Account Resolver TLS (Docker) #1207

Closed

Ryner51 opened this issue Dec 4, 2019 · 1 comment · Fixed by #2483

Ryner51 commented Dec 4, 2019

  • Defect
  • [ X ] Feature Request or Change Proposal

Defects

Make sure that these boxes are checked before submitting your issue -- thank you!

Versions of nats-server and affected client libraries used:

2.0.4

OS/Container environment:

Docker Image

Steps or code to reproduce the issue:

```
resolver: URL(http://:/jwt/v1/accounts/)
```

Expected result:

NATS should be able to connect to the account resolver using HTTPS with Docker Images.

Actual result:

```
/etc/stan/nats-secret.conf:2:1: could not fetch <"https://nats-account-service.eventhorizon.svc.cluster.local:9090/jwt/v1/accounts/">: Get https://nats-account-service.eventhorizon.svc.cluster.local:9090/jwt/v1/accounts/: x509: certificate signed by unknown authority
```

Feature Requests

Allow configuration to pass in trusted cert in configuration

Use Case:

Using a Docker Image to deploy FT to K8S

Proposed Change:

Allow configuration to pass in trusted cert in configuration

Who Benefits From The Change(s)?

Deployment to K8S with Account Server HTTPS Traffic

Alternative Approaches

Create own Docker image with base image, other than Scratch, that pulls in static binaries and then place trusted CAs in OS.

@ronaldslc

I thought this was solved with the introduction of resolver_tls using:

```
resolver_tls: {
  ca_file: <path>
}
```

But it seems it doesn't work, because the code assumes resolver_tls is for client TLS authentication and does not assign the CA to the RootCAs pool in the Go code.

The only current alternative is to set

```
resolver_tls: {
  insecure: true
}
```

This is not recommended for production, and so the original alternative above is the only viable method, which is to update the OS CA store.

The documentation: https://docs.nats.io/nats-server/configuration/securing_nats/jwt/resolver is currently misleading.

I've forked the NATS helm chart to add resolver TLS CA to achieve this in Kubernetes configuration instead of rebuilding and hosting a Docker image.

kozlovic added a commit that referenced this issue Sep 2, 2021
The RootCAs was not properly set, which could prevent the server
to create a TLS connection to the account resolver with an error
such as:
```
x509: certificate signed by unknown authority
```

Resolves #1207

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
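An added example, not code from the issue, from nats-server or from the fix commit: the RootCAs handling that the comment above and the commit describe, written in Go against the standard library, with a constructed private CA standing in for the cluster-local account server. ResolverTLSConfig, VerifyResolverCert and NewTestPKI are names chosen for this example; the hostname is the one from the issue's error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ResolverTLSConfig is what a fixed server should do with resolver_tls { ca_file: ... }: the CA
// goes into RootCAs, which verifies the resolver's certificate. Left nil, Go uses the OS store instead.
func ResolverTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) { // an unreadable ca_file would otherwise fail silently
		return nil, errors.New("resolver_tls: ca_file contains no certificates")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// VerifyResolverCert checks the resolver's leaf certificate against cfg.RootCAs as the handshake would.
func VerifyResolverCert(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// NewTestPKI makes a constructed private CA plus a resolver certificate signed by it (test data only).
func NewTestPKI(host string) (caPEM []byte, leaf *x509.Certificate, err error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // caDER was just produced by CreateCertificate, so it parses
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	leafDER, err := x509.CreateCertificate(rand.Reader, srv, caCert, leafPub, caPriv)
	if err == nil {
		leaf, err = x509.ParseCertificate(leafDER)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, err
}
```

With an empty `tls.Config{}` (RootCAs unset, as the old code left it) the private CA is checked against the OS store and fails, which on a scratch image is the exact "certificate signed by unknown authority" error from the issue; with the pool from ca_file the same certificate verifies.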