GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions

fix: Smart mTLS for Vault - use client cert if exists, plain TLS during bootstrap

Browse source 
- Add vault_health_check() function that checks if client certs exist
- If certs exist: use mTLS (secure, post-installation)
- If certs don't exist yet: use plain TLS (during initial bootstrap)
- This allows bootstrap to complete while maintaining mTLS security after setup
- No security hole: mTLS is enforced once certs are generated
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2026-01-09 11:23:49 -03:00
parent 63aee6f6bc
commit cb59ceb60f
2 changed files with 30 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
src/core/bootstrap/mod.rs
View file

@ -50,6 +50,29 @@ fn safe_curl(args: &[&str]) -> Option<std::process::Output> {
.and_then(|cmd| cmd.execute().ok())
}
fn vault_health_check() -> bool {
let client_cert = std::path::Path::new("./botserver-stack/conf/system/certificates/botserver/client.crt");
let client_key = std::path::Path::new("./botserver-stack/conf/system/certificates/botserver/client.key");
if client_cert.exists() && client_key.exists() {
safe_curl(&[
"-f", "-sk", "--connect-timeout", "2", "-m", "5",
"--cert", "./botserver-stack/conf/system/certificates/botserver/client.crt",
"--key", "./botserver-stack/conf/system/certificates/botserver/client.key",
"https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"
])
.map(|o| o.status.success())
.unwrap_or(false)
} else {
safe_curl(&[
"-f", "-sk", "--connect-timeout", "2", "-m", "5",
"https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"
])
.map(|o| o.status.success())
.unwrap_or(false)
}
}
fn safe_fuser(args: &[&str]) {
if let Ok(cmd) = SafeCommand::new("fuser")
.and_then(|c| c.args(args))
@ -227,9 +250,7 @@ impl BootstrapManager {
let pm = PackageManager::new(self.install_mode.clone(), self.tenant.clone())?;
if pm.is_installed("vault") {
let vault_already_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
.map(|o| o.status.success())
.unwrap_or(false);
let vault_already_running = vault_health_check();
if vault_already_running {
info!("Vault is already running");
@ -245,9 +266,7 @@ impl BootstrapManager {
}
for i in 0..10 {
let vault_ready = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
.map(|o| o.status.success())
.unwrap_or(false);
let vault_ready = vault_health_check();
if vault_ready {
info!("Vault is responding");
@ -436,9 +455,7 @@ impl BootstrapManager {
}
if installer.is_installed("vault") {
let vault_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
.map(|o| o.status.success())
.unwrap_or(false);
let vault_running = vault_health_check();
if vault_running {
info!("Vault is already running");
@ -1403,18 +1420,9 @@ meet IN A 127.0.0.1
}
}
let health_check = safe_curl(&["-f", "-sk", "--cert", "./botserver-stack/conf/system/certificates/botserver/client.crt", "--key", "./botserver-stack/conf/system/certificates/botserver/client.key", "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"]);
if let Some(output) = health_check {
if output.status.success() {
info!("Vault is responding");
break;
}
let stderr = String::from_utf8_lossy(&output.stderr);
if !stderr.is_empty() && attempts % 5 == 0 {
debug!("Vault health check attempt {}: {}", attempts + 1, stderr);
}
if vault_health_check() {
info!("Vault is responding");
break;
} else if attempts % 5 == 0 {
warn!("Vault health check curl failed (attempt {})", attempts + 1);
}

2
src/core/package_manager/installer.rs
View file

@ -965,7 +965,7 @@ EOF"#.to_string(),
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/vault server -config={{CONF_PATH}}/vault/config.hcl > {{LOGS_PATH}}/vault.log 2>&1 &"
.to_string(),
check_cmd: "curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1"
check_cmd: "if [ -f {{CONF_PATH}}/system/certificates/botserver/client.crt ]; then curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; else curl -f -sk --connect-timeout 2 -m 5 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; fi"
.to_string(),
},
);