Don't include port in host certificate principals.
When attempting to guess the IP address of a remote host to add to the host certificate, always remove the port. Improve logging so it is clear when a node's host certificate changes because its principals list was updated.
|
@ -865,10 +865,16 @@ func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedK
|
|||
// If the request contains 0.0.0.0, this implies an advertise IP was not
|
||||
// specified on the node. Try and guess what the address by replacing 0.0.0.0
|
||||
// with the RemoteAddr as known to the Auth Server.
|
||||
req.AdditionalPrincipals = utils.ReplaceInSlice(
|
||||
req.AdditionalPrincipals,
|
||||
defaults.AnyAddress,
|
||||
req.RemoteAddr)
|
||||
if utils.SliceContainsStr(req.AdditionalPrincipals, defaults.AnyAddress) {
|
||||
remoteHost, err := utils.Host(req.RemoteAddr)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
req.AdditionalPrincipals = utils.ReplaceInSlice(
|
||||
req.AdditionalPrincipals,
|
||||
defaults.AnyAddress,
|
||||
remoteHost)
|
||||
}
|
||||
|
||||
var cryptoPubKey crypto.PublicKey
|
||||
var privateKeyPEM, pubSSHKey []byte
|
||||
|
|
|
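Review bot: The replacement in the added `if utils.SliceContainsStr` block trusts the transport source address unconditionally: when the Auth Server sits behind a NAT or load balancer, `req.RemoteAddr` is the intermediary's address and the node is issued a host certificate whose principal names that intermediary rather than the node itself. At minimum the substitution should be visible in logs so an operator can explain an unexpected principal, e.g. `log.Debugf("Replacing %v in host principals with remote address %v.", defaults.AnyAddress, remoteHost)` placed before the ReplaceInSlice call (assuming the package's usual logger is in scope). Whether `utils.Host` tolerates a bare host with no port, or an empty `RemoteAddr`, is not visible here and deserves a test, since that error now aborts key generation entirely. GenerateServerKeys begins and ends outside this hunk.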
@ -616,11 +616,25 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
|
|||
defaults.Localhost,
|
||||
)
|
||||
|
||||
principalsOrDNSNamesChanged := (len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals)) ||
|
||||
(len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames))
|
||||
// If advertise_ip, public_addr, or listen_addr in file configuration were
|
||||
// updated, the list of principals (SSH) and DNS names (TLS) on the
|
||||
// certificate need to be updated.
|
||||
var principalsChanged bool
|
||||
if len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals) {
|
||||
principalsChanged = true
|
||||
log.Debugf("Rotation in progress, updating SSH principals from %v to %v.",
|
||||
conn.ServerIdentity.Cert.ValidPrincipals, additionalPrincipals)
|
||||
}
|
||||
var dnsNamesChanged bool
|
||||
if len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames) {
|
||||
log.Debugf("Rotation in progress, updating x590 DNS names in SAN from %v to %v.",
|
||||
conn.ServerIdentity.XCert.DNSNames, dnsNames)
|
||||
dnsNamesChanged = true
|
||||
}
|
||||
|
||||
if local.Matches(remote) && !principalsOrDNSNamesChanged {
|
||||
// nothing to do, local state and rotation state are in sync
|
||||
// If the local state matches remote state and neither principals or DNS
|
||||
// names changed, nothing to do. CA is in sync.
|
||||
if local.Matches(remote) && !(principalsChanged || dnsNamesChanged) {
|
||||
return &rotationStatus{}, nil
|
||||
}
|
||||
|
||||
|
@ -648,7 +662,7 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
|
|||
// that the old node came up and missed the whole rotation
|
||||
// rollback cycle.
|
||||
case "", services.RotationStateStandby:
|
||||
if principalsOrDNSNamesChanged {
|
||||
if principalsChanged || dnsNamesChanged {
|
||||
process.Infof("Service %v has updated principals to %q, DNS Names to %q, going to request new principals and update.", id.Role, additionalPrincipals, dnsNames)
|
||||
identity, err := process.reRegister(conn, additionalPrincipals, dnsNames, remote)
|
||||
if err != nil {
|
||||
|
|
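Review bot: The debug message added in the first hunk mislabels the certificate type: `updating x590 DNS names in SAN` should read `x509`, otherwise anyone grepping rotation logs for x509 events misses it; the line should be `log.Debugf("Rotation in progress, updating x509 DNS names in SAN from %v to %v.",`. The two new blocks also set their flag on opposite sides of the log call (`principalsChanged = true` before it, `dnsNamesChanged = true` after), which is harmless but reads as if the ordering mattered; pick one order for both. Printing the full old and new principal and DNS lists is appropriate at debug level, and the once-per-rotation Infof in the second hunk is fine as is. rotate begins and ends outside these hunks.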