regenerate expired certs (#11462)

* regenerate expired certs * add documentation to generate tests certificates
2021-11-01 11:40:16 -04:00 · 2021-11-01 11:40:16 -04:00 · 2801785710
parent 0854e1d684
commit 2801785710
21 changed files with 182 additions and 124 deletions
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@ -4531,6 +4531,8 @@ LOOP:
 // TODO(rb): implement something similar to this as a full containerized test suite with proper
 // isolation so requests can't "cheat" and bypass the mesh gateways
 func TestAgent_JoinWAN_viaMeshGateway(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
--- a/agent/consul/rpc_test.go
+++ b/agent/consul/rpc_test.go
@ -448,6 +448,8 @@ func TestRPC_MagicByteTimeout(t *testing.T) {
 }
 func TestRPC_TLSHandshakeTimeout(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
@ -684,6 +686,8 @@ func connectClient(t *testing.T, s1 *Server, mb pool.RPCType, useTLS, wantOpen b
 }
 func TestRPC_RPCMaxConnsPerClient(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
--- a/agent/consul/server_test.go
+++ b/agent/consul/server_test.go
@ -641,6 +641,8 @@ func TestServer_JoinWAN_Flood(t *testing.T) {
 // This is a mirror of a similar test in agent/agent_test.go
 func TestServer_JoinWAN_viaMeshGateway(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
--- a/agent/grpc/client_test.go
+++ b/agent/grpc/client_test.go
@ -148,6 +148,8 @@ func TestNewDialer_WithALPNWrapper(t *testing.T) {
 }
 func TestNewDialer_IntegrationWithTLSEnabledHandler(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	res := resolver.NewServerResolverBuilder(newConfig(t))
 	registerWithGRPC(t, res)
@ -189,6 +191,8 @@ func TestNewDialer_IntegrationWithTLSEnabledHandler(t *testing.T) {
 }
 func TestNewDialer_IntegrationWithTLSEnabledHandler_viaMeshGateway(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	ports := freeport.MustTake(1)
 	defer freeport.Return(ports)
--- a/agent/streaming_test.go
+++ b/agent/streaming_test.go
@ -34,6 +34,8 @@ func testGRPCStreamingWorking(t *testing.T, config string) {
 }
 func TestGRPCWithTLSConfigs(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	t.Parallel()
 	testCases := []struct {
 		name   string
--- a/api/api_test.go
+++ b/api/api_test.go
@ -405,6 +405,8 @@ func TestAPI_DefaultConfig_env(t *testing.T) {
 	// (environment) which has non-deterministic effects on the other tests
 	// which derive their default configuration from the environment
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	addr := "1.2.3.4:5678"
 	token := "abcd1234"
 	auth := "username:password"
@ -486,6 +488,8 @@ func TestAPI_DefaultConfig_env(t *testing.T) {
 }
 func TestAPI_SetupTLSConfig(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	t.Parallel()
 	// A default config should result in a clean default client config.
 	tlsConfig := &TLSConfig{}
--- a/test/CA-GENERATION.md
+++ b/test/CA-GENERATION.md
@ -0,0 +1,26 @@
 # CA certificate generation procedure
 ## Client certificates
 if tests like `TestAPI_ClientTLSOptions` (or any other test using certificates located in `./test/client_certs` ) are failing because of expired certificates, use `./generate.sh` script to regenerate a new set of certificate.
 ``` bash
 cd test/client_certs/
 rm -rf *.pem *.crt *.key && ./generate.sh
 ```
 ## CA certificates
 if tests like `TestAgent_ReloadConfigTLSConfigFailure` (or any other test using certificates located in `./test/ca` ) are failing because of expired certificates, use `./generate.sh` script to regenerate a new set of certificate.
 ``` bash
 cd test/ca/
 rm -rf *.pem *.crt *.key && ./generate.sh
 ```
 ## Hostname certificates
 if tests like `TestNewDialer_WithALPNWrapper` (or any other test using certificates located in `./test/hostname` ) are failing because of expired certificates, use `./generate.sh` script to regenerate a new set of certificate.
 ``` bash
 cd test/hostname/
 rm -rf *.pem *.crt *.key && ./generate.sh
 ```
--- a/test/client_certs/client.crt
+++ b/test/client_certs/client.crt
@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICnDCCAkOgAwIBAgIRAOnKNzSoGq53Rq/G5tbm85swCgYIKoZIzj0EAwIwgbkx
+MIICmjCCAkGgAwIBAgIQVDAApftts3C9eO+JONBsNTAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yMTEwMjgyMjI3NTZaMBwxGjAYBgNVBAMTEWNsaWVudC5kYzEu
+MTQ0NTAzWhcNMjIxMTAxMTQ0NTAzWjAcMRowGAYDVQQDExFjbGllbnQuZGMxLmNv
-Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMtVdDd8tDZBaOaDFFzWD
+bnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGF9ORXwWyUFj1bTD7GzFIvQ
-0hTxO7soxUuz1dWaO8FGhIS07dfSBjYumEOgfNtfOzAILvkBd4gS8DrQZ2Rbks86
+U6L+eMoEiba2tD1HkKWHaDAx/I7Df3wcHmBzVaqjgMsRChjMmJ3cDDGuLt1/BHGj
-iKOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+gccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
-AQUFBwMBMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIEJWUjlDw7H2fbRpGG8fpqCq
+BQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAka8yiBZ22z4cNL8yjkN1DOd/b
-GEX80iDpQqXOU0wg6fEPMCsGA1UdIwQkMCKAIAu+td60D/Er7Xjtyg0B6XflfKYm
+oN7QIaohoQ6ViYI9kzArBgNVHSMEJDAigCANnhDl60rkQhnDjjZwPgCC258oC68G
-IdXjPfiFy8SGeKS2MC0GA1UdEQQmMCSCEWNsaWVudC5kYzEuY29uc3Vsgglsb2Nh
+b9bIeY63KVL/7jAtBgNVHREEJjAkghFjbGllbnQuZGMxLmNvbnN1bIIJbG9jYWxo
-bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgYAZTf8VcZ4nQl4lbm579BfXy
+b3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIE4Dl1LytCVq1CDQfflE6dpIQR0z
-6YpYz/DdfkEODUBxUyYCIDXhfmxtL/gTSkIh1E+fV7H7ZmqPKgTDH1XBV2zYnj/C
+D8EJ0v2d8Bx1YdVWAiB6Fhj7vrjevlmKGNZzk87xNZiMNB1/C3QvmWJYPpMPNQ==
 -----END CERTIFICATE-----
--- a/test/client_certs/client.key
+++ b/test/client_certs/client.key
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIDxDVYnUL3LCN7kSKF/ShH1c8HacmeUyU/2qJ/fo+5kDoAoGCCqGSM49
+MHcCAQEEIFz6x9ap6/v3Q0ZzKD8VfCXxNOlF1ELxyosxLj+yqltsoAoGCCqGSM49
-AwEHoUQDQgAEMtVdDd8tDZBaOaDFFzWD0hTxO7soxUuz1dWaO8FGhIS07dfSBjYu
+AwEHoUQDQgAEYX05FfBbJQWPVtMPsbMUi9BTov54ygSJtra0PUeQpYdoMDH8jsN/
-mEOgfNtfOzAILvkBd4gS8DrQZ2Rbks86iA==
+fBweYHNVqqOAyxEKGMyYndwMMa4u3X8EcQ==
 -----END EC PRIVATE KEY-----
--- a/test/client_certs/consul-agent-ca-key.pem
+++ b/test/client_certs/consul-agent-ca-key.pem
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEINtFYGWAzcVyRRQKjadE83olH8xAwZYe5sEn4rfPtI8xoAoGCCqGSM49
+MHcCAQEEIEULa3Bb3xemvewpjiqz57wN+WwQSw/K7jUhwiUgAQXToAoGCCqGSM49
-AwEHoUQDQgAErHueX3t67iU5Bj7Nh53zhggnF4pLwjuDbmTDSYIe/Tbeixc2M2Nb
+AwEHoUQDQgAE1EENJOb0u3rmKNX7/svm4O0bXGsqZGQ+G+vHxNECsXgk4wDzi94Z
-7cGr9/Bk9cH8exB/o2KzbQ2nxPZ+ftBTAQ==
+cFGIyrN8nTKJJU0j+p6YtY3P6D1K2lp9Vw==
 -----END EC PRIVATE KEY-----
--- a/test/client_certs/consul-agent-ca.pem
+++ b/test/client_certs/consul-agent-ca.pem
@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCApSgAwIBAgIRAIubxOonau4Z6UJRYv5KBDMwCgYIKoZIzj0EAwIwgbkx
+MIIC6zCCApGgAwIBAgIQDRLbmPude64vjjBAnHZGAjAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yNTEwMjcyMjI3NTZaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
+MTQ0NTAzWhcNMjYxMDMxMTQ0NTAzWjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
-CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
-bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
-Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAxODU1NzE0OTEzMzEwNDc3MzQ2
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgMTczNzc4NzkyNTY5MTI1NTgwMTIx
-MDI0MjA3MTgyOTY1MzM0MzU0NDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASs
+Mzk4OTk2MjY5OTEyNzM0NzQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUQQ0k
-e55fe3ruJTkGPs2HnfOGCCcXikvCO4NuZMNJgh79Nt6LFzYzY1vtwav38GT1wfx7
+5vS7euYo1fv+y+bg7RtcaypkZD4b68fE0QKxeCTjAPOL3hlwUYjKs3ydMoklTSP6
-EH+jYrNtDafE9n5+0FMBo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
+npi1jc/oPUraWn1Xo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
-AwEB/zApBgNVHQ4EIgQgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYw
+/zApBgNVHQ4EIgQgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wKwYD
-KwYDVR0jBCQwIoAgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYwCgYI
+VR0jBCQwIoAgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wCgYIKoZI
-KoZIzj0EAwIDSQAwRgIhALoE4RO8DHR4AkxmO5ostQxAYMIpiSTC9VZsWva3hHj4
+zj0EAwIDSAAwRQIhAPab5jGWHNZkbDRqhQoZrA+0D9cqfJNcCOJVEB69E3f5AiBv
-AiEAijGw7bHPearXh9I2ghGE4jGJbGK4R9JHcLOq3+GE2Ng=
+tbI2DANB3S6Atg8+PsRXJxCT5R1TrbPX63udY5O5GA==
 -----END CERTIFICATE-----
--- a/test/client_certs/dc1-client-consul-0-key.pem
+++ b/test/client_certs/dc1-client-consul-0-key.pem
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIDxDVYnUL3LCN7kSKF/ShH1c8HacmeUyU/2qJ/fo+5kDoAoGCCqGSM49
+MHcCAQEEIFz6x9ap6/v3Q0ZzKD8VfCXxNOlF1ELxyosxLj+yqltsoAoGCCqGSM49
-AwEHoUQDQgAEMtVdDd8tDZBaOaDFFzWD0hTxO7soxUuz1dWaO8FGhIS07dfSBjYu
+AwEHoUQDQgAEYX05FfBbJQWPVtMPsbMUi9BTov54ygSJtra0PUeQpYdoMDH8jsN/
-mEOgfNtfOzAILvkBd4gS8DrQZ2Rbks86iA==
+fBweYHNVqqOAyxEKGMyYndwMMa4u3X8EcQ==
 -----END EC PRIVATE KEY-----
--- a/test/client_certs/dc1-client-consul-0.pem
+++ b/test/client_certs/dc1-client-consul-0.pem
@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICnDCCAkOgAwIBAgIRAOnKNzSoGq53Rq/G5tbm85swCgYIKoZIzj0EAwIwgbkx
+MIICmjCCAkGgAwIBAgIQVDAApftts3C9eO+JONBsNTAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yMTEwMjgyMjI3NTZaMBwxGjAYBgNVBAMTEWNsaWVudC5kYzEu
+MTQ0NTAzWhcNMjIxMTAxMTQ0NTAzWjAcMRowGAYDVQQDExFjbGllbnQuZGMxLmNv
-Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMtVdDd8tDZBaOaDFFzWD
+bnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGF9ORXwWyUFj1bTD7GzFIvQ
-0hTxO7soxUuz1dWaO8FGhIS07dfSBjYumEOgfNtfOzAILvkBd4gS8DrQZ2Rbks86
+U6L+eMoEiba2tD1HkKWHaDAx/I7Df3wcHmBzVaqjgMsRChjMmJ3cDDGuLt1/BHGj
-iKOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+gccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
-AQUFBwMBMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIEJWUjlDw7H2fbRpGG8fpqCq
+BQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAka8yiBZ22z4cNL8yjkN1DOd/b
-GEX80iDpQqXOU0wg6fEPMCsGA1UdIwQkMCKAIAu+td60D/Er7Xjtyg0B6XflfKYm
+oN7QIaohoQ6ViYI9kzArBgNVHSMEJDAigCANnhDl60rkQhnDjjZwPgCC258oC68G
-IdXjPfiFy8SGeKS2MC0GA1UdEQQmMCSCEWNsaWVudC5kYzEuY29uc3Vsgglsb2Nh
+b9bIeY63KVL/7jAtBgNVHREEJjAkghFjbGllbnQuZGMxLmNvbnN1bIIJbG9jYWxo
-bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgYAZTf8VcZ4nQl4lbm579BfXy
+b3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIE4Dl1LytCVq1CDQfflE6dpIQR0z
-6YpYz/DdfkEODUBxUyYCIDXhfmxtL/gTSkIh1E+fV7H7ZmqPKgTDH1XBV2zYnj/C
+D8EJ0v2d8Bx1YdVWAiB6Fhj7vrjevlmKGNZzk87xNZiMNB1/C3QvmWJYPpMPNQ==
 -----END CERTIFICATE-----
--- a/test/client_certs/dc1-server-consul-0-key.pem
+++ b/test/client_certs/dc1-server-consul-0-key.pem
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEICYdaRvHDtbGbReTekgKf9uyKFEnR7kr7VU3kw3uGzAhoAoGCCqGSM49
+MHcCAQEEIGYeUPTLPIffkIx9mAmw5stoepPHQz6hxtuwJdv2y+fvoAoGCCqGSM49
-AwEHoUQDQgAE0etZvg/aUTU+HPwDHtEwZslBuEshwHl7AcERHQeFTuhtfjpwHQw+
+AwEHoUQDQgAEuZ7Iacvo0TN8oB5JkSw8xvm9QC0Q6DROqE/V46XYM+1PvwhPiyoJ
-uTunFkmQoqNmE+n7P4v7fe771lpxif8VwA==
+ZIt2zTYATwV5Z7gIvnW1BEoGtNAt4f8pZg==
 -----END EC PRIVATE KEY-----
--- a/test/client_certs/dc1-server-consul-0.pem
+++ b/test/client_certs/dc1-server-consul-0.pem
@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICxjCCAmugAwIBAgIRAOKZmO0GuFJUOfJ7Ycf0WOEwCgYIKoZIzj0EAwIwgbkx
+MIICwzCCAmmgAwIBAgIQLMLWUI6B0ebm1Ii/WuRZ8DAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yMTEwMjgyMjI3NTZaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu
+MTQ0NTAzWhcNMjIxMTAxMTQ0NTAzWjAcMRowGAYDVQQDExFzZXJ2ZXIuZGMxLmNv
-Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0etZvg/aUTU+HPwDHtEw
+bnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmeyGnL6NEzfKAeSZEsPMb5
-ZslBuEshwHl7AcERHQeFTuhtfjpwHQw+uTunFkmQoqNmE+n7P4v7fe771lpxif8V
+vUAtEOg0TqhP1eOl2DPtT78IT4sqCWSLds02AE8FeWe4CL51tQRKBrTQLeH/KWaj
-wKOB7zCB7DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+ge8wgewwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIEA1xxAYluRqg6wFwGu75o/5
+BQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCCg/S6k7agUE+aei8EyDz0c76Oo
-8Ty6FWR9RgIYvZzCM2N9MCsGA1UdIwQkMCKAIAu+td60D/Er7Xjtyg0B6XflfKYm
+rvZaXkQwVwFzjPSsRzArBgNVHSMEJDAigCANnhDl60rkQhnDjjZwPgCC258oC68G
-IdXjPfiFy8SGeKS2MFUGA1UdEQROMEyCC2NvbnN1bC50ZXN0ghlzZXJ2ZXIwLnNl
+b9bIeY63KVL/7jBVBgNVHREETjBMggtjb25zdWwudGVzdIIZc2VydmVyMC5zZXJ2
-cnZlci5kYzEuY29uc3VsghFzZXJ2ZXIuZGMxLmNvbnN1bIIJbG9jYWxob3N0hwR/
+ZXIuZGMxLmNvbnN1bIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2FsaG9zdIcEfwAA
-AAABMAoGCCqGSM49BAMCA0kAMEYCIQDz9YnCvKkgGqw5M0HLDI82rqwQsH2SRQUs
+ATAKBggqhkjOPQQDAgNIADBFAiAREeH2p06CtuScx/d9iBrA4cLJgDzjyeHJBbDH
-kogKi3oGmQIhAPBA5AgF3y1E94PbeYfvoDBJy1JiY3KsckY2Gz+M8Iyc
+ETHRxgIhAIzsPAVVnbuMx1+R/VWh9EWAOGvI1V/sKWqFdID8Krdp
 -----END CERTIFICATE-----
--- a/test/client_certs/path/rootca.crt
+++ b/test/client_certs/path/rootca.crt
@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCApSgAwIBAgIRAIubxOonau4Z6UJRYv5KBDMwCgYIKoZIzj0EAwIwgbkx
+MIIC6zCCApGgAwIBAgIQDRLbmPude64vjjBAnHZGAjAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yNTEwMjcyMjI3NTZaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
+MTQ0NTAzWhcNMjYxMDMxMTQ0NTAzWjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
-CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
-bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
-Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAxODU1NzE0OTEzMzEwNDc3MzQ2
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgMTczNzc4NzkyNTY5MTI1NTgwMTIx
-MDI0MjA3MTgyOTY1MzM0MzU0NDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASs
+Mzk4OTk2MjY5OTEyNzM0NzQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUQQ0k
-e55fe3ruJTkGPs2HnfOGCCcXikvCO4NuZMNJgh79Nt6LFzYzY1vtwav38GT1wfx7
+5vS7euYo1fv+y+bg7RtcaypkZD4b68fE0QKxeCTjAPOL3hlwUYjKs3ydMoklTSP6
-EH+jYrNtDafE9n5+0FMBo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
+npi1jc/oPUraWn1Xo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
-AwEB/zApBgNVHQ4EIgQgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYw
+/zApBgNVHQ4EIgQgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wKwYD
-KwYDVR0jBCQwIoAgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYwCgYI
+VR0jBCQwIoAgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wCgYIKoZI
-KoZIzj0EAwIDSQAwRgIhALoE4RO8DHR4AkxmO5ostQxAYMIpiSTC9VZsWva3hHj4
+zj0EAwIDSAAwRQIhAPab5jGWHNZkbDRqhQoZrA+0D9cqfJNcCOJVEB69E3f5AiBv
-AiEAijGw7bHPearXh9I2ghGE4jGJbGK4R9JHcLOq3+GE2Ng=
+tbI2DANB3S6Atg8+PsRXJxCT5R1TrbPX63udY5O5GA==
 -----END CERTIFICATE-----
--- a/test/client_certs/rootca.crt
+++ b/test/client_certs/rootca.crt
@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCApSgAwIBAgIRAIubxOonau4Z6UJRYv5KBDMwCgYIKoZIzj0EAwIwgbkx
+MIIC6zCCApGgAwIBAgIQDRLbmPude64vjjBAnHZGAjAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yNTEwMjcyMjI3NTZaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
+MTQ0NTAzWhcNMjYxMDMxMTQ0NTAzWjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
-CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
-bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
-Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAxODU1NzE0OTEzMzEwNDc3MzQ2
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgMTczNzc4NzkyNTY5MTI1NTgwMTIx
-MDI0MjA3MTgyOTY1MzM0MzU0NDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASs
+Mzk4OTk2MjY5OTEyNzM0NzQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUQQ0k
-e55fe3ruJTkGPs2HnfOGCCcXikvCO4NuZMNJgh79Nt6LFzYzY1vtwav38GT1wfx7
+5vS7euYo1fv+y+bg7RtcaypkZD4b68fE0QKxeCTjAPOL3hlwUYjKs3ydMoklTSP6
-EH+jYrNtDafE9n5+0FMBo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
+npi1jc/oPUraWn1Xo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
-AwEB/zApBgNVHQ4EIgQgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYw
+/zApBgNVHQ4EIgQgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wKwYD
-KwYDVR0jBCQwIoAgC7613rQP8SvteO3KDQHpd+V8piYh1eM9+IXLxIZ4pLYwCgYI
+VR0jBCQwIoAgDZ4Q5etK5EIZw442cD4AgtufKAuvBm/WyHmOtylS/+4wCgYIKoZI
-KoZIzj0EAwIDSQAwRgIhALoE4RO8DHR4AkxmO5ostQxAYMIpiSTC9VZsWva3hHj4
+zj0EAwIDSAAwRQIhAPab5jGWHNZkbDRqhQoZrA+0D9cqfJNcCOJVEB69E3f5AiBv
-AiEAijGw7bHPearXh9I2ghGE4jGJbGK4R9JHcLOq3+GE2Ng=
+tbI2DANB3S6Atg8+PsRXJxCT5R1TrbPX63udY5O5GA==
 -----END CERTIFICATE-----
--- a/test/client_certs/rootca.key
+++ b/test/client_certs/rootca.key
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEINtFYGWAzcVyRRQKjadE83olH8xAwZYe5sEn4rfPtI8xoAoGCCqGSM49
+MHcCAQEEIEULa3Bb3xemvewpjiqz57wN+WwQSw/K7jUhwiUgAQXToAoGCCqGSM49
-AwEHoUQDQgAErHueX3t67iU5Bj7Nh53zhggnF4pLwjuDbmTDSYIe/Tbeixc2M2Nb
+AwEHoUQDQgAE1EENJOb0u3rmKNX7/svm4O0bXGsqZGQ+G+vHxNECsXgk4wDzi94Z
-7cGr9/Bk9cH8exB/o2KzbQ2nxPZ+ftBTAQ==
+cFGIyrN8nTKJJU0j+p6YtY3P6D1K2lp9Vw==
 -----END EC PRIVATE KEY-----
--- a/test/client_certs/server.crt
+++ b/test/client_certs/server.crt
@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICxjCCAmugAwIBAgIRAOKZmO0GuFJUOfJ7Ycf0WOEwCgYIKoZIzj0EAwIwgbkx
+MIICwzCCAmmgAwIBAgIQLMLWUI6B0ebm1Ii/WuRZ8DAKBggqhkjOPQQDAjCBuDEL
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
-IDE4NTU3MTQ5MTMzMTA0NzczNDYwMjQyMDcxODI5NjUzMzQzNTQ0MzAeFw0yMDEw
+MTczNzc4NzkyNTY5MTI1NTgwMTIxMzk4OTk2MjY5OTEyNzM0NzQwHhcNMjExMTAx
-MjgyMjI3NTZaFw0yMTEwMjgyMjI3NTZaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu
+MTQ0NTAzWhcNMjIxMTAxMTQ0NTAzWjAcMRowGAYDVQQDExFzZXJ2ZXIuZGMxLmNv
-Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0etZvg/aUTU+HPwDHtEw
+bnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmeyGnL6NEzfKAeSZEsPMb5
-ZslBuEshwHl7AcERHQeFTuhtfjpwHQw+uTunFkmQoqNmE+n7P4v7fe771lpxif8V
+vUAtEOg0TqhP1eOl2DPtT78IT4sqCWSLds02AE8FeWe4CL51tQRKBrTQLeH/KWaj
-wKOB7zCB7DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+ge8wgewwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIEA1xxAYluRqg6wFwGu75o/5
+BQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCCg/S6k7agUE+aei8EyDz0c76Oo
-8Ty6FWR9RgIYvZzCM2N9MCsGA1UdIwQkMCKAIAu+td60D/Er7Xjtyg0B6XflfKYm
+rvZaXkQwVwFzjPSsRzArBgNVHSMEJDAigCANnhDl60rkQhnDjjZwPgCC258oC68G
-IdXjPfiFy8SGeKS2MFUGA1UdEQROMEyCC2NvbnN1bC50ZXN0ghlzZXJ2ZXIwLnNl
+b9bIeY63KVL/7jBVBgNVHREETjBMggtjb25zdWwudGVzdIIZc2VydmVyMC5zZXJ2
-cnZlci5kYzEuY29uc3VsghFzZXJ2ZXIuZGMxLmNvbnN1bIIJbG9jYWxob3N0hwR/
+ZXIuZGMxLmNvbnN1bIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2FsaG9zdIcEfwAA
-AAABMAoGCCqGSM49BAMCA0kAMEYCIQDz9YnCvKkgGqw5M0HLDI82rqwQsH2SRQUs
+ATAKBggqhkjOPQQDAgNIADBFAiAREeH2p06CtuScx/d9iBrA4cLJgDzjyeHJBbDH
-kogKi3oGmQIhAPBA5AgF3y1E94PbeYfvoDBJy1JiY3KsckY2Gz+M8Iyc
+ETHRxgIhAIzsPAVVnbuMx1+R/VWh9EWAOGvI1V/sKWqFdID8Krdp
 -----END CERTIFICATE-----
--- a/test/client_certs/server.key
+++ b/test/client_certs/server.key
@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEICYdaRvHDtbGbReTekgKf9uyKFEnR7kr7VU3kw3uGzAhoAoGCCqGSM49
+MHcCAQEEIGYeUPTLPIffkIx9mAmw5stoepPHQz6hxtuwJdv2y+fvoAoGCCqGSM49
-AwEHoUQDQgAE0etZvg/aUTU+HPwDHtEwZslBuEshwHl7AcERHQeFTuhtfjpwHQw+
+AwEHoUQDQgAEuZ7Iacvo0TN8oB5JkSw8xvm9QC0Q6DROqE/V46XYM+1PvwhPiyoJ
-uTunFkmQoqNmE+n7P4v7fe771lpxif8VwA==
+ZIt2zTYATwV5Z7gIvnW1BEoGtNAt4f8pZg==
 -----END EC PRIVATE KEY-----
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@ -72,6 +72,8 @@ func startTLSServer(config *Config, alpnProtos []string, doAlpnVariant bool) (ne
 }
 func TestConfigurator_outgoingWrapper_OK(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	config := Config{
 		CAFile:               "../test/hostname/CertAuth.crt",
 		CertFile:             "../test/hostname/Alice.crt",
@ -103,6 +105,8 @@ func TestConfigurator_outgoingWrapper_OK(t *testing.T) {
 }
 func TestConfigurator_outgoingWrapper_noverify_OK(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	config := Config{
 		VerifyOutgoing: true,
 		CAFile:         "../test/hostname/CertAuth.crt",
@ -133,6 +137,8 @@ func TestConfigurator_outgoingWrapper_noverify_OK(t *testing.T) {
 }
 func TestConfigurator_outgoingWrapper_BadDC(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	config := Config{
 		CAFile:               "../test/hostname/CertAuth.crt",
 		CertFile:             "../test/hostname/Alice.crt",
@ -194,6 +200,8 @@ func TestConfigurator_outgoingWrapper_BadCert(t *testing.T) {
 }
 func TestConfigurator_outgoingWrapperALPN_OK(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	config := Config{
 		CAFile:               "../test/hostname/CertAuth.crt",
 		CertFile:             "../test/hostname/Bob.crt",
@ -226,6 +234,8 @@ func TestConfigurator_outgoingWrapperALPN_OK(t *testing.T) {
 }
 func TestConfigurator_outgoingWrapperALPN_serverHasNoNodeNameInSAN(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	srvConfig := Config{
 		CAFile:               "../test/hostname/CertAuth.crt",
 		CertFile:             "../test/hostname/Alice.crt",
@ -264,6 +274,8 @@ func TestConfigurator_outgoingWrapperALPN_serverHasNoNodeNameInSAN(t *testing.T)
 }
 func TestConfigurator_outgoingWrapperALPN_BadDC(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	config := Config{
 		CAFile:               "../test/hostname/CertAuth.crt",
 		CertFile:             "../test/hostname/Bob.crt",
@ -761,6 +773,8 @@ func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
 }
 func TestConfigurator_MutualTLSCapable(t *testing.T) {
 	// if this test is failing because of expired certificates
 	// use the procedure in test/CA-GENERATION.md
 	t.Run("no ca", func(t *testing.T) {
 		config := Config{
 			Domain: "consul",