etcd doesn't reload certs from disk when using ip address #9541

Closed
roboll opened this issue Apr 6, 2018 · 2 comments
Comments


roboll commented Apr 6, 2018

When certificates change on disk, etcd should pick up new certificates on the next client/peer request. This does not always happen.

Based on the code here, if we set Certificates and clientHello.ServerName is empty (which is true when addressed via ip address), it will fall back to the first element of Certificates instead of calling GetCertificate.
https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L716

According to this comment, the Certificates field needs to be set for integration tests to pass. I don't know why, but this is the cause of the issue. We should always be calling GetCertificate if certs should always be reloaded, never falling back to the certificate that was loaded at startup.
#7784 (comment)
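An added Go example (not code from this issue or from etcd) that reproduces the crypto/tls selection rule described above: with Certificates populated and an SNI-less ClientHello, the server keeps presenting the startup certificate even though GetCertificate would return the reloaded one, and only an empty Certificates slice makes GetCertificate take effect. It assumes an in-memory net.Pipe handshake and constructed self-signed certs named startup-cert and reloaded-cert standing in for the on-disk files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed cert whose CN records which cert was served (constructed test data).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with crypto/rand
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// servedCN runs one in-memory handshake against a server built from cfg and returns the CN of the
// leaf it presented. The client sets no ServerName, so its ClientHello carries no SNI, as when addressed by IP.
func servedCN(cfg *tls.Config) (string, error) {
	cPipe, sPipe := net.Pipe()
	defer func() { cPipe.Close(); sPipe.Close() }()
	go tls.Server(sPipe, cfg).Handshake()
	cli := tls.Client(cPipe, &tls.Config{InsecureSkipVerify: true})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// presentedCN reports what a no-SNI client is shown when GetCertificate always returns the "reloaded" cert;
// withStatic additionally fills Certificates with the startup cert, the setup the #7784 comment describes.
func presentedCN(withStatic bool) (string, error) {
	startup, reloaded := selfSigned("startup-cert"), selfSigned("reloaded-cert")
	cfg := &tls.Config{
		SessionTicketsDisabled: true, // no post-handshake writes to stall the synchronous pipe
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return &reloaded, nil // stand-in for re-reading the cert from disk on every hello
		},
	}
	if withStatic {
		cfg.Certificates = []tls.Certificate{startup} // with empty SNI, crypto/tls serves this and skips GetCertificate
	}
	return servedCN(cfg)
}
```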


gyuho commented Apr 6, 2018

@roboll Good catch! I just confirmed that your fix #9542 resolves this issue:

CSR

...
  "CN": "s1",
  "hosts": [
    "127.0.0.1"
  ]
}

without localhost

fails but succeeds with that fix.


gyuho commented Apr 20, 2018

We should be able to release the patch in 3.2 and 3.3 next week.
