tls: support multiple key/cert pairs, for SNI #2029
Conversation
philpennock
requested review from
davidkemper,
derekcollison,
matthiashanel,
ripienaar and
wallyqs
|
Thanks @philpennock ok sounds like we should add a field to support multiple certs optionally then: tls {
certs = [{cert_file = "first.pem", key_file = "first.key"}]
} |
|
Agree with @wallyqs that's a lot clearer |
philpennock
force-pushed
the
pdp/multi-cert-tls
branch
from
a811592
to
8139801
Compare
|
It's still my intent to find time to work on the new config layout and write the tests (but I'm happy for someone else to take it if they have time). The push just now is not me doubling-down on the quick hack proof-of-concept, it's just that I have this live at home and I wanted to install 2.2.3 so I rebased and pushed after confirming it works. |
|
What is the status here? |
philpennock
force-pushed
the
pdp/multi-cert-tls
branch
from
8139801
to
56f54fb
Compare
|
This is still useful functionality to have, but needs to be done more cleanly, as wally requested. I'm still running with this at home (to dual-name with a .lan hostname from my personal cert authority, and with a Let's Encrypt cert for the current external IP) and we today used this patch for a fiddly migration, to be able to cut DNS over to a box at our leisure. So the use-case is definitely there and it needs a better integration than the proof-of-concept with the path-separator strings, and tests to protect against regression. |
|
Is this worth revisiting and prioritizing? |
|
You should sync with @philpennock |
This does not add tests or docs, this is to sound out how people feel about the API. Turn the TLS options cert_file and key_file into list-separated paths (so colon-delimited if on Unix, like `$PATH`); the count of entries must match, and the keys and certs should zip together. With this change, TLS SNI works to pick the correct cert to return for a given connection, allowing a NATS server to have multiple identities.
philpennock
force-pushed
the
pdp/multi-cert-tls
branch
from
56f54fb
to
0e8ba8c
Compare
|
Closing in favor of Wally's #4889 which does the configuration the Right Way for nats-server, instead of the old-fashioned Unix way. 😆 |
This adds a `certs` option to the `tls` block to support loading
multiple certs:
```hcl
tls {
certs = [
{
cert_file: "./configs/certs/srva-cert.pem"
key_file: "./configs/certs/srva-key.pem"
},
{
cert_file: "./configs/certs/srvb-cert.pem"
key_file: "./configs/certs/srvb-key.pem"
}
]
ca_file: "./configs/certs/ca.pem"
verify: true
timeout: 2
}
```
Follow up from #2029
This does not add tests or docs, this is to sound out how people feel about the
API. If we like it, we can dress it up formally.
Turn the TLS options cert_file and key_file into list-separated paths (so
colon-delimited if on Unix, like
$PATH); the count of entries must match, andthe keys and certs should zip together.
With this change, TLS SNI works to pick the correct cert to return for a given
connection, allowing a NATS server to have multiple identities.
/cc @nats-io/core