Fix CA regeneration (#1013)

databus23 · web-flow · commit 415897d6bcf8 · 2025-06-03T11:00:49.000+02:00
When regenerating the TLS CA certificate we must be careful to keep the subject of the new CA exactly the same byte for byte. Otherwise the old CA is not considered in a cert pool when validating certificates issued by the new CA: https://github.com/golang/go/blob/497cb7c0c3042d3c6605b46a1bf35b7c3bc8b046/src/crypto/x509/cert_pool.go#L144 How the subject is rended into bytes from a pkix.Name struct is not guaranteed to be stable across go versions. We actually ran into this issue before and already filed a bug for this: golang/go#45882 Signed-off-by: Fabian Ruff <fabian.ruff@sap.com>
diff --git a/pkg/util/certificates.go b/pkg/util/certificates.go
@@ -377,6 +377,7 @@ func (cf *CertificateFactory) UserCert(principal *models.Principal, apiURL strin
 
 func loadOrCreateCA(kluster *v1.Kluster, name string, cert, key *string, certUpdates *[]CertUpdates) (*Bundle, error) {
 	var existingKey *rsa.PrivateKey
+	var existingSubject []byte
 	regenerate := false
 
 	if name == "TLS" && *cert != "" {
@@ -400,14 +401,15 @@ func loadOrCreateCA(kluster *v1.Kluster, name string, cert, key *string, certUpd
 			if !isRSAKey {
 				return nil, errors.New("Key does not seem to be of type RSA")
 			}
+			existingSubject = caCert.RawSubject
 		}
 	}
 
 	if *cert != "" && *key != "" && !regenerate {
 		return NewBundle([]byte(*key), []byte(*cert))
 	}
 
-	caBundle, err := createCA(kluster.Name, name, existingKey)
+	caBundle, err := createCA(kluster.Name, name, existingKey, existingSubject)
 	if err != nil {
 		return nil, err
 	}
@@ -512,7 +514,7 @@ func ensureServerCertificate(ca *Bundle, cn string, dnsNames []string, ips []net
 	return nil
 }
 
-func createCA(klusterName, name string, existingKey *rsa.PrivateKey) (*Bundle, error) {
+func createCA(klusterName, name string, existingKey *rsa.PrivateKey, existingSubject []byte) (*Bundle, error) {
 	var privateKey *rsa.PrivateKey
 	var err error
 
@@ -538,6 +540,9 @@ func createCA(klusterName, name string, existingKey *rsa.PrivateKey) (*Bundle, e
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 	}
+	if existingSubject != nil && len(existingSubject) > 0 {
+		tmpl.RawSubject = existingSubject
+	}
 
 	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, privateKey.Public(), privateKey)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -377,6 +377,7 @@ func (cf CertificateFactory) UserCert(principal models.Principal, apiURL strin`
`377`	`377`
`378`	`378`	`func loadOrCreateCA(kluster v1.Kluster, name string, cert, key string, certUpdates []CertUpdates) (Bundle, error) {`
`379`	`379`	`var existingKey *rsa.PrivateKey`
	`380`	`+ var existingSubject []byte`
`380`	`381`	`regenerate := false`
`381`	`382`
`382`	`383`	`if name == "TLS" && *cert != "" {`
`@@ -400,14 +401,15 @@ func loadOrCreateCA(kluster v1.Kluster, name string, cert, key string, certUpd`
`400`	`401`	`if !isRSAKey {`
`401`	`402`	`return nil, errors.New("Key does not seem to be of type RSA")`
`402`	`403`	`}`
	`404`	`+ existingSubject = caCert.RawSubject`
`403`	`405`	`}`
`404`	`406`	`}`
`405`	`407`
`406`	`408`	`if cert != "" && key != "" && !regenerate {`
`407`	`409`	`return NewBundle([]byte(key), []byte(cert))`
`408`	`410`	`}`
`409`	`411`
`410`		`- caBundle, err := createCA(kluster.Name, name, existingKey)`
	`412`	`+ caBundle, err := createCA(kluster.Name, name, existingKey, existingSubject)`
`411`	`413`	`if err != nil {`
`412`	`414`	`return nil, err`
`413`	`415`	`}`
`@@ -512,7 +514,7 @@ func ensureServerCertificate(ca *Bundle, cn string, dnsNames []string, ips []net`
`512`	`514`	`return nil`
`513`	`515`	`}`
`514`	`516`
`515`		`-func createCA(klusterName, name string, existingKey rsa.PrivateKey) (Bundle, error) {`
	`517`	`+func createCA(klusterName, name string, existingKey rsa.PrivateKey, existingSubject []byte) (Bundle, error) {`
`516`	`518`	`var privateKey *rsa.PrivateKey`
`517`	`519`	`var err error`
`518`	`520`
`@@ -538,6 +540,9 @@ func createCA(klusterName, name string, existingKey rsa.PrivateKey) (Bundle, e`
`538`	`540`	`BasicConstraintsValid: true,`
`539`	`541`	`IsCA: true,`
`540`	`542`	`}`
	`543`	`+ if existingSubject != nil && len(existingSubject) > 0 {`
	`544`	`+ tmpl.RawSubject = existingSubject`
	`545`	`+ }`
`541`	`546`
`542`	`547`	`certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, privateKey.Public(), privateKey)`
`543`	`548`	`if err != nil {`