From 54aaa6590f6f6bb2c9033abbb608479290bf7ac5 Mon Sep 17 00:00:00 2001 From: Mihai-Carol Bazga Date: Fri, 3 Jul 2026 15:54:23 +0300 Subject: [PATCH] fix(seuxdr): trust TLS CA in agent register client The manager serves its API/TLS server cert on the mTLS registration port (:8081) so agents can verify it, but InitmTLSClient only trusted the mTLS CA (server-ca-crt.pem). Agent registration failed with 'certificate signed by unknown authority'. Also append the TLS CA (certs/server-ca.crt) to the register client's RootCAs pool. --- backend/seuxdr/agent/comms/tlsconfig.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/backend/seuxdr/agent/comms/tlsconfig.go b/backend/seuxdr/agent/comms/tlsconfig.go index 1128912..955d239 100644 --- a/backend/seuxdr/agent/comms/tlsconfig.go +++ b/backend/seuxdr/agent/comms/tlsconfig.go @@ -95,6 +95,14 @@ func (commSvc *CommunicationService) InitmTLSClient(servermTLSCaCrtPath, clientC return fmt.Errorf("failed to append CA certificate to the pool") } + // The manager serves its API/TLS server cert (signed by the TLS CA + // certs/server-ca.crt) on the mTLS registration port so agents can verify + // it. Trust that CA too, otherwise TLS verification of /api/register fails + // with "certificate signed by unknown authority". + if tlsCACert, tlsErr := commSvc.EmbeddedFiles.ReadFile("certs/server-ca.crt"); tlsErr == nil { + caCertPool.AppendCertsFromPEM(tlsCACert) + } + // Decode the PEM file block, _ := pem.Decode(caCert) if block == nil || block.Type != "CERTIFICATE" {