Unrecognized x509 Certificate Error #397
-
|
Hey guys, I have my intermediate certificate authority configured and running in an AWS account, and I am able to successfully bootstrap off of it as seen below: And inspecting the certificate shows that I have downloaded the correct file. However, any subsequent calls to the certificate authority fail. For example: The certificate authority is sitting behind an application load balancer in AWS which is using a managed certificate from Amazon Certificate Manager. From the latter error, it looks like the step cli doesn't trust Amazon's certificate, so it is refusing to connect. When I check the certificate authority logs, I do not see my request. Additionally, I'm not even seeing the request come through in the application load balancer logs, so it looks like no connection is being established from my computer to the CA. Has anyone troubleshooted such an error before or have any suggestions on how to work around this? It seems like I should use the root CA to create a custom x509 certificate for the ALB, but I would like to avoid this route if possible. Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 1 reply
-
|
Hi @J-Hunter-Hawke, Good question. I think you're not even making it through the TLS handshake with the load balancer, and that's why nothing is showing in any of your request logs. Best to have the CA and client speak directly to each other or via network load balancing or TLS passthrough. Best, |
Beta Was this translation helpful? Give feedback.
-
|
@J-Hunter-Hawke |
Beta Was this translation helpful? Give feedback.
-
|
Thank you @tashian and @maraino for the suggestions. I have switched over to using an NLB without an ACM certificate, and the certificate authority is working as expected. However, I will keep note that we can append a second certificate if need be in the future. |
Beta Was this translation helpful? Give feedback.
-
|
That's a better option, with the TLS termination in the LB there are some operations like mTLS renewal that are not going to work. |
Beta Was this translation helpful? Give feedback.
Hi @J-Hunter-Hawke,
Good question. I think you're not even making it through the TLS handshake with the load balancer, and that's why nothing is showing in any of your request logs.
stepexpects to be able to establish a mutual TLS connection with the CA. Application load balancing would require your ALB to decrypt and encrypt messages and essentially impersonate the CA, and we don't recommend that from a security standpoint. It's also a pain to configure.Best to have the CA and client speak directly to each other or via network load balancing or TLS passthrough.
Best,
Carl