Don't include port in host certificate principals.

When attempting to guess the IP address of a remote host to add to the host certificate, always remove the port. Improve logging, so it's clear when a nodes host certificate changes due to the principals list being updated.
2024-10-21 01:34:01 +00:00 · 2019-06-21 00:04:13 +00:00 · 2019-06-21 00:04:13 +00:00 · 15478ec065
parent 7ab8b6a3f0
commit 15478ec065
2 changed files with 29 additions and 9 deletions
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@ -865,10 +865,16 @@ func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedK
 	// If the request contains 0.0.0.0, this implies an advertise IP was not
 	// specified on the node. Try and guess what the address by replacing 0.0.0.0
 	// with the RemoteAddr as known to the Auth Server.
-	req.AdditionalPrincipals = utils.ReplaceInSlice(
-		req.AdditionalPrincipals,
-		defaults.AnyAddress,
-		req.RemoteAddr)
+	if utils.SliceContainsStr(req.AdditionalPrincipals, defaults.AnyAddress) {
+		remoteHost, err := utils.Host(req.RemoteAddr)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		req.AdditionalPrincipals = utils.ReplaceInSlice(
+			req.AdditionalPrincipals,
+			defaults.AnyAddress,
+			remoteHost)
+	}

 	var cryptoPubKey crypto.PublicKey
 	var privateKeyPEM, pubSSHKey []byte
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@ -616,11 +616,25 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
 		defaults.Localhost,
 	)

-	principalsOrDNSNamesChanged := (len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals)) ||
-		(len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames))
+	// If advertise_ip, public_addr, or listen_addr in file configuration were
+	// updated, the list of principals (SSH) and DNS names (TLS) on the
+	// certificate need to be updated.
+	var principalsChanged bool
+	if len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals) {
+		principalsChanged = true
+		log.Debugf("Rotation in progress, updating SSH principals from %v to %v.",
+			conn.ServerIdentity.Cert.ValidPrincipals, additionalPrincipals)
+	}
+	var dnsNamesChanged bool
+	if len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames) {
+		log.Debugf("Rotation in progress, updating x590 DNS names in SAN from %v to %v.",
+			conn.ServerIdentity.XCert.DNSNames, dnsNames)
+		dnsNamesChanged = true
+	}

-	if local.Matches(remote) && !principalsOrDNSNamesChanged {
-		// nothing to do, local state and rotation state are in sync
+	// If the local state matches remote state and neither principals or DNS
+	// names changed, nothing to do. CA is in sync.
+	if local.Matches(remote) && !(principalsChanged || dnsNamesChanged) {
 		return &rotationStatus{}, nil
 	}

@ -648,7 +662,7 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
 		// that the old node came up and missed the whole rotation
 		// rollback cycle.
 		case "", services.RotationStateStandby:
-			if principalsOrDNSNamesChanged {
+			if principalsChanged || dnsNamesChanged {
 				process.Infof("Service %v has updated principals to %q, DNS Names to %q, going to request new principals and update.", id.Role, additionalPrincipals, dnsNames)
 				identity, err := process.reRegister(conn, additionalPrincipals, dnsNames, remote)
 				if err != nil {