When certificates change on disk, etcd should pick up new certificates on the next client/peer request. This does not always happen.
Based on the code here, if we set Certificates and clientHello.ServerName is empty (which is true when addressed via IP address), it will fall back to the first element of Certificates instead of calling GetCertificate.
https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L716
According to this comment, the Certificates field needs to be set for integration tests to pass. I don't know why, but this is the cause of the issue. We should always be calling GetCertificate if certs should always be reloaded, never falling back to the certificate that was loaded at startup.
https://github.com/coreos/etcd/pull/7784#issuecomment-297565717
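The fallback described above can be reproduced with a plain crypto/tls handshake. The following is an added example, not code from etcd or from the issue author: it builds two in-memory self-signed certificates standing in for "the cert loaded at startup" and "the cert reloaded from disk", installs a GetCertificate callback that always returns the reloaded one, and then checks which leaf the server actually presents depending on whether tls.Config.Certificates is also populated and whether the client sends SNI (a client dialing 127.0.0.1 sends none). The helper names selfSigned and presentedCN are this example's own. The server sets SessionTicketsDisabled so the in-memory net.Pipe exchange stays strictly lock-step; that setting is an assumption of the harness, not part of the behaviour under test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns an in-memory self-signed certificate whose CommonName is cn.
// It stands in for the certificate/key files etcd would read from disk.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// presentedCN runs one TLS handshake over an in-memory pipe and returns the
// CommonName of the leaf the server actually sent. "startup" is the cert loaded
// at process start; "reloaded" is what GetCertificate hands out after a reload.
// keepCertificates=true also places the startup cert in tls.Config.Certificates,
// which is the configuration the issue describes as broken.
func presentedCN(keepCertificates bool, serverName string) (string, error) {
	startup, reloaded := selfSigned("startup"), selfSigned("reloaded")
	srvCfg := &tls.Config{
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return &reloaded, nil // always serve the freshest certificate
		},
		SessionTicketsDisabled: true, // harness assumption: keeps net.Pipe lock-step
	}
	if keepCertificates {
		srvCfg.Certificates = []tls.Certificate{startup}
	}

	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srv := tls.Server(s, srvCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()

	// An empty ServerName means no SNI is sent, exactly like a client dialing an IP.
	cli := tls.Client(c, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cases := []struct {
		keep bool
		sni  string
	}{{true, ""}, {true, "s1"}, {false, ""}}
	for _, tc := range cases {
		cn, err := presentedCN(tc.keep, tc.sni)
		fmt.Printf("Certificates set=%-5v SNI=%-4q -> served %q err=%v\n", tc.keep, tc.sni, cn, err)
	}
}
```

With Certificates populated and no SNI the server serves "startup" even though GetCertificate would have returned "reloaded"; the same config with SNI "s1" serves "reloaded"; leaving Certificates empty serves "reloaded" regardless of SNI, which is why the fix is to not populate Certificates when a reloading GetCertificate is in place.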
@roboll Good catch! I just confirmed that your fix https://github.com/coreos/etcd/pull/9542 resolves this issue:
CSR

```json
...
"CN": "s1",
"hosts": [
  "127.0.0.1"
]
}
```

without `localhost` fails but succeeds with that fix.
We should be able to release the patch in 3.2 and 3.3 next week.