
Fix CRLs in the backend #57822

Merged

zmb3 merged 5 commits into master from zmb3/crl-fix on Aug 14, 2025

Conversation

zmb3 (Collaborator) commented Aug 12, 2025

In #55429 we added an empty certificate revocation list to the TLS keypairs in the certificate_authority backend resource.

The intent was that the CRL would be signed by the keypair it is associated with, but the code mistakenly used a function that would find any suitable keypair, which could create CRLs signed by the wrong key.

This commit corrects both the initial CRL generation as well as any existing CRLs that have invalid signatures.

Changelog: fixed an issue that could cause revocation checks to fail in Windows environments.

@zmb3 zmb3 requested a review from nklaassen August 12, 2025 17:00
In #55429 we added an empty certificate revocation list to the
TLS keypairs in the certificate_authority backend resource.

The intent was that the CRL would be signed by the keypair it is
associated with, but the code mistakenly used a function that would
find _any_ suitable keypair, which could create CRLs signed by the
wrong key.

This commit corrects both the initial CRL generation as well as
any existing CRLs that have invalid signatures.
@zmb3 zmb3 marked this pull request as ready for review August 12, 2025 17:31
zmb3 (Collaborator, Author) commented Aug 12, 2025

I manually validated this by putting the CRL from a different CA from a different Teleport cluster in my backend and restarting auth.

On the first restart, it identified the one invalid CRL and regenerated it.
On the next restart, all CRLs checked out as valid and no edits were made.

zmb3 added 2 commits August 12, 2025 15:28
In clusters with multiple active signers (like those using HSMs or
KMS for private keys), the only safe way to get a CRL is to use
the one that's already present in the certificate_authority resource.

Generating a CRL with GenerateCertAuthorityCRL will give you a valid
CRL, but you have no control over which certificate signs it, which
is likely to cause revocation failures later on.

In most cases, we're looking up an existing CRL, not generating one.
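The mechanics behind the PR description, the manual validation comment and the commit messages above (a CRL must be signed by the keypair it sits next to, an existing CRL is verified against that keypair's certificate rather than regenerated, and one that fails verification is replaced with one signed by the right key) are shown here as an added example using Go's standard crypto/x509 package. This is not Teleport's code: the caKeypair type, the helpers newCA, emptyCRLSignedBy, crlValidFor, reconcileCRLs and runScenario, and the two constructed cluster CAs are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only for the constructed setup, not the repair logic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caKeypair is a constructed stand-in for one TLS keypair stored in a
// certificate_authority resource: CA cert, private key and the DER CRL kept
// next to it. The type and field names are assumptions, not Teleport's.
type caKeypair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	CRL  []byte
}

// newCA builds a self-signed CA with the crlSign key usage (assumed helper).
func newCA(name string) *caKeypair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &caKeypair{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// emptyCRLSignedBy issues an empty CRL signed by exactly this keypair: the
// signer is chosen by the caller, never looked up among "suitable" keys.
func emptyCRLSignedBy(kp *caKeypair) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, kp.Cert, kp.Key)
}

// crlValidFor returns nil only if the CRL's signature verifies under kp.Cert.
func crlValidFor(crlDER []byte, kp *caKeypair) error {
	if len(crlDER) == 0 {
		return errors.New("no CRL stored for this keypair")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	return crl.CheckSignatureFrom(kp.Cert)
}

// reconcileCRLs is the repair pass: a keypair keeps a CRL that verifies under
// its own cert and gets a fresh one otherwise. Returns how many were regenerated.
func reconcileCRLs(kps []*caKeypair) (int, error) {
	fixed := 0
	for _, kp := range kps {
		if crlValidFor(kp.CRL, kp) == nil {
			continue
		}
		crl, err := emptyCRLSignedBy(kp)
		if err != nil {
			return fixed, err
		}
		kp.CRL = crl
		fixed++
	}
	return fixed, nil
}

// runScenario recreates the manual test described in the PR: cluster B's CRL
// is stored next to cluster A's keypair. Returns the counts of two repair passes.
func runScenario() (first, second int, err error) {
	a, b := newCA("teleport-cluster-a"), newCA("teleport-cluster-b")
	crlB := must(emptyCRLSignedBy(b))
	a.CRL, b.CRL = crlB, crlB // a's slot now holds a CRL signed by b's key
	kps := []*caKeypair{a, b}
	if first, err = reconcileCRLs(kps); err != nil {
		return 0, 0, err
	}
	if err = crlValidFor(a.CRL, a); err != nil {
		return 0, 0, fmt.Errorf("repair left an invalid CRL: %w", err)
	}
	second, err = reconcileCRLs(kps)
	return first, second, err
}

func main() {
	first, second, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("first pass regenerated %d CRL(s), second pass %d\n", first, second)
}
```

The first pass finds exactly one CRL whose signature does not verify under its own certificate and replaces it; the second pass changes nothing, which matches the two-restart check in the validation comment. Note that CheckSignatureFrom also enforces the issuer's CA and crlSign constraints, so the check fails closed if a keypair without those bits is ever handed a CRL.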
@zmb3 zmb3 enabled auto-merge August 14, 2025 00:20
@zmb3 zmb3 added this pull request to the merge queue Aug 14, 2025
Merged via the queue into master with commit 0f1d7ac Aug 14, 2025
40 checks passed
@zmb3 zmb3 deleted the zmb3/crl-fix branch August 14, 2025 01:02
backport-bot-workflows (Contributor) commented:

@zmb3 See the table below for backport results.

Branch Result
branch/v17 Create PR
branch/v18 Create PR
