From 2ddcba00c640e7e9a7be0088757e9b0a54a137bd Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Tue, 30 Jun 2020 09:48:42 -0400
Subject: [PATCH] Overwrite agent leaf cert trust domain on the servers

---
 agent/consul/connect_ca_endpoint.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index bbd2c4591f..995cdd3f3d 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"reflect"
 	"strings"
 	"time"
@@ -427,6 +428,30 @@ func (s *ConnectCA) Sign(
 			return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
 				"we are %s", serviceID.Host, signingID.Host())
 		}
+	} else {
+		// isAgent - if we support more ID types then this would need to be an else if
+		// here we are just automatically fixing the trust domain. For auto-encrypt and
+		// auto-config they make certificate requests before learning about the roots
+		// so they will have a dummy trust domain in the CSR.
+		trustDomain := signingID.Host()
+		if agentID.Host != trustDomain {
+			originalURI := agentID.URI()
+
+			agentID.Host = trustDomain
+			csr.Subject.CommonName = connect.AgentCN(agentID.Agent, trustDomain)
+
+			// recreate the URIs list
+			uris := make([]*url.URL, len(csr.URIs))
+			for i, uri := range csr.URIs {
+				if originalURI.String() == uri.String() {
+					uris[i] = agentID.URI()
+				} else {
+					uris[i] = uri
+				}
+			}
+
+			csr.URIs = uris
+		}
 	}
 
 	// Verify that the ACL token provided has permission to act as this service
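Review bot: The fix-up in the new `else` branch rewrites only the URI SAN that string-matches the original agent ID, so every other entry in `csr.URIs` is copied unchanged into the certificate the server goes on to sign; whether a CSR can carry a second URI (for instance one naming a foreign trust domain) depends on validation earlier in `Sign`, which is outside this hunk. If that validation already enforces exactly one URI, the loop is dead weight and `csr.URIs = []*url.URL{agentID.URI()}` states the intent directly; if it does not, this branch should reject extra URIs rather than pass them through. There is also an asymmetry with the service path just above, where a trust-domain mismatch is a hard error while for agents it is silently accepted, so the comment should say that this relies on the ACL check that follows (and, presumably, a CSR signature check earlier in the function), and logging the rewrite at debug level would make the substitution visible to operators. `Sign` begins and continues outside the hunk.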