Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VCH with custom certificates behavior #8543

Open
aviratna opened this issue May 3, 2019 · 3 comments
Open

VCH with custom certificates behavior #8543

aviratna opened this issue May 3, 2019 · 3 comments
Assignees

Comments

@aviratna
Copy link

aviratna commented May 3, 2019

Background

We are using Hashicorp Vault to generate CA signed certificates for VCH and Client authentication. During VCH creation, we will keep the custom certificates in folder same as VCH name and the vic-machine-os picks it up automagically.

Issue 1: If we create VCH with custom certificate, we are able to connect to different VCH using same client certificate, so long its signed by the same CA. This doesn't seem right! However, this is not the case with VIC auto created certificates, as the CA is different for each VCH.

Issue 2. Documentation not clear to update custom generated certificates. There are no parameters to pass the client certificate or ca-cert. We tried the below commands as per document, its not working. We can only update the --tls-server-cert and --tls-server-key. Documentation and Error messages are not clear. In fact, some of the error messages are misleading!

Issue 3: VCH Configure --no-tlsverify command doesn't work, it checks for VCH folder and throws error "folder already exists". This doesn't seem logical. Why should disabling TLS worry about existing folder? Workaround is to rename the existing folder to different name.

vSphere and vCenter Server version

vSphere 6.5

VIC version

VIC 1.5 (probably all versions in the past too)

VCH configuration

vic-machine-os configure

####Current Command as per documents:

Command 1: Only VCH Certiticate is getting updated. No option to pass the client certificate.

$ vic-machine-operating_system configure
--target vcenter_server_address
--user [email protected]
--password password
--thumbprint certificate_thumbprint
--id vch_id
--tls-server-cert path_to_cert/certificate_name.pem
--tls-server-key path_to_key/key_name.pem

Command 2: Below command throws error if we copy the custom generated in cert path and try to run command. Regardless, it doesn't seem like client certs are being used appropriately.

$ vic-machine-operating_system configure
--target vcenter_server_address
--user [email protected]
--password password
--thumbprint certificate_thumbprint
--id vch_id
--tls-cname *.example.com
--tls-cert-path path_to_cert_folder

Error: "Folder already exists"

#####Workaround:
We tried the below command and we are able to update the VCH certificate and pass the ca.pem to VCH configure command
Note: Below command fails if we copy the certificate in folder with same name as VCH, so we had to create a folder with different name and copy certs. Error message is not clear.

$ vic-machine-operating_system configure
    --target vcenter_server_address
    --user [email protected]
    --password password
    --thumbprint certificate_thumbprint
    --id vch_id
    --tls-server-cert path_to_cert/server-cert.pem
    --tls-server-key path_to_key/server-key.pem
--tls-ca path_to_key/ca.pem
--tls-cname=""

This is not useful also, as client auth doesn't seem to work.

Document Link

https://vmware.github.io/vic-product/assets/files/html/1.5/vic_vsphere_admin/configure_vch.html

@malikkal
@hickeng

@malikkal
Copy link

malikkal commented May 3, 2019

default certs that are auto generated has one year life. long-term VIC users would be hit with renewal issues.

BTW, if you use CA signed certs, as already explained above, any client certs issued by the CA is accepted! it would be great, if this could be prioritized high. Thank you.

@wjun
Copy link
Contributor

wjun commented May 5, 2019

default certs that are auto generated has one year life. long-term VIC users would be hit with renewal issues.

BTW, if you use CA signed certs, as already explained above, any client certs issued by the CA is accepted! it would be great, if this could be prioritized high. Thank you.

@malikkal Do you expect a authorization user list for each VCH, so only users in this list can access the VCH? If so, as a quick solution, a file based user list looks the simplest solution for access control.

@aviratna
Copy link
Author

aviratna commented Aug 6, 2020

@wjun : Can you please let us know if issue is fixed in latest version.

@cmrajiv

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants