Adventures in PKI: 
OK, so here is the story so far, as a recap...
- The starting point was Crowdsec. Crowdsec has three components: agents, which parse logs/events; remediation engines, which act on decisions; and a local API (lapi), which the first two connect to and which tracks the decisions and pulls from public block lists.
- I realized I could also get external hosts involved, and also, wait, Crowdsec can parse logs from an aggregator, in this case Loki.
- Awesome, step one: get logs into Loki. This led to a whole chain of events that caused me to deploy Grafana/Alloy to collect those logs.
- At this point I realized that, shit, the remote nodes need auth and I'd need to copy tokens around everywhere.
- Right, tokens everywhere, on remote nodes, etc. But wait, both Alloy and Crowdsec support mTLS; all I need is client certs.
record scratch
- Right, so this would be easy if it weren't for the pesky external nodes.
- This led me to setting up smallstep's step-ca with an ACME provider.
- I got rsyslog sending logs to a central log server via mTLS! Even without the rest of this, the log collection is a win.
- (Aside: I also got SSH certs working.)
- And I got the Traefik bouncer plus agent-to-lapi connections working over mTLS, but there was a little bit of strangeness there.
- Crowdsec's components do not understand cert lifespans, and will not reload certs if they're renewed. Hilarious. Fine, they get certs with a lifespan measured in "eh, I'll probably reboot a node before then".
OK, and here we are, caught up to the current day. The very last part is getting the various non-cluster nodes connected so their SSH is covered by the block lists. I go to edit the config, and...
nothing
In the logs of the lapi there is a bad cert error. After some browsing of the issue tracker I see mention of an allowed OU setting. Huh. Yeah. The certs created by the Helm chart have an OU setting.
Ok but can I ask for a specific OU via ACME?
Whelp.
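The two things that bit here were the lapi's allowed-OU gate and the fact that Crowdsec components will not reload a renewed cert. Here is an added example (mine, not code from the post, Crowdsec or step-ca) that checks a client cert for both before a component gets it: it reads the Subject OU with openssl and refuses certs that lack the expected OU or that expire sooner than you are willing to restart the component. It assumes openssl on PATH; the expected OU value "crowdsec", the lifetime threshold and the self-signed test certs it generates are constructed for the demo, and the OU check only mimics the gate the lapi log complained about rather than being Crowdsec's own implementation.

```sh
#!/bin/sh
# Added example, not from the post or from Crowdsec/step-ca.
# Assumes: openssl on PATH. The expected OU ("crowdsec"), the minimum
# remaining lifetime and the self-signed test certs are constructed for
# this demo; the OU gate mimics what the lapi log complained about, it is
# not Crowdsec's code.

# Print the Subject OU of a PEM cert (empty if the subject has none).
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//p' \
        | tr ',' '\n' \
        | sed -n 's/^OU=//p'
}

# Succeed only if the cert is still valid $2 seconds from now.
cert_outlives() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_client_cert CERT EXPECTED_OU MIN_SECONDS
# Reject what the lapi would reject (wrong or missing OU) and what a
# non-reloading component would silently outlive (cert expiring too soon).
check_client_cert() {
    cert=$1
    want_ou=$2
    min_seconds=$3
    ou=$(cert_ou "$cert")
    if [ "$ou" != "$want_ou" ]; then
        echo "REJECT $cert: OU is '${ou:-<none>}', expected '$want_ou'"
        return 1
    fi
    if ! cert_outlives "$cert" "$min_seconds"; then
        echo "REJECT $cert: expires within ${min_seconds}s; the component will not reload a renewed cert"
        return 1
    fi
    echo "OK $cert: OU=$ou, still valid in ${min_seconds}s"
}

# Constructed test data: self-signed certs with a chosen OU and lifetime.
# make_test_cert PREFIX OU DAYS   (OU may be empty to omit it)
make_test_cert() {
    subj="/CN=agent1"
    if [ -n "$2" ]; then
        subj="$subj/OU=$2"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "$subj" -days "$3" >/dev/null 2>&1
}

# Usage: sh check_cert.sh CERT.pem EXPECTED_OU [MIN_SECONDS]
if [ "$#" -ge 2 ]; then
    check_client_cert "$1" "$2" "${3:-86400}"
fi
```

Run it against the cert the Helm chart issued and against one from step-ca's ACME flow and compare the OU lines; that tells you directly whether the lapi's complaint is about the subject or about something else in the chain.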
@homelab@fedigroups.social
#Homelab #Suffering #PKI #Grafana #Crowdsec