From 4e8d2bdb0441aadec5db59a1946f3739133472f4 Mon Sep 17 00:00:00 2001 From: elliott Date: Thu, 30 Apr 2026 15:34:10 -0600 Subject: [PATCH] etc/lab-host.toml.example: pin Caddy root, not wg-pki client CA (closes #14) ca_bundle is what the shipper uses to verify collector.wg's TLS cert. That cert is signed by the Caddy Local Authority, bundled in the repo as etc/caddy-root.crt. Pointing it at wg-ca.pem (the wg-pki CIS490 Lab-Host Client CA, which is the *receiver's* trust anchor for our client cert) caused CERTIFICATE_VERIFY_FAILED on every ship. Original fix authored by the on-device agent on k-gamingcom in Dev_REL2_043026@786b8da; cherry-picked here onto main. Co-Authored-By: k-gamingcom on-device agent Co-Authored-By: Claude Opus 4.7 (1M context) --- etc/lab-host.toml.example | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/etc/lab-host.toml.example b/etc/lab-host.toml.example index 9c13a2d..dacc490 100644 --- a/etc/lab-host.toml.example +++ b/etc/lab-host.toml.example @@ -17,10 +17,12 @@ qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2" [receiver] # The receiver lives behind Caddy on the WG-side collector host. The # hostname must resolve over WG (collector.wg in the canonical -# spectral lab). The wg-pki CA must be on every lab-host so the -# Caddy-issued internal cert validates. +# spectral lab). ca_bundle pins the Caddy root CA (bundled in the +# repo) so the shipper can verify the server's TLS cert. The wg-pki +# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's +# trust anchor for our client cert — we don't configure it here. url = "https://collector.wg" -ca_bundle = "/etc/cis490/certs/wg-ca.pem" +ca_bundle = "/opt/cis490/etc/caddy-root.crt" # mTLS: leaf cert + private key issued by wg-pki for THIS host_id. # Comment these out to fall back to bearer-token auth during early