Hey,
So this is possibly related to a documented golang deprecation associated with how golang cyrpto package handles TLS certificates. The golang 1.15 release notes have a way to enable the deprecated behavior, but that’s just a short term workaround. If this is your problem, you’ll need to get the certs updated to include the SAN extension.
Just as an aside, the change in cert handling has been a long time coming. This was actually deprecated by an RFC back in 2000, and as far as I personally know golang 1.15 is the first tls implementation in common use that has deprecated the behavior. But I fully expect other TLS implementations to follow suit in the next year now that golang has done it.
I believe there is work inside puppet specifically to update how certs are being built to conform to best practices. I’m not an active puppet user, so I’m not following the puppet issue closely so I don’t know the full details of what part of the puppet stack needs to be changed.
In the meantime please try setting the GODEBUG environment variable to the value documented in the Golang release notes for sensu backend and agent. That should allow for your existing certs to be used until your puppet infra can issue conformant certs.
as I am no GOLANG expert: Is the GODEBUG-variable just a system-variable I could set using puppet or is it something I could set just within the puppet module of sensu?
It’s just an environment variable.
Assuming for example sensu-backend is running as a systemd service using the the systemd service file as packaged in the official sensu packages you have several ways to add an environment variable to a running service:
For sensu-backend as packaged your choices are:
/etc/default/sensu-backend or /etc/sysconfig/sensu-backend . This works for official sensu packages because the provided systemd service files is configured to attempt to read those files for environment variable information.
extend the systemd service configuration with the necessary environment variable statement in a file under /etc/systemd/system/sensu-backend.service.d/. This is a general technique for all systemd services so local admins don’t have to edit vendor provided default service configuration.
Similarly you can set an environment variable for sensu-agent, with file location names changed accordingly.
For systems without systemd, the official sensu packages use a sysvinit script that knows how to do 1. from above.
Based on what I’m reading elsewhere, it appears that
GODEBUG=x509ignoreCN=0
is the sufficient envvar configuration. Let me know if this works for you. We can get it added to our troubleshooting documentation. Right now all my privately generated certs conform to the RFC best practice so I’m having trouble reproducing (like I said not a puppet user) so I can’t test if this GODEBUG configuration works.
Also, if you can report back with regard to anything you find out about how puppet plans to address this, for example if there is a minimum version of puppet that needs to be used to avoid the deprecation workaround. Or if there is a specific puppet configuration change associated with how certs are created that you can share with other users.
Our documented examples for generating self-signed certs uss cfssl tooling have the necessary SAN listing I believe, which is why I didn’t see the problem on the upgrade in my test systems. But we can’t realistically document all possible ways to generate certs (sort of outside the scope of our docs)
But once there’s an understood way to avoid this problem with puppet generated certs, we can probably add the specific puppet learning to our troubleshooting guide to help the next person who runs into this. Outside of puppet now, I’m not sure what other automatic cert generation tooling is impacted this. For example I’m pretty sure lets encrypt generated certs are RFC compliant. Hopefully puppet has a solution for users already or will soon. More and more things are going to start deprecating/disabling support for these out of compliance certs.
The puppet server is acting as a CA itself and in this role it’s signing all certs of the managed hosts. Replacing the cert, which comes with a very long validity period, is not that easy, especially when there are other tools like Foreman (theforeman.org) which make use of the Puppet CA, too.
I will watch this, but I guess I won’t reply back within the next weeks/months. Maybe it would be better, if the sensu module would create a cert itself.
Just to be clear, so from an internal process pov, it would be much easier/faster for you to have bespoke self-signed certs generated by the sensu puppet module?
For me it would be a lot faster, as I would need to replace all certs, not only for the puppet server but also for the foreman-proxies, which are acting as some kind of puppet-proxyserver.
For me it would be the best case to avoid this as I need to check a lot of possible side-effects.
so instead of sensu module doing itself…
How about using an existing puppet openssl module to generate the certs and place them on disk prior to sensu module running?
I think if you use https://forge.puppet.com/modules/camptocamp/openssl and use the openssl ‘template’ configuration (file ending in .cnf ) with alternative names defined similar to what is discussed here you probably get to where you need for self-signed certs.
Sorry, I’m not a puppet user myself so I can’t give you a working example of integrating the openssl module, but I’m pretty confident it should work once you have the correct openssl configuration with alternative names specified.
)