etc/lab-host.toml.example: pin Caddy root, not wg-pki client CA (closes #14)
ca_bundle is what the shipper uses to verify collector.wg's TLS cert. That cert is signed by the Caddy Local Authority, bundled in the repo as etc/caddy-root.crt. Pointing it at wg-ca.pem (the wg-pki CIS490 Lab-Host Client CA, which is the *receiver's* trust anchor for our client cert) caused CERTIFICATE_VERIFY_FAILED on every ship. Original fix authored by the on-device agent on k-gamingcom in Dev_REL2_043026@786b8da; cherry-picked here onto main. Co-Authored-By: k-gamingcom on-device agent Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
max
parent
8d2d0d2e99
commit
4e8d2bdb04
1 changed files with 5 additions and 3 deletions
|
|
@ -17,10 +17,12 @@ qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"
|
|||
[receiver]
|
||||
# The receiver lives behind Caddy on the WG-side collector host. The
|
||||
# hostname must resolve over WG (collector.wg in the canonical
|
||||
# spectral lab). The wg-pki CA must be on every lab-host so the
|
||||
# Caddy-issued internal cert validates.
|
||||
# spectral lab). ca_bundle pins the Caddy root CA (bundled in the
|
||||
# repo) so the shipper can verify the server's TLS cert. The wg-pki
|
||||
# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's
|
||||
# trust anchor for our client cert — we don't configure it here.
|
||||
url = "https://collector.wg"
|
||||
ca_bundle = "/etc/cis490/certs/wg-ca.pem"
|
||||
ca_bundle = "/opt/cis490/etc/caddy-root.crt"
|
||||
|
||||
# mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
|
||||
# Comment these out to fall back to bearer-token auth during early
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue