etcd - beginners question on ETCD_CLIENT_CERT_AUTH


robu...@gmail.com

Jan 19, 2018, 4:53:17 PM
to CoreOS User
Hi all,
I'm new to etcd and struggling to get ETCD_CLIENT_CERT_AUTH working.
I hope somebody here can point me in the right direction.

OS: debian stretch
ETCD version: 3.3.0-rc.1
using ETCDCTL_API=3

So far I have managed to setup a three node etcd cluster that uses https for the client and client connections.

for the etcd server and clients (I want to use etcdctl) I followed


to create certificates.

But when I switch on ETCD_CLIENT_CERT_AUTH,
the client cannot connect to the cluster anymore and I get tons of these log lines:

rejected connection from "<ip>:46094" (error "tls: client didn't provide a certificate", ServerName "")


Also, I got the https peer connection working only with ETCD_PEER_AUTO_TLS=true.
I tried to use the same key/cert for the peer connection as for the client connection, but that didn't work.

my expectation would be that I can connect to the cluster and, as mentioned here:
I wouldn't have to provide a name or password
(do I have to create users that match the FQDN of each client before the clients can connect?)

All hints are appreciated,
TIA

Here are my relevant settings:

/etc/default/etcd (here without ETCD_CLIENT_CERT_AUTH="true"):

ETCD_NAME="<hostname>"
ETCD_DATA_DIR="/var/lib/etcd"
ETCD_LISTEN_CLIENT_URLS="https://XXXX:2379"
ETCD_ADVERTISE_CLIENT_URLS="https://XXXX:2379"
ETCD_LISTEN_PEER_URLS="https://XXXX:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://XXXX:2380"
ETCD_INITIAL_CLUSTER="<hostname>=https://XXXX:2380,<hostname_srv2>=https://XXXX:2380,<hostname_srv3>=https://XXXX:2380"
ETCD_INITIAL_CLUSTER_TOKEN="my-etcd-token"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_PEER_AUTO_TLS="true"
ETCD_CERT_FILE="/etc/etcd/tls/<hostname>-cert.pem"
ETCD_KEY_FILE="/etc/etcd/tls/<hostname>.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/tls/ca.pem"


ca-config.json (for cfssl)

{
    "signing": {
        "default": {
            "expiry": "8760h"
        },
        "profiles": {
            "server": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}


ca-csr.json (for cfssl)

{
    "CN": "<domain_name>",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [
        {
            "C": "<country>",
            "L": "<city>",
            "ST": "<state>"
        }
    ]
}



<server>.json (for cfssl)

{
    "CN": "<hostname>",
    "hosts": [
        "<hostname -f>",
        "<hostname>",
        "<ip_of_hostname>"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "<country>",
            "L": "<city>",
            "ST": "<state>"
        }
    ]
}
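
The log line quoted in the post, "tls: client didn't provide a certificate", is the wording of Go's crypto/tls package, which etcd uses for its listeners: with ETCD_CLIENT_CERT_AUTH=true and ETCD_TRUSTED_CA_FILE set, etcd demands a client certificate on every client connection and will not fall back to a user name and password. The example below is added by the editor; it is not code from the post or from the etcd project. It reproduces the server side with nothing but the Go standard library and plays three clients against it: one with no certificate (etcdctl run without --cert/--key), one presenting a certificate cut with the "server" profile from the ca-config.json above (server auth only), and one with a certificate from the "client" profile. The host name etcd1.example.test, the CA name example-ca, and the CN etcdctl are assumptions; the cfssl profiles are modelled by their extended key usage lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name standing in for the "<hostname -f>" SAN in the post.
const serverName = "etcd1.example.test"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a P-256 certificate signed by parent, or a self-signed CA when parent is nil. eku
// models the cfssl profile "usages" in the post: "server" = server auth, "client" = client auth, "peer" = both.
func newCert(cn string, eku []x509.ExtKeyUsage, sans []string, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		DNSNames:              sans,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: it signs with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))))
	return cert, tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// handshake runs one TLS handshake over loopback TCP and returns the server-side error text,
// which is what etcd prints in its "rejected connection" line; "" means the client was accepted.
func handshake(serverCfg, clientCfg *tls.Config) string {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		result <- tls.Server(conn, serverCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	tls.Client(raw, clientCfg).Handshake() // the client's own verdict is not what etcd logs
	raw.Close()
	if err := <-result; err != nil {
		return err.Error()
	}
	return ""
}

// scenarioErrors replays the post against a server set up like ETCD_CLIENT_CERT_AUTH=true plus
// ETCD_TRUSTED_CA_FILE. Index 0: no client certificate; 1: a "server"-profile certificate
// presented as the client certificate; 2: a "client"-profile certificate.
func scenarioErrors() [3]string {
	ca, caTLS := newCert("example-ca", nil, nil, nil, nil)
	_, srv := newCert(serverName, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{serverName}, ca, caTLS.PrivateKey)
	_, wrong := newCert("etcdctl", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nil, ca, caTLS.PrivateKey)
	_, good := newCert("etcdctl", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, ca, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{srv},
		ClientAuth:             tls.RequireAndVerifyClientCert, // what --client-cert-auth switches on
		ClientCAs:              pool,
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake write that a departed client could fail
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: serverName, Certificates: certs}
	}
	return [3]string{
		handshake(serverCfg, client()),
		handshake(serverCfg, client(wrong)),
		handshake(serverCfg, client(good)),
	}
}

func main() {
	for i, e := range scenarioErrors() {
		fmt.Printf("scenario %d: %q\n", i, e)
	}
}
```

Scenario 0 yields exactly the message from the post; scenario 1 is rejected with an x509 "incompatible key usage" error because a "server"-profile certificate carries no client auth usage; scenario 2 is accepted. Translated back to the post's setup: cut a certificate for etcdctl with the "client" (or "peer") profile and pass it with `--cacert`, `--cert` and `--key` under ETCDCTL_API=3; the certificate itself is the credential, no etcd user has to exist for the connection to be accepted.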

robu...@gmail.com

Jan 23, 2018, 12:49:20 PM
to CoreOS User
Is it maybe that cfssl is broken?