
||||||
|
domain string
|
||||||
|
dnsNames []string
|
||||||
|
ipAddresses []string
|
||||||
|
expectedipAddresses []net.IP
|
||||||
|
expectedDNSNames []string
|
||||||
|
expectedName string
|
||||||
|
expectedextKeyUsage []x509.ExtKeyUsage
|
||||||
|
expectedPrefix string
|
||||||
|
}
|
||||||
|
// The default values are region = global and domain = nomad.
|
||||||
|
cases := []testcase{
|
||||||
|
{
|
||||||
|
name: "server0",
|
||||||
|
certType: "server",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"server.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "server.global.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "global-server-nomad",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "server0-region1",
|
||||||
|
certType: "server",
|
||||||
|
regionName: "region1",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"server.region1.nomad",
|
||||||
|
"server.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "server.region1.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "region1-server-nomad",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "server0-domain1",
|
||||||
|
certType: "server",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "domain1",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"server.global.nomad",
|
||||||
|
"server.global.domain1",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "server.global.domain1",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "global-server-domain1",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "server0-dns",
|
||||||
|
certType: "server",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{"server.global.foo"},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"server.global.foo",
|
||||||
|
"server.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "server.global.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "global-server-nomad",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "server0-ips",
|
||||||
|
certType: "server",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{"10.0.0.1"},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("10.0.0.1"), net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"server.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "server.global.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "global-server-nomad",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "client0",
|
||||||
|
certType: "client",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"client.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "client.global.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||||
|
expectedPrefix: "global-client-nomad",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "cli0",
|
||||||
|
certType: "cli",
|
||||||
|
regionName: "global",
|
||||||
|
domain: "nomad",
|
||||||
|
dnsNames: []string{},
|
||||||
|
ipAddresses: []string{},
|
||||||
|
expectedipAddresses: []net.IP(nil),
|
||||||
|
expectedDNSNames: []string{
|
||||||
|
"cli.global.nomad",
|
||||||
|
"localhost",
|
||||||
|
},
|
||||||
|
expectedName: "cli.global.nomad",
|
||||||
|
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||||
|
expectedPrefix: "global-cli-nomad",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range cases {
|
||||||
|
tc := tc
|
||||||
|
require.True(t, t.Run(tc.name, func(t *testing.T) {
|
||||||
|
var ipAddresses []net.IP
|
||||||
|
for _, i := range tc.ipAddresses {
|
||||||
|
if len(i) > 0 {
|
||||||
|
ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ipAddresses, dnsNames, name, extKeyUsage, prefix := recordPreparation(tc.certType, tc.regionName, tc.domain, tc.dnsNames, ipAddresses)
|
||||||
|
require.Equal(t, tc.expectedipAddresses, ipAddresses)
|
||||||
|
require.Equal(t, tc.expectedDNSNames, dnsNames)
|
||||||
|
require.Equal(t, tc.expectedName, name)
|
||||||
|
require.Equal(t, tc.expectedextKeyUsage, extKeyUsage)
|
||||||
|
require.Equal(t, tc.expectedPrefix, prefix)
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
}
|
||||||
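Review bot: TestTlsRecordPreparation has no case combining a non-default region with a non-default domain, which is the combination the commit title fixes and the only input that reaches recordPreparation's first branch; add `{name: "server0-region1-domain1", certType: "server", regionName: "region1", domain: "domain1", ...}` expecting DNS names `server.region1.domain1`, `server.region1.nomad`, `server.global.nomad`, `localhost`, name `server.region1.domain1` and prefix `region1-server-domain1`. The client and cli types are only covered for the global region, so the `.global.nomad` fallback SAN is never asserted for them. The cli expectation in TestTlsCertCreateCommandDefaults_fileCreate moves from no EKU to `ClientAuth, ServerAuth` with no comment; a one-liner such as `// cli certs now carry ServerAuth as well; see recordPreparation` would record that this is deliberate. The removed `-cluster-region region2` cases appear to have been the only end-to-end coverage of the deprecated flag; keeping one of them would verify the deprecation path still maps onto the region SAN.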
|
|
|
@ -22,11 +22,13 @@ import (
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// See README.md for documentation
|
// See README.md for documentation
|
||||||
cacert = "./testdata/ca.pem"
|
cacert = "./testdata/nomad-agent-ca.pem"
|
||||||
foocert = "./testdata/nomad-foo.pem"
|
fooclientcert = "./testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "./testdata/nomad-foo-key.pem"
|
fooclientkey = "./testdata/regionFoo-client-nomad-key.pem"
|
||||||
badcert = "./testdata/nomad-bad.pem"
|
fooservercert = "./testdata/regionFoo-server-nomad.pem"
|
||||||
badkey = "./testdata/nomad-bad-key.pem"
|
fooserverkey = "./testdata/regionFoo-server-nomad-key.pem"
|
||||||
|
badcert = "./testdata/badRegion-client-bad.pem"
|
||||||
|
badkey = "./testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestConfig_AppendCA_None(t *testing.T) {
|
func TestConfig_AppendCA_None(t *testing.T) {
|
||||||
|
@ -115,7 +117,7 @@ func TestConfig_AppendCA_Valid_Whitespace(t *testing.T) {
|
||||||
|
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const cacertWhitespace = "./testdata/ca-whitespace.pem"
|
const cacertWhitespace = "./testdata/whitespace-agent-ca.pem"
|
||||||
conf := &Config{
|
conf := &Config{
|
||||||
CAFile: cacertWhitespace,
|
CAFile: cacertWhitespace,
|
||||||
}
|
}
|
||||||
|
@ -296,8 +298,8 @@ func TestConfig_LoadKeyPair_Valid(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
conf := &Config{
|
conf := &Config{
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
cert, err := conf.LoadKeyPair()
|
cert, err := conf.LoadKeyPair()
|
||||||
|
@ -391,8 +393,8 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
|
||||||
conf := &Config{
|
conf := &Config{
|
||||||
VerifyOutgoing: true,
|
VerifyOutgoing: true,
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
tlsConf, err := conf.OutgoingTLSConfig()
|
tlsConf, err := conf.OutgoingTLSConfig()
|
||||||
|
@ -507,8 +509,8 @@ func TestConfig_outgoingWrapper_OK(t *testing.T) {
|
||||||
|
|
||||||
config := &Config{
|
config := &Config{
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooservercert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooserverkey,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
VerifyOutgoing: true,
|
VerifyOutgoing: true,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
|
@ -545,8 +547,8 @@ func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
|
||||||
t.SkipNow()
|
t.SkipNow()
|
||||||
config := &Config{
|
config := &Config{
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
VerifyOutgoing: true,
|
VerifyOutgoing: true,
|
||||||
}
|
}
|
||||||
|
@ -580,8 +582,8 @@ func TestConfig_wrapTLS_OK(t *testing.T) {
|
||||||
|
|
||||||
config := &Config{
|
config := &Config{
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
VerifyOutgoing: true,
|
VerifyOutgoing: true,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
|
@ -655,8 +657,8 @@ func TestConfig_IncomingTLS(t *testing.T) {
|
||||||
conf := &Config{
|
conf := &Config{
|
||||||
VerifyIncoming: true,
|
VerifyIncoming: true,
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
tlsC, err := conf.IncomingTLSConfig()
|
tlsC, err := conf.IncomingTLSConfig()
|
||||||
|
@ -684,8 +686,8 @@ func TestConfig_IncomingTLS_MissingCA(t *testing.T) {
|
||||||
|
|
||||||
conf := &Config{
|
conf := &Config{
|
||||||
VerifyIncoming: true,
|
VerifyIncoming: true,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
_, err := conf.IncomingTLSConfig()
|
_, err := conf.IncomingTLSConfig()
|
||||||
|
@ -786,8 +788,8 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
tlsConfig := &config.TLSConfig{
|
tlsConfig := &config.TLSConfig{
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
TLSCipherSuites: strings.Join([]string{
|
TLSCipherSuites: strings.Join([]string{
|
||||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
|
@ -856,8 +858,8 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
empty := &config.TLSConfig{
|
empty := &config.TLSConfig{
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
parsedCiphers, err := ParseCiphers(empty)
|
parsedCiphers, err := ParseCiphers(empty)
|
||||||
|
@ -880,8 +882,8 @@ func TestConfig_ParseCiphers_Invalid(t *testing.T) {
|
||||||
for _, cipher := range invalidCiphers {
|
for _, cipher := range invalidCiphers {
|
||||||
tlsConfig := &config.TLSConfig{
|
tlsConfig := &config.TLSConfig{
|
||||||
TLSCipherSuites: cipher,
|
TLSCipherSuites: cipher,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
parsedCiphers, err := ParseCiphers(tlsConfig)
|
parsedCiphers, err := ParseCiphers(tlsConfig)
|
||||||
|
@ -902,8 +904,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) {
|
||||||
{
|
{
|
||||||
tlsConfig := &config.TLSConfig{
|
tlsConfig := &config.TLSConfig{
|
||||||
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
parsedCiphers, err := ParseCiphers(tlsConfig)
|
parsedCiphers, err := ParseCiphers(tlsConfig)
|
||||||
|
@ -915,8 +917,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) {
|
||||||
{
|
{
|
||||||
tlsConfig := &config.TLSConfig{
|
tlsConfig := &config.TLSConfig{
|
||||||
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
parsedCiphers, err := ParseCiphers(tlsConfig)
|
parsedCiphers, err := ParseCiphers(tlsConfig)
|
||||||
|
@ -972,8 +974,8 @@ func TestConfig_NewTLSConfiguration(t *testing.T) {
|
||||||
|
|
||||||
conf := &config.TLSConfig{
|
conf := &config.TLSConfig{
|
||||||
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
KeyLoader: &config.KeyLoader{},
|
KeyLoader: &config.KeyLoader{},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1024,8 +1026,8 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) {
|
||||||
},
|
},
|
||||||
new: &config.TLSConfig{
|
new: &config.TLSConfig{
|
||||||
CAFile: cacert,
|
CAFile: cacert,
|
||||||
CertFile: foocert,
|
CertFile: fooclientcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fooclientkey,
|
||||||
},
|
},
|
||||||
shouldReload: true,
|
shouldReload: true,
|
||||||
errorStr: "Different TLS Configuration should reload",
|
errorStr: "Different TLS Configuration should reload",
|
||||||
|
|
|
@ -1,39 +1,67 @@
|
||||||
# Nomad Test Certificate
|
# Nomad Test Certificate
|
||||||
|
|
||||||
Using [cfssl 1.6.0](https://github.com/cloudflare/cfssl)
|
Nomad has a built in command to generate certificates for setting up tls encryption.
|
||||||
|
This will generate valid certificates with default settings if run without any configuration.
|
||||||
|
The command `nomad tls` is used to generate the test certificates in this directory.
|
||||||
|
|
||||||
| File | Description |
|
| File | Description |
|
||||||
|---------------------|---------------------------|
|
|----------------------------------|---------------------------|
|
||||||
| `ca.pem` | CA certificate |
|
| `nomad-agent-ca.pem` | CA certificate |
|
||||||
| `ca-key.pem` | CA Key |
|
| `nomad-agent-ca-key.pem` | CA Key |
|
||||||
| `nomad-foo.pem` | Nomad cert for foo region |
|
| `regionFoo-client-nomad.pem` | Nomad cert for foo region |
|
||||||
| `nomad-foo-key.pem` | Nomad key for foo region |
|
| `regionFoo-client-nomad-key.pem` | Nomad key for foo region |
|
||||||
| `ca-bad.pem` | CA cert for bad region |
|
| `bad-agent-ca.pem` | CA cert for bad region |
|
||||||
| `ca-key-bad.pem` | CA key for bad region |
|
| `bad-agent-ca-key.pem` | CA key for bad region |
|
||||||
| `nomad-bad.pem` | Nomad cert for bad region |
|
| `badRegion-client-bad.pem` | Nomad cert for bad region |
|
||||||
| `nomad-bad-key.pem` | Nomad key for bad region |
|
| `badRegion-client-bad-key.pem` | Nomad key for bad region |
|
||||||
| `global-*.pem` | For global region |
|
| `global-*.pem` | For global region |
|
||||||
|
| `whitespace-agent-ca.pem` | For whitespace test |
|
||||||
|
|
||||||
|
## Generating self-signed certs with nomad tls
|
||||||
|
|
||||||
## Generating self-signed certs
|
|
||||||
```sh
|
```sh
|
||||||
# Write defaults and update.
|
|
||||||
# NOTE: this doesn't need to be run if regenerating old certificates and
|
|
||||||
# shouldn't as it overrides non-default values.
|
|
||||||
cfssl print-defaults csr > ca-csr.json
|
|
||||||
cfssl print-defaults csr > ca-bad-csr.json
|
|
||||||
cfssl print-defaults config > ca-config.json
|
|
||||||
|
|
||||||
# Generate CA certificates and keys.
|
# Generate CA certificate and key.
|
||||||
#
|
nomad tls ca create
|
||||||
# 1. Generates ca.csr, ca.pem, and ca-key.pem.
|
|
||||||
# 2. Generates ca-bad.csr, ca-bad.pem, and ca-bad-key.pem.
|
|
||||||
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -
|
|
||||||
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -
|
|
||||||
|
|
||||||
# Generate certificates and keys.
|
# Generate certificates and keys with default values.
|
||||||
#
|
# 1. Generate server certificate with default values
|
||||||
# 1. Generates nomad-foo.csr, nomad-foo.pem, and nomad-foo-key.pem.
|
# 2. Generate client certificate with default values
|
||||||
# 1. Generates nomad-bad.csr, nomad-bad.pem, and nomad-bad-key.pem.
|
nomad tls cert create -server
|
||||||
cfssl gencert -loglevel=5 -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo
|
nomad tls cert create -client
|
||||||
cfssl gencert -loglevel=5 -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad
|
|
||||||
|
# Generate certificates and keys for region regionFoo.
|
||||||
|
# 1. Generate server certificate for region regionFoo
|
||||||
|
# 2. Generate client certificate for region regionFoo
|
||||||
|
nomad tls cert create -server -region regionFoo
|
||||||
|
nomad tls cert create -client -region regionFoo
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Generating additional self-signed certs for testing tls misconfiguration
|
||||||
|
|
||||||
|
These certificates are used to test incorrect tls configuration.
|
||||||
|
They are valid certificates but issued from a different CA
|
||||||
|
|
||||||
|
```sh
|
||||||
|
|
||||||
|
# Generate CA certificate and key.
|
||||||
|
nomad tls ca create -name-constraint=true -domain bad
|
||||||
|
|
||||||
|
# Generate certificates and keys for region badRegion.
|
||||||
|
# 1. Generate server certificate for region badRegion
|
||||||
|
# 2. Generate client certificate for region badRegion
|
||||||
|
nomad tls cert create -server -region badRegion -domain=bad
|
||||||
|
nomad tls cert create -client -region badRegion -domain=bad
|
||||||
|
```
|
||||||
|
|
||||||
|
## Generate CA for whitespace test
|
||||||
|
|
||||||
|
You will need to edit the pem file to add some whitespace after the
|
||||||
|
-----END CERTIFICATE----- line
|
||||||
|
|
||||||
|
```sh
|
||||||
|
|
||||||
|
# Generate CA certificate and key.
|
||||||
|
nomad tls ca create -name-constraint=true -domain whitespace
|
||||||
|
```
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIOtIspf5RTZcXnYsKINVSqrO1aJQBy0Ustei5x3pdrxAoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAE4KKQKga9sXh3c+vK8YSkqKx9zAWJfSDsxzX/xzie4FhYcF5IbeVh
|
||||||
|
EjDZHXhU8AtGhzPIHkPc4PtP4iNdlwkuAw==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,19 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDGjCCAsCgAwIBAgIQd7vqgOhuwTDMFXo80ZEyxDAKBggqhkjOPQQDAjCBuDEL
|
||||||
|
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||||
|
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
|
||||||
|
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx
|
||||||
|
NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjMwNTIw
|
||||||
|
MDU0NTMyWhcNMjgwNTE4MDU0NTMyWjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
|
||||||
|
AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
|
||||||
|
IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
|
||||||
|
MT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAxNTkxNTM4NDczMDc5Mzc0NzQzOTQz
|
||||||
|
OTMwMjc3MTAxODQxNDE1MDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgopAq
|
||||||
|
Br2xeHdz68rxhKSorH3MBYl9IOzHNf/HOJ7gWFhwXkht5WESMNkdeFTwC0aHM8ge
|
||||||
|
Q9zg+0/iI12XCS4Do4GpMIGmMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD
|
||||||
|
AQH/MCkGA1UdDgQiBCAIUJQLq88JPZcO+4YnsIUi5EinrxH6ffLRUHz+cF972jAr
|
||||||
|
BgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5EinrxH6ffLRUHz+cF972jArBgNV
|
||||||
|
HR4BAf8EITAfoB0wBYIDYmFkMAuCCWxvY2FsaG9zdDAHggVub21hZDAKBggqhkjO
|
||||||
|
PQQDAgNIADBFAiEArvFAMvwtByJVNZD6ojiUYI8PFGbmzTzkkNNvhsHSOv8CIBKj
|
||||||
|
MACtGi02f3JS0oz+Ef2TqjiuOClGBhr/x6qG4cxy
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIOXshxnqSDtF5SDD4PWNbhzEhgX89tC1e4vs/YFRdZV2oAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAE1FmtPIHfG9n5nvJHdkpMwCon8D3c/4Ekg+QnFvleUXB8PoXlYND6
|
||||||
|
gX/+n7cJ2p5dZ/NcXPAASHKCQFdAIl+jEg==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICzzCCAnWgAwIBAgIRAPIeOK1i31bByJjW0J471YIwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTIzMDUy
|
||||||
|
MDA1NDYwNloXDTI0MDUxOTA1NDYwNlowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl
|
||||||
|
Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUWa08gd8b2fme8kd2
|
||||||
|
SkzAKifwPdz/gSSD5CcW+V5RcHw+heVg0PqBf/6ftwnanl1n81xc8ABIcoJAV0Ai
|
||||||
|
X6MSo4H3MIH0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
|
||||||
|
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgIS+aVN7DyWMFuExUlPtR
|
||||||
|
XqSuFVzBjLJSIBAYeoLekOAwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI
|
||||||
|
p68R+n3y0VB8/nBfe9owXQYDVR0RBFYwVIIUY2xpZW50LmJhZFJlZ2lvbi5iYWSC
|
||||||
|
FmNsaWVudC5iYWRSZWdpb24ubm9tYWSCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv
|
||||||
|
Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiA/RK692gWJA3D5GeD6k3a2
|
||||||
|
+ijWvHxyRWzYCREuN7NasQIhAKR4XOASgzcY4u17ny8v8cxeZMA4aD+UwZnjE3s/
|
||||||
|
VaNU
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIN1hpOPcd0fHzA+MUq3ImrK/6zwsvxl/gpSL11nFB6UooAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAE3t6MXDmu0U5jdrTHX6K0wVLantQkytnUipeVWJh+vstUyPQrbREB
|
||||||
|
aj2mmx6Ckh+8L4qy7b6CFkjK7koP23pe9g==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICzjCCAnSgAwIBAgIQJb2AONazlSeNtRZNdghuWDAKBggqhkjOPQQDAjCBuDEL
|
||||||
|
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||||
|
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
|
||||||
|
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx
|
||||||
|
NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjMwNTIw
|
||||||
|
MDU0NTUzWhcNMjQwNTE5MDU0NTUzWjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn
|
||||||
|
aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7ejFw5rtFOY3a0x1+i
|
||||||
|
tMFS2p7UJMrZ1IqXlViYfr7LVMj0K20RAWo9ppsegpIfvC+Ksu2+ghZIyu5KD9t6
|
||||||
|
XvajgfcwgfQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
|
||||||
|
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB663RX5DMarQTUbtWE2RS7
|
||||||
|
ll/r8OuJkGw3kQSmm7PFpTArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein
|
||||||
|
rxH6ffLRUHz+cF972jBdBgNVHREEVjBUghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIW
|
||||||
|
c2VydmVyLmJhZFJlZ2lvbi5ub21hZIITc2VydmVyLmdsb2JhbC5ub21hZIIJbG9j
|
||||||
|
YWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIQDqHUtOtFW/GSCKG8ZGrPGD
|
||||||
|
Z0TqbqgP8PQglqKMJ3ldtgIgJ1LFcDiv1slRcvCRB4OSZZRtMmgrK1+n7s1b/0JN
|
||||||
|
01s=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,16 +0,0 @@
|
||||||
{
|
|
||||||
"CN": "bad.nomad.hashicorp",
|
|
||||||
"key": {
|
|
||||||
"algo": "ecdsa",
|
|
||||||
"size": 256
|
|
||||||
},
|
|
||||||
"names": [
|
|
||||||
{
|
|
||||||
"C": "US",
|
|
||||||
"L": "San Francisco",
|
|
||||||
"O": "HashiCorp",
|
|
||||||
"OU": "Nomad",
|
|
||||||
"ST": "California"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEIM9NSxYeRvnFLx/z6iLN3eJw+hgW2GOf4YDxOWwNxFuKoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAEjGPxvMgyhwrYxM6Y7MWdgELE33ut7aXbGO8p+IFlfQUy3q/0OK3p
|
|
||||||
Fjmpqh1XApvOXo7Z3YjdpO3M2aMOSi6BRg==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -1,9 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
MIIBNzCB3gIBADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
|
|
||||||
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD
|
|
||||||
VQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMGByqG
|
|
||||||
SM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjvKfiB
|
|
||||||
ZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUagADAKBggqhkjOPQQD
|
|
||||||
AgNIADBFAiEA4IyK8liUiVVaCSmP3BqJpkEPCEiJ3bph7mN2Urrlb7ICIBu1q1Xa
|
|
||||||
kJunzBkREZcmpwVp2IUlTFaQvvy7eeRL4obB
|
|
||||||
-----END CERTIFICATE REQUEST-----
|
|
|
@ -1,14 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICOzCCAeKgAwIBAgIUeXTO3L4oiO38Y33Opu8YrQj9HlYwCgYIKoZIzj0EAwIw
|
|
||||||
fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
|
||||||
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
|
|
||||||
HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwHhcNMjEwODEzMDg1MjAwWhcN
|
|
||||||
MjYwODEyMDg1MjAwWjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
|
|
||||||
YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4w
|
|
||||||
DAYDVQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMG
|
|
||||||
ByqGSM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjv
|
|
||||||
KfiBZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUajQjBAMA4GA1Ud
|
|
||||||
DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRybjwTW9incERj
|
|
||||||
Y/Bw7E9iVcdhPDAKBggqhkjOPQQDAgNHADBEAiAkv5FG1AF8VVeytFSsqelinpB2
|
|
||||||
ETojhNxgm95bFKIqpAIgfhFdNVes9XJflthIJo9mSWsH2ht0CXwcwMuGxNLgy1E=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,14 +0,0 @@
|
||||||
{
|
|
||||||
"signing": {
|
|
||||||
"default": {
|
|
||||||
"expiry": "876000h",
|
|
||||||
"usages": [
|
|
||||||
"signing",
|
|
||||||
"key encipherment",
|
|
||||||
"server auth",
|
|
||||||
"client auth"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
{
|
|
||||||
"CN": "nomad.hashicorp",
|
|
||||||
"key": {
|
|
||||||
"algo": "ecdsa",
|
|
||||||
"size": 256
|
|
||||||
},
|
|
||||||
"names": [
|
|
||||||
{
|
|
||||||
"C": "US",
|
|
||||||
"L": "San Francisco",
|
|
||||||
"O": "HashiCorp",
|
|
||||||
"OU": "Nomad",
|
|
||||||
"ST": "California"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEIM3rBHk5t/VtMgspx2/amPd2/LcaLdXr3FjRac3OrFCaoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5X8auQEnV
|
|
||||||
rnCeVomK8sY3B2XAVitL6KIpcNuIkYD7ug==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -1,15 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICNTCCAZagAwIBAgIRANjgoh5iVZI26+Hz/K65G0UwCgYIKoZIzj0EAwQwNjEb
|
|
||||||
MBkGA1UEChMSSGFzaGlDb3JwIFRyYWluaW5nMRcwFQYDVQQDEw5zZXJ2aWNlLmNv
|
|
||||||
bnN1bDAeFw0xODA4MjMxNzM0NTBaFw0xODA5MjIxNzM0NTBaMDYxGzAZBgNVBAoT
|
|
||||||
Ekhhc2hpQ29ycCBUcmFpbmluZzEXMBUGA1UEAxMOc2VydmljZS5jb25zdWwwgZsw
|
|
||||||
EAYHKoZIzj0CAQYFK4EEACMDgYYABAGjC4sWsOfirS/DQ9/e7PdQeJwlOjziiOx/
|
|
||||||
CALjS6ryEDkZPqRqMuoFXfudAmfdk6tl8AT1IKMVcgiQU5jkm7fliwFIk48uh+n2
|
|
||||||
obqZjwDyM76VYBVSYi6i3BPXown1ivIMJNQS1txnWZLZHsv+WxbHydS+GNOAwKDK
|
|
||||||
KsXj9dEhd36pvaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w
|
|
||||||
HQYDVR0OBBYEFIk3oG2hu0FxueW4e7fL+FdMOquBMAoGCCqGSM49BAMEA4GMADCB
|
|
||||||
iAJCAPIPwPyk+8Ymj7Zlvb5qIUQg+UxoacAeJtFZrJ8xQjro0YjsM33O86rAfw+x
|
|
||||||
sWWGul4Ews93KFBXvhbKCwb0F0PhAkIAh2z7COsKcQzvBoIy+Kx92+9j/sUjlzzl
|
|
||||||
TttDu+g2VdbcBwVDZ49X2Md6OY2N3G8Irdlj+n+mCQJaHwVt52DRzz0=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
MIIBNDCB2gIBADB4MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
|
|
||||||
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD
|
|
||||||
VQQLEwVOb21hZDEYMBYGA1UEAxMPbm9tYWQuaGFzaGljb3JwMFkwEwYHKoZIzj0C
|
|
||||||
AQYIKoZIzj0DAQcDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5
|
|
||||||
X8auQEnVrnCeVomK8sY3B2XAVitL6KIpcNuIkYD7uqAAMAoGCCqGSM49BAMCA0kA
|
|
||||||
MEYCIQCmPOKtb8kE6Qof97bu1R3qdi1Q6K5MsxMm4weGGNaKswIhAIibKtTD7xsa
|
|
||||||
/4vLSZJPdCZTmpllsMHS7dQxnkTzFh/9
|
|
||||||
-----END CERTIFICATE REQUEST-----
|
|
|
@ -1,14 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICNDCCAdqgAwIBAgIUMOrtAaeiKw9TR7Rq6KI+V2liZZIwCgYIKoZIzj0EAwIw
|
|
||||||
eDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
|
||||||
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
|
|
||||||
GDAWBgNVBAMTD25vbWFkLmhhc2hpY29ycDAeFw0yMTA4MTMwODQ2MDBaFw0yNjA4
|
|
||||||
MTIwODQ2MDBaMHgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
|
|
||||||
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAxDjAMBgNV
|
|
||||||
BAsTBU5vbWFkMRgwFgYDVQQDEw9ub21hZC5oYXNoaWNvcnAwWTATBgcqhkjOPQIB
|
|
||||||
BggqhkjOPQMBBwNCAAQEIik42wWpAx/U/gl/lfbebD3BAEisV+v3TR9NFeB7ZHlf
|
|
||||||
xq5ASdWucJ5WiYryxjcHZcBWK0vooilw24iRgPu6o0IwQDAOBgNVHQ8BAf8EBAMC
|
|
||||||
AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUomQ0rTTqNWz95h/jDTSNyJCP
|
|
||||||
YwQwCgYIKoZIzj0EAwIDSAAwRQIhAK6StWS84EMx8G73jr66l9L8GQVer2UcpPgy
|
|
||||||
7wlFD5kQAiA0kjySsH3FzLnqrrUS7f4BrzBv+TDBvVbLFlc41bpTQQ==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,13 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICATCCAaigAwIBAgIUdyw+oCYCUUrIQ68hGVJVRRCxnjMwCgYIKoZIzj0EAwIw
|
|
||||||
XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
|
|
||||||
c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
|
|
||||||
MB4XDTE4MDkwNTIzNTQwMFoXDTIzMDkwNDIzNTQwMFowXzELMAkGA1UEBhMCVVMx
|
|
||||||
CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
|
|
||||||
b21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFkMFkwEwYHKoZIzj0CAQYI
|
|
||||||
KoZIzj0DAQcDQgAE6kWmOEIfGJZSh2VHYHuCli+W+dXJOoPN7F01k+bqLcxxuYaS
|
|
||||||
6ZOT3+J1t7s3zCoF61/m4ITLm/i1GFGcnfzQg6NCMEAwDgYDVR0PAQH/BAQDAgEG
|
|
||||||
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCEqBD2o3StC6qePPy6WaDknOPh2
|
|
||||||
MAoGCCqGSM49BAMCA0cAMEQCIFab4iZ4Of3lBztV8PMzorBCBiUDDaqVswACVMhI
|
|
||||||
xqltAiA/O7LcVvvVYmtcF27NSQLPhh1ibtRjKnTZviBGzwkV3w==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEICWrWIE3q8UlYau6xKhLz43CO9wg36fxG4Qcy+kBItdeoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAEvei5KnuNBvuhGrELae9FL61aJeVvXw0iP0j1XpNvOaYhfMMvq9fY
|
|
||||||
1q4fVN92D1HQN6FsfLNl/YCvdF+sT4qxnQ==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIMNiNYgDT0xord/mxPdyNNb5MoQ4L8qXMKysxevqDoePoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAEozWvKqFPwy8h/q4HX16eQvLY2WzcSrvX6gZlMTl0P3L/HOrk33jk
|
||||||
|
eqC+GaSpChuhWZYLRbwacqhifsCDyq+XqQ==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,17 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICnzCCAkagAwIBAgIRANXm75GYbZfpnSAEkdvr+GEwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
|
||||||
|
MjE3NTMzOFoXDTI0MDUwMTE3NTMzOFowHjEcMBoGA1UEAxMTY2xpZW50Lmdsb2Jh
|
||||||
|
bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKM1ryqhT8MvIf6uB19e
|
||||||
|
nkLy2Nls3Eq71+oGZTE5dD9y/xzq5N945HqgvhmkqQoboVmWC0W8GnKoYn7Ag8qv
|
||||||
|
l6mjgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
|
||||||
|
BgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAsSQfoSE6Za82gpdlV2awz
|
||||||
|
Ezkx5X59vYVvj57vTaqFWjArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA
|
||||||
|
x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNjbGllbnQuZ2xvYmFsLm5vbWFkggls
|
||||||
|
b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgaPwQrg4A2eOFUG6Avfuz
|
||||||
|
EoWdGHSPk3K50jCemtWb/NsCIAQ+NIiGiQFqnhdXGxwhzAFwCNFaRDIizsSm4sr0
|
||||||
|
NgQn
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,15 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICSTCCAe+gAwIBAgIUZ+VBej1K6fCm2QSvnyRCIBw1e1cwCgYIKoZIzj0EAwIw
|
|
||||||
XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
|
|
||||||
c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
|
|
||||||
MB4XDTE4MDkwNTIzNTQwMFoXDTI4MDkwMjIzNTQwMFowRzELMAkGA1UEBhMCVVMx
|
|
||||||
CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
|
|
||||||
b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvei5KnuNBvuhGrEL
|
|
||||||
ae9FL61aJeVvXw0iP0j1XpNvOaYhfMMvq9fY1q4fVN92D1HQN6FsfLNl/YCvdF+s
|
|
||||||
T4qxnaOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
|
|
||||||
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBnFzsZ4hOacg/zVkrVT
|
|
||||||
ChnNTWKTMB8GA1UdIwQYMBaAFCEqBD2o3StC6qePPy6WaDknOPh2MB4GA1UdEQQX
|
|
||||||
MBWCE2NsaWVudC5nbG9iYWwubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIhAMjzKDvs
|
|
||||||
QPw2OX2GXVUABt7czuaP6ZvJhHXkedRkSoNYAiAuYaS0VxaCdSxSXX96FR03Lcaa
|
|
||||||
FbRG9S396qK/HSlhcA==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEINcyDkLfcVur3bsEvdesW2oUbRMFAyVWyvxAYsNVeSNgoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAENcwnm0Z/yFL/hb0xUXu4E7fKebTnt/AWQPyeJtDBGa9NAqw8yCOH
|
|
||||||
XP8GGSomLgGAvrUj/ZOMgenFNSsUhEJKSA==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIKkGG3r4oVoWObbU6m1kMf/vwengkstOdNf9LIkcwlI8oAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAExUEFNlC2277Vl+4gLCLAERa0DPDihUic8FoeWiaSJA7HzBjJE3ue
|
||||||
|
8+RbfEs3nHJ61uTNEOzsdh0arFMZqz215g==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,17 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICoTCCAkagAwIBAgIRAOgA+9t9J70U/cv8Wx0kGyMwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
|
||||||
|
MjE3NTM0M1oXDTI0MDUwMTE3NTM0M1owHjEcMBoGA1UEAxMTc2VydmVyLmdsb2Jh
|
||||||
|
bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMVBBTZQttu+1ZfuICwi
|
||||||
|
wBEWtAzw4oVInPBaHlomkiQOx8wYyRN7nvPkW3xLN5xyetbkzRDs7HYdGqxTGas9
|
||||||
|
teajgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
|
||||||
|
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBthynn3utQfFpsGsUVNd83
|
||||||
|
Q075xOyeLlJd7vNJKUckcTArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA
|
||||||
|
x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkggls
|
||||||
|
b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAKUl2wTU4GlXH7iBjFax
|
||||||
|
hVBW16jTDAtkVLmWTUMsh5ZiAiEA9NYSCyTTFLx2C5a5D2OavzkzcIlxQfxyjAbo
|
||||||
|
PZ8/00U=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,15 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICSjCCAe+gAwIBAgIUN/zxE9m1ROiJGALka29tm1ThVDUwCgYIKoZIzj0EAwIw
|
|
||||||
XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
|
|
||||||
c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
|
|
||||||
MB4XDTE4MDkwNTIzNTQwMFoXDTI4MDkwMjIzNTQwMFowRzELMAkGA1UEBhMCVVMx
|
|
||||||
CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
|
|
||||||
b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENcwnm0Z/yFL/hb0x
|
|
||||||
UXu4E7fKebTnt/AWQPyeJtDBGa9NAqw8yCOHXP8GGSomLgGAvrUj/ZOMgenFNSsU
|
|
||||||
hEJKSKOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
|
|
||||||
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHAAhBdKRVqlgjVWEa5V
|
|
||||||
vyrSwl13MB8GA1UdIwQYMBaAFCEqBD2o3StC6qePPy6WaDknOPh2MB4GA1UdEQQX
|
|
||||||
MBWCE3NlcnZlci5nbG9iYWwubm9tYWQwCgYIKoZIzj0EAwIDSQAwRgIhAOsmkXXS
|
|
||||||
mIVm+zEki3IapO+yD9Te6YA6jmmCszEiWYPbAiEA5irkdcc/27jL3i+Woc38kCxa
|
|
||||||
Den1x+p62mD/LV+76oI=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIJzq2OYwVRT7HC3g4Lab3c//8w/hO+/4+KbodUMa+3DNoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAE9qb3BfDs0ZooB/J1KIKqwgh8xFmB1moyFNqU8Q5ZwVm0dwsBcf7U
|
||||||
|
Ayn32XCBJ9jFTuIZmZy5n33efM22C9JApA==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC6zCCApKgAwIBAgIRAMUnaddCxpcrFtOZu4J6gFAwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
|
||||||
|
MjE3NTMwNFoXDTI4MDQzMDE3NTMwNFowgbgxCzAJBgNVBAYTAlVTMQswCQYDVQQI
|
||||||
|
EwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEaMBgGA1UECRMRMTAxIFNlY29u
|
||||||
|
ZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcwFQYDVQQKEw5IYXNoaUNvcnAgSW5j
|
||||||
|
LjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0EgMjYyMDYyNTYxNDU0ODQwNzAxMDY0
|
||||||
|
NDc1OTg0MjIzMzE0NTQyNjcyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9qb3
|
||||||
|
BfDs0ZooB/J1KIKqwgh8xFmB1moyFNqU8Q5ZwVm0dwsBcf7UAyn32XCBJ9jFTuIZ
|
||||||
|
mZy5n33efM22C9JApKN7MHkwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB
|
||||||
|
Af8wKQYDVR0OBCIEIDVSNgVCiLhcb7DNl8fNlceCmoDHeNrYzpWdMHHtwcQcMCsG
|
||||||
|
A1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDHeNrYzpWdMHHtwcQcMAoGCCqG
|
||||||
|
SM49BAMCA0cAMEQCIFfKD/8Ek2yfvciuOEr0DB7OiHuRCFiC38B1I6W4AErwAiAa
|
||||||
|
6Jexd1AfuvJA2kBcHn4GrB0u3nOvVKighqgCJ4RqJg==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,20 +0,0 @@
|
||||||
{
|
|
||||||
"CN": "regionBad.nomad",
|
|
||||||
"hosts": [
|
|
||||||
"server.regionBad.nomad",
|
|
||||||
"client.regionBad.nomad"
|
|
||||||
],
|
|
||||||
"key": {
|
|
||||||
"algo": "ecdsa",
|
|
||||||
"size": 256
|
|
||||||
},
|
|
||||||
"names": [
|
|
||||||
{
|
|
||||||
"C": "US",
|
|
||||||
"L": "San Francisco",
|
|
||||||
"O": "HashiCorp",
|
|
||||||
"OU": "Nomad",
|
|
||||||
"ST": "California"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEIIdLbfRt+KZFZrn6BsaCmi/8n3+gzqDgU2KYEc3bs/YLoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAE5EO2FyHkS9sgGpNwnXg22Lnolp1WwyChw+ONMGyG3i9GKQp7m39D
|
|
||||||
1TaarEHl1d1Xt/SH+nFObPuIk3rHZcZ3JA==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
MIIBgDCCASYCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
|
||||||
FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG
|
|
||||||
A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkJhZC5ub21hZDBZMBMGByqGSM49
|
|
||||||
AgEGCCqGSM49AwEHA0IABORDthch5EvbIBqTcJ14Nti56JadVsMgocPjjTBsht4v
|
|
||||||
RikKe5t/Q9U2mqxB5dXdV7f0h/pxTmz7iJN6x2XGdySgTDBKBgkqhkiG9w0BCQ4x
|
|
||||||
PTA7MDkGA1UdEQQyMDCCFnNlcnZlci5yZWdpb25CYWQubm9tYWSCFmNsaWVudC5y
|
|
||||||
ZWdpb25CYWQubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIhAKnj9VZmqXp8kZ7akGpz
|
|
||||||
yP04Gyz5b6JnSDalkaaUekdBAiAAqqna5G8NLoQDQ5Kj8uLm5FyTuhE7eDHN1Xiz
|
|
||||||
PBWAaQ==
|
|
||||||
-----END CERTIFICATE REQUEST-----
|
|
|
@ -1,17 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICtTCCAlqgAwIBAgIUBXPfd1hp+fQszuZVdTyZZh0KoAUwCgYIKoZIzj0EAwIw
|
|
||||||
fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
|
||||||
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
|
|
||||||
HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwIBcNMjEwODEzMDg1ODAwWhgP
|
|
||||||
MjEyMTA3MjAwODU4MDBaMHgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
|
|
||||||
bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAx
|
|
||||||
DjAMBgNVBAsTBU5vbWFkMRgwFgYDVQQDEw9yZWdpb25CYWQubm9tYWQwWTATBgcq
|
|
||||||
hkjOPQIBBggqhkjOPQMBBwNCAATkQ7YXIeRL2yAak3CdeDbYueiWnVbDIKHD440w
|
|
||||||
bIbeL0YpCnubf0PVNpqsQeXV3Ve39If6cU5s+4iTesdlxncko4G7MIG4MA4GA1Ud
|
|
||||||
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
|
|
||||||
AQH/BAIwADAdBgNVHQ4EFgQU16VwMPbF5dy1XF9mSokSVhH7DTEwHwYDVR0jBBgw
|
|
||||||
FoAUcm48E1vYp3BEY2PwcOxPYlXHYTwwOQYDVR0RBDIwMIIWc2VydmVyLnJlZ2lv
|
|
||||||
bkJhZC5ub21hZIIWY2xpZW50LnJlZ2lvbkJhZC5ub21hZDAKBggqhkjOPQQDAgNJ
|
|
||||||
ADBGAiEA6d+gBYWuAiOUU/wWXAoiSBgeNM0JXA82idFaVRVm7TYCIQDrX6O783ZM
|
|
||||||
FG0XIRoriOWNq9ysmP8D73KrMHkJtTRSTg==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEIBxaGxJxJXnAXVmb8E3ALsWqva9F01R0cr/1Ap75YyeAoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8qR01AEVGjYrAjk/ns
|
|
||||||
qaq7P9y/w4k9TvhWaq9/L6id468a0/VWCw==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -1,15 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICWTCCAgCgAwIBAgIQOW7/CDB2IhlMyfh16erD/jAKBggqhkjOPQQDAjB4MQsw
|
|
||||||
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
|
|
||||||
YW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYDVQQLEwVOb21hZDEYMBYG
|
|
||||||
A1UEAxMPbm9tYWQuaGFzaGljb3JwMCAXDTIyMTEyOTE5MjY0MloYDzIxMjIxMTA1
|
|
||||||
MTkyNjQyWjAhMR8wHQYDVQQDExZjbGllbnQucmVnaW9uRm9vLm5vbWFkMFkwEwYH
|
|
||||||
KoZIzj0CAQYIKoZIzj0DAQcDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8q
|
|
||||||
R01AEVGjYrAjk/nsqaq7P9y/w4k9TvhWaq9/L6id468a0/VWC6OBwDCBvTAOBgNV
|
|
||||||
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1Ud
|
|
||||||
EwEB/wQCMAAwKQYDVR0OBCIEII1J2DmAAcPAaNLFlxFpdBzjhRFRd9E9fedoz9I8
|
|
||||||
vHPPMB8GA1UdIwQYMBaAFKJkNK006jVs/eYf4w00jciQj2MEMDIGA1UdEQQrMCmC
|
|
||||||
FmNsaWVudC5yZWdpb25Gb28ubm9tYWSCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO
|
|
||||||
PQQDAgNHADBEAiAXzlb98iqyXvtlkThR13ojgjwjP25JBysDKf4vnXjQuwIgFpkB
|
|
||||||
0B7bPy5VNIAVsw6n5ocvsB7w0rgBPJyS3I2YCi0=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,20 +0,0 @@
|
||||||
{
|
|
||||||
"CN": "regionFoo.nomad",
|
|
||||||
"hosts": [
|
|
||||||
"server.regionFoo.nomad",
|
|
||||||
"client.regionFoo.nomad"
|
|
||||||
],
|
|
||||||
"key": {
|
|
||||||
"algo": "ecdsa",
|
|
||||||
"size": 256
|
|
||||||
},
|
|
||||||
"names": [
|
|
||||||
{
|
|
||||||
"C": "US",
|
|
||||||
"L": "San Francisco",
|
|
||||||
"O": "HashiCorp",
|
|
||||||
"OU": "Nomad",
|
|
||||||
"ST": "California"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
-----BEGIN EC PRIVATE KEY-----
|
|
||||||
MHcCAQEEIH2tGBcTtZ43pPNsyLcO44eBOcp8Bevnf2kCcZeLhpzAoAoGCCqGSM49
|
|
||||||
AwEHoUQDQgAECXq2d0JCbbmFAMnQ8rBj7nYa47NxiluAi3ybk7sxh8LWpYU3Rsdh
|
|
||||||
P71yaSkAYkMhNcBDjuacjH4A00bMVA1L6Q==
|
|
||||||
-----END EC PRIVATE KEY-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
MIIBgDCCASYCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
|
||||||
FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG
|
|
||||||
A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkZvby5ub21hZDBZMBMGByqGSM49
|
|
||||||
AgEGCCqGSM49AwEHA0IABAl6tndCQm25hQDJ0PKwY+52GuOzcYpbgIt8m5O7MYfC
|
|
||||||
1qWFN0bHYT+9cmkpAGJDITXAQ47mnIx+ANNGzFQNS+mgTDBKBgkqhkiG9w0BCQ4x
|
|
||||||
PTA7MDkGA1UdEQQyMDCCFnNlcnZlci5yZWdpb25Gb28ubm9tYWSCFmNsaWVudC5y
|
|
||||||
ZWdpb25Gb28ubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIgFeVjmQ2F+uBGlox+mBBb
|
|
||||||
PlIjygPhplQjHXC3ap8FsAMCIQDa2Y8K1o8uLrKfdptePbx7WguXEslmbDg9szce
|
|
||||||
wXq+Rg==
|
|
||||||
-----END CERTIFICATE REQUEST-----
|
|
|
@ -1,17 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICsDCCAlagAwIBAgIUE+pHx/F3dQUcTwu3G6be0EV8jAcwCgYIKoZIzj0EAwIw
|
|
||||||
eDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
|
||||||
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
|
|
||||||
GDAWBgNVBAMTD25vbWFkLmhhc2hpY29ycDAgFw0yMTA4MTMwODU3MDBaGA8yMTIx
|
|
||||||
MDcyMDA4NTcwMFoweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
|
|
||||||
FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG
|
|
||||||
A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkZvby5ub21hZDBZMBMGByqGSM49
|
|
||||||
AgEGCCqGSM49AwEHA0IABAl6tndCQm25hQDJ0PKwY+52GuOzcYpbgIt8m5O7MYfC
|
|
||||||
1qWFN0bHYT+9cmkpAGJDITXAQ47mnIx+ANNGzFQNS+mjgbswgbgwDgYDVR0PAQH/
|
|
||||||
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
|
|
||||||
AjAAMB0GA1UdDgQWBBRX6gUtfRUruhfd6Cu0GX37vPFYzDAfBgNVHSMEGDAWgBSi
|
|
||||||
ZDStNOo1bP3mH+MNNI3IkI9jBDA5BgNVHREEMjAwghZzZXJ2ZXIucmVnaW9uRm9v
|
|
||||||
Lm5vbWFkghZjbGllbnQucmVnaW9uRm9vLm5vbWFkMAoGCCqGSM49BAMCA0gAMEUC
|
|
||||||
IQDKQZj6D4M0T2dgzUYAv57gsGVmr/dvPr1uJ8q0fom8NwIgKN1WmRmkz810/t0D
|
|
||||||
Fqj+tcXqE3NaagnBPfBs0Eq8Om4=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIBFfKnmgGcVDrDeFyU3c0IeYrqJZrQwasXo+2dtcc4TCoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAEziQFRhmwFsRMdIKZNQF0LcIs98u2iuRwGiDO10iKqx1wVY4pbupF
|
||||||
|
77P8zclVjFfYyDFW5SCT3QtDKwJKGxT4ow==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,17 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICuzCCAmGgAwIBAgIRAOAmpejcZSrltFovtOi1nnkwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
|
||||||
|
MjE4MDA1OVoXDTI0MDUwMTE4MDA1OVowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv
|
||||||
|
bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM4kBUYZsBbETHSC
|
||||||
|
mTUBdC3CLPfLtorkcBogztdIiqsdcFWOKW7qRe+z/M3JVYxX2MgxVuUgk90LQysC
|
||||||
|
ShsU+KOjgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
|
||||||
|
BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAdSV5IX2uJQ35a6ngC
|
||||||
|
OzKGr1x2NOqMZRk8VhDMjtyxUDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
|
||||||
|
gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZjbGllbnQucmVnaW9uRm9vLm5v
|
||||||
|
bWFkghNjbGllbnQuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI
|
||||||
|
zj0EAwIDSAAwRQIhAKxhm9OUsD4DDPYueB7zsW2wyToksvv2MTDcRC2XDDAOAiBs
|
||||||
|
ZJi59bACZyp7P+bGaowrPF+PTKcuG8Vi/PpiUdnIrg==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIEifr5oheNXaez/snF4nzH4YLWZ8v5kV6+0h9yPZiglXoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAESpxIME2rOLbstfWkS6NCqwtPQDwlAI0k42WUxMHuZPaYWq9KyH73
|
||||||
|
OAT5Z1a/MT+NQFltFODh8ui9ZjIAYEFt7g==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,17 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICvDCCAmGgAwIBAgIRAM2RSbtHDbvrtarqCX0tZNYwCgYIKoZIzj0EAwIwgbgx
|
||||||
|
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||||
|
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||||
|
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
|
||||||
|
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
|
||||||
|
MjE4MjU0N1oXDTI0MDUwMTE4MjU0N1owITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv
|
||||||
|
bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEqcSDBNqzi27LX1
|
||||||
|
pEujQqsLT0A8JQCNJONllMTB7mT2mFqvSsh+9zgE+WdWvzE/jUBZbRTg4fLovWYy
|
||||||
|
AGBBbe6jgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
|
||||||
|
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBByMxUroSyPLJeid7e
|
||||||
|
8zrsfNAY1BjQ7kLpc/CE9RTFADArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
|
||||||
|
gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZzZXJ2ZXIucmVnaW9uRm9vLm5v
|
||||||
|
bWFkghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI
|
||||||
|
zj0EAwIDSQAwRgIhANrnyPFKJ4V+93cgM3/A96wxFeBuTWHr4N6p/Xnyo40vAiEA
|
||||||
|
73GJzSkzew0LophXV+mqoPcjhnNV2dJPTvMouKUhNmQ=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIO2Eo72jUx4iZid6ppygk2B8pyslwTGLr+NhrPvhplMaoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAE9Iqti3cT5EIWKK1VdlsoKwKv67eRcIWuxzPaEjG1tfKV9kWMnPx2
|
||||||
|
1pS2XqL72QdFVjXgajomqXOrfDawtO/kAQ==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,22 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDITCCAsegAwIBAgIQaG4+rrdqZeTWIqnbLbBqKTAKBggqhkjOPQQDAjCBuDEL
|
||||||
|
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||||
|
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
|
||||||
|
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx
|
||||||
|
Mzg4MTIxMzU1Njc5MzAxNjk4MjExODMxMTM4MTI4NDk0ODYzNzcwHhcNMjMwNTIw
|
||||||
|
MDYwNjE1WhcNMjgwNTE4MDYwNjE1WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
|
||||||
|
AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
|
||||||
|
IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
|
||||||
|
MT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAxMzg4MTIxMzU1Njc5MzAxNjk4MjEx
|
||||||
|
ODMxMTM4MTI4NDk0ODYzNzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT0iq2L
|
||||||
|
dxPkQhYorVV2WygrAq/rt5Fwha7HM9oSMbW18pX2RYyc/HbWlLZeovvZB0VWNeBq
|
||||||
|
Oiapc6t8NrC07+QBo4GwMIGtMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD
|
||||||
|
AQH/MCkGA1UdDgQiBCAAKucq/HIgPpQtrO7PUat83n1eyoZRzeMG2f/kdqYzljAr
|
||||||
|
BgNVHSMEJDAigCAAKucq/HIgPpQtrO7PUat83n1eyoZRzeMG2f/kdqYzljAyBgNV
|
||||||
|
HR4BAf8EKDAmoCQwDIIKd2hpdGVzcGFjZTALgglsb2NhbGhvc3QwB4IFbm9tYWQw
|
||||||
|
CgYIKoZIzj0EAwIDSAAwRQIhANB+qjXAK6pXL6o2u9v+5I3vnJdKpniIBKYH2s1f
|
||||||
|
AXTLAiBDzIRmMexCtC6wX0Q1oxnbbmHE09ESl7oDiBECz4G7aQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -34,13 +34,13 @@ func TestAuthenticate_mTLS(t *testing.T) {
|
||||||
EnableHTTP: true,
|
EnableHTTP: true,
|
||||||
EnableRPC: true,
|
EnableRPC: true,
|
||||||
VerifyServerHostname: true,
|
VerifyServerHostname: true,
|
||||||
CAFile: "../helper/tlsutil/testdata/ca.pem",
|
CAFile: "../helper/tlsutil/testdata/nomad-agent-ca.pem",
|
||||||
CertFile: "../helper/tlsutil/testdata/nomad-foo.pem",
|
CertFile: "../helper/tlsutil/testdata/regionFoo-server-nomad.pem",
|
||||||
KeyFile: "../helper/tlsutil/testdata/nomad-foo-key.pem",
|
KeyFile: "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem",
|
||||||
}
|
}
|
||||||
clientTLSCfg := tlsCfg.Copy()
|
clientTLSCfg := tlsCfg.Copy()
|
||||||
clientTLSCfg.CertFile = "../helper/tlsutil/testdata/nomad-foo-client.pem"
|
clientTLSCfg.CertFile = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/nomad-foo-client-key.pem"
|
clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
|
|
||||||
setCfg := func(name string, bootstrapExpect int) func(*Config) {
|
setCfg := func(name string, bootstrapExpect int) func(*Config) {
|
||||||
return func(c *Config) {
|
return func(c *Config) {
|
||||||
|
@ -178,7 +178,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "from peer to leader without token", // ex. Eval.Dequeue
|
name: "from peer to leader without token", // ex. Eval.Dequeue
|
||||||
tlsCfg: tlsCfg,
|
tlsCfg: tlsCfg,
|
||||||
expectTLSName: "regionFoo.nomad",
|
expectTLSName: "server.regionFoo.nomad",
|
||||||
expectAccessor: "anonymous",
|
expectAccessor: "anonymous",
|
||||||
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
||||||
sendFromPeer: follower,
|
sendFromPeer: follower,
|
||||||
|
@ -190,7 +190,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
|
||||||
name: "anonymous forwarded from peer to leader",
|
name: "anonymous forwarded from peer to leader",
|
||||||
tlsCfg: tlsCfg,
|
tlsCfg: tlsCfg,
|
||||||
expectAccessor: "anonymous",
|
expectAccessor: "anonymous",
|
||||||
expectTLSName: "regionFoo.nomad",
|
expectTLSName: "server.regionFoo.nomad",
|
||||||
expectIP: "127.0.0.1",
|
expectIP: "127.0.0.1",
|
||||||
expectIDKey: "token:anonymous",
|
expectIDKey: "token:anonymous",
|
||||||
},
|
},
|
||||||
|
@ -198,16 +198,16 @@ func TestAuthenticate_mTLS(t *testing.T) {
|
||||||
name: "invalid token",
|
name: "invalid token",
|
||||||
tlsCfg: clientTLSCfg,
|
tlsCfg: clientTLSCfg,
|
||||||
testToken: uuid.Generate(),
|
testToken: uuid.Generate(),
|
||||||
expectTLSName: "regionFoo.nomad",
|
expectTLSName: "server.regionFoo.nomad",
|
||||||
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
||||||
expectIDKey: "regionFoo.nomad:127.0.0.1",
|
expectIDKey: "server.regionFoo.nomad:127.0.0.1",
|
||||||
expectErr: "rpc error: Permission denied",
|
expectErr: "rpc error: Permission denied",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "from peer to leader with leader ACL", // ex. core job GC
|
name: "from peer to leader with leader ACL", // ex. core job GC
|
||||||
tlsCfg: tlsCfg,
|
tlsCfg: tlsCfg,
|
||||||
testToken: leader.getLeaderAcl(),
|
testToken: leader.getLeaderAcl(),
|
||||||
expectTLSName: "regionFoo.nomad",
|
expectTLSName: "server.regionFoo.nomad",
|
||||||
expectAccessor: "leader",
|
expectAccessor: "leader",
|
||||||
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
||||||
sendFromPeer: follower,
|
sendFromPeer: follower,
|
||||||
|
@ -224,7 +224,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
|
||||||
name: "from client missing secret", // ex. Node.Register
|
name: "from client missing secret", // ex. Node.Register
|
||||||
tlsCfg: clientTLSCfg,
|
tlsCfg: clientTLSCfg,
|
||||||
expectAccessor: "anonymous",
|
expectAccessor: "anonymous",
|
||||||
expectTLSName: "regionFoo.nomad",
|
expectTLSName: "server.regionFoo.nomad",
|
||||||
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
expectIP: follower.GetConfig().RPCAddr.IP.String(),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -223,9 +223,9 @@ func TestRPC_PlaintextRPCSucceedsWhenInUpgradeMode(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
|
||||||
|
@ -265,9 +265,9 @@ func TestRPC_PlaintextRPCFailsWhenNotInUpgradeMode(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
|
||||||
|
@ -331,9 +331,9 @@ func TestRPC_streamingRpcConn_badMethod_TLS(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
s1, cleanupS1 := TestServer(t, func(c *Config) {
|
s1, cleanupS1 := TestServer(t, func(c *Config) {
|
||||||
|
@ -441,9 +441,9 @@ func TestRPC_streamingRpcConn_goodMethod_TLS(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
s1, cleanupS1 := TestServer(t, func(c *Config) {
|
s1, cleanupS1 := TestServer(t, func(c *Config) {
|
||||||
|
@ -579,9 +579,9 @@ func TestRPC_TLS_in_TLS(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
s, cleanup := TestServer(t, func(c *Config) {
|
s, cleanup := TestServer(t, func(c *Config) {
|
||||||
|
@ -639,9 +639,9 @@ func TestRPC_Limits_OK(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
maxConns = 10 // limit must be < this for testing
|
maxConns = 10 // limit must be < this for testing
|
||||||
)
|
)
|
||||||
|
|
||||||
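Review bot: The constants keep the names `foocert`/`fookey` while the files they now point at encode a certificate role, and that role differs between tests in this file: TestRPC_PlaintextRPCSucceedsWhenInUpgradeMode, TestRPC_PlaintextRPCFailsWhenNotInUpgradeMode, TestRPC_TLS_in_TLS and TestRPC_Limits_OK load `regionFoo-client-nomad.pem`, whereas both TestRPC_streamingRpcConn_* tests load `regionFoo-server-nomad.pem`. Because the same change makes the mTLS hostname check expect the `server.regionFoo.nomad` SAN, a reader cannot tell from the constant name whether a test deliberately hands an agent a client certificate or whether the pick was arbitrary; the TestServer_* hunks that follow show the same mix (TestServer_RPC_TLS and TestServer_RPC_MixedTLS use server certs, the TestServer_Reload_* tests use client certs). Consider naming the constants after the role, e.g. `servercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"` / `serverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"`, or adding a one-line comment above each `const (` block stating why that role is the one the test needs. The enclosing test functions start and end outside these hunks.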
|
|
|
@ -40,9 +40,9 @@ func TestServer_RPC_TLS(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
|
||||||
|
@ -105,9 +105,9 @@ func TestServer_RPC_MixedTLS(t *testing.T) {
|
||||||
ci.Parallel(t)
|
ci.Parallel(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
|
||||||
|
@ -244,9 +244,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
|
||||||
|
@ -292,9 +292,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_RPC(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
@ -338,9 +338,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_OnlyRPC(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
@ -391,9 +391,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS_OnlyRPC(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../helper/tlsutil/testdata/ca.pem"
|
cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
|
@ -446,9 +446,9 @@ func TestServer_Reload_TLSConnections_Raft(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
cafile = "../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
barcert = "../dev/tls_cluster/certs/nomad.pem"
|
barcert = "../dev/tls_cluster/certs/nomad.pem"
|
||||||
barkey = "../dev/tls_cluster/certs/nomad-key.pem"
|
barkey = "../dev/tls_cluster/certs/nomad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
|
@ -52,11 +52,11 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
|
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
const (
|
const (
|
||||||
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Assert that both mismatching certificate and key files are considered
|
// Assert that both mismatching certificate and key files are considered
|
||||||
|
@ -71,8 +71,8 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
|
|
||||||
b := &TLSConfig{
|
b := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: badcert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
isEqual, err := a.CertificateInfoIsEqual(b)
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
||||||
require.Nil(err)
|
require.Nil(err)
|
||||||
|
@ -90,7 +90,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
|
|
||||||
b := &TLSConfig{
|
b := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert2,
|
CertFile: badcert,
|
||||||
KeyFile: fookey,
|
KeyFile: fookey,
|
||||||
}
|
}
|
||||||
isEqual, err := a.CertificateInfoIsEqual(b)
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
||||||
|
@ -110,7 +110,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
b := &TLSConfig{
|
b := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: foocert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
isEqual, err := a.CertificateInfoIsEqual(b)
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
||||||
require.Nil(err)
|
require.Nil(err)
|
||||||
|
@ -124,7 +124,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
b := &TLSConfig{
|
b := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: foocert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
isEqual, err := a.CertificateInfoIsEqual(b)
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
||||||
require.Nil(err)
|
require.Nil(err)
|
||||||
|
@ -136,13 +136,13 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
||||||
a := &TLSConfig{
|
a := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: foocert,
|
CertFile: foocert,
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
|
|
||||||
b := &TLSConfig{
|
b := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
CertFile: "invalid_file",
|
CertFile: "invalid_file",
|
||||||
KeyFile: fookey2,
|
KeyFile: badkey,
|
||||||
}
|
}
|
||||||
isEqual, err := a.CertificateInfoIsEqual(b)
|
isEqual, err := a.CertificateInfoIsEqual(b)
|
||||||
require.NotNil(err)
|
require.NotNil(err)
|
||||||
|
@ -157,9 +157,9 @@ func TestTLS_CertificateInfoIsEqual_TrueWhenEqual(t *testing.T) {
|
||||||
|
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
const (
|
const (
|
||||||
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
a := &TLSConfig{
|
a := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
|
@ -183,9 +183,9 @@ func TestTLS_Copy(t *testing.T) {
|
||||||
|
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
const (
|
const (
|
||||||
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
)
|
)
|
||||||
a := &TLSConfig{
|
a := &TLSConfig{
|
||||||
CAFile: cafile,
|
CAFile: cafile,
|
||||||
|
@ -216,11 +216,11 @@ func TestTLS_GetKeyloader(t *testing.T) {
|
||||||
func TestTLS_SetChecksum(t *testing.T) {
|
func TestTLS_SetChecksum(t *testing.T) {
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
const (
|
const (
|
||||||
cafile = "../../../helper/tlsutil/testdata/ca.pem"
|
cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
|
||||||
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem"
|
foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
|
||||||
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem"
|
fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
|
||||||
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem"
|
badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
|
||||||
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem"
|
badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
|
||||||
)
|
)
|
||||||
|
|
||||||
a := &TLSConfig{
|
a := &TLSConfig{
|
||||||
|
@ -231,8 +231,8 @@ func TestTLS_SetChecksum(t *testing.T) {
|
||||||
a.SetChecksum()
|
a.SetChecksum()
|
||||||
oldChecksum := a.Checksum
|
oldChecksum := a.Checksum
|
||||||
|
|
||||||
a.CertFile = foocert2
|
a.CertFile = badcert
|
||||||
a.KeyFile = fookey2
|
a.KeyFile = badkey
|
||||||
|
|
||||||
a.SetChecksum()
|
a.SetChecksum()
|
||||||
|
|
||||||
|
|
|
@ -35,8 +35,7 @@ Usage: `nomad tls cert create [options]`
|
||||||
- `-days=<int>`: Provide number of days the certificate is valid for from now
|
- `-days=<int>`: Provide number of days the certificate is valid for from now
|
||||||
on. Defaults to 1 year.
|
on. Defaults to 1 year.
|
||||||
|
|
||||||
- `-dc=<string>`: Provide the datacenter. Matters only for `-server`
|
- `-cluster-region=<string>`: DEPRECATED please use `-region`.
|
||||||
certificates. Defaults to `dc1`.
|
|
||||||
|
|
||||||
- `-domain=<string>`: Provide the domain. Matters only for `-server`
|
- `-domain=<string>`: Provide the domain. Matters only for `-server`
|
||||||
certificates.
|
certificates.
|
||||||
|
@ -44,9 +43,7 @@ Usage: `nomad tls cert create [options]`
|
||||||
- `-key=<string>`: Provide path to the key. Defaults to
|
- `-key=<string>`: Provide path to the key. Defaults to
|
||||||
`#DOMAIN#-agent-ca-key.pem`.
|
`#DOMAIN#-agent-ca-key.pem`.
|
||||||
|
|
||||||
- `-node=<string>`: When generating a server cert and this server is set an
|
- `-region=<string>`: Provide the region. Defaults to "global".
|
||||||
additional DNS name is included of the form
|
|
||||||
`<node>.server.<datacenter>.<domain>`.
|
|
||||||
|
|
||||||
- `-server`: Generate server certificate.
|
- `-server`: Generate server certificate.
|
||||||
|
|
||||||
|
|
|
@ -34,6 +34,12 @@ called this endpoint or used this command using tokens with just the `read-job`
|
||||||
capability or the `read` policy must update their tokens to use the
|
capability or the `read` policy must update their tokens to use the
|
||||||
`submit-job` capability or the `write` policy.
|
`submit-job` capability or the `write` policy.
|
||||||
|
|
||||||
|
#### Command `nomad tls cert create` flag `-cluster-region` deprecated
|
||||||
|
|
||||||
|
Nomad 1.6.0 will deprecate the command `nomad tls cert create` flag `-cluster-region`
|
||||||
|
in favour of using the standard flag `-region`. The `-cluster-region` flag
|
||||||
|
will be removed in Nomad 1.7.0
|
||||||
|
|
||||||
## Nomad 1.5.5
|
## Nomad 1.5.5
|
||||||
|
|
||||||
Nomad 1.5.5 fixed a bug where allocations that are rescheduled for jobs
|
Nomad 1.5.5 fixed a bug where allocations that are rescheduled for jobs
|
||||||
|
|