Details
- Improvement
- Resolution: Fixed
- Major
- Cheshire-Cat
- 1
Description
Problem: Currently there is one cluster root CA, one root cert for the LDAP server and one root CA for the remote XDCR server. In all of these cases it would be very useful, or even strictly necessary, to be able to specify at least two root certs in order to do seamless cert rotation (on the local cluster, or on a remote LDAP or XDCR cluster).
Suggested solution: ns_server should maintain a single list of all trusted CAs, containing every root cert that Couchbase Server should trust, including those for LDAP servers, XDCR servers and so on. There should be no distinction between the cluster root cert, an XDCR root cert or an LDAP root cert. All of these trusted certs will be used for all outgoing TLS connections (node-to-node encryption, XDCR, LDAP).
Customers should be able to manage (view, add, remove) the list of trusted certificates via the UI and CLI.
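To make the proposal concrete, here is an added example (not ns_server code and not from the Couchbase project) that simulates the single trusted-CA list with Go's standard x509 package: two self-signed roots and a node certificate issued by each are constructed in memory, and a rotation is walked through to show why the list must hold both roots until every node has been re-issued. The names `Old Root CA`, `New Root CA` and `node1.example` are made up for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue builds an in-memory cert (constructed for this demo): parent == nil gives a self-signed root CA, otherwise a server leaf for host cn signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: signs itself now and node certs later
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.DNSNames = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the check an outgoing TLS connection (n2n, XDCR, LDAP) makes: the peer's leaf must chain to some root in the single trusted-CA list.
func trusted(leaf *x509.Certificate, host string, trustedCAs []*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trustedCAs { pool.AddCert(ca) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// RotationDemo reports whether node certs from both roots verify while both roots
// are trusted, and whether an old-root cert still verifies once the old root is removed.
func RotationDemo() (duringOverlap, afterOldRemoved bool) {
	oldRoot, oldKey := issue("Old Root CA", nil, nil)
	newRoot, newKey := issue("New Root CA", nil, nil)
	oldLeaf, _ := issue("node1.example", oldRoot, oldKey)
	newLeaf, _ := issue("node1.example", newRoot, newKey)
	both := []*x509.Certificate{oldRoot, newRoot}
	duringOverlap = trusted(oldLeaf, "node1.example", both) && trusted(newLeaf, "node1.example", both)
	afterOldRemoved = trusted(oldLeaf, "node1.example", both[1:]) // only the new root is left
	return duringOverlap, afterOldRemoved
}
```

With a single-root design the second step is the only option, so rotation forces a window in which nodes still on the old root cannot be reached; keeping both roots in the list removes that window, and the old root is deleted only after the last node has switched.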
Issue Links
relates to:
- MB-50033 XDCR mTLS Appears Broken (Closed)
- DOC-8715 Multiple Root CA Certs (Resolved)
- MB-47172 Multiple Root CA Certs management (couchbase-cli) (Closed)
- MB-47174 [CBBS] Multiple Root CA Certs (Closed)
- MB-47179 Multiple Root CA Certs - Analytics (Closed)
- MB-48210 [CLI Tools] Multiple Root CA Certs (Closed)
- K8S-2287 Multiple Root CA Certs - CAO (Closed)
- MB-47171 Multiple Root CA Certs - KV (Closed)
- MB-47173 Multiple Root CA Certs - XDCR (Closed)
- MB-47175 Multiple Root CA Certs - Query (Closed)
- MB-47176 Multiple Root CA Certs - Index (Closed)
- MB-47177 Multiple Root CA Certs - FTS (Closed)
- MB-47178 Multiple Root CA Certs - Eventing (Closed)
- MB-47180 Multiple Root CA Certs - Views (Closed)
- MB-47181 Multiple Root CA Certs - UI (Closed)
links to:
For Gerrit Dashboard: MB-44361

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
162873,4 | MB-44361 : Enable passing of ca.pem to eventing | master | ns_server | Status: NEW | +2 | +1 |
158779,11 | MB-44361: Multiple CA support core changes and refactoring | master | ns_server | Status: MERGED | +2 | +1 |
158780,9 | MB-44361: Switch ssl_dist_opts to new cert files | master | ns_server | Status: MERGED | +2 | +1 |
158781,9 | MB-44361: Switch LDAP code to use multi CA | master | ns_server | Status: MERGED | +2 | +1 |
158784,62 | MB-44361: Pass ca file to eventing | master | ns_server | Status: MERGED | +2 | +1 |
158785,9 | MB-44361: Temporarily save separate cert file for erlang | master | ns_server | Status: MERGED | +2 | +1 |
158787,11 | MB-44361: Add cluster's CA to the list of trusted certs on ... | master | ns_server | Status: MERGED | +2 | +1 |
158788,11 | MB-44361: Add audit for load CAs API | master | ns_server | Status: MERGED | +2 | +1 |
158789,11 | MB-44361: Adjust cert warnings calculation | master | ns_server | Status: MERGED | +2 | +1 |
158790,12 | MB-44361: Backward compat for GET /pools/default/certificate | master | ns_server | Status: MERGED | +2 | +1 |
158791,15 | MB-44361: Update /controller/uploadClusterCA | master | ns_server | Status: MERGED | +2 | +1 |
158792,15 | MB-44361: Upgrade code for certs | master | ns_server | Status: MERGED | +2 | +1 |
158845,14 | MB-44361: Temporarily generate cert file in old format... | master | ns_server | Status: MERGED | +2 | +1 |
159178,15 | MB-44361: Push TLS settings to memcached using ifconfig cmd | master | ns_server | Status: MERGED | +2 | +1 |
160241,3 | MB-44361: Fix GET /pools/default/certificate/node/<node> | master | ns_server | Status: MERGED | +2 | +1 |
160364,2 | MB-44361: Rename loadCAcertificates -> loadTrustedCAs | master | ns_server | Status: MERGED | +2 | +1 |
160830,4 | MB-44361: Pass ca file to analytics | master | ns_server | Status: MERGED | +2 | +1 |
161127,5 | MB-44361: Add GET /pools/default/trustedCAs | master | ns_server | Status: MERGED | +2 | +1 |
161433,2 | MB-44361: Enable passing of ca.pem to query | master | ns_server | Status: MERGED | +2 | +1 |
161508,7 | MB-44361: Add DELETE /pools/default/trustedCAs/<id> | master | ns_server | Status: MERGED | +2 | +1 |
161509,8 | MB-44361: Add audit for CA removing | master | ns_server | Status: MERGED | +2 | +1 |
161571,6 | MB-44361: Add 'nodes' field in GET /trustedCAs... | master | ns_server | Status: MERGED | +2 | +1 |
162128,14 | MB-44361: Fix /regenerateCertificates endpoint | master | ns_server | Status: MERGED | +2 | +1 |
162130,18 | MB-38457: MB-44361: Pass encr pkey and ca file to indexer | master | ns_server | Status: MERGED | +2 | +1 |
162428,5 | MB-44361: Allow cert regeneration when n2n encr is enabled | master | ns_server | Status: MERGED | +2 | +1 |
162429,10 | MB-44361: Migrate cert_and_pkey to chronicle | master | ns_server | Status: MERGED | +2 | +1 |
162488,10 | MB-44361: Add newly generated CA to trusted CA list in txn | master | ns_server | Status: MERGED | +2 | +1 |
162751,16 | MB-46868: Revert "MB-44361: Temporarily save separate cert file.." | master | ns_server | Status: MERGED | +2 | +1 |
162962,5 | MB-44361: Introduce GET /pools/default/certificates | master | ns_server | Status: MERGED | +2 | +1 |
162963,5 | MB-44361: Show warnings for node certs in API | master | ns_server | Status: MERGED | +2 | +1 |
163411,4 | Revert "MB-44361: Temporarily generate cert file in old format..." | master | ns_server | Status: MERGED | +2 | +1 |