TLS certificate error with OpenSSL

Bonjour, :wave:

I just want to say before: I’m a beginner with TLS certificates, and I tried to understand the whole concept. :smiling_face:

For Consul and Vault, it works (I used consul create ca), but I have a little problem with activating TLS for Nomad.

My nomad TLS config part:

    tls {
        http = true
        rpc = true
        ca_file = "/etc/vault.d/ssl/nomad-ca.pem"
        cert_file = "/etc/vault.d/ssl/server.pem"
        key_file = "/etc/vault.d/ssl/server.key"
        rpc_upgrade_mode = false
        verify_server_hostname = true
        verify_https_client = true
    }

I create the CA and TLS certificates with OpenSSL, but via the Ansible module, because the certificates generated by consul create ca are not working with Nomad: an issue with the domain name.

With OpenSSL, I have this error in the log:

    2023-02-08T15:50:31.684+0100 [ERROR] client: error registering: error="rpc error: failed to get conn: x509: certificate signed by unknown authority (possibly because of \"x509: invalid signature: parent certificate cannot sign this kind of certificate\" while trying to verify candidate authority certificate \"serial:387998798588550154155810081398460306095881826677\")"
    2023-02-08T15:50:31.678+0100 [ERROR] client.rpc: error performing RPC to server: error="rpc error: failed to get conn: rpc error: lead thread didn't get connection" rpc=Node.GetClientAllocs server=192.168.64.65:4647
    2023-02-08T15:50:31.684+0100 [ERROR] client.rpc: error performing RPC to server which is not safe to automatically retry: error="rpc error: failed to get conn: rpc error: lead thread didn't get connection" rpc=Node.GetClientAllocs server=192.168.64.65:4647

I don’t understand "failed to get conn: x509: certificate signed by unknown authority"; it’s my own CA.

I see the documentation about Enable TLS Encryption for Nomad. In the explanations, it’s CFSSL that generates the TLS certificates.

But what is the difference between CFSSL and OpenSSL? I prefer to use OpenSSL because there is already an Ansible module for it.

Can you give me some advice about this? Or the way to follow for the solution.

If nobody helps me, I will ask ChatGPT, because he is nice with me! :rofl:

Thanks a lot :slight_smile:
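The hint in parentheses in the first log line above ("parent certificate cannot sign this kind of certificate") is the message Go's crypto/x509 package emits when the candidate CA certificate lacks the cA basic constraint or a keyUsage permitting keyCertSign, and Nomad and Consul both verify chains with that package. This added Go example (not from the thread or from Nomad) builds a throwaway CA and server certificate in memory with constructed names, runs the same Verify call, and switches the cA flag and the SAN on and off to show which check produces which error, including the "legacy Common Name" one:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes an Ed25519 key and a certificate from tmpl signed by parent/parentKey
// (self-signed when parent is nil). Panics on error: this is a one-off diagnostic.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that Go just produced always parses
	return cert, key
}

// VerifyLikeNomad runs the crypto/x509 checks a Go client such as Nomad applies to a
// server certificate. caFlag: the CA carries the cA basic constraint (CA:TRUE).
// leafSAN: the server cert names the host in a SAN rather than only in its CN.
func VerifyLikeNomad(caFlag, leafSAN bool) error {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{ // constructed throwaway CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Nomad CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		BasicConstraintsValid: caFlag, IsCA: caFlag, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leafTmpl := &x509.Certificate{ // constructed server cert, CN only unless leafSAN
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.global.nomad"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
	}
	if leafSAN {
		leafTmpl.DNSNames = []string{"server.global.nomad"}
	}
	leaf, _ := issue(leafTmpl, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "server.global.nomad"})
	return err
}
```

Running VerifyLikeNomad(false, true) reproduces the "signed by unknown authority (possibly because of ...)" error, VerifyLikeNomad(true, false) the legacy Common Name error, and VerifyLikeNomad(true, true) returns nil.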

Hi @fred-gb,

Nomad recently added its own tls command, which might be useful seeing as you’ve had success with Consul and Vault in a similar way. The process should closely follow the one used for Consul. I have also raised #16122 to track moving our tutorial over to use this.

But what is the difference between CFSSL and OpenSSL? I prefer to use OpenSSL because there is already an Ansible module for it.

You should be able to use either equivalently; we just chose cfssl for the tutorial as I believe it was consistent with other HashiCorp product tutorials.

I don’t understand "failed to get conn: x509: certificate signed by unknown authority"; it’s my own CA.

My TLS is not great, but it feels like potentially the CA passed to Nomad is missing the entire chain, or something similar.

I will ask ChatGPT, because he is nice with me!

Underneath it all, ChatGPT is just a cold-hearted machine, don’t be fooled! :smiley:

Thanks,
jrasell and the Nomad team

Hi @jrasell

Thanks for this news! It looks great.

Since my last post, I tried different strategies to generate them and found this useful HashiLearn:

But I’m stuck at creating the certificate because I don’t find an Ansible solution to create the private key and the CSR at the same time.

I already created a CA.

And when I launch Consul for testing, I have an error:

"rpc error getting client: failed to get conn: x509: certificate relies on legacy Common Name field, use SANs instead"

I will continue looking for an Ansible solution with OpenSSL. But maybe I will use HashiCorp’s solution to generate the certs.

I try to understand the mechanism.

This is my proto playbook, if that can help someone or show the way. It’s not working for the moment.

### CREATE CA
        # The CA certificate must carry CA:TRUE and keyCertSign; without them Go's
        # x509 verifier (used by Nomad, Consul and Vault) rejects the CA with
        # "parent certificate cannot sign this kind of certificate".
        - name: Create private key for CA
          community.crypto.openssl_privatekey:
            path: /tmp/hashistack/hashistack-ca-key.pem

        - name: Generate an OpenSSL Certificate Signing Request for CA
          community.crypto.openssl_csr:
            path: /tmp/hashistack/hashistack-ca.csr
            privatekey_path: /tmp/hashistack/hashistack-ca-key.pem
            common_name: Nomad CA
            basic_constraints:
              - 'CA:TRUE'
            basic_constraints_critical: true
            key_usage:
              - keyCertSign
              - cRLSign
            key_usage_critical: true

        - name: Create self-signed CA certificate from CSR for CA
          community.crypto.x509_certificate:
            path: /tmp/hashistack/hashistack-ca.pem
            # The CSR is what carries the CA extensions into the certificate.
            csr_path: /tmp/hashistack/hashistack-ca.csr
            privatekey_path: /tmp/hashistack/hashistack-ca-key.pem
            provider: selfsigned

### CREATE CERTS
        - name: Create private key for each server certificate
          community.crypto.openssl_privatekey:
            path: /tmp/hashistack/{{ item }}/server.{{ hashistack_deploy_dc_name }}.{{ item }}.key
          loop:
          - consul
          - vault
          - nomad

        - name: Generate an OpenSSL Certificate Signing Request for each server
          community.crypto.openssl_csr:
            path: /tmp/hashistack/{{ item.dir }}/server.{{ hashistack_deploy_dc_name }}.{{ item.dir }}.csr
            # The CSR must be built from the server's own key (it carries that key's
            # public half into the certificate), not from the CA key.
            privatekey_path: /tmp/hashistack/{{ item.dir }}/server.{{ hashistack_deploy_dc_name }}.{{ item.dir }}.key
            # Go ignores the CN for hostname checks, so every name must be a SAN.
            subject_alt_name: '{{ item.subject_alt_name }}'
          loop:
          - { dir: "consul", subject_alt_name: "DNS:localhost,IP:127.0.0.1,DNS:server.global.nomad,DNS:server.{{ hashistack_deploy_dc_name }}.consul"}
          - { dir: "vault", subject_alt_name: "DNS:localhost,IP:127.0.0.1,DNS:server.global.nomad,DNS:server.{{ hashistack_deploy_dc_name }}.vault"}
          - { dir: "nomad", subject_alt_name: "DNS:localhost,IP:127.0.0.1,DNS:server.global.nomad,DNS:server.{{ hashistack_deploy_dc_name }}.nomad"}

        - name: Generate an OpenSSL certificate signed with your own CA certificate
          community.crypto.x509_certificate:
            path: /tmp/hashistack/{{ item }}/server.{{ hashistack_deploy_dc_name }}.{{ item }}.crt
            csr_path: /tmp/hashistack/{{ item }}/server.{{ hashistack_deploy_dc_name }}.{{ item }}.csr
            ownca_path: /tmp/hashistack/hashistack-ca.pem
            ownca_privatekey_path: /tmp/hashistack/hashistack-ca-key.pem
            provider: ownca
          loop:
          - consul
          - vault
          - nomad

Thanks

And I will share a real cold :beers: with @jrasell? Instead of cold ChatGPT?