From 865b42d6d08f2ac932ae38179b84e03e933ad23c Mon Sep 17 00:00:00 2001
From: Tim Pepper
Date: Wed, 4 Jan 2017 10:21:44 -0800
Subject: [PATCH 1/2] ssntp: remove "TEMPORARY WARNING"

This message is stale. The RBAC scheme is described in the ciao-cert and other documentation, but I add an additional footnote to the ciao-cert readme to help an operator. And then simplify the error message.

Signed-off-by: Tim Pepper
---
 ciao-cert/README.md | 16 ++++++++++++++++
 ssntp/ssntp.go | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ciao-cert/README.md b/ciao-cert/README.md
index bed986458..a0d48126a 100644
--- a/ciao-cert/README.md
+++ b/ciao-cert/README.md
@@ -123,3 +123,19 @@ For host: ciao-ctl.intel.com
 For IP: 192.168.1.118
 Private key: RSA PRIVATE KEY
 ```
+
+## Dealing with certificate issues
+
+### Role mismatches
+
+Ciao cluster certificates implement a role base access control (RBAC) system of
+cluster membership. If a ciao cluster client attempts access using a
+certificate whose embedded role does not match the SSNTP client connection
+indicated role, the access will be disallowed. The cluster logs will show
+a message, eg:
+```
+Wrong certificate or missing/mismatched role OID
+```
+If this is observed, insure your client certificates are created with the
+correct roles as indicated above, and your client binaries are run with
+configuration using the correct certificate.
diff --git a/ssntp/ssntp.go b/ssntp/ssntp.go
index 6f8344c6e..fd78b396c 100644
--- a/ssntp/ssntp.go
+++ b/ssntp/ssntp.go
@@ -1068,7 +1068,7 @@ func GetOIDsFromRole(role Role) ([]asn1.ObjectIdentifier, error) {
 }

 func verifyRole(conn interface{}, role Role) (bool, error) {
- var oidError = fmt.Errorf("**** TEMPORARY WARNING ****\n*** Wrong certificate or missing/mismatched role OID ***\nIn order to fix this, use the -role option when generating your certificates with the ciao-cert tool")
+ var oidError = fmt.Errorf("Wrong certificate or missing/mismatched role OID")
 switch tlsConn := conn.(type) {
 case *tls.Conn:
 state := tlsConn.ConnectionState()
From 6aaf9cbc279f324b621a23665fff337ad1764d41 Mon Sep 17 00:00:00 2001
From: Tim Pepper
Date: Wed, 4 Jan 2017 10:35:09 -0800
Subject: [PATCH 2/2] ciao-cert: add README help section on CA issues

There's a lot of variation between distros, golang runtime builds, and possible operator configuration choices around certificate authorities. How to interpret the "x509: certificate signed by unknown authority" error message is becoming a FAQ.

Signed-off-by: Tim Pepper
---
 ciao-cert/README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/ciao-cert/README.md b/ciao-cert/README.md
index a0d48126a..5e5de8b22 100644
--- a/ciao-cert/README.md
+++ b/ciao-cert/README.md
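Review bot: The added line builds a constant message with `fmt.Errorf` although it contains no format verbs; `errors.New("Wrong certificate or missing/mismatched role OID")` is the form `go vet`/staticcheck expect (assuming `errors` is, or can be, imported in ssntp.go), and hoisting it to a package-level sentinel such as `var ErrRoleOIDMismatch = errors.New("Wrong certificate or missing/mismatched role OID")` would let callers detect a role mismatch with `errors.Is` rather than by comparing text. The same string is quoted verbatim in the README hunk of this patch as the message operators should search their cluster logs for, so its exact text, including the capital W that otherwise departs from Go's lowercase error-string convention, is now part of the operator-facing contract and should be kept stable or the README updated in step. verifyRole's body continues past the hunk, so it is not visible here whether the mismatch is also logged with enough peer detail (presented role and connection identity) for an operator to tell which client is misconfigured; if it is not, that is worth adding alongside this message.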
@@ -139,3 +139,23 @@ Wrong certificate or missing/mismatched role OID
 If this is observed, insure your client certificates are created with the
 correct roles as indicated above, and your client binaries are run with
 configuration using the correct certificate.
+
+### Certificate signed by unknown authority
+
+Ciao cluster certificates are signed by a common certificate authority
+(CA). The above documentation example creates a trust anchor CA with
+the ```-anchor```, but you can also use a pre-existing one via the
+```-anchor-cert``` option.
+
+Either way, for ciao components to correctly operate, the CA's
+certificate must be in the system trust store on each host running a
+ciao component. If it is not, you will see cluster log messages, eg:
+```
+x509: certificate signed by unknown authority
+```
+and the cluster will not form.
+
+Depending on your linux distribution, golang runtime, and local IT
+policies, the correct way to add your cluster's CA certificate to
+your cluster systems' trust stores will vary. Consult your applicable
+documentation.