Skip to content

[ca/node] Maybe update the root CA when renewing the TLS cert#2238

Merged
aaronlehmann merged 1 commit intomoby:masterfrom
cyli:download-ca-when-requesting
Jun 12, 2017
Merged

[ca/node] Maybe update the root CA when renewing the TLS cert#2238
aaronlehmann merged 1 commit intomoby:masterfrom
cyli:download-ca-when-requesting

Conversation

@cyli
Copy link
Copy Markdown
Contributor

@cyli cyli commented Jun 10, 2017

When renewing the TLS certificate, if we get an x509.UnknownAuthorityError,
try to update the root CA such that it validates against the old TLS creds
before renewing again.

This can help with edge cases where a manager might have been demoted, and
thus not be able to push the latest root certificate to its agent, but
the node needs to renew the TLS cert to get one for the worker role (but
root rotation has already finished, and hence any certificate it gets will
no longer have the intermediate and won't validate).

Signed-off-by: Ying Li ying.li@docker.com

Still needs test. The ideal scenario @aaronlehmann and I discussed was to separate the Root CA used to sign new certs from the root CA the node itself uses to validate incoming connections and external servers, but that may be a bigger change.

This functionality may still be useful, however, to account for edge cases.

@cyli cyli mentioned this pull request Jun 12, 2017
Closed
40 tasks
@aaronlehmann
Copy link
Copy Markdown
Collaborator

aaronlehmann commented Jun 12, 2017

This isn't compiling yet but the concept looks sound.

@cyli cyli force-pushed the download-ca-when-requesting branch 2 times, most recently from 520262f to ecf9b7f Compare June 12, 2017 21:38
@codecov
Copy link
Copy Markdown

codecov bot commented Jun 12, 2017
edited
Loading

Codecov Report

Merging #2238 into master will decrease coverage by 0.04%.
The diff coverage is 78.78%.

@@            Coverage Diff             @@
##           master    #2238      +/-   ##
==========================================
- Coverage   60.27%   60.22%   -0.05%     
==========================================
  Files         124      124              
  Lines       20220    20212       -8     
==========================================
- Hits        12187    12173      -14     
- Misses       6675     6677       +2     
- Partials     1358     1362       +4

@cyli cyli changed the title WIP: [ca/node] Maybe update the root CA when renewing the TLS cert [ca/node] Maybe update the root CA when renewing the TLS cert Jun 12, 2017
@cyli
When renewing the TLS certificate, if we get an x509.UnknownAuthority…
7492f2a 
…Error,

try to update the root CA such that it validates against the old TLS creds
before renewing again.

This can help with edge cases where a manager might have been demoted, and
thus not be able to push the latest root certificate to its agent, but
the node needs to renew the TLS cert to get one for the worker role (but
root rotation has already finished, and hence any certificate it gets will
no longer have the intermediate and won't validate).

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the download-ca-when-requesting branch from ecf9b7f to 7492f2a Compare June 12, 2017 22:01
@cyli cyli mentioned this pull request Jun 12, 2017
Closed
@cyli
Copy link
Copy Markdown
Contributor Author

cyli commented Jun 12, 2017

Ok, test written and CI passing, ready for another look.

diogomonica
diogomonica approved these changes Jun 12, 2017
View reviewed changes
Copy link
Copy Markdown
Contributor

@diogomonica diogomonica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aaronlehmann
Copy link
Copy Markdown
Collaborator

aaronlehmann commented Jun 12, 2017

LGTM

@aaronlehmann aaronlehmann merged commit ad6d216 into moby:master Jun 12, 2017
@cyli cyli deleted the download-ca-when-requesting branch June 12, 2017 23:10
@andrewhsu andrewhsu mentioned this pull request Jun 13, 2017
Merged
@cyli cyli mentioned this pull request May 22, 2018
Open
silvin-lubecki pushed a commit to silvin-lubecki/docker-ce that referenced this pull request Feb 3, 2020
@andrewhsu
revendor github.com/docker/swarmkit to 6083c76
cd38044 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Feb 3, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
58471c2 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 10, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
83aa94f 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 23, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
dcbaad5 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@diogomonica diogomonica diogomonica approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cyli @aaronlehmann @diogomonica