What would you like to be added?
/kind enhancement
Please allow choosing the authentication type (password or tls auth) for machines and bouncers separately, either by offering separate configuration options or by allowing certificates in the lapi credentials alongside a password, so that the certificates are used for encryption but not for authentication, which is handled by the password.
Why is this needed?
In my crowdsec setup, I would like to only use a password-authenticated localhost machine (that acquires from a centralised Loki), but then combine that with many bouncers that use TLS authentication. I want this setup because I already have certificates set up, but not with a differing OU for the crowdsec server, and I don't want to authorise other servers with machine permissions.
Currently, I have tls auth configured for the bouncers, but when I try to connect with a machine through its registered credentials, I get the following error message:
"crowdsec init: while initialising LAPIClient: authenticate watcher (188b82b05a1f4befbe3673ef63bd3d53BSM8vMRB6qBemcKa): Post \"https://[::]:443/v1/watchers/login\": performing jwt auth: tls: failed to verify certificate: x509: cannot validate certificate for :: because it doesn't contain any IP SANs"
I suspect that this is because the lapi expects clients to have certificates, which my machine does not use when I put a password in its lapi credentials. I have tried putting both the certificate paths and the password there, but then it complains that both authentication mechanisms are mutually exclusive.
While setting this up, I have also encountered a small bug: when generating lapi credentials through cscli machines add -a --force --error, an http url is written to the credentials file even though my lapi uses https. Due to that, crowdsec fails to start. If I add the missing s to the url, everything runs fine. Shall I open a separate issue for this?
I am running crowdsec 1.7.6 on Debian bookworm.