cli: tls certs not created with correct SANs (#16959)

The `nomad tls cert` command did not create certificates with the correct SANs for
them to work with non-default domain and region names. This changeset updates the
code to support non-default domains and regions in the certificates.
Lance Haig 2023-05-22 15:31:56 +02:00 committed by GitHub
parent 2f702a9f11
commit 568da5918b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
61 changed files with 776 additions and 634 deletions

.changelog/16959.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
tls: Fixed a bug where the `nomad tls cert` command did not create certificates with the correct SANs for them to work with non default domain and region names.
```


@ -24,11 +24,11 @@ import (
// work when TLS is enabled. // work when TLS is enabled.
func TestPrevAlloc_StreamAllocDir_TLS(t *testing.T) { func TestPrevAlloc_StreamAllocDir_TLS(t *testing.T) {
const ( const (
caFn = "../helper/tlsutil/testdata/global-ca.pem" caFn = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
serverCertFn = "../helper/tlsutil/testdata/global-server.pem" serverCertFn = "../helper/tlsutil/testdata/global-server-nomad.pem"
serverKeyFn = "../helper/tlsutil/testdata/global-server-key.pem" serverKeyFn = "../helper/tlsutil/testdata/global-server-nomad-key.pem"
clientCertFn = "../helper/tlsutil/testdata/global-client.pem" clientCertFn = "../helper/tlsutil/testdata/global-client-nomad.pem"
clientKeyFn = "../helper/tlsutil/testdata/global-client-key.pem" clientKeyFn = "../helper/tlsutil/testdata/global-client-nomad-key.pem"
) )
ci.Parallel(t) ci.Parallel(t)
require := require.New(t) require := require.New(t)


@ -258,9 +258,9 @@ func TestClient_MixedTLS(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) { s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
c.TLSConfig = &nconfig.TLSConfig{ c.TLSConfig = &nconfig.TLSConfig{
@ -268,8 +268,8 @@ func TestClient_MixedTLS(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooservercert,
KeyFile: fookey, KeyFile: fooserverkey,
} }
}) })
defer cleanupS1() defer cleanupS1()
@ -306,12 +306,12 @@ func TestClient_BadTLS(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
badca = "../helper/tlsutil/testdata/ca-bad.pem" badca = "../helper/tlsutil/testdata/bad-agent-ca.pem"
badcert = "../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../helper/tlsutil/testdata/badRegion-client-bad.pem"
badkey = "../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
) )
s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) { s1, addr, cleanupS1 := testServer(t, func(c *nomad.Config) {
c.TLSConfig = &nconfig.TLSConfig{ c.TLSConfig = &nconfig.TLSConfig{
@ -319,8 +319,8 @@ func TestClient_BadTLS(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
} }
}) })
defer cleanupS1() defer cleanupS1()
@ -1078,9 +1078,9 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) {
testutil.WaitForLeader(t, s1.RPC) testutil.WaitForLeader(t, s1.RPC)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
c1, cleanup := TestClient(t, func(c *config.Config) { c1, cleanup := TestClient(t, func(c *config.Config) {
@ -1114,8 +1114,8 @@ func TestClient_ReloadTLS_UpgradePlaintextToTLS(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
} }
err := c1.reloadTLSConnections(newConfig) err := c1.reloadTLSConnections(newConfig)
@ -1154,9 +1154,9 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) {
testutil.WaitForLeader(t, s1.RPC) testutil.WaitForLeader(t, s1.RPC)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" fooclientcert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fooclientkey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
c1, cleanup := TestClient(t, func(c *config.Config) { c1, cleanup := TestClient(t, func(c *config.Config) {
@ -1166,8 +1166,8 @@ func TestClient_ReloadTLS_DowngradeTLSToPlaintext(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
} }
}) })
defer cleanup() defer cleanup()


@ -59,9 +59,9 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" fooservercert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fooserverkey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
s1, cleanupS1 := nomad.TestServer(t, func(c *nomad.Config) { s1, cleanupS1 := nomad.TestServer(t, func(c *nomad.Config) {
@ -72,8 +72,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooservercert,
KeyFile: fookey, KeyFile: fooserverkey,
} }
}) })
defer cleanupS1() defer cleanupS1()
@ -87,8 +87,8 @@ func TestRpc_streamingRpcConn_badEndpoint_TLS(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: fooservercert,
KeyFile: fookey, KeyFile: fooserverkey,
} }
}) })
defer cleanupC() defer cleanupC()


@ -920,11 +920,12 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
// We will start out with a bad cert and then reload with a good one. // We will start out with a bad cert and then reload with a good one.
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" badca = "../../helper/tlsutil/testdata/bad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" foocafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
agent := NewTestAgent(t, t.Name(), func(c *Config) { agent := NewTestAgent(t, t.Name(), func(c *Config) {
@ -932,9 +933,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: badca,
CertFile: foocert, CertFile: badcert,
KeyFile: fookey, KeyFile: badkey,
} }
}) })
defer agent.Shutdown() defer agent.Shutdown()
@ -952,9 +953,9 @@ func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: foocafile,
CertFile: foocert2, CertFile: fooclientcert,
KeyFile: fookey2, KeyFile: fooclientkey,
}, },
} }
@ -987,11 +988,12 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fooclientcert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fooclientkey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
agentConfig := &Config{ agentConfig := &Config{
@ -999,9 +1001,9 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: badca,
CertFile: foocert, CertFile: badcert,
KeyFile: fookey, KeyFile: badkey,
}, },
} }
@ -1016,8 +1018,8 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: fooclientcert,
KeyFile: fookey2, KeyFile: fooclientkey,
}, },
} }
@ -1036,11 +1038,11 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" badca = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
foocert2 = "invalid_cert_path" newfoocert = "invalid_cert_path"
fookey2 = "invalid_key_path" newfookey = "invalid_key_path"
) )
agentConfig := &Config{ agentConfig := &Config{
@ -1048,9 +1050,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: badca,
CertFile: foocert, CertFile: badcert,
KeyFile: fookey, KeyFile: badkey,
}, },
} }
@ -1064,9 +1066,9 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: badca,
CertFile: foocert2, CertFile: newfoocert,
KeyFile: fookey2, KeyFile: newfookey,
}, },
} }
@ -1123,9 +1125,9 @@ func TestServer_Reload_TLS_UpgradeToTLS(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
logger := testlog.HCLogger(t) logger := testlog.HCLogger(t)
@ -1164,9 +1166,9 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
logger := testlog.HCLogger(t) logger := testlog.HCLogger(t)
@ -1238,9 +1240,9 @@ func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
sameAgentConfig := &Config{ sameAgentConfig := &Config{
@ -1276,9 +1278,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyHTTPChanges(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
sameAgentConfig := &Config{ sameAgentConfig := &Config{
@ -1314,9 +1316,9 @@ func TestServer_ShouldReload_ReturnTrueForOnlyRPCChanges(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
sameAgentConfig := &Config{ sameAgentConfig := &Config{
@ -1352,11 +1354,11 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
) )
agent := NewTestAgent(t, t.Name(), func(c *Config) { agent := NewTestAgent(t, t.Name(), func(c *Config) {
@ -1377,8 +1379,8 @@ func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: badcert,
KeyFile: fookey2, KeyFile: badkey,
}, },
} }
@ -1419,8 +1421,8 @@ func TestServer_ShouldReload_ReturnTrueForFileChanges(t *testing.T) {
require.Nil(err) require.Nil(err)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
key = "../../helper/tlsutil/testdata/nomad-foo-key.pem" key = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
logger := testlog.HCLogger(t) logger := testlog.HCLogger(t)
@ -1491,11 +1493,11 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
) )
sameAgentConfig := &Config{ sameAgentConfig := &Config{
@ -1515,8 +1517,8 @@ func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) {
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: badcert,
KeyFile: fookey2, KeyFile: badkey,
} }
}) })
defer agent.Shutdown() defer agent.Shutdown()
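Review bot: In `TestServer_Reload_TLS_Certificate` the constants named `badca`, `badcert` and `badkey` now point at `nomad-agent-ca.pem` and `regionFoo-client-nomad(-key).pem`, the very same files as `cafile`, `fooclientcert` and `fooclientkey` declared directly below them, so the "reload with a new certificate" scenario reloads an identical key pair and may pass vacuously (its assertions are outside the visible hunk). The sibling `TestServer_Reload_TLS_Shared_Keyloader` keeps its starting set on `bad-agent-ca.pem` / `badRegion-client-bad.pem`; mirroring that here — `badca = "../../helper/tlsutil/testdata/bad-agent-ca.pem"`, `badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"`, `badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"` — restores a genuine before/after change. `TestServer_Reload_TLS_Certificate_Invalid` similarly pairs the good `nomad-agent-ca.pem` with the `badRegion-client-bad` key pair under the name `badca`; if that CA/certificate mismatch is the intended "invalid" starting state, a one-line comment saying so would stop the next reader from "fixing" it.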


@ -732,12 +732,12 @@ func TestParsePagination(t *testing.T) {
func TestHTTP_VerifyHTTPSClient(t *testing.T) { func TestHTTP_VerifyHTTPSClient(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
s := makeHTTPServer(t, func(c *Config) { s := makeHTTPServer(t, func(c *Config) {
c.Region = "foo" // match the region on foocert c.Region = "regionFoo" // match the region on foocert
c.TLSConfig = &config.TLSConfig{ c.TLSConfig = &config.TLSConfig{
EnableHTTP: true, EnableHTTP: true,
VerifyHTTPSClient: true, VerifyHTTPSClient: true,
@ -749,10 +749,29 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) {
}) })
defer s.Shutdown() defer s.Shutdown()
tlConf := &tls.Config{
ServerName: "client.regionFoo.nomad",
}
cacert, err := os.ReadFile(cafile)
if err != nil {
t.Fatalf("error reading cacert: %v", err)
}
tlConf.RootCAs, err = x509.SystemCertPool()
if err != nil {
t.Fatalf("error reading SystemPool: %v", err)
}
tlConf.RootCAs.AppendCertsFromPEM(cacert)
tr := &http.Transport{TLSClientConfig: tlConf}
clnt := &http.Client{Transport: tr}
reqURL := fmt.Sprintf("https://%s/v1/agent/self", s.Agent.config.AdvertiseAddrs.HTTP) reqURL := fmt.Sprintf("https://%s/v1/agent/self", s.Agent.config.AdvertiseAddrs.HTTP)
request, err := http.NewRequest("GET", reqURL, nil)
must.NoError(t, err, must.Sprintf("error creating request: %v", err))
resp, err := clnt.Do(request)
// FAIL: Requests that expect 127.0.0.1 as the name should fail // FAIL: Requests that expect 127.0.0.1 as the name should fail
resp, err := http.Get(reqURL)
if err == nil { if err == nil {
resp.Body.Close() resp.Body.Close()
t.Fatalf("expected non-nil error but received: %v", resp.StatusCode) t.Fatalf("expected non-nil error but received: %v", resp.StatusCode)
@ -767,14 +786,16 @@ func TestHTTP_VerifyHTTPSClient(t *testing.T) {
if !ok { if !ok {
t.Fatalf("expected a x509.HostnameError but received: %T -> %v", urlErr.Err, urlErr.Err) t.Fatalf("expected a x509.HostnameError but received: %T -> %v", urlErr.Err, urlErr.Err)
} }
if expected := "127.0.0.1"; hostErr.Host != expected { if expected := "client.regionFoo.nomad"; hostErr.Host != expected {
t.Fatalf("expected hostname on error to be %q but found %q", expected, hostErr.Host) t.Fatalf("expected hostname on error to be %q but found %q", expected, hostErr.Host)
} }
// FAIL: Requests that specify a valid hostname but not the CA should // FAIL: Requests that specify a valid hostname but not the CA should
// fail // fail
pool := x509.NewCertPool()
tlsConf := &tls.Config{ tlsConf := &tls.Config{
ServerName: "client.regionFoo.nomad", RootCAs: pool,
ServerName: "server.regionFoo.nomad",
} }
transport := &http.Transport{TLSClientConfig: tlsConf} transport := &http.Transport{TLSClientConfig: tlsConf}
client := &http.Client{Transport: transport} client := &http.Client{Transport: transport}
@ -860,11 +881,11 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
agentConfig := &Config{ agentConfig := &Config{
@ -872,8 +893,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
VerifyHTTPSClient: true, VerifyHTTPSClient: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: badcert,
KeyFile: fookey, KeyFile: badkey,
}, },
} }
@ -882,8 +903,8 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
VerifyHTTPSClient: true, VerifyHTTPSClient: true,
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: foocert,
KeyFile: fookey2, KeyFile: fookey,
}, },
} }
@ -933,7 +954,7 @@ func TestHTTP_VerifyHTTPSClient_AfterConfigReload(t *testing.T) {
ServerName: "client.regionFoo.nomad", ServerName: "client.regionFoo.nomad",
RootCAs: x509.NewCertPool(), RootCAs: x509.NewCertPool(),
GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
c, err := tls.LoadX509KeyPair(foocert2, fookey2) c, err := tls.LoadX509KeyPair(foocert, fookey)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -1053,9 +1074,9 @@ func TestHTTPServer_Limits_OK(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
maxConns = 10 // limit must be < this for testing maxConns = 10 // limit must be < this for testing
bufSize = 1 // enough to know if something was written bufSize = 1 // enough to know if something was written
) )
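Review bot: The first client in `TestHTTP_VerifyHTTPSClient` seeds `tlConf.RootCAs` from `x509.SystemCertPool()` before appending the test CA, which ties the test to the host's trust store (and to platforms where `SystemCertPool` succeeds) for no benefit: the request is expected to fail on the hostname mismatch against `client.regionFoo.nomad`, and the later "not the CA" check in the same function deliberately uses an empty `x509.NewCertPool()`. Replacing the `SystemCertPool` call and its error check with `tlConf.RootCAs = x509.NewCertPool()` keeps the intended failure mode while making the trust anchor explicit. The boolean returned by `AppendCertsFromPEM(cacert)` is also discarded, so a malformed CA file would not be reported where it is read; `if !tlConf.RootCAs.AppendCertsFromPEM(cacert) { t.Fatal("failed to parse CA PEM") }` closes that gap. Stylistically, the new lines mix `must.NoError` with the surrounding `t.Fatalf` checks; the function would read better with one assertion style.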


@ -139,7 +139,7 @@ func (c *TLSCACreateCommand) Run(args []string) int {
constraints := []string{} constraints := []string{}
if c.constraint { if c.constraint {
constraints = []string{c.domain, "localhost"} constraints = []string{c.domain, "localhost", "nomad"}
constraints = append(constraints, c.additionalDomain...) constraints = append(constraints, c.additionalDomain...)
} }
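Review bot: `constraints` now always carries the literal `"nomad"`, so when `-domain` is left at its default of `nomad` the permitted-DNS-domains extension lists `nomad` twice; the duplicate is harmless to verifiers but reads as a mistake to anyone auditing the CA. Guarding the extra entry — `if c.domain != "nomad" { constraints = append(constraints, "nomad") }` — avoids it, and a comment such as `// "nomad" is always permitted because nomad tls cert emits <type>.<region>.nomad SANs even for a custom -domain` records why the subtree is required at all. It is worth stating in the command's help text as well, since a CA created for a custom domain is thereby still allowed to sign any name under `.nomad`. The enclosing Run method starts and ends outside this hunk.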


@ -53,8 +53,8 @@ func TestCACreateCommand(t *testing.T) {
func(t *testing.T, cert *x509.Certificate) { func(t *testing.T, cert *x509.Certificate) {
require.Equal(t, 365*24*time.Hour, time.Until(cert.NotAfter).Round(24*time.Hour)) require.Equal(t, 365*24*time.Hour, time.Until(cert.NotAfter).Round(24*time.Hour))
require.True(t, cert.PermittedDNSDomainsCritical) require.True(t, cert.PermittedDNSDomainsCritical)
require.Len(t, cert.PermittedDNSDomains, 3) require.Len(t, cert.PermittedDNSDomains, 4)
require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"foo", "localhost", "bar"}) require.ElementsMatch(t, cert.PermittedDNSDomains, []string{"nomad", "foo", "localhost", "bar"})
}, },
}, },
{"with common-name", {"with common-name",


@ -33,19 +33,23 @@ type TLSCertCreateCommand struct {
cli bool cli bool
client bool client bool
// key is used to set the custom CA certificate key when creating
// certificates.
key string
// days is the number of days the certificate will be valid for. // days is the number of days the certificate will be valid for.
days int days int
// domain is used to provide a custom domain for the certificate.
domain string
// cluster_region is used to add the region name to the certifacte SAN // cluster_region is used to add the region name to the certifacte SAN
// records // records
cluster_region string cluster_region string
// domain is used to provide a custom domain for the certificate. // key is used to set the custom CA certificate key when creating
domain string // certificates.
key string
// cluster_region is used to add the region name to the certifacte SAN
// records
region string
server bool server bool
} }
@ -79,8 +83,7 @@ Certificate Create Options:
Generate a client certificate. Generate a client certificate.
-cluster-region -cluster-region
Provide the datacenter. Only used for -server certificates. DEPRECATED please use -region.
Defaults to "global".
-days -days
Provide number of days the certificate is valid for from now on. Provide number of days the certificate is valid for from now on.
@ -92,6 +95,10 @@ Certificate Create Options:
-key -key
Provide path to the certificate authority key. Defaults to Provide path to the certificate authority key. Defaults to
#DOMAIN#-agent-ca-key.pem. #DOMAIN#-agent-ca-key.pem.
-region
Provide the region. Only used for -server certificates.
Defaults to "global".
-server -server
Generate a server certificate. Generate a server certificate.
@ -134,10 +141,11 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "") flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "")
flagSet.BoolVar(&c.cli, "cli", false, "") flagSet.BoolVar(&c.cli, "cli", false, "")
flagSet.BoolVar(&c.client, "client", false, "") flagSet.BoolVar(&c.client, "client", false, "")
flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "") // cluster region will be deprecated in the next version
flagSet.StringVar(&c.cluster_region, "cluster-region", "", "")
flagSet.IntVar(&c.days, "days", 365, "") flagSet.IntVar(&c.days, "days", 365, "")
flagSet.StringVar(&c.cluster_region, "cluster-region", "global", "")
flagSet.StringVar(&c.domain, "domain", "nomad", "") flagSet.StringVar(&c.domain, "domain", "nomad", "")
flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "")
flagSet.BoolVar(&c.server, "server", false, "") flagSet.BoolVar(&c.server, "server", false, "")
if err := flagSet.Parse(args); err != nil { if err := flagSet.Parse(args); err != nil {
return 1 return 1
@ -165,43 +173,42 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
return 1 return 1
} }
var DNSNames []string var dnsNames []string
var IPAddresses []net.IP var ipAddresses []net.IP
var extKeyUsage []x509.ExtKeyUsage var extKeyUsage []x509.ExtKeyUsage
var name, prefix string var name, regionName, prefix string
for _, d := range c.dnsNames { for _, d := range c.dnsNames {
if len(d) > 0 { if len(d) > 0 {
DNSNames = append(DNSNames, strings.TrimSpace(d)) dnsNames = append(dnsNames, strings.TrimSpace(d))
} }
} }
for _, i := range c.ipAddresses { for _, i := range c.ipAddresses {
if len(i) > 0 { if len(i) > 0 {
IPAddresses = append(IPAddresses, net.ParseIP(strings.TrimSpace(i))) ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i)))
} }
} }
if c.server { // set region variable to prepare for deprecating cluster_region
name = fmt.Sprintf("server.%s.%s", c.cluster_region, c.domain) switch {
DNSNames = append(DNSNames, name) case c.cluster_region != "":
DNSNames = append(DNSNames, "localhost") regionName = c.cluster_region
case c.clientConfig().Region != "" && c.clientConfig().Region != "global":
regionName = c.clientConfig().Region
default:
regionName = "global"
}
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1")) // Set dnsNames and ipAddresses based on whether this is a client, server or cli
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} switch {
prefix = fmt.Sprintf("%s-server-%s", c.cluster_region, c.domain) case c.server:
ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionName, c.domain, dnsNames, ipAddresses)
} else if c.client { case c.client:
name = fmt.Sprintf("client.%s.%s", c.cluster_region, c.domain) ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionName, c.domain, dnsNames, ipAddresses)
DNSNames = append(DNSNames, []string{name, "localhost"}...) case c.cli:
IPAddresses = append(IPAddresses, net.ParseIP("127.0.0.1")) ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionName, c.domain, dnsNames, ipAddresses)
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} default:
prefix = fmt.Sprintf("%s-client-%s", c.cluster_region, c.domain)
} else if c.cli {
name = fmt.Sprintf("cli.%s.%s", c.cluster_region, c.domain)
DNSNames = []string{name, "localhost"}
prefix = fmt.Sprintf("%s-cli-%s", c.cluster_region, c.domain)
} else {
c.Ui.Error("Neither client, cli nor server - should not happen") c.Ui.Error("Neither client, cli nor server - should not happen")
return 1 return 1
} }
@ -252,10 +259,9 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
c.Ui.Error(err.Error()) c.Ui.Error(err.Error())
return 1 return 1
} }
pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{ pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer, CA: string(cert), Name: name, Days: c.days, Signer: signer, CA: string(cert), Name: name, Days: c.days,
DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage, DNSNames: dnsNames, IPAddresses: ipAddresses, ExtKeyUsage: extKeyUsage,
}) })
if err != nil { if err != nil {
c.Ui.Error(err.Error()) c.Ui.Error(err.Error())
@ -294,3 +300,37 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
return 0 return 0
} }
func recordPreparation(certType string, regionName string, domain string, dnsNames []string, ipAddresses []net.IP) ([]net.IP, []string, string, []x509.ExtKeyUsage, string) {
var (
extKeyUsage []x509.ExtKeyUsage
name, regionUrl, prefix string
)
if certType == "server" || certType == "client" {
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
ipAddresses = append(ipAddresses, net.ParseIP("127.0.0.1"))
} else if certType == "cli" {
extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
}
// prefix is used to generate the filename for the certificate before writing to disk.
prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain)
regionUrl = fmt.Sprintf("%s.%s.nomad", certType, regionName)
name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain)
if regionName != "global" && domain != "nomad" {
dnsNames = append(dnsNames, name, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
}
if regionName != "global" && domain == "nomad" {
dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
}
if regionName == "global" && domain != "nomad" {
dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.%s.%s", certType, regionName, domain), "localhost")
}
if regionName == "global" && domain == "nomad" {
dnsNames = append(dnsNames, name, "localhost")
}
return ipAddresses, dnsNames, name, extKeyUsage, prefix
}


@ -7,6 +7,7 @@ import (
"crypto/x509" "crypto/x509"
"net" "net"
"os" "os"
"strings"
"testing" "testing"
"github.com/hashicorp/nomad/testutil" "github.com/hashicorp/nomad/testutil"
@ -57,7 +58,7 @@ func TestTlsCertCreateCommand_InvalidArgs(t *testing.T) {
} }
} }
func TestTlsCertCreateCommand_fileCreate(t *testing.T) { func TestTlsCertCreateCommandDefaults_fileCreate(t *testing.T) {
testDir := t.TempDir() testDir := t.TempDir()
previousDirectory, err := os.Getwd() previousDirectory, err := os.Getwd()
require.NoError(t, err) require.NoError(t, err)
@ -97,14 +98,15 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
[]net.IP{{127, 0, 0, 1}}, []net.IP{{127, 0, 0, 1}},
"==> WARNING: Server Certificates grants authority to become a\n server and access all state in the cluster including root keys\n and all ACL tokens. Do not distribute them to production hosts\n that are not server nodes. Store them as securely as CA keys.\n", "==> WARNING: Server Certificates grants authority to become a\n server and access all state in the cluster including root keys\n and all ACL tokens. Do not distribute them to production hosts\n that are not server nodes. Store them as securely as CA keys.\n",
}, },
{"server0-region2-altdomain", {"server0-region1",
"server", "server",
[]string{"-server", "-cluster-region", "region2", "-domain", "nomad"}, []string{"-server", "-region", "region1"},
"region2-server-nomad.pem", "region1-server-nomad.pem",
"region2-server-nomad-key.pem", "region1-server-nomad-key.pem",
"server.region2.nomad", "server.region1.nomad",
[]string{ []string{
"server.region2.nomad", "server.region1.nomad",
"server.global.nomad",
"localhost", "localhost",
}, },
[]net.IP{{127, 0, 0, 1}}, []net.IP{{127, 0, 0, 1}},
@ -123,19 +125,6 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
[]net.IP{{127, 0, 0, 1}}, []net.IP{{127, 0, 0, 1}},
"", "",
}, },
{"client0-region2-altdomain",
"client",
[]string{"-client", "-cluster-region", "region2", "-domain", "nomad"},
"region2-client-nomad.pem",
"region2-client-nomad-key.pem",
"client.region2.nomad",
[]string{
"client.region2.nomad",
"localhost",
},
[]net.IP{{127, 0, 0, 1}},
"",
},
{"cli0", {"cli0",
"cli", "cli",
[]string{"-cli"}, []string{"-cli"},
@ -146,20 +135,7 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
"cli.global.nomad", "cli.global.nomad",
"localhost", "localhost",
}, },
nil, []net.IP(nil),
"",
},
{"cli0-region2-altdomain",
"cli",
[]string{"-cli", "-cluster-region", "region2", "-domain", "nomad"},
"region2-cli-nomad.pem",
"region2-cli-nomad-key.pem",
"cli.region2.nomad",
[]string{
"cli.region2.nomad",
"localhost",
},
nil,
"", "",
}, },
} }
@ -184,10 +160,12 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
cert.ExtKeyUsage) cert.ExtKeyUsage)
case "client": case "client":
require.Equal(t, require.Equal(t,
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
cert.ExtKeyUsage) cert.ExtKeyUsage)
case "cli": case "cli":
require.Len(t, cert.ExtKeyUsage, 0) require.Equal(t,
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
cert.ExtKeyUsage)
} }
require.False(t, cert.IsCA) require.False(t, cert.IsCA)
require.Equal(t, tc.expectDNS, cert.DNSNames) require.Equal(t, tc.expectDNS, cert.DNSNames)
@ -195,3 +173,156 @@ func TestTlsCertCreateCommand_fileCreate(t *testing.T) {
})) }))
} }
} }
func TestTlsRecordPreparation(t *testing.T) {
type testcase struct {
name string
certType string
regionName string
domain string
dnsNames []string
ipAddresses []string
expectedipAddresses []net.IP
expectedDNSNames []string
expectedName string
expectedextKeyUsage []x509.ExtKeyUsage
expectedPrefix string
}
// The default values are region = global and domain = nomad.
cases := []testcase{
{
name: "server0",
certType: "server",
regionName: "global",
domain: "nomad",
dnsNames: []string{},
ipAddresses: []string{},
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"server.global.nomad",
"localhost",
},
expectedName: "server.global.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "global-server-nomad",
},
{
name: "server0-region1",
certType: "server",
regionName: "region1",
domain: "nomad",
dnsNames: []string{},
ipAddresses: []string{},
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"server.region1.nomad",
"server.global.nomad",
"localhost",
},
expectedName: "server.region1.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "region1-server-nomad",
},
{
name: "server0-domain1",
certType: "server",
regionName: "global",
domain: "domain1",
dnsNames: []string{},
ipAddresses: []string{},
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"server.global.nomad",
"server.global.domain1",
"localhost",
},
expectedName: "server.global.domain1",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "global-server-domain1",
},
{
name: "server0-dns",
certType: "server",
regionName: "global",
domain: "nomad",
dnsNames: []string{"server.global.foo"},
ipAddresses: []string{},
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"server.global.foo",
"server.global.nomad",
"localhost",
},
expectedName: "server.global.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "global-server-nomad",
},
{
name: "server0-ips",
certType: "server",
regionName: "global",
domain: "nomad",
dnsNames: []string{},
ipAddresses: []string{"10.0.0.1"},
expectedipAddresses: []net.IP{net.ParseIP("10.0.0.1"), net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"server.global.nomad",
"localhost",
},
expectedName: "server.global.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "global-server-nomad",
},
{
name: "client0",
certType: "client",
regionName: "global",
domain: "nomad",
dnsNames: []string{},
ipAddresses: []string{},
expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
expectedDNSNames: []string{
"client.global.nomad",
"localhost",
},
expectedName: "client.global.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
expectedPrefix: "global-client-nomad",
},
{
name: "cli0",
certType: "cli",
regionName: "global",
domain: "nomad",
dnsNames: []string{},
ipAddresses: []string{},
expectedipAddresses: []net.IP(nil),
expectedDNSNames: []string{
"cli.global.nomad",
"localhost",
},
expectedName: "cli.global.nomad",
expectedextKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
expectedPrefix: "global-cli-nomad",
},
}
for _, tc := range cases {
tc := tc
require.True(t, t.Run(tc.name, func(t *testing.T) {
var ipAddresses []net.IP
for _, i := range tc.ipAddresses {
if len(i) > 0 {
ipAddresses = append(ipAddresses, net.ParseIP(strings.TrimSpace(i)))
}
}
ipAddresses, dnsNames, name, extKeyUsage, prefix := recordPreparation(tc.certType, tc.regionName, tc.domain, tc.dnsNames, ipAddresses)
require.Equal(t, tc.expectedipAddresses, ipAddresses)
require.Equal(t, tc.expectedDNSNames, dnsNames)
require.Equal(t, tc.expectedName, name)
require.Equal(t, tc.expectedextKeyUsage, extKeyUsage)
require.Equal(t, tc.expectedPrefix, prefix)
}))
}
}
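Review bot: TestTlsRecordPreparation never exercises the combined non-default region and non-default domain path, which is the scenario the commit sets out to fix; the cases pair region1 with the default domain and domain1 with the global region, but none pairs both. A case such as `{name: "server0-region1-domain1", certType: "server", regionName: "region1", domain: "domain1", ...}` would pin the SAN list that branch produces (from the implementation visible above: `server.region1.domain1`, `server.region1.nomad`, `server.global.nomad`, `localhost`) and catch ordering regressions. The `server0-region1` expectation also pins `server.global.nomad` into a region1 server certificate's SANs, meaning a region1 server presents a name that hostname verification accepts for the global region; if that is intended, a one-line comment on the case such as `// region servers are also issued the global server name so cross-region RPC verifies` would stop a later reader from "fixing" it.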


@ -22,11 +22,13 @@ import (
const ( const (
// See README.md for documentation // See README.md for documentation
cacert = "./testdata/ca.pem" cacert = "./testdata/nomad-agent-ca.pem"
foocert = "./testdata/nomad-foo.pem" fooclientcert = "./testdata/regionFoo-client-nomad.pem"
fookey = "./testdata/nomad-foo-key.pem" fooclientkey = "./testdata/regionFoo-client-nomad-key.pem"
badcert = "./testdata/nomad-bad.pem" fooservercert = "./testdata/regionFoo-server-nomad.pem"
badkey = "./testdata/nomad-bad-key.pem" fooserverkey = "./testdata/regionFoo-server-nomad-key.pem"
badcert = "./testdata/badRegion-client-bad.pem"
badkey = "./testdata/badRegion-client-bad-key.pem"
) )
func TestConfig_AppendCA_None(t *testing.T) { func TestConfig_AppendCA_None(t *testing.T) {
@ -115,7 +117,7 @@ func TestConfig_AppendCA_Valid_Whitespace(t *testing.T) {
require := require.New(t) require := require.New(t)
const cacertWhitespace = "./testdata/ca-whitespace.pem" const cacertWhitespace = "./testdata/whitespace-agent-ca.pem"
conf := &Config{ conf := &Config{
CAFile: cacertWhitespace, CAFile: cacertWhitespace,
} }
@ -296,8 +298,8 @@ func TestConfig_LoadKeyPair_Valid(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
conf := &Config{ conf := &Config{
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
cert, err := conf.LoadKeyPair() cert, err := conf.LoadKeyPair()
@ -391,8 +393,8 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
conf := &Config{ conf := &Config{
VerifyOutgoing: true, VerifyOutgoing: true,
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
tlsConf, err := conf.OutgoingTLSConfig() tlsConf, err := conf.OutgoingTLSConfig()
@ -507,8 +509,8 @@ func TestConfig_outgoingWrapper_OK(t *testing.T) {
config := &Config{ config := &Config{
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooservercert,
KeyFile: fookey, KeyFile: fooserverkey,
VerifyServerHostname: true, VerifyServerHostname: true,
VerifyOutgoing: true, VerifyOutgoing: true,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
@ -545,8 +547,8 @@ func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
t.SkipNow() t.SkipNow()
config := &Config{ config := &Config{
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
VerifyServerHostname: true, VerifyServerHostname: true,
VerifyOutgoing: true, VerifyOutgoing: true,
} }
@ -580,8 +582,8 @@ func TestConfig_wrapTLS_OK(t *testing.T) {
config := &Config{ config := &Config{
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
VerifyOutgoing: true, VerifyOutgoing: true,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
@ -655,8 +657,8 @@ func TestConfig_IncomingTLS(t *testing.T) {
conf := &Config{ conf := &Config{
VerifyIncoming: true, VerifyIncoming: true,
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
tlsC, err := conf.IncomingTLSConfig() tlsC, err := conf.IncomingTLSConfig()
@ -684,8 +686,8 @@ func TestConfig_IncomingTLS_MissingCA(t *testing.T) {
conf := &Config{ conf := &Config{
VerifyIncoming: true, VerifyIncoming: true,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
_, err := conf.IncomingTLSConfig() _, err := conf.IncomingTLSConfig()
@ -786,8 +788,8 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) {
require := require.New(t) require := require.New(t)
tlsConfig := &config.TLSConfig{ tlsConfig := &config.TLSConfig{
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
TLSCipherSuites: strings.Join([]string{ TLSCipherSuites: strings.Join([]string{
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
@ -856,8 +858,8 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
} }
empty := &config.TLSConfig{ empty := &config.TLSConfig{
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
parsedCiphers, err := ParseCiphers(empty) parsedCiphers, err := ParseCiphers(empty)
@ -880,8 +882,8 @@ func TestConfig_ParseCiphers_Invalid(t *testing.T) {
for _, cipher := range invalidCiphers { for _, cipher := range invalidCiphers {
tlsConfig := &config.TLSConfig{ tlsConfig := &config.TLSConfig{
TLSCipherSuites: cipher, TLSCipherSuites: cipher,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
parsedCiphers, err := ParseCiphers(tlsConfig) parsedCiphers, err := ParseCiphers(tlsConfig)
@ -902,8 +904,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) {
{ {
tlsConfig := &config.TLSConfig{ tlsConfig := &config.TLSConfig{
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
parsedCiphers, err := ParseCiphers(tlsConfig) parsedCiphers, err := ParseCiphers(tlsConfig)
@ -915,8 +917,8 @@ func TestConfig_ParseCiphers_SupportedSignature(t *testing.T) {
{ {
tlsConfig := &config.TLSConfig{ tlsConfig := &config.TLSConfig{
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
parsedCiphers, err := ParseCiphers(tlsConfig) parsedCiphers, err := ParseCiphers(tlsConfig)
@ -972,8 +974,8 @@ func TestConfig_NewTLSConfiguration(t *testing.T) {
conf := &config.TLSConfig{ conf := &config.TLSConfig{
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
KeyLoader: &config.KeyLoader{}, KeyLoader: &config.KeyLoader{},
} }
@ -1024,8 +1026,8 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) {
}, },
new: &config.TLSConfig{ new: &config.TLSConfig{
CAFile: cacert, CAFile: cacert,
CertFile: foocert, CertFile: fooclientcert,
KeyFile: fookey, KeyFile: fooclientkey,
}, },
shouldReload: true, shouldReload: true,
errorStr: "Different TLS Configuration should reload", errorStr: "Different TLS Configuration should reload",


@ -1,39 +1,67 @@
# Nomad Test Certificate # Nomad Test Certificate
Using [cfssl 1.6.0](https://github.com/cloudflare/cfssl) Nomad has a built in command to generate certificates for setting up tls encryption.
This will generate valid certificates with default settings if run without any configuration.
The command `nomad tls` is used to generate the test certificates in this directory.
| File | Description | | File | Description |
|---------------------|---------------------------| |----------------------------------|---------------------------|
| `ca.pem` | CA certificate | | `nomad-agent-ca.pem` | CA certificate |
| `ca-key.pem` | CA Key | | `nomad-agent-ca-key.pem` | CA Key |
| `nomad-foo.pem` | Nomad cert for foo region | | `regionFoo-client-nomad.pem` | Nomad cert for foo region |
| `nomad-foo-key.pem` | Nomad key for foo region | | `regionFoo-client-nomad-key.pem` | Nomad key for foo region |
| `ca-bad.pem` | CA cert for bad region | | `bad-agent-ca.pem` | CA cert for bad region |
| `ca-key-bad.pem` | CA key for bad region | | `bad-agent-ca-key.pem` | CA key for bad region |
| `nomad-bad.pem` | Nomad cert for bad region | | `badRegion-client-bad.pem` | Nomad cert for bad region |
| `nomad-bad-key.pem` | Nomad key for bad region | | `badRegion-client-bad-key.pem` | Nomad key for bad region |
| `global-*.pem` | For global region | | `global-*.pem` | For global region |
| `whitespace-agent-ca.pem` | For whitespace test |
## Generating self-signed certs with nomad tls
## Generating self-signed certs
```sh ```sh
# Write defaults and update.
# NOTE: this doesn't need to be run if regenerating old certificates and
# shouldn't as it overrides non-default values.
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults csr > ca-bad-csr.json
cfssl print-defaults config > ca-config.json
# Generate CA certificates and keys. # Generate CA certificate and key.
# nomad tls ca create
# 1. Generates ca.csr, ca.pem, and ca-key.pem.
# 2. Generates ca-bad.csr, ca-bad.pem, and ca-bad-key.pem.
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -
# Generate certificates and keys. # Generate certificates and keys with default values.
# # 1. Generate server certificate with default values
# 1. Generates nomad-foo.csr, nomad-foo.pem, and nomad-foo-key.pem. # 2. Generate client certificate with default values
# 1. Generates nomad-bad.csr, nomad-bad.pem, and nomad-bad-key.pem. nomad tls cert create -server
cfssl gencert -loglevel=5 -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo nomad tls cert create -client
cfssl gencert -loglevel=5 -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad
# Generate certificates and keys for region regionFoo.
# 1. Generate server certificate for region regionFoo
# 2. Generate client certificate for region regionFoo
nomad tls cert create -server -region regionFoo
nomad tls cert create -client -region regionFoo
``` ```
## Generating additional self-signed certs for testing tls misconfiguration
These certificates are used to test incorrect tls configuration.
They are valid certificates but issued from a different CA
```sh
# Generate CA certificate and key.
nomad tls ca create -name-constraint=true -domain bad
# Generate certificates and keys for region badRegion.
# 1. Generate server certificate for region badRegion
# 2. Generate client certificate for region badRegion
nomad tls cert create -server -region badRegion -domain=bad
nomad tls cert create -client -region badRegion -domain=bad
```
## Generate CA for whitespace test
You will need to edit the pem file to add some whitespace after the
-----END CERTIFICATE----- line
```sh
# Generate CA certificate and key.
nomad tls ca create -name-constraint=true -domain whitespace
```


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOtIspf5RTZcXnYsKINVSqrO1aJQBy0Ustei5x3pdrxAoAoGCCqGSM49
AwEHoUQDQgAE4KKQKga9sXh3c+vK8YSkqKx9zAWJfSDsxzX/xzie4FhYcF5IbeVh
EjDZHXhU8AtGhzPIHkPc4PtP4iNdlwkuAw==
-----END EC PRIVATE KEY-----


@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOXshxnqSDtF5SDD4PWNbhzEhgX89tC1e4vs/YFRdZV2oAoGCCqGSM49
AwEHoUQDQgAE1FmtPIHfG9n5nvJHdkpMwCon8D3c/4Ekg+QnFvleUXB8PoXlYND6
gX/+n7cJ2p5dZ/NcXPAASHKCQFdAIl+jEg==
-----END EC PRIVATE KEY-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIN1hpOPcd0fHzA+MUq3ImrK/6zwsvxl/gpSL11nFB6UooAoGCCqGSM49
AwEHoUQDQgAE3t6MXDmu0U5jdrTHX6K0wVLantQkytnUipeVWJh+vstUyPQrbREB
aj2mmx6Ckh+8L4qy7b6CFkjK7koP23pe9g==
-----END EC PRIVATE KEY-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,16 +0,0 @@
{
"CN": "bad.nomad.hashicorp",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "HashiCorp",
"OU": "Nomad",
"ST": "California"
}
]
}


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIM9NSxYeRvnFLx/z6iLN3eJw+hgW2GOf4YDxOWwNxFuKoAoGCCqGSM49
AwEHoUQDQgAEjGPxvMgyhwrYxM6Y7MWdgELE33ut7aXbGO8p+IFlfQUy3q/0OK3p
Fjmpqh1XApvOXo7Z3YjdpO3M2aMOSi6BRg==
-----END EC PRIVATE KEY-----


@ -1,9 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB3gIBADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD
VQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjvKfiB
ZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUagADAKBggqhkjOPQQD
AgNIADBFAiEA4IyK8liUiVVaCSmP3BqJpkEPCEiJ3bph7mN2Urrlb7ICIBu1q1Xa
kJunzBkREZcmpwVp2IUlTFaQvvy7eeRL4obB
-----END CERTIFICATE REQUEST-----


@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICOzCCAeKgAwIBAgIUeXTO3L4oiO38Y33Opu8YrQj9HlYwCgYIKoZIzj0EAwIw
fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwHhcNMjEwODEzMDg1MjAwWhcN
MjYwODEyMDg1MjAwWjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4w
DAYDVQQLEwVOb21hZDEcMBoGA1UEAxMTYmFkLm5vbWFkLmhhc2hpY29ycDBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABIxj8bzIMocK2MTOmOzFnYBCxN97re2l2xjv
KfiBZX0FMt6v9Dit6RY5qaodVwKbzl6O2d2I3aTtzNmjDkougUajQjBAMA4GA1Ud
DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRybjwTW9incERj
Y/Bw7E9iVcdhPDAKBggqhkjOPQQDAgNHADBEAiAkv5FG1AF8VVeytFSsqelinpB2
ETojhNxgm95bFKIqpAIgfhFdNVes9XJflthIJo9mSWsH2ht0CXwcwMuGxNLgy1E=
-----END CERTIFICATE-----


@ -1,14 +0,0 @@
{
"signing": {
"default": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}


@ -1,16 +0,0 @@
{
"CN": "nomad.hashicorp",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "HashiCorp",
"OU": "Nomad",
"ST": "California"
}
]
}


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIM3rBHk5t/VtMgspx2/amPd2/LcaLdXr3FjRac3OrFCaoAoGCCqGSM49
AwEHoUQDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5X8auQEnV
rnCeVomK8sY3B2XAVitL6KIpcNuIkYD7ug==
-----END EC PRIVATE KEY-----


@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICNTCCAZagAwIBAgIRANjgoh5iVZI26+Hz/K65G0UwCgYIKoZIzj0EAwQwNjEb
MBkGA1UEChMSSGFzaGlDb3JwIFRyYWluaW5nMRcwFQYDVQQDEw5zZXJ2aWNlLmNv
bnN1bDAeFw0xODA4MjMxNzM0NTBaFw0xODA5MjIxNzM0NTBaMDYxGzAZBgNVBAoT
Ekhhc2hpQ29ycCBUcmFpbmluZzEXMBUGA1UEAxMOc2VydmljZS5jb25zdWwwgZsw
EAYHKoZIzj0CAQYFK4EEACMDgYYABAGjC4sWsOfirS/DQ9/e7PdQeJwlOjziiOx/
CALjS6ryEDkZPqRqMuoFXfudAmfdk6tl8AT1IKMVcgiQU5jkm7fliwFIk48uh+n2
obqZjwDyM76VYBVSYi6i3BPXown1ivIMJNQS1txnWZLZHsv+WxbHydS+GNOAwKDK
KsXj9dEhd36pvaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w
HQYDVR0OBBYEFIk3oG2hu0FxueW4e7fL+FdMOquBMAoGCCqGSM49BAMEA4GMADCB
iAJCAPIPwPyk+8Ymj7Zlvb5qIUQg+UxoacAeJtFZrJ8xQjro0YjsM33O86rAfw+x
sWWGul4Ews93KFBXvhbKCwb0F0PhAkIAh2z7COsKcQzvBoIy+Kx92+9j/sUjlzzl
TttDu+g2VdbcBwVDZ49X2Md6OY2N3G8Irdlj+n+mCQJaHwVt52DRzz0=
-----END CERTIFICATE-----


@ -1,9 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBNDCB2gIBADB4MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYD
VQQLEwVOb21hZDEYMBYGA1UEAxMPbm9tYWQuaGFzaGljb3JwMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEBCIpONsFqQMf1P4Jf5X23mw9wQBIrFfr900fTRXge2R5
X8auQEnVrnCeVomK8sY3B2XAVitL6KIpcNuIkYD7uqAAMAoGCCqGSM49BAMCA0kA
MEYCIQCmPOKtb8kE6Qof97bu1R3qdi1Q6K5MsxMm4weGGNaKswIhAIibKtTD7xsa
/4vLSZJPdCZTmpllsMHS7dQxnkTzFh/9
-----END CERTIFICATE REQUEST-----


@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEICWrWIE3q8UlYau6xKhLz43CO9wg36fxG4Qcy+kBItdeoAoGCCqGSM49
AwEHoUQDQgAEvei5KnuNBvuhGrELae9FL61aJeVvXw0iP0j1XpNvOaYhfMMvq9fY
1q4fVN92D1HQN6FsfLNl/YCvdF+sT4qxnQ==
-----END EC PRIVATE KEY-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMNiNYgDT0xord/mxPdyNNb5MoQ4L8qXMKysxevqDoePoAoGCCqGSM49
AwEHoUQDQgAEozWvKqFPwy8h/q4HX16eQvLY2WzcSrvX6gZlMTl0P3L/HOrk33jk
eqC+GaSpChuhWZYLRbwacqhifsCDyq+XqQ==
-----END EC PRIVATE KEY-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEINcyDkLfcVur3bsEvdesW2oUbRMFAyVWyvxAYsNVeSNgoAoGCCqGSM49
AwEHoUQDQgAENcwnm0Z/yFL/hb0xUXu4E7fKebTnt/AWQPyeJtDBGa9NAqw8yCOH
XP8GGSomLgGAvrUj/ZOMgenFNSsUhEJKSA==
-----END EC PRIVATE KEY-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKkGG3r4oVoWObbU6m1kMf/vwengkstOdNf9LIkcwlI8oAoGCCqGSM49
AwEHoUQDQgAExUEFNlC2277Vl+4gLCLAERa0DPDihUic8FoeWiaSJA7HzBjJE3ue
8+RbfEs3nHJ61uTNEOzsdh0arFMZqz215g==
-----END EC PRIVATE KEY-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICoTCCAkagAwIBAgIRAOgA+9t9J70U/cv8Wx0kGyMwCgYIKoZIzj0EAwIwgbgx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTIzMDUw
MjE3NTM0M1oXDTI0MDUwMTE3NTM0M1owHjEcMBoGA1UEAxMTc2VydmVyLmdsb2Jh
bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMVBBTZQttu+1ZfuICwi
wBEWtAzw4oVInPBaHlomkiQOx8wYyRN7nvPkW3xLN5xyetbkzRDs7HYdGqxTGas9
teajgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBthynn3utQfFpsGsUVNd83
Q075xOyeLlJd7vNJKUckcTArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA
x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkggls
b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAKUl2wTU4GlXH7iBjFax
hVBW16jTDAtkVLmWTUMsh5ZiAiEA9NYSCyTTFLx2C5a5D2OavzkzcIlxQfxyjAbo
PZ8/00U=
-----END CERTIFICATE-----


@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJzq2OYwVRT7HC3g4Lab3c//8w/hO+/4+KbodUMa+3DNoAoGCCqGSM49
AwEHoUQDQgAE9qb3BfDs0ZooB/J1KIKqwgh8xFmB1moyFNqU8Q5ZwVm0dwsBcf7U
Ayn32XCBJ9jFTuIZmZy5n33efM22C9JApA==
-----END EC PRIVATE KEY-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,20 +0,0 @@
{
"CN": "regionBad.nomad",
"hosts": [
"server.regionBad.nomad",
"client.regionBad.nomad"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "HashiCorp",
"OU": "Nomad",
"ST": "California"
}
]
}


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIdLbfRt+KZFZrn6BsaCmi/8n3+gzqDgU2KYEc3bs/YLoAoGCCqGSM49
AwEHoUQDQgAE5EO2FyHkS9sgGpNwnXg22Lnolp1WwyChw+ONMGyG3i9GKQp7m39D
1TaarEHl1d1Xt/SH+nFObPuIk3rHZcZ3JA==
-----END EC PRIVATE KEY-----


@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBgDCCASYCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG
A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkJhZC5ub21hZDBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABORDthch5EvbIBqTcJ14Nti56JadVsMgocPjjTBsht4v
RikKe5t/Q9U2mqxB5dXdV7f0h/pxTmz7iJN6x2XGdySgTDBKBgkqhkiG9w0BCQ4x
PTA7MDkGA1UdEQQyMDCCFnNlcnZlci5yZWdpb25CYWQubm9tYWSCFmNsaWVudC5y
ZWdpb25CYWQubm9tYWQwCgYIKoZIzj0EAwIDSAAwRQIhAKnj9VZmqXp8kZ7akGpz
yP04Gyz5b6JnSDalkaaUekdBAiAAqqna5G8NLoQDQ5Kj8uLm5FyTuhE7eDHN1Xiz
PBWAaQ==
-----END CERTIFICATE REQUEST-----


@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBxaGxJxJXnAXVmb8E3ALsWqva9F01R0cr/1Ap75YyeAoAoGCCqGSM49
AwEHoUQDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8qR01AEVGjYrAjk/ns
qaq7P9y/w4k9TvhWaq9/L6id468a0/VWCw==
-----END EC PRIVATE KEY-----


@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICWTCCAgCgAwIBAgIQOW7/CDB2IhlMyfh16erD/jAKBggqhkjOPQQDAjB4MQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMQ4wDAYDVQQLEwVOb21hZDEYMBYG
A1UEAxMPbm9tYWQuaGFzaGljb3JwMCAXDTIyMTEyOTE5MjY0MloYDzIxMjIxMTA1
MTkyNjQyWjAhMR8wHQYDVQQDExZjbGllbnQucmVnaW9uRm9vLm5vbWFkMFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8q
R01AEVGjYrAjk/nsqaq7P9y/w4k9TvhWaq9/L6id468a0/VWC6OBwDCBvTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1Ud
EwEB/wQCMAAwKQYDVR0OBCIEII1J2DmAAcPAaNLFlxFpdBzjhRFRd9E9fedoz9I8
vHPPMB8GA1UdIwQYMBaAFKJkNK006jVs/eYf4w00jciQj2MEMDIGA1UdEQQrMCmC
FmNsaWVudC5yZWdpb25Gb28ubm9tYWSCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO
PQQDAgNHADBEAiAXzlb98iqyXvtlkThR13ojgjwjP25JBysDKf4vnXjQuwIgFpkB
0B7bPy5VNIAVsw6n5ocvsB7w0rgBPJyS3I2YCi0=
-----END CERTIFICATE-----


@ -1,20 +0,0 @@
{
"CN": "regionFoo.nomad",
"hosts": [
"server.regionFoo.nomad",
"client.regionFoo.nomad"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "HashiCorp",
"OU": "Nomad",
"ST": "California"
}
]
}


@ -1,5 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIH2tGBcTtZ43pPNsyLcO44eBOcp8Bevnf2kCcZeLhpzAoAoGCCqGSM49
AwEHoUQDQgAECXq2d0JCbbmFAMnQ8rBj7nYa47NxiluAi3ybk7sxh8LWpYU3Rsdh
P71yaSkAYkMhNcBDjuacjH4A00bMVA1L6Q==
-----END EC PRIVATE KEY-----


@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBFfKnmgGcVDrDeFyU3c0IeYrqJZrQwasXo+2dtcc4TCoAoGCCqGSM49
AwEHoUQDQgAEziQFRhmwFsRMdIKZNQF0LcIs98u2iuRwGiDO10iKqx1wVY4pbupF
77P8zclVjFfYyDFW5SCT3QtDKwJKGxT4ow==
-----END EC PRIVATE KEY-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIEifr5oheNXaez/snF4nzH4YLWZ8v5kV6+0h9yPZiglXoAoGCCqGSM49
AwEHoUQDQgAESpxIME2rOLbstfWkS6NCqwtPQDwlAI0k42WUxMHuZPaYWq9KyH73
OAT5Z1a/MT+NQFltFODh8ui9ZjIAYEFt7g==
-----END EC PRIVATE KEY-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIO2Eo72jUx4iZid6ppygk2B8pyslwTGLr+NhrPvhplMaoAoGCCqGSM49
AwEHoUQDQgAE9Iqti3cT5EIWKK1VdlsoKwKv67eRcIWuxzPaEjG1tfKV9kWMnPx2
1pS2XqL72QdFVjXgajomqXOrfDawtO/kAQ==
-----END EC PRIVATE KEY-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -34,13 +34,13 @@ func TestAuthenticate_mTLS(t *testing.T) {
EnableHTTP: true, EnableHTTP: true,
EnableRPC: true, EnableRPC: true,
VerifyServerHostname: true, VerifyServerHostname: true,
CAFile: "../helper/tlsutil/testdata/ca.pem", CAFile: "../helper/tlsutil/testdata/nomad-agent-ca.pem",
CertFile: "../helper/tlsutil/testdata/nomad-foo.pem", CertFile: "../helper/tlsutil/testdata/regionFoo-server-nomad.pem",
KeyFile: "../helper/tlsutil/testdata/nomad-foo-key.pem", KeyFile: "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem",
} }
clientTLSCfg := tlsCfg.Copy() clientTLSCfg := tlsCfg.Copy()
clientTLSCfg.CertFile = "../helper/tlsutil/testdata/nomad-foo-client.pem" clientTLSCfg.CertFile = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/nomad-foo-client-key.pem" clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
setCfg := func(name string, bootstrapExpect int) func(*Config) { setCfg := func(name string, bootstrapExpect int) func(*Config) {
return func(c *Config) { return func(c *Config) {
@ -178,7 +178,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
{ {
name: "from peer to leader without token", // ex. Eval.Dequeue name: "from peer to leader without token", // ex. Eval.Dequeue
tlsCfg: tlsCfg, tlsCfg: tlsCfg,
expectTLSName: "regionFoo.nomad", expectTLSName: "server.regionFoo.nomad",
expectAccessor: "anonymous", expectAccessor: "anonymous",
expectIP: follower.GetConfig().RPCAddr.IP.String(), expectIP: follower.GetConfig().RPCAddr.IP.String(),
sendFromPeer: follower, sendFromPeer: follower,
@ -190,7 +190,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
name: "anonymous forwarded from peer to leader", name: "anonymous forwarded from peer to leader",
tlsCfg: tlsCfg, tlsCfg: tlsCfg,
expectAccessor: "anonymous", expectAccessor: "anonymous",
expectTLSName: "regionFoo.nomad", expectTLSName: "server.regionFoo.nomad",
expectIP: "127.0.0.1", expectIP: "127.0.0.1",
expectIDKey: "token:anonymous", expectIDKey: "token:anonymous",
}, },
@ -198,16 +198,16 @@ func TestAuthenticate_mTLS(t *testing.T) {
name: "invalid token", name: "invalid token",
tlsCfg: clientTLSCfg, tlsCfg: clientTLSCfg,
testToken: uuid.Generate(), testToken: uuid.Generate(),
expectTLSName: "regionFoo.nomad", expectTLSName: "server.regionFoo.nomad",
expectIP: follower.GetConfig().RPCAddr.IP.String(), expectIP: follower.GetConfig().RPCAddr.IP.String(),
expectIDKey: "regionFoo.nomad:127.0.0.1", expectIDKey: "server.regionFoo.nomad:127.0.0.1",
expectErr: "rpc error: Permission denied", expectErr: "rpc error: Permission denied",
}, },
{ {
name: "from peer to leader with leader ACL", // ex. core job GC name: "from peer to leader with leader ACL", // ex. core job GC
tlsCfg: tlsCfg, tlsCfg: tlsCfg,
testToken: leader.getLeaderAcl(), testToken: leader.getLeaderAcl(),
expectTLSName: "regionFoo.nomad", expectTLSName: "server.regionFoo.nomad",
expectAccessor: "leader", expectAccessor: "leader",
expectIP: follower.GetConfig().RPCAddr.IP.String(), expectIP: follower.GetConfig().RPCAddr.IP.String(),
sendFromPeer: follower, sendFromPeer: follower,
@ -224,7 +224,7 @@ func TestAuthenticate_mTLS(t *testing.T) {
name: "from client missing secret", // ex. Node.Register name: "from client missing secret", // ex. Node.Register
tlsCfg: clientTLSCfg, tlsCfg: clientTLSCfg,
expectAccessor: "anonymous", expectAccessor: "anonymous",
expectTLSName: "regionFoo.nomad", expectTLSName: "server.regionFoo.nomad",
expectIP: follower.GetConfig().RPCAddr.IP.String(), expectIP: follower.GetConfig().RPCAddr.IP.String(),
}, },
{ {
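Review bot: The cases that send with `clientTLSCfg` (the "invalid token" and "from client missing secret" entries) now assert `expectTLSName: "server.regionFoo.nomad"`, which is the follower's server-certificate identity rather than the client certificate's own name; that only holds because the call is forwarded through the follower (`expectIP` is the follower's RPC address in both cases), and nothing in the table says so. A reader checking the mTLS identity logic would reasonably expect a client cert to yield a client name, so a comment on those two cases would prevent the assertion from being "fixed" the wrong way: `// forwarded via the follower, so the leader sees the follower's server cert, not the client's`. If the table has no non-forwarded client-cert case, it may also be worth adding one that asserts the client certificate's own name, since that is the path where a wrong SAN would actually break peer identification. `TestAuthenticate_mTLS` and its case table extend beyond this hunk.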


@ -223,9 +223,9 @@ func TestRPC_PlaintextRPCSucceedsWhenInUpgradeMode(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -265,9 +265,9 @@ func TestRPC_PlaintextRPCFailsWhenNotInUpgradeMode(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -331,9 +331,9 @@ func TestRPC_streamingRpcConn_badMethod_TLS(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
s1, cleanupS1 := TestServer(t, func(c *Config) { s1, cleanupS1 := TestServer(t, func(c *Config) {
@ -441,9 +441,9 @@ func TestRPC_streamingRpcConn_goodMethod_TLS(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
s1, cleanupS1 := TestServer(t, func(c *Config) { s1, cleanupS1 := TestServer(t, func(c *Config) {
@ -579,9 +579,9 @@ func TestRPC_TLS_in_TLS(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
s, cleanup := TestServer(t, func(c *Config) { s, cleanup := TestServer(t, func(c *Config) {
@ -639,9 +639,9 @@ func TestRPC_Limits_OK(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
maxConns = 10 // limit must be < this for testing maxConns = 10 // limit must be < this for testing
) )


@ -40,9 +40,9 @@ func TestServer_RPC_TLS(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -105,9 +105,9 @@ func TestServer_RPC_MixedTLS(t *testing.T) {
ci.Parallel(t) ci.Parallel(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-server-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-server-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -244,9 +244,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -292,9 +292,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_RPC(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -338,9 +338,9 @@ func TestServer_Reload_TLSConnections_TLSToPlaintext_OnlyRPC(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -391,9 +391,9 @@ func TestServer_Reload_TLSConnections_PlaintextToTLS_OnlyRPC(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../helper/tlsutil/testdata/ca.pem" cafile = "../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
dir := t.TempDir() dir := t.TempDir()
@ -446,9 +446,9 @@ func TestServer_Reload_TLSConnections_Raft(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
const ( const (
cafile = "../../helper/tlsutil/testdata/ca.pem" cafile = "../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
barcert = "../dev/tls_cluster/certs/nomad.pem" barcert = "../dev/tls_cluster/certs/nomad.pem"
barkey = "../dev/tls_cluster/certs/nomad-key.pem" barkey = "../dev/tls_cluster/certs/nomad-key.pem"
) )


@ -52,11 +52,11 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../../helper/tlsutil/testdata/ca.pem" cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
) )
// Assert that both mismatching certificate and key files are considered // Assert that both mismatching certificate and key files are considered
@ -71,8 +71,8 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
b := &TLSConfig{ b := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: badcert,
KeyFile: fookey2, KeyFile: badkey,
} }
isEqual, err := a.CertificateInfoIsEqual(b) isEqual, err := a.CertificateInfoIsEqual(b)
require.Nil(err) require.Nil(err)
@ -90,7 +90,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
b := &TLSConfig{ b := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: foocert2, CertFile: badcert,
KeyFile: fookey, KeyFile: fookey,
} }
isEqual, err := a.CertificateInfoIsEqual(b) isEqual, err := a.CertificateInfoIsEqual(b)
@ -110,7 +110,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
b := &TLSConfig{ b := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: foocert,
KeyFile: fookey2, KeyFile: badkey,
} }
isEqual, err := a.CertificateInfoIsEqual(b) isEqual, err := a.CertificateInfoIsEqual(b)
require.Nil(err) require.Nil(err)
@ -124,7 +124,7 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
b := &TLSConfig{ b := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: foocert,
KeyFile: fookey2, KeyFile: badkey,
} }
isEqual, err := a.CertificateInfoIsEqual(b) isEqual, err := a.CertificateInfoIsEqual(b)
require.Nil(err) require.Nil(err)
@ -136,13 +136,13 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
a := &TLSConfig{ a := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: foocert, CertFile: foocert,
KeyFile: fookey2, KeyFile: badkey,
} }
b := &TLSConfig{ b := &TLSConfig{
CAFile: cafile, CAFile: cafile,
CertFile: "invalid_file", CertFile: "invalid_file",
KeyFile: fookey2, KeyFile: badkey,
} }
isEqual, err := a.CertificateInfoIsEqual(b) isEqual, err := a.CertificateInfoIsEqual(b)
require.NotNil(err) require.NotNil(err)
@ -157,9 +157,9 @@ func TestTLS_CertificateInfoIsEqual_TrueWhenEqual(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../../helper/tlsutil/testdata/ca.pem" cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
a := &TLSConfig{ a := &TLSConfig{
CAFile: cafile, CAFile: cafile,
@ -183,9 +183,9 @@ func TestTLS_Copy(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../../helper/tlsutil/testdata/ca.pem" cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
) )
a := &TLSConfig{ a := &TLSConfig{
CAFile: cafile, CAFile: cafile,
@ -216,11 +216,11 @@ func TestTLS_GetKeyloader(t *testing.T) {
func TestTLS_SetChecksum(t *testing.T) { func TestTLS_SetChecksum(t *testing.T) {
require := require.New(t) require := require.New(t)
const ( const (
cafile = "../../../helper/tlsutil/testdata/ca.pem" cafile = "../../../helper/tlsutil/testdata/nomad-agent-ca.pem"
foocert = "../../../helper/tlsutil/testdata/nomad-foo.pem" foocert = "../../../helper/tlsutil/testdata/regionFoo-client-nomad.pem"
fookey = "../../../helper/tlsutil/testdata/nomad-foo-key.pem" fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
foocert2 = "../../../helper/tlsutil/testdata/nomad-bad.pem" badcert = "../../../helper/tlsutil/testdata/badRegion-client-bad.pem"
fookey2 = "../../../helper/tlsutil/testdata/nomad-bad-key.pem" badkey = "../../../helper/tlsutil/testdata/badRegion-client-bad-key.pem"
) )
a := &TLSConfig{ a := &TLSConfig{
@ -231,8 +231,8 @@ func TestTLS_SetChecksum(t *testing.T) {
a.SetChecksum() a.SetChecksum()
oldChecksum := a.Checksum oldChecksum := a.Checksum
a.CertFile = foocert2 a.CertFile = badcert
a.KeyFile = fookey2 a.KeyFile = badkey
a.SetChecksum() a.SetChecksum()


@ -35,8 +35,7 @@ Usage: `nomad tls cert create [options]`
- `-days=<int>`: Provide number of days the certificate is valid for from now - `-days=<int>`: Provide number of days the certificate is valid for from now
on. Defaults to 1 year. on. Defaults to 1 year.
- `-dc=<string>`: Provide the datacenter. Matters only for `-server` - `-cluster-region=<string>`: DEPRECATED please use `-region`.
certificates. Defaults to `dc1`.
- `-domain=<string>`: Provide the domain. Matters only for `-server` - `-domain=<string>`: Provide the domain. Matters only for `-server`
certificates. certificates.
@ -44,9 +43,7 @@ Usage: `nomad tls cert create [options]`
- `-key=<string>`: Provide path to the key. Defaults to - `-key=<string>`: Provide path to the key. Defaults to
`#DOMAIN#-agent-ca-key.pem`. `#DOMAIN#-agent-ca-key.pem`.
- `-node=<string>`: When generating a server cert and this server is set an - `-region=<string>`: Provide the region. Defaults to "global".
additional DNS name is included of the form
`<node>.server.<datacenter>.<domain>`.
- `-server`: Generate server certificate. - `-server`: Generate server certificate.


@ -34,6 +34,12 @@ called this endpoint or used this command using tokens with just the `read-job`
capability or the `read` policy must update their tokens to use the capability or the `read` policy must update their tokens to use the
`submit-job` capability or the `write` policy. `submit-job` capability or the `write` policy.
#### Command `nomad tls cert create` flag `-cluster-region` deprecated
Nomad 1.6.0 will deprecate the command `nomad tls cert create` flag `-cluster-region`
in favour of using the standard flag `-region`. The `-cluster-region` flag
will be removed in Nomad 1.7.0
## Nomad 1.5.5 ## Nomad 1.5.5
Nomad 1.5.5 fixed a bug where allocations that are rescheduled for jobs Nomad 1.5.5 fixed a bug where allocations that are rescheduled for jobs