This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

certs: x509 check ip san #770

Merged: 3 commits merged into docker:master from x509-check-ip-san, Mar 17, 2015

Conversation

ehazlett
Contributor

This depends on #756.

This will check the remote host when using config and env commands to see if the remote certificate is valid. If not, it will automatically regenerate new certs and re-configure the engine to use them.

This also implements the regenerate-certs command from #702 against the new driver refactor.

Fixes #531
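The check this PR describes, as an added example that is not docker-machine's own code: parse the engine's server certificate, ask whether the machine's current IP is among its IP Subject Alternative Names, and if not, flag the certs for regeneration. Go's x509.Certificate.VerifyHostname is what the Docker client uses, and a mismatch is exactly what surfaces as "x509: certificate is valid for <SAN>, not <ip>" (the linked issue). The function name NeedsRegeneration is an assumption; NewDemoServerCert mints a throwaway self-signed cert in memory so the example runs offline and is a constructed stand-in for /etc/docker/server.pem, not the project's cert generation. The IPs are the ones from the trace later in this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NeedsRegeneration parses a PEM-encoded server certificate and reports
// whether it must be regenerated because currentIP is not among its IP
// Subject Alternative Names. It returns (true, nil) on a SAN mismatch,
// (false, nil) when the IP is listed, and a non-nil error when the input
// is not a parseable certificate or currentIP is not an IP literal.
// (Hypothetical helper written for this example, not docker-machine's API.)
func NeedsRegeneration(certPEM []byte, currentIP string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("parse certificate: %w", err)
	}
	if net.ParseIP(currentIP) == nil {
		return false, fmt.Errorf("%q is not an IP address", currentIP)
	}
	// For an IP literal, VerifyHostname consults only cert.IPAddresses
	// (the IP SANs); an IP placed in the CommonName does not count.
	err = cert.VerifyHostname(currentIP)
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return false, nil
	case errors.As(err, &hostErr):
		// This is the condition the Docker client reports as
		// "x509: certificate is valid for <SAN>, not <ip>".
		return true, nil
	default:
		return false, err
	}
}

// NewDemoServerCert mints a throwaway self-signed certificate whose only IP
// SAN is ipSAN. Constructed demo input so the example runs offline; it is
// not how docker-machine generates /etc/docker/server.pem.
func NewDemoServerCert(ipSAN string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "docker-machine-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ipSAN)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Scenario from the trace in this thread: the cert on the host carries
	// the live IP 52.11.189.60, while the stored machine URL still says
	// 52.10.115.103. Checking against the stale URL IP flags a regeneration;
	// checking against the live IP does not.
	certPEM, err := NewDemoServerCert("52.11.189.60")
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"52.10.115.103", "52.11.189.60"} {
		stale, err := NeedsRegeneration(certPEM, ip)
		if err != nil {
			panic(err)
		}
		fmt.Printf("machine IP %s: regenerate certs = %v\n", ip, stale)
	}
}
```

Note the caveat the trace below illustrates: the check is only as good as the IP it is given. If the tool compares the cert against a stale persisted IP, it will regenerate on every run even though the cert already matches the live host.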

@md5

md5 commented Mar 12, 2015

This diff looks much easier to review: https://github.com/ehazlett/machine/compare/driver-refactor...ehazlett:x509-check-ip-san?w=1

I should have some more time to take a look tomorrow.

@ehazlett
Contributor Author

@md5 👍 thx!

@md5

md5 commented Mar 12, 2015

I actually just amended that URL to add the magical ?w=1 to suppress the whitespace-only changes.

@rossbachp

After the certs are auto-regenerated, the config isn't changed.
Every access to the server generates the certs again and
you can't use the docker env correctly.

see this trace...

$ ./docker-machine_darwin-amd64 start amazonec2-03
$ ./docker-machine_darwin-amd64 ls
NAME           ACTIVE   DRIVER       STATE     URL                        SWARM
amazonec2-03   *        amazonec2    Running   tcp://52.10.115.103:2376   
dev                     virtualbox   Stopped                              
$ ./docker-machine_darwin-amd64 ip
52.11.189.60
$ ./docker-machine_darwin-amd64 env amazonec2-03
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/Users/peter/.docker/machine/machines/amazonec2-03
export DOCKER_HOST=tcp://52.10.115.103:2376
$ ./docker-machine_darwin-amd64 env amazonec2-03
> sudo openssl x509 -noout -in /etc/docker/server.pem -text
...
Validity
    Not Before: Mar 16 05:24:00 2015 GMT
...
X509v3 Subject Alternative Name: 
    IP Address:52.11.189.60
> exit
$ ./docker-machine_darwin-amd64 env amazonec2-03
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/Users/peter/.docker/machine/machines/amazonec2-03
export DOCKER_HOST=tcp://52.10.115.103:2376
$ ./docker-machine_darwin-amd64 env amazonec2-03
> sudo openssl x509 -noout -in /etc/docker/server.pem -text
...
Validity
    Not Before: Mar 16 05:31:00 2015 GMT
...
X509v3 Subject Alternative Name: 
    IP Address:52.11.189.60
> exit

@rossbachp

If a swarm machine changes its IP, all swarm clients must also have their config changed.

@ehazlett
Contributor Author

@rossbachp thanks. I am trying with elastic IPs to see if I can re-create.

@ehazlett ehazlett force-pushed the x509-check-ip-san branch from 26d5965 to ed7660b Compare March 16, 2015 17:14
@ehazlett
Contributor Author

@rossbachp yes this is a bug in the IP persistence. Addressing. Thanks!

@rossbachp

Nice, I hope you can fix it :)

@ehazlett
Contributor Author

@rossbachp OK, a fix has been pushed to the branch. Would you mind testing? Thanks!

@rossbachp

Works for me :) Many thanks!

@sthulb
Contributor

sthulb commented Mar 17, 2015

Works for me too. I think. :)

@ehazlett ehazlett force-pushed the x509-check-ip-san branch from 85866f2 to da3da50 Compare March 17, 2015 15:08
ehazlett added a commit that referenced this pull request Mar 17, 2015
@ehazlett ehazlett merged commit 344c7d7 into docker:master Mar 17, 2015
@ehazlett ehazlett deleted the x509-check-ip-san branch March 17, 2015 18:04
@rossbachp

I detected another changed-IP problem after I restarted my swarm ec2 cluster today.

The master uses the old IPs of the swarm machines:

time="2015-03-18T18:23:54Z" level=error msg="Get https://54.69.29.90:2376/v1.15/info: dial tcp 54.69.29.90:2376: i/o timeout" 
time="2015-03-18T18:23:54Z" level=error msg="Get https://54.69.230.35:2376/v1.15/info: dial tcp 54.69.230.35:2376: i/o timeout" 
time="2015-03-18T18:23:54Z" level=error msg="Get https://54.69.255.39:2376/v1.15/info: dial tcp 54.69.255.39:2376: i/o timeout" 
time="2015-03-18T18:23:54Z" level=error msg="Get https://52.10.167.59:2376/v1.15/info: dial tcp 52.10.167.59:2376: i/o timeout" 

I analyzed the problem:

The swarm agents are joined with the old IP 52.10.167.59:

$ docker-machine ls
NAME               ACTIVE   DRIVER       STATE     URL                        SWARM
amazonec2-03                amazonec2    Stopped                              
dev                         virtualbox   Stopped                              
ec2-swarm-01                amazonec2    Running   tcp://54.149.27.239:2376   ec2-swarm-master
ec2-swarm-02                amazonec2    Running   tcp://52.10.108.31:2376    ec2-swarm-master
ec2-swarm-03       *        amazonec2    Running   tcp://54.148.5.178:2376    ec2-swarm-master
ec2-swarm-master            amazonec2    Running   tcp://52.11.98.189:2376    ec2-swarm-master (master)
$ $(docker-machine env ec2-swarm-master)
heisenberg:~ peter$ docker ps --no-trunc
CONTAINER ID                                                       IMAGE               COMMAND                                                                                                                                                                                          CREATED             STATUS              PORTS                              NAMES
13d27667155b3b1962b99b8d817c7a9865b47fe5b0d5d9c0af08735b26163efa   swarm:latest        "/swarm join --addr 52.10.167.59:2376 token://5a57a53a13470b1e680c6904ce5b34d1"                                                                                                                  35 hours ago        Up 11 minutes       2375/tcp                           swarm-agent          
810f7ce04b6439c191470a2116197088ee2a3d2e5ed1cc7f4742aacef46317f9   swarm:latest        "/swarm manage --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:3376 token://5a57a53a13470b1e680c6904ce5b34d1"   35 hours ago        Up 11 minutes       2375/tcp, 0.0.0.0:3376->3376/tcp   swarm-agent-master   
$ docker-machine ip ec2-swarm-master
52.11.98.189

After the IP of a swarm machine changes, the implementation must reconfigure the swarm agent: remove the old container and start a new one.

Sorry that I didn't detect the problem yesterday!

@ehazlett
Contributor Author

Ok thanks for reporting. I think this is a separate issue -- as it's not related specifically to the TLS issue but more of a side effect of the IPs changing (they are related though). Would you mind filing a separate issue? Thanks!

@rossbachp

Yes, I created issue #806.

@ehazlett
Contributor Author

@rossbachp thanks!

Successfully merging this pull request may close these issues.

x509: certificate is valid for 192.168.99.103, not 192.168.99.100
4 participants