6def5bc4f9
Not setting the host name led the Go HTTP client to expect a certificate with a DNS-resolvable name. Since Nomad uses `${role}.${region}.nomad` names, ephemeral dir migrations were broken when TLS was enabled. Added an e2e test to ensure this doesn't break again as it's very difficult to test and the TLS configuration is very easy to get wrong.
33 lines
1.3 KiB
Markdown
# Nomad Test Certificate

Using [cfssl 1.2.0](https://github.com/cloudflare/cfssl)

| File                | Description               |
|---------------------|---------------------------|
| `ca.pem`            | CA certificate            |
| `ca-key.pem`        | CA Key                    |
| `nomad-foo.pem`     | Nomad cert for foo region |
| `nomad-foo-key.pem` | Nomad key for foo region  |
| `ca-bad.pem`        | CA cert for bad region    |
| `ca-key-bad.pem`    | CA key for bad region     |
| `nomad-bad.pem`     | Nomad cert for bad region |
| `nomad-bad-key.pem` | Nomad key for bad region  |
| `global-*.pem`      | For global region         |

## Generating self-signed certs

```sh
# Write defaults and update
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults config > ca-config.json

# Generate CA certificate and key
cfssl gencert -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -

# Generate Nomad certificate and key
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo

# Generate bad region CA and certificate
cfssl gencert -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -
cfssl gencert -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad
```
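The name check described in the commit message, as an added Go example (not Nomad's code): a leaf whose SAN follows the `${role}.${region}.nomad` pattern verifies only when the expected name is set explicitly, fails when the name is taken from a dialed address, and fails against the other CA. The in-memory certificates, the `server.foo.nomad` SAN, the address `10.0.0.5` and the helpers `issue` and `check` are constructed for illustration; they are not the contents of the `.pem` files above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a short-lived cert; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check verifies leaf against ca for serverName; returns the error's type.
func check(leaf, ca *x509.Certificate, serverName string) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return fmt.Sprintf("%T", err)
}

func main() {
	ca, caKey := issue("constructed test CA", nil, nil)
	badCA, _ := issue("constructed bad CA", nil, nil)
	leaf, _ := issue("server.foo.nomad", ca, caKey, "server.foo.nomad")
	fmt.Println(check(leaf, ca, "server.foo.nomad"))    // <nil>
	fmt.Println(check(leaf, ca, "10.0.0.5"))            // x509.HostnameError
	fmt.Println(check(leaf, badCA, "server.foo.nomad")) // x509.UnknownAuthorityError
}
```

`DNSName` in `x509.VerifyOptions` plays the role of `ServerName` in a `tls.Config`; when `ServerName` is left empty, Go's HTTP client uses the host from the request URL, which is the second case.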