
Bug generating certificates using multiple DNS in the Wazuh manager #2371

Closed
3 tasks done
davidcr01 opened this issue Aug 24, 2023 · 3 comments · Fixed by #3006
Labels
level/task Subtask issue type/bug Bug issue

Comments

@davidcr01
Contributor

davidcr01 commented Aug 24, 2023

Wazuh version: 4.5.0
Install type: Installation Assistant
Action performed: Generating certificates
Platform: Any

In #2350, a new bug has been found while generating the certificates of the Wazuh server nodes when using multiple DNS.

If an invalid DNS is specified in the config.yml file (for example, localhost), the script does not generate any error and its certificate is skipped, but the rest of them are created:

The config.yml file, the server configuration:

server:
    - name: wazuh-1
      ip: www.google.es
      ip: localhost
      ip: wikipedia.org

The certificates are created:

24/08/2023 11:25:37 DEBUG: Creating the Wazuh server certificates.
Ignoring -days without -x509; not generating a certificate
........+......+..................+..+......+....+...+..+....+.........+...+..+...............+...+....+......+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+..............+...+......+....+............+.....+.+...+.....+.........+...+....+...........+....+...+..+.+...............+...+......+...+.....+......+.......+.........+...+.....+......+.......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+...+..........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+............+..................+.+..+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+...+...............+.+...+..+.+.....+...+......+....+...........+...+.+.....+....+.....+..........+.....+.+.....+......+.+..+.......+...+.....+................+...............+..+....+.....+...+.+..+.......+...+..+............+.+..+.............+..+.+...........+.+.........+.....+....+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Certificate request self-signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-1

But, if the code is debugged, it seems that the invalid DNS is ignored:

++ server_node_ip_1=("www.google.es" "wikipedia.org")
+ set +x

On the other hand, if there is just one DNS specified, an error is generated and the certificates are not generated:

24/08/2023 12:21:59 ERROR: Invalid IP or DNS localhost

Tasks

  • Investigate a fix that validates every DNS specified in the Wazuh manager section.
  • Apply the fix.
  • Check that the certificates are not generated if an invalid DNS is specified using multiple DNS.
@davidcr01
Contributor Author

This issue goes to On Hold due to wazuh/wazuh-ansible#1001

@davidcr01
Contributor Author

This issue goes to "Blocked" due to #2417.

@davidcr01
Contributor Author

davidcr01 commented Jun 17, 2024

Update Report

The line that was causing the localhost DNS to disappear was the following:

eval "server_node_ip_$i=( $( cert_parseYaml "${config_file}" | grep -E "${nodes_server}" | sed '/\./!d' | cut -d = -f 2 | sed -r 's/\s+//g') )"

This line saves the server nodes in a variable after filtering them. The sed command ignores those DNSes that do not have a dot. That's why the localhost DNS was ignored.

A simple check has been added in order to avoid this. Now, for the same config.yml file, the execution is stopped as expected:

root@ubuntu22:/home/vagrant# cat config.yml 
nodes:
  server:
    - name: wazuh-server
      ip: www.google.es
      ip: localhost
      ip: wikipedia.org
root@ubuntu22:/home/vagrant# bash wazuh-certs-tool.sh -A -v
17/06/2024 16:11:51 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log
17/06/2024 16:11:51 DEBUG: Reading configuration file.
17/06/2024 16:11:52 ERROR: The DNS localhost is not valid.
root@ubuntu22:/home/vagrant# 

If all the DNSes specified are correct, the certificates are generated as expected:

root@ubuntu22:/home/vagrant# cat config.yml 
nodes:
  server:
    - name: wazuh-server
      ip: www.google.es
      ip: facebook.es
      ip: wikipedia.org
root@ubuntu22:/home/vagrant# bash wazuh-certs-tool.sh -A -v
17/06/2024 16:12:25 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log
17/06/2024 16:12:25 DEBUG: Reading configuration file.
17/06/2024 16:12:26 DEBUG: Checking if the root CA exists.
17/06/2024 16:12:26 INFO: Generating the root certificate.
17/06/2024 16:12:26 INFO: Generating Admin certificates.
17/06/2024 16:12:26 DEBUG: Generating Admin private key.
17/06/2024 16:12:26 DEBUG: Converting Admin private key to PKCS8 format.
17/06/2024 16:12:26 DEBUG: Generating Admin CSR.
17/06/2024 16:12:26 DEBUG: Creating Admin certificate.
17/06/2024 16:12:26 INFO: Admin certificates created.
17/06/2024 16:12:26 INFO: Generating Filebeat certificates.
17/06/2024 16:12:26 DEBUG: Generating the certificates for wazuh-server server node.
17/06/2024 16:12:26 DEBUG: Generating certificate configuration.
17/06/2024 16:12:26 DEBUG: Creating the Wazuh server tmp key pair.
17/06/2024 16:12:26 DEBUG: Creating the Wazuh server certificates.
17/06/2024 16:12:26 INFO: Wazuh Filebeat certificates created.
17/06/2024 16:12:26 DEBUG: Cleaning certificate files.

root@ubuntu22:/home/vagrant# ls wazuh-certificates/
admin-key.pem  admin.pem  root-ca.key  root-ca.pem  wazuh-server-key.pem  wazuh-server.pem
root@ubuntu22:/home/vagrant# 

Also, this change does not affect the case when IPs are specified. It is still working as expected:

root@ubuntu22:/home/vagrant# cat config.yml 
nodes:
  server:
    - name: wazuh-server
      ip: 192.168.1.156
      ip: 127.0.0.1
root@ubuntu22:/home/vagrant# bash wazuh-certs-tool.sh -A -v
17/06/2024 16:15:11 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log
17/06/2024 16:15:11 DEBUG: Reading configuration file.
17/06/2024 16:15:11 DEBUG: Checking if 192.168.1.156 is private.
17/06/2024 16:15:11 DEBUG: Checking if 127.0.0.1 is private.
17/06/2024 16:15:12 DEBUG: Checking if the root CA exists.
17/06/2024 16:15:12 INFO: Generating the root certificate.
17/06/2024 16:15:12 INFO: Generating Admin certificates.
17/06/2024 16:15:12 DEBUG: Generating Admin private key.
17/06/2024 16:15:12 DEBUG: Converting Admin private key to PKCS8 format.
17/06/2024 16:15:12 DEBUG: Generating Admin CSR.
17/06/2024 16:15:12 DEBUG: Creating Admin certificate.
17/06/2024 16:15:12 INFO: Admin certificates created.
17/06/2024 16:15:12 INFO: Generating Filebeat certificates.
17/06/2024 16:15:12 DEBUG: Generating the certificates for wazuh-server server node.
17/06/2024 16:15:12 DEBUG: Generating certificate configuration.
17/06/2024 16:15:12 DEBUG: Creating the Wazuh server tmp key pair.
17/06/2024 16:15:13 DEBUG: Creating the Wazuh server certificates.
17/06/2024 16:15:13 INFO: Wazuh Filebeat certificates created.
17/06/2024 16:15:13 DEBUG: Cleaning certificate files.
root@ubuntu22:/home/vagrant# 
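The dot-based filter described in the update report, and a per-entry check that fails on what the filter used to drop, as an added example that is not code from wazuh-certs-tool.sh. The config fragments are the ones from the report; the validity rule (dotted-quad IPv4, or a hostname with at least one dot, syntax only) is an assumption chosen to match the tool's rejection of localhost.

```shell
# Added example (not wazuh-certs-tool.sh code): the original dot filter next
# to a strict per-entry check, run over the config.yml fragments from the report.
# Constructed config fragments, copied from the mixed-DNS and IP-only cases.
MIXED_CONFIG='nodes:
  server:
    - name: wazuh-server
      ip: www.google.es
      ip: localhost
      ip: wikipedia.org'
IP_CONFIG='nodes:
  server:
    - name: wazuh-server
      ip: 192.168.1.156
      ip: 127.0.0.1'

# Pull every "ip:" value out of a YAML fragment, whitespace stripped
# (cut on ":" means IPv6 literals are out of scope for this example).
extract_ips() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*ip:' | cut -d : -f 2 | tr -d ' \t\r'
}

# Original behaviour: sed '/\./!d' deletes any value without a dot, so
# "localhost" vanishes from the node list and no error is raised.
old_filter() {
    extract_ips "$1" | sed '/\./!d'
}

# Assumed validity rule (syntactic only, no DNS resolution): a dotted-quad
# IPv4 address, or a hostname of alphanumeric/hyphen labels with at least
# one dot. The tool rejects "localhost", so a dotless name is invalid here too.
is_valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 0
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$' && return 0
    return 1
}

# Fixed behaviour: check every entry and stop at the first invalid one
# instead of silently continuing with a shorter list.
check_all_entries() {
    for v in $(extract_ips "$1"); do
        if ! is_valid_entry "$v"; then
            echo "ERROR: The DNS $v is not valid."
            return 1
        fi
    done
    echo "OK: all entries are valid"
}

echo "old filter keeps: $(old_filter "$MIXED_CONFIG" | tr '\n' ' ')"
check_all_entries "$MIXED_CONFIG" || echo "(stopped, as the fixed tool does)"
check_all_entries "$IP_CONFIG"
```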
