
Change APNs validation at startup to use HTTP/HTTPS instead of TCP+TLS

Open ddribeiro opened this issue 1 year ago • 6 comments

Fleet version: 4.54.1
💥  Actual behavior

A customer whose Fleet server is behind a proxy is unable to start their server after inserting their APNS certificate in their configuration file to enable Apple MDM features. It appears the HTTP_PROXY and HTTPS_PROXY environment variables are not being used when communicating with Apple servers.

The following error appears:

Failed to start: validate authentication with Apple APNs certificate: TLS dial: dial tcp 17.188.143.66:443: i/o timeout

@lucasmrod: Yeah, it seems our checks at startup do not use HTTPS_PROXY/HTTP_PROXY because to verify the connection we just do a TCP+TLS connection, no HTTP. We should instead do an HTTP/HTTPS request, just like we do when communicating with Apple servers after startup.

🧑‍💻  Steps to reproduce

  1. Insert values for mdm.apple_apns_* and mdm.apple_scep* in the Fleet server configuration file.
  2. With the Fleet server behind a proxy and HTTP_PROXY and HTTPS_PROXY environment variables correctly set, start the Fleet server.
  3. Observe the Fleet server is unable to start due to an error validating authentication with the APNs certificate.

🕯️ More info (optional)

N/A

ddribeiro avatar Aug 29 '24 19:08 ddribeiro
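An added illustration of the distinction @lucasmrod draws above (example code written for this page, not Fleet's implementation; the endpoint constant is the one named in the thread, the proxy address in the comments is constructed, and loading the APNs client certificate is left to the caller): a raw TCP+TLS dial has no hook for HTTP_PROXY/HTTPS_PROXY, whereas an http.Transport with Proxy set to http.ProxyFromEnvironment tunnels through the configured proxy via CONNECT and still presents the client certificate for mutual TLS.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Sandbox APNs endpoint the issue says the startup check targets.
const apnsSandboxURL = "https://api.sandbox.push.apple.com"

// dialDirect reproduces the failing startup check: raw TCP+TLS that never reads
// HTTP_PROXY/HTTPS_PROXY, so with proxy-only egress it times out as in the issue.
func dialDirect(hostPort string, timeout time.Duration) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", hostPort, &tls.Config{})
	if err != nil {
		return err
	}
	return conn.Close()
}

// proxyFor returns the proxy URL the environment selects for target ("" means
// direct), using the same resolver net/http transports use.
func proxyFor(target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := http.ProxyFromEnvironment(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// apnsClient is the fix's shape: an HTTPS client that honours the proxy env and
// presents the APNs client cert. A custom Transport needs Proxy set explicitly.
func apnsClient(cert tls.Certificate, timeout time.Duration) *http.Client {
	tr := &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}},
	}
	return &http.Client{Transport: tr, Timeout: timeout}
}

func main() {
	fmt.Println(proxyFor(apnsSandboxURL)) // e.g. http://proxy.internal.example:3128 (constructed value)
}
```

Note that Go reads the proxy environment once, on the first call to http.ProxyFromEnvironment, so the variables must be set before the server process starts.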

@georgekarrv this is not just workflow blocking, but blocking the entire MDM setup flow (can't start Fleet server with the existing APNS cert). I would like to push for this to be a P1 - is this something you can review and confirm if your team can tackle sooner?

@lukeheath fyi

zayhanlon avatar Aug 29 '24 20:08 zayhanlon

Also it seems the connection test uses https://api.sandbox.push.apple.com, maybe it should use https://api.push.apple.com (production endpoint)?

lucasmrod avatar Aug 29 '24 20:08 lucasmrod

Rationale for using the sandbox endpoint here: https://github.com/fleetdm/fleet/pull/8730/files#r1028145802 (not saying it can't be changed! just adding historical context)

roperzh avatar Aug 29 '24 21:08 roperzh

@zayhanlon @georgekarrv I agree, this is a P1 critical bug.

lukeheath avatar Aug 29 '24 22:08 lukeheath

I had Sarah start looking at this today, hopefully we can get it into the RC

georgekarrv avatar Aug 30 '24 01:08 georgekarrv

With HTTP in use, Fleet's servers find their path, Data flows, no ruse.

fleet-release avatar Sep 05 '24 04:09 fleet-release

Behind proxies' veil, Fleet's reach expands with grace, Apple's secrets hail.

fleet-release avatar Sep 05 '24 21:09 fleet-release