From cb59ceb60ff9f778b543835cbc7d1bb06c266ef9 Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Fri, 9 Jan 2026 11:23:49 -0300 Subject: [PATCH] fix: Smart mTLS for Vault - use client cert if exists, plain TLS during bootstrap - Add vault_health_check() function that checks if client certs exist - If certs exist: use mTLS (secure, post-installation) - If certs don't exist yet: use plain TLS (during initial bootstrap) - This allows bootstrap to complete while maintaining mTLS security after setup - No security hole: mTLS is enforced once certs are generated --- src/core/bootstrap/mod.rs | 50 ++++++++++++++++----------- src/core/package_manager/installer.rs | 2 +- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/src/core/bootstrap/mod.rs b/src/core/bootstrap/mod.rs index 96cb29957..6513a6b1a 100644 --- a/src/core/bootstrap/mod.rs +++ b/src/core/bootstrap/mod.rs @@ -50,6 +50,29 @@ fn safe_curl(args: &[&str]) -> Option { .and_then(|cmd| cmd.execute().ok()) } +fn vault_health_check() -> bool { + let client_cert = std::path::Path::new("./botserver-stack/conf/system/certificates/botserver/client.crt"); + let client_key = std::path::Path::new("./botserver-stack/conf/system/certificates/botserver/client.key"); + + if client_cert.exists() && client_key.exists() { + safe_curl(&[ + "-f", "-sk", "--connect-timeout", "2", "-m", "5", + "--cert", "./botserver-stack/conf/system/certificates/botserver/client.crt", + "--key", "./botserver-stack/conf/system/certificates/botserver/client.key", + "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200" + ]) + .map(|o| o.status.success()) + .unwrap_or(false) + } else { + safe_curl(&[ + "-f", "-sk", "--connect-timeout", "2", "-m", "5", + "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200" + ]) + .map(|o| o.status.success()) + .unwrap_or(false) + } +} + fn safe_fuser(args: &[&str]) { if let Ok(cmd) = SafeCommand::new("fuser") .and_then(|c| c.args(args)) @@ -227,9 +250,7 @@ impl BootstrapManager { let pm = PackageManager::new(self.install_mode.clone(), self.tenant.clone())?; if pm.is_installed("vault") { - let vault_already_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1") - .map(|o| o.status.success()) - .unwrap_or(false); + let vault_already_running = vault_health_check(); if vault_already_running { info!("Vault is already running"); @@ -245,9 +266,7 @@ impl BootstrapManager { } for i in 0..10 { - let vault_ready = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1") - .map(|o| o.status.success()) - .unwrap_or(false); + let vault_ready = vault_health_check(); if vault_ready { info!("Vault is responding"); @@ -436,9 +455,7 @@ impl BootstrapManager { } if installer.is_installed("vault") { - let vault_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1") - .map(|o| o.status.success()) - .unwrap_or(false); + let vault_running = vault_health_check(); if vault_running { info!("Vault is already running"); @@ -1403,18 +1420,9 @@ meet IN A 127.0.0.1 } } - let health_check = safe_curl(&["-f", "-sk", "--cert", "./botserver-stack/conf/system/certificates/botserver/client.crt", "--key", "./botserver-stack/conf/system/certificates/botserver/client.key", "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"]); - - if let Some(output) = health_check { - if output.status.success() { - info!("Vault is responding"); - break; - } - - let stderr = String::from_utf8_lossy(&output.stderr); - if !stderr.is_empty() && attempts % 5 == 0 { - debug!("Vault health check attempt {}: {}", attempts + 1, stderr); - } + if vault_health_check() { + info!("Vault is responding"); + break; } else if attempts % 5 == 0 { warn!("Vault health check curl failed (attempt {})", attempts + 1); } diff --git a/src/core/package_manager/installer.rs b/src/core/package_manager/installer.rs index 81f0ecff6..aa6d3a9c7 100644 --- a/src/core/package_manager/installer.rs +++ b/src/core/package_manager/installer.rs @@ -965,7 +965,7 @@ EOF"#.to_string(), data_download_list: Vec::new(), exec_cmd: "nohup {{BIN_PATH}}/vault server -config={{CONF_PATH}}/vault/config.hcl > {{LOGS_PATH}}/vault.log 2>&1 &" .to_string(), - check_cmd: "curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1" + check_cmd: "if [ -f {{CONF_PATH}}/system/certificates/botserver/client.crt ]; then curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; else curl -f -sk --connect-timeout 2 -m 5 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; fi" .to_string(), }, );