Support api client cert generation via openssl/vault
Feature Request
I am trying to create client certs for the talos api ultimately with Hashicorp Vault, but I'm demonstrating here with openssl. I need to delegate api access to my team, and creating talosconfigs via talosctl config new isn't a scalable solution.
Description
I'm trying to follow the same formats, algorithm, and key usages as the certs generated by talos itself.
- Generate a CA key

```shell
openssl genpkey -algorithm Ed25519 -out ca.key
```

- Generate a CA cert

```shell
openssl req -x509 -new -nodes -key ca.key -subj "/O=talos" -days 3650 \
  -addext "extendedKeyUsage=clientAuth,serverAuth" \
  -addext "keyUsage=critical,digitalSignature,keyCertSign" \
  -out ca.crt
```

- Generate a user key

```shell
openssl genpkey -algorithm Ed25519 -out user.key
```

- Generate the user CSR with the following config

```ini
# csr.conf
[ req ]
prompt = no
default_md = Ed25519
req_extensions = req_ext
distinguished_name = dn

[ dn ]
O = os:admin

[ req_ext ]

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=critical,keyEncipherment,dataEncipherment,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
```

```shell
openssl req -new -key user.key -out user.csr -config csr.conf
```

- Generate the user cert

```shell
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out user.crt -days 365 \
  -extensions v3_ext -extfile csr.conf -Ed25519
```

- Patch talos with the new CA

```yaml
# acceptedCAs.yaml
- op: replace
  path: /machine/acceptedCAs
  value:
    - crt: ... # ca.crt - base64
```

```shell
talosctl patch machineconfig --patch @acceptedCAs.yaml
```
- Create a new talosconfig context, and make a request:

```yaml
context: test
contexts:
  test:
    endpoints:
      - https://k8s....
    nodes:
      - ...
    ca: ... # existing server CA
    crt: ... # user.crt - base64
    key: ... # user.key - base64
```
I get the following error on any API request. No other logs are created in apid:

```
$ talosctl logs apid
error fetching logs: rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: remote error: tls: bad certificate"
```
I'm running these versions:

```
$ talosctl version
Client:
	Tag:         v1.11.3
	SHA:         a0243ef7
	Built:
	Go version:  go1.24.9
	OS/Arch:     linux/amd64
Server:
	NODE:        10.0.1.12
	Tag:         v1.11.5
	SHA:         bc34de6e
	Built:
	Go version:  go1.24.9
	OS/Arch:     linux/amd64
	Enabled:     RBAC
...

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
```
Certs generated: certs.tar.gz
Unfortunately TLS protocol doesn't give back meaningful errors.
So something in your client certificate makes the Talos TLS server reject it, and it's hard to guess what exactly.
You might need to match more closely options used in Talos.
One immediate guess is that you require both server and client auth, which makes zero sense.
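Since the server side only ever answers `tls: bad certificate`, the practical move is to check the leaf offline before putting it into a talosconfig. The following Go program is an added example and is not code from the issue, from Talos, or from talosctl. It rebuilds the CA and client-certificate steps from the issue with Go's `crypto/x509`, then runs a `CheckClientCert` function that reports the first mismatch against a set of assumed expectations: Ed25519 keys, the role in Subject `O` (`os:admin`), `CA:FALSE` with `digitalSignature`, `extendedKeyUsage` of `clientAuth` only (the point made in the reply above), and a chain to the CA that would go into `machine.acceptedCAs`. Those expectations are taken from this thread, not from Talos source, so treat them as a starting checklist rather than the server's actual rules.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed expectations for a Talos API client cert, taken from the issue and the
// reply (not from Talos source): Ed25519, role in Subject O, CA:FALSE with
// digitalSignature, extendedKeyUsage clientAuth only, chain to the accepted CA.

// issue generates an Ed25519 key, fills in serial and validity, signs tmpl with
// parent/parentKey (self-signed when parent is nil) and returns DER plus key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey, days int) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.NotAfter = time.Now().Add(time.Duration(days) * 24 * time.Hour)
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	return der, priv, err
}

// NewCA mirrors the CA step in the issue (O=talos, digitalSignature+keyCertSign,
// 10 years) but sets no extendedKeyUsage on the CA; that choice is an assumption.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{"talos"}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, key, err := issue(tmpl, nil, nil, 3650)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert signs a one-year leaf for role (Subject O) with the given EKUs
// and returns it PEM-encoded together with its private key.
func IssueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, role string, eku []x509.ExtKeyUsage) ([]byte, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{role}},
		BasicConstraintsValid: true, // encodes CA:FALSE explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	der, key, err := issue(tmpl, ca, caKey, 365)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// CheckClientCert returns the first mismatch against the assumed expectations,
// which is more useful than the server's bare "tls: bad certificate".
func CheckClientCert(certPEM []byte, ca *x509.Certificate) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	switch {
	case cert.PublicKeyAlgorithm != x509.Ed25519:
		return fmt.Errorf("key algorithm is %s, expected Ed25519", cert.PublicKeyAlgorithm)
	case cert.IsCA || cert.KeyUsage&x509.KeyUsageDigitalSignature == 0:
		return errors.New("leaf must be CA:FALSE with keyUsage digitalSignature")
	case len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth:
		return fmt.Errorf("extendedKeyUsage must be exactly clientAuth, got %v", cert.ExtKeyUsage)
	case len(cert.Subject.Organization) == 0:
		return errors.New("subject O (Talos role such as os:admin) is empty")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("does not chain to the accepted CA: %w", err)
	}
	return nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	pemCert, _, _ := IssueClientCert(ca, caKey, "os:admin", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth})
	fmt.Println("clientAuth+serverAuth leaf:", CheckClientCert(pemCert, ca)) // rejected at the EKU check
}
```

To check a certificate produced by the openssl or Vault flow instead, read `user.crt` and the accepted CA from disk, parse the CA with `x509.ParseCertificate`, and pass both to `CheckClientCert`; a cert built with the `v3_ext` section from the issue will stop at the `extendedKeyUsage` check because it carries `serverAuth` as well as `clientAuth`.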