
Missing support for wildcard domain names #312

Open
troyanov opened this issue Jan 10, 2025 · 0 comments · May be fixed by #313

Comments

@troyanov (Member)

MicroCluster requires the name of the cluster member to be a FQDN, and it also checks that this name is among the certificate SANs.

```go
certNameMatches := shared.ValueInSlice(req.Name, serverCert.DNSNames)
```

```go
// Subject Alternate Name values. (Note that these values may not be valid
// if invalid values were contained within a parsed certificate. For
// example, an element of DNSNames may not be a valid DNS domain name.)
DNSNames       []string
```

However, usage of ValueInSlice doesn't work for certificates that have wildcard DNS names.
This certificate won't work for member1.maas.internal:

```
X509v3 Subject Alternative Name:
    DNS:*.maas.internal, DNS:maas, IP Address:127.0.0.1, URI:*
```

```go
// ValueInSlice returns true if key is in list.
func ValueInSlice[T comparable](key T, list []T) bool {
	for _, entry := range list {
		if entry == key {
			return true
		}
	}

	return false
}
```
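As an added example (not code from this issue or from the microcluster project), the Go program below builds a constructed self-signed certificate carrying the same SAN list quoted above and compares the exact-match helper with crypto/x509's VerifyHostname. The helper names and the certificate contents are assumptions for illustration; the point it demonstrates is that VerifyHostname accepts member1.maas.internal for *.maas.internal while still limiting the wildcard to a single label, so neither maas.internal itself nor a.b.maas.internal is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ValueInSlice mirrors the helper quoted in the issue: an exact string match only.
func ValueInSlice[T comparable](key T, list []T) bool {
	for _, entry := range list {
		if entry == key {
			return true
		}
	}
	return false
}

// newWildcardCert builds a constructed, self-signed certificate whose DNS SANs
// match the ones shown in the issue (DNS:*.maas.internal, DNS:maas).
func newWildcardCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "maas"},
		DNSNames:     []string{"*.maas.internal", "maas"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether a member name is covered by the certificate under
// both checks: exact membership in DNSNames, and x509's VerifyHostname (which
// applies the single-label wildcard rule to *.maas.internal).
func NameMatches(cert *x509.Certificate, name string) (exact bool, hostname bool) {
	return ValueInSlice(name, cert.DNSNames), cert.VerifyHostname(name) == nil
}
```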
troyanov added a commit to troyanov/microcluster that referenced this issue Jan 12, 2025
Use VerifyHostname [0] instead of a string comparison, as it allows usage
of wildcard certificate (*.maas.internal) for every cluster member.

Release unique constraint on certificate, as in case of wildcard
certificate it can be the same for all the cluster members.

[0]: https://pkg.go.dev/crypto/x509#Certificate.VerifyHostname

Resolves canonical#312
troyanov linked a pull request Jan 12, 2025 that will close this issue
troyanov added a commit to troyanov/microcluster that referenced this issue Jan 12, 2025
Use VerifyHostname [0] instead of a string comparison, as it allows usage
of wildcard certificate for every cluster member.

Release unique constraint on certificate, as in case of wildcard
certificate it can be the same for all the cluster members.

[0]: https://pkg.go.dev/crypto/x509#Certificate.VerifyHostname

Resolves canonical#312

Signed-off-by: Anton Troyanov <[email protected]>