How does one inject CA certs (custom self-signed authorities) via cloud-config in CoreOS?


Ignas Brašiškis

Sep 28, 2015, 5:08:26 PM
to CoreOS User
I am trying to inject a CA cert via cloud-config.
According to the cloud-init documentation there is even a special property in the cloud configuration:
http://cloudinit.readthedocs.org/en/latest/topics/examples.html#configure-an-instances-trusted-ca-certificates

However, when I tried to inject it, CoreOS just ignored everything:

#cloud-config

coreos:
  etcd2:
    # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
    discovery: "https://discovery.etcd.io/..........................."
    # multi-region and multi-cloud deployments need to use $public_ipv4
    advertise-client-urls: "http://$public_ipv4:2379"
    initial-advertise-peer-urls: "http://$private_ipv4:2380"
    # listen on both the official ports and the legacy ports
    # legacy ports can be omitted if your application doesn't depend on them
    listen-client-urls: "http://0.0.0.0:2379,http://0.0.0.0:4001"
    listen-peer-urls: "http://$private_ipv4:2380,http://$private_ipv4:7001"
  units:
    - name: etcd2.service
      command: start
    - name: fleet.service
      command: start

ca-certs:
  trusted:
  - |
    -----BEGIN CERTIFICATE-----
    .......................................................
    -----END CERTIFICATE-----

Does CoreOS support the ca-certs option? If not, how do I make it work or manually append everything to the trusted certificates?

IGNAS

kyle....@coreos.com

Sep 28, 2015, 6:17:34 PM
to CoreOS User
The cloud-config tool doesn't support ca-cert options. You can use write-file as shown in the docs: https://coreos.com/os/docs/latest/customize-etcd-unit.html

Alex Crawford

Sep 28, 2015, 9:58:52 PM
to kyle....@coreos.com, CoreOS User
On 09/28, kyle....@coreos.com wrote:
> The cloud-config tool doesn't support ca-cert options.

Minor correction: _our_ cloud-config implementation doesn't support it.
We implement a subset of the upstream project which does support
ca-cert.

-Alex

Ignas Brašiškis

Sep 29, 2015, 1:54:52 AM
to CoreOS User
Indeed, however I need the CA cert to be accessible to Docker itself (I have a private registry) and to HTTP clients, not to the etcd daemon. On other OSes I have to register a certificate authority via .crt files by appending them to the bundle (according to this cryptic message a similar thing is possible in CoreOS): https://coreos.com/os/docs/latest/adding-certificate-authorities.html

I tried putting the .crt file in that folder and executing the update-keys step in cloud-config; the result was that nothing happened. I tried converting it to .pem (it just renamed it) and it didn't get added.
I will try a little bit more and see whether I manage to solve my issue.

Ignas Brašiškis

Sep 29, 2015, 2:39:01 AM
to CoreOS User
Yes, it does work: wget works somewhat, however curl behaves strangely:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

Both locations exist and still it refuses to work.

anton....@coreos.com

Sep 29, 2015, 3:30:37 AM
to CoreOS User
Hi Ignas,

Could you please check whether your certificate has been stored inside the "/etc/ssl/certs/ca-certificates.crt" file. Also, please try to debug curl with the "-v" flag.

Looking forward to hearing from you soon.

Regards,
Anton

anton....@coreos.com

Sep 29, 2015, 6:59:21 AM
to CoreOS User
Hi Ignas,

I've just reproduced a similar issue with a malformed "ca-certificates.crt" file. Please check that your custom CA cert doesn't have any hidden symbols and is readable. In addition, could you please post your CA certificate somewhere so we can test it?

Looking forward to hearing from you soon.

Regards,
Anton
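Added example, not code from this thread, from CoreOS or from its docs: a POSIX shell checker for the two things the last replies ask about, whether the CA file carries hidden bytes or Windows line endings, and whether its payload actually landed in the /etc/ssl/certs/ca-certificates.crt bundle that curl reads. It uses only sh and coreutils, so it runs on a minimal host without openssl. The function names, the temporary directory layout and the certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or CoreOS): sanity checks for a PEM CA file and
# for the concatenated ca-certificates.crt bundle. POSIX sh + coreutils only.
# All sample files below are constructed placeholders, NOT real certificates.

# pem_problems FILE: print each defect found; return 0 when clean, 1 otherwise.
pem_problems() {
    f=$1
    rc=0
    # Windows line endings: the CR survives concatenation into the bundle and breaks parsing.
    if LC_ALL=C grep -q "$(printf '\r')" "$f"; then
        echo "$f: has CRLF line endings"
        rc=1
    fi
    # Any other byte outside printable ASCII plus newline (UTF-8 BOM, editor control characters).
    if [ "$(LC_ALL=C tr -d '\n\r -~' < "$f" | wc -c | tr -d ' ')" -ne 0 ]; then
        echo "$f: contains non-printable bytes (BOM or control characters)"
        rc=1
    fi
    # Without the PEM armour the file is probably DER; the bundle builder expects PEM text.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || ! grep -q -- '-----END CERTIFICATE-----' "$f"; then
        echo "$f: missing BEGIN/END CERTIFICATE markers (DER instead of PEM?)"
        rc=1
    fi
    # A missing final newline glues the END marker to the next BEGIN line in the bundle.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no trailing newline"
        rc=1
    fi
    return $rc
}

# pem_body FILE: the base64 payload between the markers with all whitespace removed.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d ' \t\r\n'
}

# pem_in_bundle CERT BUNDLE: return 0 if CERT's payload appears in BUNDLE, else 1.
pem_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 1
    case "$(tr -d ' \t\r\n' < "$2")" in
        *"$body"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_samples: write constructed placeholder files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # Placeholder payloads (not real certificates), expanded with %b so leading dashes are safe.
    good='-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==\n-----END CERTIFICATE-----\n'
    other='-----BEGIN CERTIFICATE-----\nQU5PVEhFUi1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlQ=\n-----END CERTIFICATE-----\n'
    printf '%b' "$good" > "$d/good.pem"
    printf '%b' "$other" > "$d/other.pem"
    # The same content saved with Windows line endings.
    printf '%b' '-----BEGIN CERTIFICATE-----\r\nUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==\r\n-----END CERTIFICATE-----\r\n' > "$d/crlf.pem"
    # The same content with a UTF-8 byte-order mark prepended by an editor.
    { printf '\357\273\277'; printf '%b' "$good"; } > "$d/bom.pem"
    # Stand-in for ca-certificates.crt: the bundle builder concatenates the PEM files.
    { echo '# constructed bundle stand-in'; printf '%b' "$good"; } > "$d/bundle.crt"
    echo "$d"
}

SAMPLES=$(make_samples)
for name in good.pem crlf.pem bom.pem; do
    if pem_problems "$SAMPLES/$name"; then
        echo "$SAMPLES/$name: clean"
    fi
done
if pem_in_bundle "$SAMPLES/good.pem" "$SAMPLES/bundle.crt"; then
    echo "good.pem is present in the bundle"
fi
if ! pem_in_bundle "$SAMPLES/other.pem" "$SAMPLES/bundle.crt"; then
    echo "other.pem is not in the bundle: rebuild it with update-ca-certificates"
fi
```

On a real host, point `pem_problems` at the file you dropped into /etc/ssl/certs and `pem_in_bundle` at that file plus /etc/ssl/certs/ca-certificates.crt. A file that fails the first check explains the curl "(77) error setting certificate verify locations" above even though both paths exist: curl cannot parse the bundle once a malformed file has been concatenated into it, which is the failure Anton reproduced. A file that passes but is absent from the bundle means the bundle was never regenerated; the adding-certificate-authorities page linked earlier in the thread describes placing the CA under /etc/ssl/certs and running update-ca-certificates for that step.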
