Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/tools/test-certs/README.md
Lucas Manuel Rodriguez 8cbcf3f9f7
Add fake certificates for testing TLS issues (#20390) 
Changes to help QA #6085.
2024-07-16 13:21:39 -03:00

57 lines
2.6 KiB
Markdown
Raw Blame History

# test-certs
This directory contains a fake certificate chain to test TLS functionality in `fleet`, `fleetctl` and `fleetd`.
> The certificates were generated using the following guide: [OpenSSL create certificate chain](https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/#Step_6_Generate_and_sign_server_certificate_using_Intermediate_CA)
## Directories
### root-ca directory
Contains a self-signed certificate considered as the "root CA" certificate.
### intermediate-ca directory
Contains a certificate signed by the "root CA" and considered as the "intermediate CA" certificate.
Additionaly contains a `intermediate-and-root.cert.pem` which contains `intermediate.cert.pem` + `root-ca.cert.pem`.
### server
Contains a server certificate signed by the "intermediate CA" certificate.
Contains certificates that can be used by a Fleet server:
- `server.key.pem`: TLS server private key.
- `leaf.cert.pem`: TLS server certificate alone.
- `leaf-and-intermediate.cert.pem`: Contains `leaf.cert.pem` + `intermediate.cert.pem`.
- `fullchain.cert.pem`: Contains `leaf.cert.pem` + `intermediate-ca.cert.pem` + `root-ca.crt.pem`.
## Usage
Run the Fleet server with the leaf certificate only:
```sh
fleet serve --dev --dev_license \
--server_cert ./tools/test-certs/server/leaf.cert.pem \
--server_key ./tools/test-certs/server/server.key.pem \
--logging_debug
```
You will see that `fleetctl debug connection` will fail if only pinning the `root-ca.cert.pem` (because TLS client doesn't know about the intermediate certificate):
```sh
fleetctl debug connection \
--fleet-certificate ./tools/test-certs/root-ca/root-ca.cert.pem \
https://localhost:8080
Debugging connection to localhost; Configuration context: none - using provided address; Root CA: ./tools/test-certs/root-ca/root-ca.cert.pem; TLS: secure.
Success: can resolve host localhost.
Success: can dial server at localhost:8080.
Error: Fail: certificate: dial for validate: verify certificate: x509: certificate signed by unknown authority
```
And `fleetctl debug connection` will succeed if pinning with `intermediate-and-root.cert.pem`:
```sh
fleetctl debug connection --fleet-certificate ./tools/test-certs/intermediate-ca/intermediate-and-root.cert.pem https://localhost:8080
Debugging connection to localhost; Configuration context: none - using provided address; Root CA: ./tools/test-certs/intermediate-ca/intermediate-and-root.cert.pem; TLS: secure.
Success: can resolve host localhost.
Success: can dial server at localhost:8080.
Success: TLS certificate seems valid.
Success: agent API endpoints are available.
```
Reference in a new issue View git blame Copy permalink