[ https://issues.apache.org/jira/browse/KNOX-3085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17952619#comment-17952619 ]
Sandeep More commented on KNOX-3085:
------------------------------------

Hello,

We are in the process of releasing 2.1.0; if you think this JIRA should be included in 2.1.0, let me know, else please move it to 2.2.0 by the end of this week. Thank you.

> Metadata API should return the certificate chain (if any) instead of only the configured Knox instance certificate
> ------------------------------------------------------------------------------------------------------------------
>
> Key: KNOX-3085
> URL: https://issues.apache.org/jira/browse/KNOX-3085
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Currently, if you hit the Knox metadata API, it will return the locally-configured Knox certificate. This works great if there is nothing between the client and Knox. When a LB is in the middle, the returned certificate is incorrect. The certificate that should be returned is one for the endpoint that is accessed. This means we should try to return the LB certificate if there is a LB.
>
> Since we know what URL was accessed to hit the metadata API, Knox itself should be able to grab the certificate chain for that host:port and return the PEM and JKS version of it. This will require basically doing an `openssl s_client -connect host:port` from Java and converting into the correct format. Conveniently, the Knox CLI has something like this today that downloads the Knox certificate. We should be able to reuse the same logic in the metadata API and return the correct certificate information.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
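The "`openssl s_client` from Java" step the ticket describes, as an added illustration (a hypothetical helper, not Knox's metadata API or CLI code): it handshakes with the host:port the client actually reached, records the chain the peer presents, and renders that chain as PEM and as a JKS of trusted-certificate entries. Class and method names are assumptions; the capturing trust manager exists only to read the presented chain on this one throw-away socket and must not back any other connection.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (not Knox code): capture the chain an endpoint presents. */
public class PresentedChainFetcher {
  /** Records whatever chain the peer sends; it never authorizes anything. */
  static final class CapturingTrustManager implements X509TrustManager {
    X509Certificate[] presented = new X509Certificate[0];
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) { presented = c.clone(); }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  }
  /** Java equivalent of `openssl s_client -connect host:port`: handshake, record chain, close. */
  public static X509Certificate[] fetchChain(String host, int port) throws Exception {
    CapturingTrustManager capture = new CapturingTrustManager();
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { capture }, null);
    // createSocket(host, port) with a hostname also sends SNI, so a multi-host LB answers for 'host'.
    try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
      socket.startHandshake();
    }
    return capture.presented;
  }
  /** PEM: one BEGIN/END CERTIFICATE block per chain element, leaf first as presented. */
  public static String toPem(Certificate[] chain) throws Exception {
    Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] { '\n' });
    StringBuilder pem = new StringBuilder();
    for (Certificate cert : chain) {
      pem.append("-----BEGIN CERTIFICATE-----\n").append(enc.encodeToString(cert.getEncoded()))
         .append("\n-----END CERTIFICATE-----\n");
    }
    return pem.toString();
  }
  /** JKS: trusted-certificate entries only (no private key), serialized to bytes. */
  public static byte[] toJks(Certificate[] chain, char[] password) throws Exception {
    KeyStore jks = KeyStore.getInstance("JKS");
    jks.load(null, null);
    for (int i = 0; i < chain.length; i++) jks.setCertificateEntry("chain-" + i, chain[i]);
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    jks.store(out, password);
    return out.toByteArray();
  }
}
```

The returned chain is exactly what the peer sent, unvalidated, which is what a client needs in order to pin or trust the LB endpoint it is talking to; the host:port must come from the request URL the client used, not from Knox's own listener address.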