From 786b8da60077bc46933dedb3a9d3b690dbdb6f15 Mon Sep 17 00:00:00 2001
From: elliott
Date: Thu, 30 Apr 2026 15:34:10 -0600
Subject: [PATCH] fix: ca_bundle in lab-host.toml.example pointed at client CA, not Caddy root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

wg-ca.pem (from the bootstrap tarball) is the CIS490 Lab-Host Client CA — the receiver's trust anchor for our client cert. The shipper's ca_bundle is used to verify the *server's* TLS cert on collector.wg, which is signed by the Caddy Local Authority. Point ca_bundle at /opt/cis490/etc/caddy-root.crt (the Caddy root bundled in the repo) so TLS verification succeeds.
Closes spectral/CIS490#12
Co-Authored-By: Claude Sonnet 4.6
---
 etc/lab-host.toml.example | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/etc/lab-host.toml.example b/etc/lab-host.toml.example
index 9c13a2d..dacc490 100644
--- a/etc/lab-host.toml.example
+++ b/etc/lab-host.toml.example
@@ -17,10 +17,12 @@ qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"
 [receiver]
 # The receiver lives behind Caddy on the WG-side collector host. The
 # hostname must resolve over WG (collector.wg in the canonical
-# spectral lab). The wg-pki CA must be on every lab-host so the
-# Caddy-issued internal cert validates.
+# spectral lab). ca_bundle pins the Caddy root CA (bundled in the
+# repo) so the shipper can verify the server's TLS cert. The wg-pki
+# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's
+# trust anchor for our client cert — we don't configure it here.
 url = "https://collector.wg"
-ca_bundle = "/etc/cis490/certs/wg-ca.pem"
+ca_bundle = "/opt/cis490/etc/caddy-root.crt"
 
 # mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
 # Comment these out to fall back to bearer-token auth during early
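Review bot: The new comment says ca_bundle "pins" the Caddy root CA, but the value is a copy checked into the repo, and a Caddy local-CA root is (as far as I know) generated per Caddy instance, so the comment should state that /opt/cis490/etc/caddy-root.crt must be the root of the Caddy instance actually fronting collector.wg and what happens when it is not. Suggested wording after "so the shipper can verify the server's TLS cert.": `# This file must match the root of the Caddy serving collector.wg; if the` / `# collector's local CA is regenerated, re-copy it or the shipper fails TLS` / `# verification (fail-closed, by design).`. The server trust anchor also moves from /etc/cis490/certs/ to /opt/cis490/etc/ while the mTLS leaf and key documented in the following unchanged lines presumably stay under the former path; since anyone who can replace caddy-root.crt controls which server the shipper will trust, the comment should say the file needs the same ownership and write-protection as the client key rather than the repo checkout's default permissions. The [receiver] table continues past the end of the hunk.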