RKE strips multiple certs from pem file when using intermediate/sub ca #2597

Closed
chaudhryfaisal opened this issue Jul 2, 2021 · 3 comments

@chaudhryfaisal
Contributor

RKE strips multiple certs from pem file when using intermediate/sub ca with sub ca and root ca in kube-ca.pem file

RKE version: 1.2.8

cluster.yml file:

cluster_name: k8s-cluster-with-ca-chain
kubernetes_version: v1.19.7-rancher1-1
nodes:
  - address: 127.0.0.1
    role: [ controlplane,etcd,worker ]
    user: ubuntu

Steps to Reproduce:

  1. generate CSRs: rke cert generate-csr
  2. Sign CSRs with intermediate/sub ca
  3. initialize cluster.rkestate: rke up -init --custom-certs

Results:

  1. check kube-ca.pem
# cat kube-ca.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
  2. check kube-ca certificatePEM in cluster.rkestate
# cat cluster.rkestate | jq -r '.desiredState.certificatesBundle."kube-ca".certificatePEM'
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

Analysis:

rke/pki/util.go, line 643 in b8e94c9:

certificate = certificates[0]
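
Added example (not part of the issue thread and not RKE's code): a Go check for the truncation reported above, comparing the certificates in kube-ca.pem with the `certificatePEM` stored under `.desiredState.certificatesBundle."kube-ca"` in cluster.rkestate. The function names and sample inputs are constructed for illustration, the sample PEM payloads are placeholders rather than real certificates, and the struct relies on encoding/json matching keys case-insensitively.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// certBlocks returns the payload of each CERTIFICATE block, in file order.
func certBlocks(data []byte) (out []string) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" {
			out = append(out, string(b.Bytes))
		}
	}
	return out
}

// missingFromState lists 0-based positions of caPEM certificates absent from the state entry.
func missingFromState(caPEM, stateJSON []byte, name string) (missing []int, err error) {
	var st struct{ DesiredState struct{ CertificatesBundle map[string]struct{ CertificatePEM string } } }
	if err = json.Unmarshal(stateJSON, &st); err != nil {
		return nil, err
	}
	stored := map[string]bool{}
	for _, der := range certBlocks([]byte(st.DesiredState.CertificatesBundle[name].CertificatePEM)) {
		stored[der] = true
	}
	for i, der := range certBlocks(caPEM) {
		if !stored[der] {
			missing = append(missing, i)
		}
	}
	return missing, nil
}

// sample returns constructed inputs: a two-block CA file and a state that kept only block 0.
func sample() (caPEM, stateJSON []byte) {
	sub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed sub CA")})
	root := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed root CA")})
	q, _ := json.Marshal(string(sub))
	state := `{"desiredState":{"certificatesBundle":{"kube-ca":{"certificatePEM":` + string(q) + `}}}}`
	return append(sub, root...), []byte(state)
}

func main() {
	ca, state := sample()
	fmt.Println(missingFromState(ca, state, "kube-ca")) // [1] <nil>
}
```

A non-empty result means the state holds fewer certificates than the CA file supplied with `--custom-certs`.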

@superseb
Contributor

superseb commented Jul 2, 2021

I think this is the same as #1834

@chaudhryfaisal
Contributor Author

Yes, I couldn't find the issue, so I created a new one so I can submit a PR.

@stale

stale bot commented Aug 31, 2021

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
