This repository has been archived by the owner on Jul 16, 2020. It is now read-only.

Merge pull request #984 from tpepper/misc
small certificate related cleanups
rbradford authored Jan 5, 2017
2 parents cc283e2 + 6aaf9cb commit 10e7261
Showing 2 changed files with 37 additions and 1 deletion.
36 changes: 36 additions & 0 deletions ciao-cert/README.md
Expand Up @@ -123,3 +123,39 @@ For host: ciao-ctl.intel.com
For IP: 192.168.1.118
Private key: RSA PRIVATE KEY
```

## Dealing with certificate issues

### Role mismatches

Ciao cluster certificates implement a role base access control (RBAC) system of
cluster membership. If a ciao cluster client attempts access using a
certificate whose embedded role does not match the SSNTP client connection
indicated role, the access will be disallowed. The cluster logs will show
a message, eg:
```
Wrong certificate or missing/mismatched role OID
```
If this is observed, insure your client certificates are created with the
correct roles as indicated above, and your client binaries are run with
configuration using the correct certificate.

### Certificate signed by unknown authority

Ciao cluster certificates are signed by a common certificate authority
(CA). The above documentation example creates a trust anchor CA with
the ```-anchor```, but you can also use a pre-existing one via the
```-anchor-cert``` option.

Either way, for ciao components to correctly operate, the CA's
certificate must be in the system trust store on each host running a
ciao component. If it is not, you will see cluster log messages, eg:
```
x509: certificate signed by unknown authority
```
and the cluster will not form.

Depending on your linux distribution, golang runtime, and local IT
policies, the correct way to add your cluster's CA certificate to
your cluster systems' trust stores will vary. Consult your applicable
documentation.
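Review bot: Two wording errors in the new "Role mismatches" section should be fixed before merge: "role base access control (RBAC)" should read "role-based access control (RBAC)", and "insure your client certificates are created" should be "ensure your client certificates are created". In the "Certificate signed by unknown authority" section the option names are wrapped in triple backticks inline (```-anchor``` and ```-anchor-cert```); single backticks (`-anchor`, `-anchor-cert`) are the conventional inline-code form and avoid a renderer treating them as fence markers. It would also help the reader to say where the quoted message comes from: "x509: certificate signed by unknown authority" is the error string of Go's crypto/x509 chain verification, which is why the fix is a trust-store change on the host rather than anything ciao-specific, and that ties in with the paragraph's mention of the golang runtime.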
2 changes: 1 addition & 1 deletion ssntp/ssntp.go
Expand Up @@ -1068,7 +1068,7 @@ func GetOIDsFromRole(role Role) ([]asn1.ObjectIdentifier, error) {
}

func verifyRole(conn interface{}, role Role) (bool, error) {
var oidError = fmt.Errorf("**** TEMPORARY WARNING ****\n*** Wrong certificate or missing/mismatched role OID ***\nIn order to fix this, use the -role option when generating your certificates with the ciao-cert tool")
var oidError = fmt.Errorf("Wrong certificate or missing/mismatched role OID")
switch tlsConn := conn.(type) {
case *tls.Conn:
state := tlsConn.ConnectionState()
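Review bot: The shortened message in verifyRole drops the one actionable hint the old text carried (regenerate the certificates with the -role option of ciao-cert). Since the README hunk in this same PR now documents that fix, keep a pointer to it rather than leaving the user with only the symptom, e.g. `var oidError = fmt.Errorf("wrong certificate or missing/mismatched role OID; see ciao-cert/README.md")`. Two Go style points on the same line: error strings are conventionally not capitalized (golint flags "Wrong ..."), and `fmt.Errorf` with no format verbs should be `errors.New`.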