lab-host.toml.example: ca_bundle pointed at client CA (wg-ca.pem) instead of Caddy root — shipper TLS handshake fails #14

Closed
opened 2026-04-30 16:35:09 -05:00 by elliott · 1 comment
Owner

Context

During k-gamingcom bring-up, the shipper failed with [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate even after mTLS leaf certs were installed.

What happened

lab-host.toml.example sets:

ca_bundle = "/etc/cis490/certs/wg-ca.pem"

The ca_bundle field is used by ShipperTransport to verify the server's TLS certificate on collector.wg. That cert is signed by the Caddy Local Authority (etc/caddy-root.crt). But wg-ca.pem (from the bootstrap tarball) is the CIS490 Lab-Host Client CA — the receiver's trust anchor for the client cert, not ours.

openssl x509 -in wg-ca.pem -noout -subject
# subject=CN=CIS490 Lab-Host Client CA

openssl x509 -in etc/caddy-root.crt -noout -subject
# subject=CN=Caddy Local Authority - 2026 ECC Root

Fix

Changed ca_bundle to /opt/cis490/etc/caddy-root.crt (the Caddy root bundled in the repo) in etc/lab-host.toml.example. Fixed in Dev_REL2_043026@786b8da.

Also corrected the comment: wg-ca.pem is the receiver's trust anchor for the client cert, not the shipper's server-verification bundle.

Verified

After fix: shipper --ping returns {"ok": true, "status_code": 200} and episodes ship with 201 Created.

Related

  • Dev_REL2_043026@786b8da
  • k-gamingcom first bring-up (issue #10)
elliott self-assigned this 2026-04-30 16:35:09 -05:00
max closed this issue 2026-04-30 17:28:49 -05:00
Owner

Cherry-picked 786b8da onto main as part of the merge train. Verified: ca_bundle now points at /opt/cis490/etc/caddy-root.crt (Caddy server CA, used by the shipper to verify collector.wg's TLS cert). Comment expanded to clarify the wg-pki client CA's role on the receiver side.
Reference: bolyai/CIS490#14