icinga2: custom certificate CN
icinga2_common_name, or Icinga2CommonName in Go, allows overriding the
expected Common Name of the Certificate from the Icinga 2 API.

For testing, I acquired the CA's PEM by:

> openssl s_client \
>   -connect docker-master:5665 \
>   -showcerts < /dev/null 2> /dev/null \
> | awk '/BEGIN CERTIFICATE/ || p { p = 1; print } /END CERTIFICATE/ { exit }'

and populated the source table as follows:

> UPDATE source SET
> icinga2_ca_pem = $$-----BEGIN CERTIFICATE-----
> [ . . . ]
> -----END CERTIFICATE-----$$,
> icinga2_common_name = 'docker-master',
> icinga2_insecure_tls = 'n';

Afterwards, one can verify the check by altering icinga2_common_name
either to NULL or an invalid common name.
oxzi committed Jan 17, 2024
1 parent d6c4d36 commit 24a4843
Showing 4 changed files with 11 additions and 0 deletions.
2 changes: 2 additions & 0 deletions internal/config/source.go
Expand Up @@ -22,6 +22,7 @@ type Source struct {
Icinga2AuthUser types.String `db:"icinga2_auth_user"`
Icinga2AuthPass types.String `db:"icinga2_auth_pass"`
Icinga2CAPem types.String `db:"icinga2_ca_pem"`
Icinga2CommonName types.String `db:"icinga2_common_name"`
Icinga2InsecureTLS types.Bool `db:"icinga2_insecure_tls"`

// Icinga2SourceConf for Event Stream API sources, only if Source.Type == SourceTypeIcinga2.
Expand All @@ -41,6 +42,7 @@ func (source *Source) fieldEquals(other *Source) bool {
stringEq(source.Icinga2AuthUser, other.Icinga2AuthUser) &&
stringEq(source.Icinga2AuthPass, other.Icinga2AuthPass) &&
stringEq(source.Icinga2CAPem, other.Icinga2CAPem) &&
stringEq(source.Icinga2CommonName, other.Icinga2CommonName) &&
boolEq(source.Icinga2InsecureTLS, other.Icinga2InsecureTLS)
}

4 changes: 4 additions & 0 deletions internal/icinga2/launcher.go
Expand Up @@ -129,6 +129,10 @@ func (launcher *Launcher) launch(src *config.Source) {
client.ApiHttpTransport.TLSClientConfig.RootCAs = certPool
}

if src.Icinga2CommonName.Valid {
client.ApiHttpTransport.TLSClientConfig.ServerName = src.Icinga2CommonName.String
}

if src.Icinga2InsecureTLS.Valid && src.Icinga2InsecureTLS.Bool {
client.ApiHttpTransport.TLSClientConfig.InsecureSkipVerify = true
}
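Review bot: The new `if src.Icinga2CommonName.Valid` block dereferences `client.ApiHttpTransport.TLSClientConfig` unconditionally, while the only other dereference visible in this hunk sits inside the CA-PEM branch that closes just above it; if that config is only created in the CA branch (its initialisation is outside the hunk, so I cannot tell), a source with a common name but no CA PEM would hit a nil pointer. The assignment also deserves a comment stating its reach and its limit, e.g. `// ServerName replaces the host from the base URL for certificate verification and SNI; it has no effect once InsecureSkipVerify is set below.`, and the same caveat belongs in the column comment in schema/pgsql/schema.sql where operators read it. A `Valid` but empty string is currently passed through as `ServerName = ""`, which net/http's Transport silently refills from the request host, so the override vanishes; `if src.Icinga2CommonName.Valid && src.Icinga2CommonName.String != ""` makes the NULL-like handling explicit. The enclosing launch method starts and ends outside the hunk.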
4 changes: 4 additions & 0 deletions schema/pgsql/schema.sql
Expand Up @@ -140,7 +140,11 @@ CREATE TABLE source (
icinga2_base_url text,
icinga2_auth_user text,
icinga2_auth_pass text,
-- icinga2_ca_pem specifies a custom CA to be used in the PEM format, if not NULL.
icinga2_ca_pem text,
-- icinga2_common_name requires Icinga 2's certificate to hold this Common Name if not NULL. This allows using a
-- differing Common Name - maybe an Icinga 2 Endpoint object name - from the FQDN within icinga2_base_url.
icinga2_common_name text,
icinga2_insecure_tls boolenum NOT NULL DEFAULT 'n',

-- The hash is a PHP password_hash with PASSWORD_DEFAULT algorithm, defaulting to bcrypt. This check roughly ensures
1 change: 1 addition & 0 deletions schema/pgsql/upgrades/022.sql
Expand Up @@ -5,6 +5,7 @@ ALTER TABLE source
ADD COLUMN icinga2_auth_user text,
ADD COLUMN icinga2_auth_pass text,
ADD COLUMN icinga2_ca_pem text,
ADD COLUMN icinga2_common_name text,
ADD COLUMN icinga2_insecure_tls boolenum NOT NULL DEFAULT 'n',

DROP CONSTRAINT source_listener_password_hash_check;