6def5bc4f9
Not setting the host name led the Go HTTP client to expect a certificate with a DNS-resolvable name. Since Nomad uses `${role}.${region}.nomad` names, ephemeral dir migrations were broken when TLS was enabled. Added an e2e test to ensure this doesn't break again as it's very difficult to test and the TLS configuration is very easy to get wrong.
Nomad Test Certificate
Using cfssl 1.2.0
File | Description |
---|---|
ca.pem | CA certificate |
ca-key.pem | CA Key |
nomad-foo.pem | Nomad cert for foo region |
nomad-foo-key.pem | Nomad key for foo region |
ca-bad.pem | CA cert for bad region |
ca-key-bad.pem | CA key for bad region |
nomad-bad.pem | Nomad cert for bad region |
nomad-bad-key.pem | Nomad key for bad region |
global-*.pem | For global region |
Generating self-signed certs

```sh
# Write defaults and update
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults config > ca-config.json

# Generate CA certificate and key
cfssl gencert -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -

# Generate Nomad certificate and key
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo

# Generate bad region CA and certificate
cfssl gencert -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -
cfssl gencert -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad
```