CA certificates provided to the agent (and possibly other components) are not properly validated, since they need to be in the PEM format.
1) We need to verify the boolean value returned by AppendCertsFromPEM: https://github.com/sensu/sensu-go/blob/be7ea1d67eb990cfb0373d11882d34a375bb9190/types/tls.go#L55
2) The agent accepts a TLS config (https://github.com/sensu/sensu-go/blob/be7ea1d67eb990cfb0373d11882d34a375bb9190/agent/config.go#L88) but it's not possible to specify it through the sensu-agent flags
3) We need to make sure the documentation specifies that only certificates in PEM format are accepted.
We also need to support specifying a trusted CA cert for sensuctl via flags and/or configuration file
@cwjohnston: After investigation, I'm putting the work for sensuctl in a separate issue. See #2541. Everything mentioned by @palourde in the original issue will be part of 5.0.2 though.
After working on this, I also plan to open a more general TLS ticket to address some higher level issues.
Most helpful comment
@cwjohnston: After investigation, I'm putting the work for
sensuctlin a separate issue. See #2541. Everything mentioned by @palourde in the original issue will be part of 5.0.2 though.After working on this, I also plan to open a more general TLS ticket to address some higher level issues.