Commit
[#23445] yugabyted: Node not starting with DNS name and --secure option
Summary:
We have to use `DNS.1` for DNS names in Subject alt names while creating server certs instead of `IP.1`. `IP.1` expects only an IP.
Jira: DB-12366

Test Plan: ./yb_build.sh --java-test 'org.yb.yugabyted.*'

Reviewers: nikhil

Reviewed By: nikhil

Subscribers: yugabyted-dev, sgarg-yb

Differential Revision: https://phorge.dev.yugabyte.com/D37161
gargsans-yb committed Aug 8, 2024
1 parent 4a2657e commit b9d2e9d
Showing 2 changed files with 22 additions and 5 deletions.
16 changes: 14 additions & 2 deletions bin/openssl_proxy.sh
Expand Up @@ -9,6 +9,7 @@ temp_certs_path=""
key_path=""
keyname=""
hostname=""
hostname_type=""

show_help() {
cat >&1 <<-EOT
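Review bot: `hostname_type=""` is initialised to the empty string, and because `generate_node_certs` further down treats every value other than `DNS` as IP, an omitted `-ht` silently falls back to `IP.1`. Consider defaulting to `hostname_type="IP"` here so the fallback is explicit in the script's variable block rather than an accident of the `else` branch.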
Expand Down Expand Up @@ -47,6 +48,9 @@ node certs generation)
--keyname, --kn, -kn
Name of the key to be generated.
--hostname-type, --ht, -ht
Hostname type. Accepted vales: IP/DNS
---------------------------------------------------------------------------------------------------
EOT
}
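Review bot: typo in the new help text, `Accepted vales` should read `Accepted values`. More importantly, the option is documented here as `--hostname-type` (hyphen) while the argument parser added later in this file matches `--hostname_type` (underscore), so the long form exactly as documented is not recognised; make the two agree, e.g. `--hostname-type|--hostname_type|--ht|-ht)`.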
Expand Down Expand Up @@ -107,9 +111,13 @@ generate_node_certs() {
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = '"$hostname"'' > "$temp_certs_path"/node.conf
[alt_names]' > "$temp_certs_path"/node.conf

if [[ $hostname_type == "DNS" ]]; then
echo 'DNS.1 = '"$hostname"'' >> "$temp_certs_path"/node.conf
else
echo 'IP.1 = '"$hostname"'' >> "$temp_certs_path"/node.conf
fi

openssl genrsa -out "$temp_certs_path"/node."$hostname".key
chmod 400 "$temp_certs_path"/node."$hostname".key
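Review bot: `if [[ $hostname_type == "DNS" ]]` routes every other value, including an empty string or a lower-case `dns`, into the `IP.1` branch, and openssl then fails with an unhelpful parse error when `$hostname` is not an IP literal, which is the exact symptom this commit sets out to fix. Prefer an explicit `case "$hostname_type" in DNS) ... ;; IP) ... ;; *) echo "invalid hostname type: $hostname_type" >&2; exit 1 ;; esac` so a wrong or missing type fails loudly before any key material is written.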
Expand Down Expand Up @@ -169,6 +177,10 @@ while [[ $# -gt 0 ]]; do
hostname="$2"
shift
;;
--hostname_type|--ht|-ht)
hostname_type="$2"
shift
;;
generate-key)
key_generation=true
;;
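Review bot: the new case label `--hostname_type|--ht|-ht)` uses an underscore, but the help text added in this same patch advertises `--hostname-type`; add the hyphenated spelling to the pattern (or rename the documented option) so the documented long form actually works. Like the neighbouring options it also accepts an empty `$2` without complaint, which with the current `generate_node_certs` logic drops straight into the silent `IP.1` fallback.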
11 changes: 8 additions & 3 deletions bin/yugabyted
Expand Up @@ -1954,8 +1954,12 @@ class ControlScript(object):
"root-ca certs database. Removing...")
shutil.rmtree(node_certs_dir)

if self.configs.saved_data.get("dns_enabled"):
hostname_type = "DNS"
else:
hostname_type = "IP"
status = OpenSSLProxy.generate_node_server_certs(root_certs_dir=root_certs_dir,
hostname=hostname, server_cert_dir=node_certs_dir)
hostname=hostname, server_cert_dir=node_certs_dir, hostname_type=hostname_type)

if not status:
status_details = [
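Review bot: the SAN type is chosen from the saved `dns_enabled` setting rather than from what `hostname` actually contains, so a node with `dns_enabled` set whose `hostname` is an IP literal would be issued `DNS.1 = <ip>`, and TLS hostname verification against that address would then fail. Consider deriving `hostname_type` from the value itself (try `ipaddress.ip_address(hostname)` and fall back to `"DNS"` on `ValueError`), or at least assert that the flag and the hostname format agree before calling `generate_node_server_certs`.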
Expand Down Expand Up @@ -9094,9 +9098,10 @@ class OpenSSLProxy(object):

# Generate node server certificates
@staticmethod
def generate_node_server_certs(root_certs_dir, server_cert_dir, hostname, timeout=60):
def generate_node_server_certs(root_certs_dir, server_cert_dir, hostname, hostname_type,
timeout=60):
cmd = OpenSSLProxy.cmd_args + ['generate-server-cert', '-rcp', root_certs_dir,
'-scp', server_cert_dir, '-hn', hostname]
'-scp', server_cert_dir, '-hn', hostname, '-ht', hostname_type]
out, err, ret = run_process(cmd, timeout=timeout, log_cmd=True)

return (0 == ret)
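Review bot: `hostname_type` is added to `generate_node_server_certs` as a required positional parameter, so any caller not updated in this commit (only the `ControlScript` call site is changed here) now raises `TypeError` at runtime. Either give it a default of `hostname_type="IP"` to preserve the previous behaviour or confirm there are no other callers. Passing the short `-ht` form also means this path sidesteps the `--hostname-type`/`--hostname_type` mismatch in the shell script, so that mismatch will only surface for people invoking `openssl_proxy.sh` by hand.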
