Skip to content

[v11] Connect: Detect & reissue expired db certs#19096

Merged
ravicious merged 3 commits intobranch/v11from
ravicious/v11/backport-17950
Dec 12, 2022
Merged

[v11] Connect: Detect & reissue expired db certs#19096
ravicious merged 3 commits intobranch/v11from
ravicious/v11/backport-17950

Conversation

@ravicious
Copy link
Copy Markdown
Member

@ravicious ravicious commented Dec 6, 2022

Backport #17950.

@ravicious
Connect: Detect & reissue expired db certs (#17950)
fc34d82 
* Add TTL field to integration/helpers.UserCredsRequest

This will let us create expired user certs by providing a negative TTL.

* Reissue gateway cert if middleware detects it expired

* Add integration test for gateway cert renewal
@ravicious
Copy link
Copy Markdown
Member Author

ravicious commented Dec 6, 2022

That new integration test I wrote works on master but seems to fail on branch/v11, I'm investigating why.

--- FAIL: TestALPNSNIProxyDatabaseAccess (16.70s)
    --- FAIL: TestALPNSNIProxyDatabaseAccess/teleterm_gateways_cert_renewal (0.01s)
        --- FAIL: TestALPNSNIProxyDatabaseAccess/teleterm_gateways_cert_renewal/root_cluster (0.22s)
            teleterm_test.go:158:
                	Error Trace:	/Users/rav/Projects/teleport/integration/proxy/teleterm_test.go:158
                	            				/Users/rav/Projects/teleport/integration/proxy/teleterm_test.go:58
                	Error:      	Received unexpected error:
                	            	io.ReadFull(header) failed. err EOF: connection was bad
                	Test:       	TestALPNSNIProxyDatabaseAccess/teleterm_gateways_cert_renewal/root_cluster
        --- FAIL: TestALPNSNIProxyDatabaseAccess/teleterm_gateways_cert_renewal/leaf_cluster (0.24s)
            teleterm_test.go:158:
                	Error Trace:	/Users/rav/Projects/teleport/integration/proxy/teleterm_test.go:158
                	            				/Users/rav/Projects/teleport/integration/proxy/teleterm_test.go:68
                	Error:      	Received unexpected error:
                	            	io.ReadFull(header) failed. err EOF: connection was bad
                	Test:       	TestALPNSNIProxyDatabaseAccess/teleterm_gateways_cert_renewal/leaf_cluster

@ravicious
Copy link
Copy Markdown
Member Author

ravicious commented Dec 7, 2022

I figured out where the issue is. #17610 (comment)

If that PR cannot be backported to v11, then I need to find another way of simulating a relogin through Connect in the integration test.

@ravicious ravicious mentioned this pull request Dec 7, 2022
Merged
@ravicious
Copy link
Copy Markdown
Member Author

ravicious commented Dec 9, 2022
edited
Loading

Could I get approvals here? Once #19218 gets merged, the integration test on this backport branch is going to pass.

@github-actions github-actions Bot removed the request for review from GavinFrazar December 9, 2022 16:15
@ravicious ravicious mentioned this pull request Dec 12, 2022
Merged
@ravicious ravicious merged commit 52a9d13 into branch/v11 Dec 12, 2022
@ravicious ravicious deleted the ravicious/v11/backport-17950 branch December 12, 2022 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zmb3 zmb3 zmb3 approved these changes

+1 more reviewer

@AntonAM AntonAM AntonAM approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ravicious @AntonAM @zmb3