From 216140255dfc91fd153b583649107316d9d293c6 Mon Sep 17 00:00:00 2001 From: James Rasell Date: Wed, 25 Jun 2025 07:35:56 +0100 Subject: [PATCH] cli: Do not always add global DNS name to certificate DNS names. (#26086) No matter the passed region identifier, the CLI was always adding ".global.nomad" to the certificate DNS names. This is not what we expect and has been removed. While here, the long deprecated cluster-region flag has been removed. This removal only impacts CLI functionality, so is safe to do. --- .changelog/26086.txt | 3 + command/tls_cert_create.go | 73 +++++++------------ command/tls_cert_create_test.go | 3 - .../testdata/badRegion-client-bad-key.pem | 6 +- .../tlsutil/testdata/badRegion-client-bad.pem | 25 +++---- .../testdata/badRegion-server-bad-key.pem | 6 +- .../tlsutil/testdata/badRegion-server-bad.pem | 25 +++---- .../testdata/global-client-nomad-key.pem | 6 +- .../tlsutil/testdata/global-client-nomad.pem | 30 ++++---- .../testdata/global-server-nomad-key.pem | 6 +- .../tlsutil/testdata/global-server-nomad.pem | 22 +++--- .../testdata/regionFoo-client-nomad-key.pem | 6 +- .../testdata/regionFoo-client-nomad.pem | 24 +++--- .../testdata/regionFoo-server-nomad-key.pem | 6 +- .../testdata/regionFoo-server-nomad.pem | 24 +++--- .../content/docs/commands/tls/cert-create.mdx | 2 - 16 files changed, 122 insertions(+), 145 deletions(-) create mode 100644 .changelog/26086.txt diff --git a/.changelog/26086.txt b/.changelog/26086.txt new file mode 100644 index 000000000..506071fc7 --- /dev/null +++ b/.changelog/26086.txt @@ -0,0 +1,3 @@ +```release-note:bug +cli: Fixed a bug in the `tls cert create` command that always added ``".global.nomad"` to the certificate DNS names, even when the specified region was not ``"global"`. +``` diff --git a/command/tls_cert_create.go b/command/tls_cert_create.go index 59a818386..9061da77c 100644 --- a/command/tls_cert_create.go +++ b/command/tls_cert_create.go 
@@ -39,16 +39,12 @@ type TLSCertCreateCommand struct { // domain is used to provide a custom domain for the certificate. domain string - // cluster_region is used to add the region name to the certifacte SAN - // records - cluster_region string - // key is used to set the custom CA certificate key when creating // certificates. key string - // cluster_region is used to add the region name to the certifacte SAN - // records + // region is used to add the Nomad region name to the certificate SAN + // records. region string server bool @@ -82,9 +78,6 @@ Certificate Create Options: -client Generate a client certificate. - -cluster-region - DEPRECATED please use -region. - -days Provide number of days the certificate is valid for from now on. Defaults to 1 year. @@ -141,8 +134,6 @@ func (c *TLSCertCreateCommand) Run(args []string) int { flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "") flagSet.BoolVar(&c.cli, "cli", false, "") flagSet.BoolVar(&c.client, "client", false, "") - // cluster region will be deprecated in the next version - flagSet.StringVar(&c.cluster_region, "cluster-region", "", "") flagSet.IntVar(&c.days, "days", 365, "") flagSet.StringVar(&c.domain, "domain", "nomad", "") flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "") @@ -176,7 +167,7 @@ func (c *TLSCertCreateCommand) Run(args []string) int { var dnsNames []string var ipAddresses []net.IP var extKeyUsage []x509.ExtKeyUsage - var name, regionName, prefix string + var name, prefix string for _, d := range c.dnsNames { if len(d) > 0 { 
@@ -190,24 +181,21 @@ func (c *TLSCertCreateCommand) Run(args []string) int { } } - // set region variable to prepare for deprecating cluster_region - switch { - case c.cluster_region != "": - regionName = c.cluster_region - case c.clientConfig().Region != "" && c.clientConfig().Region != "global": - regionName = c.clientConfig().Region - default: - regionName = "global" + regionIdentifier := "global" + + if r := c.clientConfig().Region; r != "" { + regionIdentifier = r } - // Set dnsNames and ipAddresses based on whether this is a client, server or cli + // Set dnsNames and ipAddresses based on whether this is a client, server or + // cli. switch { case c.server: - ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionName, c.domain, dnsNames, ipAddresses) + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionIdentifier, c.domain, dnsNames, ipAddresses) case c.client: - ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionName, c.domain, dnsNames, ipAddresses) + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionIdentifier, c.domain, dnsNames, ipAddresses) case c.cli: - ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionName, c.domain, dnsNames, ipAddresses) + ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionIdentifier, c.domain, dnsNames, ipAddresses) default: c.Ui.Error("Neither client, cli nor server - should not happen") return 1 
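Review bot: `regionIdentifier` is taken straight from `c.clientConfig().Region` and handed to `recordPreparation` with no check in the visible lines, yet it ends up in the certificate common name, the DNS SAN and the on-disk file prefix. A value containing `*`, an extra dot or a path separator would yield a wildcard or multi-label SAN, or a prefix that resolves outside the working directory. `Run` continues outside this hunk, so validation may exist elsewhere; if it does not, I would reject anything that is not a single DNS label before the `switch`, for example `if !isDNSLabel(regionIdentifier) { c.Ui.Error("invalid region identifier"); return 1 }`, where `isDNSLabel` is a new helper to add. The same check applies to `c.domain`, which is interpolated the same way.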
@@ -301,36 +289,29 @@ func (c *TLSCertCreateCommand) Run(args []string) int { return 0 } -func recordPreparation(certType string, regionName string, domain string, dnsNames []string, ipAddresses []net.IP) ([]net.IP, []string, string, []x509.ExtKeyUsage, string) { - var ( - extKeyUsage []x509.ExtKeyUsage - name, regionUrl, prefix string - ) +func recordPreparation(certType, regionName, domain string, dnsNames []string, ipAddresses []net.IP) ( + []net.IP, []string, string, []x509.ExtKeyUsage, string) { + + var extKeyUsage []x509.ExtKeyUsage + if certType == "server" || certType == "client" { extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} ipAddresses = append(ipAddresses, net.ParseIP("127.0.0.1")) } else if certType == "cli" { extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} } - // prefix is used to generate the filename for the certificate before writing to disk. - prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain) - regionUrl = fmt.Sprintf("%s.%s.nomad", certType, regionName) - name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain) - if regionName != "global" && domain != "nomad" { - dnsNames = append(dnsNames, name, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost") - } + // Generate the file prefix used to write the certificate and key files to + // local disk. + prefix := fmt.Sprintf("%s-%s-%s", regionName, certType, domain) - if regionName != "global" && domain == "nomad" { - dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost") - } + // The TLS common name is a combination of the certificate role (server, + // client, or cli), the Nomad region name, and the domain. 
+ commonName := fmt.Sprintf("%s.%s.%s", certType, regionName, domain) - if regionName == "global" && domain != "nomad" { - dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.%s.%s", certType, regionName, domain), "localhost") - } + // Generate a new list of DNS names which includes the original array, the + // common name, and "localhost". + dnsNames = append(dnsNames, commonName, "localhost") - if regionName == "global" && domain == "nomad" { - dnsNames = append(dnsNames, name, "localhost") - } - return ipAddresses, dnsNames, name, extKeyUsage, prefix + return ipAddresses, dnsNames, commonName, extKeyUsage, prefix } diff --git a/command/tls_cert_create_test.go b/command/tls_cert_create_test.go index 75d6f659b..a385ca074 100644 --- a/command/tls_cert_create_test.go +++ b/command/tls_cert_create_test.go @@ -107,7 +107,6 @@ func TestTlsCertCreateCommandDefaults_fileCreate(t *testing.T) { "server.region1.nomad", []string{ "server.region1.nomad", - "server.global.nomad", "localhost", }, []net.IP{{127, 0, 0, 1}}, @@ -217,7 +216,6 @@ func TestTlsRecordPreparation(t *testing.T) { expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, expectedDNSNames: []string{ "server.region1.nomad", - "server.global.nomad", "localhost", }, expectedName: "server.region1.nomad", @@ -233,7 +231,6 @@ func TestTlsRecordPreparation(t *testing.T) { ipAddresses: []string{}, expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")}, expectedDNSNames: []string{ - "server.global.nomad", "server.global.domain1", "localhost", }, diff --git a/helper/tlsutil/testdata/badRegion-client-bad-key.pem b/helper/tlsutil/testdata/badRegion-client-bad-key.pem index 7b56a389b..2a9bfe620 100644 --- a/helper/tlsutil/testdata/badRegion-client-bad-key.pem +++ b/helper/tlsutil/testdata/badRegion-client-bad-key.pem 
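Review bot: With a custom `-domain`, the rewritten `recordPreparation` no longer adds `<role>.<region>.nomad` to the SANs. Both removed `domain != "nomad"` branches appended `regionUrl` next to the domain-qualified name, while the new code appends only `commonName` and `"localhost"`. The commit message and changelog mention only the removal of the spurious `.global.nomad` entry, but the updated `server.global.domain1` test case drops `server.global.nomad` even though its region is `global`. If peer hostname verification expects the `.nomad` form regardless of domain (not visible here, worth confirming), certificates issued with a custom domain would stop validating. Keeping the name would be `if domain != "nomad" { dnsNames = append(dnsNames, fmt.Sprintf("%s.%s.nomad", certType, regionName)) }` before the `commonName` append; otherwise the narrowing should be called out in the changelog.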
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIEbr9QQxvZRlT+WFHAZnw/pwsNhGkbHVtkRWSTfYh0GtoAoGCCqGSM49 -AwEHoUQDQgAEdmOVwqDMhWyP/YXJekbyILsk4CV6L9W0mK3MjD148g0XjhT8yDUL -FHFqm8bNNAO+gBbI1EDS8TpHIWtiQ86QSg== +MHcCAQEEIKk8d2emRn2ogBXZY6vrZzN/LWr0+nloUfUDVaTMa25ooAoGCCqGSM49 +AwEHoUQDQgAEyHsxg78wuPB8FG45YJIjDy5XNvkRuF7kge3Qto2NMUObdXlpYEBM +kBi5s5ow4Bqjp9LpQFT77Ts+xpFqZ3mi2A== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/badRegion-client-bad.pem b/helper/tlsutil/testdata/badRegion-client-bad.pem index c919fe5a4..8c4c2d26c 100644 --- a/helper/tlsutil/testdata/badRegion-client-bad.pem +++ b/helper/tlsutil/testdata/badRegion-client-bad.pem 
@@ -1,18 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICzzCCAnWgAwIBAgIRAIFUltA5xgNPcFFlo2aKtIcwCgYIKoZIzj0EAwIwgbgx +MIICozCCAkigAwIBAgIRAPZum3AsvBr+eZ5eX1cBrtcwCgYIKoZIzj0EAwIwgbgx CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg -MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTI1MDUw -MjEyMDc1OVoXDTI2MDUwMjEyMDc1OVowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl -Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR2Y5XCoMyFbI/9hcl6 -RvIguyTgJXov1bSYrcyMPXjyDReOFPzINQsUcWqbxs00A76AFsjUQNLxOkcha2JD -zpBKo4H3MIH0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI -KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgWG3m916eQoU94ufqaBPi -812f+iKn0HmqJ0hdqjxjxGMwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI -p68R+n3y0VB8/nBfe9owXQYDVR0RBFYwVIIUY2xpZW50LmJhZFJlZ2lvbi5iYWSC -FmNsaWVudC5iYWRSZWdpb24ubm9tYWSCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv -Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEApczLizCiPhkoDDOzouO0 -z5XsRN0z60srWf+1cfU9A34CIGQnoGDM943exxkQQe6ZBI6BR1nfB/IemxNlvrMs -K+s4 +MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTI1MDYy +MDEyNTI0MFoXDTI2MDYyMDEyNTI0MFowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl +Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATIezGDvzC48HwUbjlg +kiMPLlc2+RG4XuSB7dC2jY0xQ5t1eWlgQEyQGLmzmjDgGqOn0ulAVPvtOz7GkWpn +eaLYo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgEd/0T23L8jJLRtwWl1+5 +qYyBqm9nlfsIZm+vaYBSVPYwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI +p68R+n3y0VB8/nBfe9owMAYDVR0RBCkwJ4IUY2xpZW50LmJhZFJlZ2lvbi5iYWSC +CWxvY2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAyTdYI/7s5tY+RJjz +5n/jBPyISA+trpcXwYNJ4qQbo+wCIQDuYlit9Gi9DLkLgGd8vsvcLy+j3b9qBE3Y +r08brTf1zQ== -----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/badRegion-server-bad-key.pem b/helper/tlsutil/testdata/badRegion-server-bad-key.pem index 74aadc7b9..b8e84b00f 100644 
--- a/helper/tlsutil/testdata/badRegion-server-bad-key.pem +++ b/helper/tlsutil/testdata/badRegion-server-bad-key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIJXs4LOqeaYEyWLjc/d1dyDMfgIU5UQRxcVoRivOPMcioAoGCCqGSM49 -AwEHoUQDQgAEdffb4T11XNYkIMJHawSigBhGRGw8cD9TB663nWG8AgWh/V9uk9mw -yWcoRETDx7Y4athINsD66fRwelKNN/SMnw== +MHcCAQEEIFYpihoMQZc5KiQnRhbjuG3Z3Zz+6CZmPBrlGnL2ISrWoAoGCCqGSM49 +AwEHoUQDQgAESOj4nVa+vZO7V/LZN+mPl3iIgYhFciOrSTJhy4qjQgOqo/PTH6jZ +U7lRHNDSMGUPATbqapL/tlv19UB3Bkuvdg== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/badRegion-server-bad.pem b/helper/tlsutil/testdata/badRegion-server-bad.pem index 2f962c0d8..71cbf8270 100644 --- a/helper/tlsutil/testdata/badRegion-server-bad.pem +++ b/helper/tlsutil/testdata/badRegion-server-bad.pem 
@@ -1,18 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICzzCCAnSgAwIBAgIQa3qvui9MXrlD1JulWcYlGjAKBggqhkjOPQQDAjCBuDEL +MIICoDCCAkegAwIBAgIQEA4wMi/TMrcu3WC6wB+1CjAKBggqhkjOPQQDAjCBuDEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx -NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjUwNTAy -MTIwNzU5WhcNMjYwNTAyMTIwNzU5WjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn -aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHX32+E9dVzWJCDCR2sE -ooAYRkRsPHA/Uweut51hvAIFof1fbpPZsMlnKEREw8e2OGrYSDbA+un0cHpSjTf0 -jJ+jgfcwgfQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr -BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAZeiGRew0bfMMbbJ+U5dHS -dfGgA+rI+aqUj25tDSlmDzArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein -rxH6ffLRUHz+cF972jBdBgNVHREEVjBUghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIW -c2VydmVyLmJhZFJlZ2lvbi5ub21hZIITc2VydmVyLmdsb2JhbC5ub21hZIIJbG9j -YWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0kAMEYCIQDzIf0rL1FAYn5KSxhfVKdJ -dGkYqeiL9YUsAw72uFxHbgIhAKqK1JNRv53rBAjzmjZJw/5Xn7TE8nnbDuYyKnxG -S7eT +NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjUwNjIw +MTI1MjQwWhcNMjYwNjIwMTI1MjQwWjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn +aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEjo+J1Wvr2Tu1fy2Tfp +j5d4iIGIRXIjq0kyYcuKo0IDqqPz0x+o2VO5URzQ0jBlDwE26mqS/7Zb9fVAdwZL +r3ajgcowgccwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBa/ZDAdDv0vC8t//nHWvq3 +3xY+0Zp76TtJ27abvhOmazArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein +rxH6ffLRUHz+cF972jAwBgNVHREEKTAnghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIJ +bG9jYWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIHJuKQNm4jgAx++eOL84 +mrUWBEaezWpk2efZLcPdGsWSAiA3R80THTDKwlzpspVqggvyNRbk+k7cYQRr4pcY +ty6nBQ== -----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/global-client-nomad-key.pem b/helper/tlsutil/testdata/global-client-nomad-key.pem index 6eacb5c3c..ec1b32a85 100644 
--- a/helper/tlsutil/testdata/global-client-nomad-key.pem +++ b/helper/tlsutil/testdata/global-client-nomad-key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIJShzvcArPG0/VBQBenDVEOdlqK0c05GOZsK7+lwynMcoAoGCCqGSM49 -AwEHoUQDQgAETXS/uB8i2LnrhIkHS9zjVEa14CAkz53QZPIEKpwIbF1OxcVWhXkx -rpSc2JQpERbIDAIvHkqsZbAjVQU9hmvrvg== +MHcCAQEEID5Gr6PKtaffTAmqejQXR+NGXMAcCulRLf86TVs577Q+oAoGCCqGSM49 +AwEHoUQDQgAEyo1HmrxdII2+L5TyY9jPluzo031FF6BC5VXaP8PbPnD1G49vlm7Q +W0xVOqKUwJF5MnrXfzoBnTZcdIrPruuDdw== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/global-client-nomad.pem b/helper/tlsutil/testdata/global-client-nomad.pem index c29bad36c..bc7a36f94 100644 --- a/helper/tlsutil/testdata/global-client-nomad.pem +++ b/helper/tlsutil/testdata/global-client-nomad.pem 
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICoDCCAkWgAwIBAgIQJsb/Lvp0/3ZYEmdrXK5s6TAKBggqhkjOPQQDAjCBuDEL -MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv -MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV -BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAy -NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNTAy -MTIwNjIyWhcNMjYwNTAyMTIwNjIyWjAeMRwwGgYDVQQDExNjbGllbnQuZ2xvYmFs -Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETXS/uB8i2LnrhIkHS9zj -VEa14CAkz53QZPIEKpwIbF1OxcVWhXkxrpSc2JQpERbIDAIvHkqsZbAjVQU9hmvr -vqOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG -AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIFACuyxFeOccwzTiOpsf2kz2 -170j7ksaJcdvmDBIcl89MCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH -eNrYzpWdMHHtwcQcMC8GA1UdEQQoMCaCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv -Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEA4ixue8guhYI9c7E0wlDF -zYIeopTlFnrDGbrd7FPqDSECIQDFly6cAQ9mQejWEzsdv520jc71U3UC77lcdLbs -4d/y0A== +MIICoTCCAkagAwIBAgIRAN/p3iuXI/+dJX3wshZUwyAwCgYIKoZIzj0EAwIwgbgx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy +MDEyNTA1NloXDTI2MDYyMDEyNTA1NlowHjEcMBoGA1UEAxMTY2xpZW50Lmdsb2Jh +bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMqNR5q8XSCNvi+U8mPY +z5bs6NN9RRegQuVV2j/D2z5w9RuPb5Zu0FtMVTqilMCReTJ61386AZ02XHSKz67r +g3ejgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAaW8uBoxrKhEjNXKEPXiMr +nQaDH9Npipl/CCP1V+CrlzArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA +x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNjbGllbnQuZ2xvYmFsLm5vbWFkggls +b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJIUMdRmMJSi3hT5PU/W +G0hJJG8Vxh7VT8ebNxnz9VhGAiEAnfBPT+JsgEMqlX7nZPFGhoOKIOfuozaWSbBz +hAsns14= -----END CERTIFICATE----- 
diff --git a/helper/tlsutil/testdata/global-server-nomad-key.pem b/helper/tlsutil/testdata/global-server-nomad-key.pem index 435d48374..37adc3a08 100644 --- a/helper/tlsutil/testdata/global-server-nomad-key.pem +++ b/helper/tlsutil/testdata/global-server-nomad-key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIHtMohNhWUCJ7+5iEFE0xVcmjO+8HtZ/Xy6YTraBykZooAoGCCqGSM49 -AwEHoUQDQgAEG0x5ksFPi1LA4pDOewaYaMXE5ML9vmYaOttoFbgRfaSowSBx6wpa -fN6b565RRhRuPkI8eQa6hwSJL1JSlBwdhQ== +MHcCAQEEIF7gRiwEqYZhlloKsMyAMZ0zynvDVyUimEAEnI43z7/RoAoGCCqGSM49 +AwEHoUQDQgAEQ1wTyHo3vjISeiL5ql7e03zUYeQRTdl2iOeqfTyn6dITR0mgsPe/ +qzPhlGMlW+/2aFkIvmvkD0JumTu6wIPqyQ== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/global-server-nomad.pem b/helper/tlsutil/testdata/global-server-nomad.pem index 0f02a3200..47b640988 100644 --- a/helper/tlsutil/testdata/global-server-nomad.pem +++ b/helper/tlsutil/testdata/global-server-nomad.pem 
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICnzCCAkWgAwIBAgIQVReOD344n4OOValJVWIapjAKBggqhkjOPQQDAjCBuDEL +MIICnzCCAkWgAwIBAgIQHj3goiF3rxOXBp5KyJPVuDAKBggqhkjOPQQDAjCBuDEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAy -NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNTAy -MTIwNjIyWhcNMjYwNTAyMTIwNjIyWjAeMRwwGgYDVQQDExNzZXJ2ZXIuZ2xvYmFs -Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEG0x5ksFPi1LA4pDOewaY -aMXE5ML9vmYaOttoFbgRfaSowSBx6wpafN6b565RRhRuPkI8eQa6hwSJL1JSlBwd -haOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG -AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIDj3UwkShqXCLRBqp8AztARh -PgpKwXTXs8HV12AegN8YMCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH +NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNjIw +MTI1MDU2WhcNMjYwNjIwMTI1MDU2WjAeMRwwGgYDVQQDExNzZXJ2ZXIuZ2xvYmFs +Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ1wTyHo3vjISeiL5ql7e +03zUYeQRTdl2iOeqfTyn6dITR0mgsPe/qzPhlGMlW+/2aFkIvmvkD0JumTu6wIPq +yaOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG +AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIFUATGblzDY9ZPhh2Hxqtcq9 +Ik/SOt+csC4sbDlHx0bAMCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH eNrYzpWdMHHtwcQcMC8GA1UdEQQoMCaCE3NlcnZlci5nbG9iYWwubm9tYWSCCWxv -Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiBLWW+t+HR8pFlisUXF8fVQ -vGvw5Q3zzuMmghNdMfulqAIhAJLT64jAXQFmFNeJpMMQO7NbhV1cLHf8tXo2GOCE -ipU0 +Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiBi9n1J2vwM4Eh18pY9qdZd +28h+3cpQYbFGLCcEjknXgQIhAPPxdhNbQ6fyuwDrkbF/gOUftTUtNhhpO8DY3Zjv +mTMt -----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem b/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem index 541001bba..bf5d64d3f 100644 --- a/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem +++ b/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem 
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIIti9mUkwepjy83t+p4sR2vt+1LoWDBTB5XxOu5k3LHzoAoGCCqGSM49 -AwEHoUQDQgAEu5MA5D0M20MnluzjwAPH3taoSNGdpEFOgED2m5o+G1yWnBu5YaHu -Hx6xsGyvyAT1GZ2BZiMVY8aQPPUpBvdHTQ== +MHcCAQEEIC6Zb2A2b0eHOL1P0TreEeyyPhF7ga4tHRQy1oBPENmDoAoGCCqGSM49 +AwEHoUQDQgAEDkAbolF7vLkCF/cNglYmBP3TK6TwpwSTR60AneZKyXLY9ZjQND17 +X9avu80cyJkktcKMXMDV2iHowPxWmlxAjA== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/regionFoo-client-nomad.pem b/helper/tlsutil/testdata/regionFoo-client-nomad.pem index c33a057bf..43bdebe53 100644 --- a/helper/tlsutil/testdata/regionFoo-client-nomad.pem +++ b/helper/tlsutil/testdata/regionFoo-client-nomad.pem 
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICuzCCAmGgAwIBAgIRAPnUAMiIhB6p3fddfmZQliMwCgYIKoZIzj0EAwIwgbgx +MIICpjCCAkygAwIBAgIRAL9bNTwXnAjd6l7LeWLFpucwCgYIKoZIzj0EAwIwgbgx CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg -MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDUw -MjEyMDk0NFoXDTI2MDUwMjEyMDk0NFowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv -bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLuTAOQ9DNtDJ5bs -48ADx97WqEjRnaRBToBA9puaPhtclpwbuWGh7h8esbBsr8gE9RmdgWYjFWPGkDz1 -KQb3R02jgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBHcLp6utfmnR9b8wvt -7QDzBzd/s4PGriiFaZfAHSZlQzArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH -gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZjbGllbnQucmVnaW9uRm9vLm5v -bWFkghNjbGllbnQuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI -zj0EAwIDSAAwRQIgdOu1JQrrMH43dbFFsbxETXQr2USdq6ZJ0WBOkd/mTGkCIQDl -lNgf8BQsbnOSNT+ZpiIk00ifUVvpHNnnL2Pv3OZmGA== +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy +MDEyNTEyMFoXDTI2MDYyMDEyNTEyMFowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv +bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA5AG6JRe7y5Ahf3 +DYJWJgT90yuk8KcEk0etAJ3mSsly2PWY0DQ9e1/Wr7vNHMiZJLXCjFzA1doh6MD8 +VppcQIyjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCD1NbLrtvFb+0vhwdb+ +Y+9FKsZKypoqQBy1Wgu4GMv+XDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH +gpqAx3ja2M6VnTBx7cHEHDAyBgNVHREEKzApghZjbGllbnQucmVnaW9uRm9vLm5v +bWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgNIS7OemovXSg +gShooyH9s/6/KDhE7hBWP80tkfU9VTkCIQC6lYDoq2IPaL0pqzFy1Z5BUdIeTUJh +PYKQ8PrLAbNJLQ== -----END CERTIFICATE----- diff --git a/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem b/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem index 28e1c3c8f..3b7695bbc 100644 
--- a/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem +++ b/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIPpZY+Oy7aj127fsvANb9bQCJ+X6jPZLgXC6RrrozjzioAoGCCqGSM49 -AwEHoUQDQgAErhTVsvE0FIT66/kZfrP4se5sTxZK60BVoCCuQOKBW47VUgZbIjjF -zhoSCyXko3Z1NET7FxwyOSGjdXOF5m5yZA== +MHcCAQEEIAL8PR3BeBaVaAalDh3RkusdUjyVIHR+OGYRXTVOKEdcoAoGCCqGSM49 +AwEHoUQDQgAEK8IsGS6VJdf1Ik14y+PgBOZdVJRZDlKFlvU0isVEnoSAmmFjoZpT +wgTAf0QdoCwlfakwqljmbmE5E/QrA3ySCw== -----END EC PRIVATE KEY----- diff --git a/helper/tlsutil/testdata/regionFoo-server-nomad.pem b/helper/tlsutil/testdata/regionFoo-server-nomad.pem index 4a90c1f05..ac9ca010e 100644 --- a/helper/tlsutil/testdata/regionFoo-server-nomad.pem +++ b/helper/tlsutil/testdata/regionFoo-server-nomad.pem 
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICuzCCAmGgAwIBAgIRAJ2sg8BGYUbhmhraFRZIXhgwCgYIKoZIzj0EAwIwgbgx +MIICpzCCAkygAwIBAgIRAOgSVlcFdzGslL3laKW29Z0wCgYIKoZIzj0EAwIwgbgx CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg -MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDUw -MjEyMDk0M1oXDTI2MDUwMjEyMDk0M1owITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv -bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK4U1bLxNBSE+uv5 -GX6z+LHubE8WSutAVaAgrkDigVuO1VIGWyI4xc4aEgsl5KN2dTRE+xccMjkho3Vz -heZucmSjgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCCl/G2fQsqZaGSzTY6Y -szXpu5V6d0k1XbVa9xrjksEmzDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH -gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZzZXJ2ZXIucmVnaW9uRm9vLm5v -bWFkghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI -zj0EAwIDSAAwRQIhALMTV8TEhQ4gAni39w26nxrtKYJCTTST12oATeOvhq70AiBw -yKcrkJuD0p4F9+0Z9NC0CiindYtn+3mWGmDb5ohOmw== +MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy +MDEyNTEyMFoXDTI2MDYyMDEyNTEyMFowITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv +bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvCLBkulSXX9SJN +eMvj4ATmXVSUWQ5ShZb1NIrFRJ6EgJphY6GaU8IEwH9EHaAsJX2pMKpY5m5hORP0 +KwN8kgujgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBf0aPAgkM3OB1at2BG +IkN+gpuXXNToVgdtVc39cGAAbTArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH +gpqAx3ja2M6VnTBx7cHEHDAyBgNVHREEKzApghZzZXJ2ZXIucmVnaW9uRm9vLm5v +bWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAICI9TqZTmd5 +t9Pc99FyOhEYb0Ql8djO/3XdeLOQa91lAiEAkMU2sSheRbUZCa5GAQlHNYPsUs50 +qgTsuoR6u4512rw= -----END CERTIFICATE----- diff --git a/website/content/docs/commands/tls/cert-create.mdx b/website/content/docs/commands/tls/cert-create.mdx index d744737a5..bff5f8571 100644 --- a/website/content/docs/commands/tls/cert-create.mdx 
+++ b/website/content/docs/commands/tls/cert-create.mdx @@ -35,8 +35,6 @@ Usage: `nomad tls cert create [options]` - `-days=`: Provide number of days the certificate is valid for from now on. Defaults to 1 year. -- `-cluster-region=`: DEPRECATED please use `-region`. - - `-domain=`: Provide the domain. Matters only for `-server` certificates.