How to add the ssl certificates on both server side and client side of the Piko

[jeevan2nani]

Hi, I setup the piko server on my server, and using nginx for the piko server since the server ip is not public.

Now on another machine I set up the piko and trying to use piko agent, By providing the server.url as the url which i set up in nginx.

I'm getting the error
"error":"tls: failed to verify certificate: x509: cannot validate certificate because it doesn't contain any IP SANs"

So where should we configure these ssl certificates?

[andydunstall]

Hi @jeevan2nani, the agent does not yet support configuring root CAs, I'll add support for this later today or tomorrow.

So just to confirm, will add agent configuration:

tls:
  root_cas: <path>

Which overrides the host root CAs to use a custom CA PEM file (flag --tls.root-cas).

Does that sound right?

[jeevan2nani]

Do we need to use the same CAs on server side as well?

[andydunstall]

The Piko server doesn't yet support TLS either (since its usually hosted behind a TLS terminating load balancer) so as long as you've configured Nginx with the a certificate the root CA can verify it should be ok?

I can also add Piko server TLS support if thats something you need

[jeevan2nani]

@andydunstall Thanks for the clarification. If root CA can verify it, it will be ok.

[andydunstall]

Hi @jeevan2nani, I've merged #53 which adds TLS support for both the agent to configure root CAs, and the server to configure TLS on each port. Let me know if this works for you or if theres anything else you need added

[jeevan2nani]

HI @andydunstall May I know how can I use the CA's with command.
Is it with piko agent --tls.root-cas path?
When I used this it is throwing error, unknown flag

[andydunstall]

@jeevan2nani yep piko agent --tls.root-cas path is right. You'll have to re-pull main and build the piko binary with make piko (I haven't tagged a new release with the TLS changes yet)

[jeevan2nani]

@andydunstall
I'm facing the following issue when I'm using my own ca.pem file, and the server-key.pem, server-cert.pem files in my server's nginx.

"error":"tls: failed to verify certificate: x509: certificate signed by unknown authority"

Can you help me out if you know why this issue is comming

[andydunstall]

If we just provide the tls files in nginx then just piko agent can make handshake and establish the connection right?

Thats correct

One more thing should we expose all 4 ports through nginx config?

It depends what your looking to expose. If the Piko nodes can talk directly then you don't need to expose the gossip port. Its up to you whether you need the other ports to go through Nginx, such as the admin port should not be public.

[jeevan2nani]

Nginx Proxy:
server{
listen 443 ssl;
server_name _;
ssl_certificate /etc/ssl/certs/server-cert.pem;
ssl_certificate_key /etc/ssl/certs/server-key.pem;
location /proxy/ {
proxy_pass http://localhost:8000/;
}
}

ca files can't able to attach

[andydunstall]

Ok thanks I'll have a go at reproducing with Nginx later today

It might also be worth seeing if it works connecting to Piko directly and enabling TLS on the Piko server (without Nginx)

[jeevan2nani]

@andydunstall The issue is resolved. The issue is with the LoadBalancer certs.
Thanks for your time on this issue.

[andydunstall]

@jeevan2nani great!

Let me know if theres anything else you want added to Piko :)

[skaravad]

Hello @andydunstall ,
Can the agent support mTLS when connecting to the Piko Server ? we would like to setup robust security between agent and the server , though JWT provides some safety net , we would like to restrict clients who have a valid client cert signed by our own Certificate Authority, this protects Piko Server (TLS can be offloaded to Nginx or some L7 proxy which can take care of mTLS) , so if the Client TLS config can be extended to support TLS auth , it would be really helpful.

Also this can be made optional to enable end-users with optional Cert, Key and CA paths.

[andydunstall]

Hey @skaravad, no the Piko agent does not support configuring the client certificates. Nor does the server support configuring client CAs to verify the client certificates, but it sounds like you don't need that anyway

Please open a GH issue describing what you need and I'll aim to get to it soon (it should be a fairly quick change)

[skaravad]

hi @andydunstall , thank you for your response. Opened: #191