ca: relax (or remove) validation of PrivateKeyType/PrivateKeyBits #12246

Closed
dnephin opened this issue Feb 1, 2022 · 1 comment · Fixed by #12267
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul type/bug Feature does not function as expected

Comments

dnephin (Contributor) commented Feb 1, 2022

This was added in #10331 as part of #9572.

The current validation works well if Consul is responsible for generating the root CA, but there's no requirement to have Consul generate the root CA. For both the built-in and Vault providers the user can set up the root CA ahead of time, and Consul will use the already configured CA. This manual setup will be required for #11910 (#11598).

For the manually configured root CA scenario, this validation causes problems. An example of the problem can be seen in this test case:

// TODO: there are failures to init the CA system if these are not set
// to the values of the already initialized CA.
"PrivateKeyType": "ec",
"PrivateKeyBits": 256,

The user is required to specify these values in the Consul config exclusively to get past the validation. The config values will never be used by Consul for the root CA.

Another example is this comment on the issue. The validation is preventing the user from changing the key bits used to generate intermediate certificates.

@dnephin dnephin added type/bug Feature does not function as expected theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Feb 1, 2022
dnephin (Contributor, author) commented Feb 3, 2022

If you are seeing this error:

cannot update the PrivateKey{Type,Bits} field without choosing a new PKI mount for the root CA

You can work around the problem by running consul connect ca set-config to change the configuration to include PrivateKeyType and PrivateKeyBits with values that match the CA cert that was created in Vault (docs are here). Unfortunately the error message doesn't tell you which values are expected, but you should be able to look them up by getting the public PEM out of Vault (the path is the root_pki_path), and running openssl x509 -noout -text on the PEM. The information should be right below "Public Key Algorithm".

If you see this error when restarting a server (i.e. after an upgrade) this workaround should still work. Consul should allow you to change the config even if the CA system has not been initialized.

If anyone has trouble with this workaround, please comment here.
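The lookup step in the workaround above, scripted as an added example that is not part of this issue or of Consul's own code: it parses the "Public Key Algorithm" and "Public-Key: (N bit)" lines of openssl x509 -noout -text and maps them to the two values the set-config workaround needs. The sample EC and RSA CAs are constructed on the fly so the script runs offline; the helper names, the JSON fragment shape and the assumption that openssl is on PATH are mine, and the output must still be merged into the full provider config for your deployment.

```shell
#!/bin/sh
# Added example, not code from Consul or from this issue. Builds throwaway EC and
# RSA CAs with openssl, then recovers the values that Consul's PrivateKeyType /
# PrivateKeyBits fields must carry to match an externally created root CA.
# Assumes openssl is on PATH.
set -eu

# Map the "Public Key Algorithm" / "Public-Key: (N bit)" lines of
# `openssl x509 -noout -text` to Consul's PrivateKeyType and PrivateKeyBits.
# Prints two words, e.g. "ec 256" or "rsa 2048".
consul_key_params_from_pem() {
    text=$(openssl x509 -in "$1" -noout -text)
    algo=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$algo" in
        id-ecPublicKey) keytype=ec ;;
        rsaEncryption)  keytype=rsa ;;
        *) echo "unsupported public key algorithm: $algo" >&2; return 1 ;;
    esac
    [ -n "$bits" ] || { echo "could not determine key size from $1" >&2; return 1; }
    printf '%s %s\n' "$keytype" "$bits"
}

# Emit the two fields as a JSON fragment to merge into the provider "Config"
# block handed to `consul connect ca set-config` (field names from the issue;
# the rest of the provider config is deployment-specific and not shown here).
consul_ca_config_fragment() {
    set -- $(consul_key_params_from_pem "$1")
    printf '{"PrivateKeyType": "%s", "PrivateKeyBits": %s}\n' "$1" "$2"
}

# Constructed sample CAs for offline demonstration: a P-256 EC CA and a
# 2048-bit RSA CA, written into the directory given as $1.
make_sample_ec_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec-ca.key"
    openssl req -x509 -new -key "$1/ec-ca.key" -days 1 -subj "/CN=sample-ec-ca" -out "$1/ec-ca.pem"
}
make_sample_rsa_ca() {
    openssl genrsa -out "$1/rsa-ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/rsa-ca.key" -days 1 -subj "/CN=sample-rsa-ca" -out "$1/rsa-ca.pem"
}

# Usage: sh this-script.sh /path/to/root-ca.pem   (PEM fetched from root_pki_path)
if [ "$#" -gt 0 ]; then
    consul_key_params_from_pem "$1"
    consul_ca_config_fragment "$1"
fi
```

Run it against the PEM exported from the Vault root_pki_path and paste the printed fragment into the Config block of the set-config payload; for an EC P-256 root it yields exactly the "ec" / 256 pair shown in the test case quoted in the first comment.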
