Undocumented Features: Salt File Source mTLS


By Nicholas M. Hughes

April 06, 2022

It’s funny what you can find when you start digging around in source code. This might become a regular column on the EITR Blog if I keep finding interesting things like this…

It’s like TLS… but Mutual

A few weeks ago, I was looking at the level of effort involved in adding a feature to Salt Project which would allow retrieving files from web servers secured with Mutual TLS (mTLS). Salt can handle web sources just fine in states like file.managed or archive.extracted, as shown below:

get_important_file:
  file.managed:
    - name: /var/tmp/so_important.txt
    - source: https://docs.eitr.tech/stuff/important.txt
    - use_etag: True

install_cool_thing:
  archive.extracted:
    - name: /opt/awesome
    - source: https://repo.eitr.tech/apps/superawesome-1.0.0.tar.gz
    - use_etag: True

…but what if those files are sensitive? Or maybe you just want to increase the security of your file delivery mechanisms. Well, there isn’t a way to provide a client certificate and key directly to file.managed or archive.extracted as state parameters. However, it seems there is an undocumented feature nestled down in the http.query utility that allows the desired behavior in file.managed, archive.extracted, and potentially other states as well.

So Much Mutual-ness! Mutual-ality? Mutual… osity.

The http utility will attempt to pull the cert key from the minion configuration and use that as a client certificate and key if none is provided to the function directly… which it isn’t in the case of the aforementioned states since you can’t pass it directly as a paramter at this time. The value of the cert key is expected to be a list where the first item is the path to the certificate and the second item is the path to the key. Assuming your Certificate Authority (CA) trust chains are loaded system-wide, that’s all you need. If you do need to pass the CA, the ca_bundle minion configuration option can be passed.

So, we’d end up with a new minion configuration that looked something like this:

# /etc/salt/minion.d/mtls.conf

cert:
  - /etc/ssl/certs/srv.crt
  - /etc/ssl/private/srv.key

# optional
ca_bundle: /etc/ssl/certs/ca-certificates.crt

Pretty cool! Now our minion can provide its TLS certificate to the web server when it attempts to retrieve our super important, awesome files and the server can verify that the system is allowed to grab them.

Stay Mutual, San Diego

Well… that’s all for that undocumented feature. I hope you found it useful. If you’re interested in other Salt use cases with mTLS, you should check out this Cloudflare Blog post where they announce that an mTLS-based transport system is on the way!



Nicholas Hughes helps businesses integrate cloud and cybersecurity automation into their IT lifecycle processes in order to amplify the efforts of the existing workforce, prevent employee burnout, and free them to do the more important tasks that might be currently neglected. As part of his daily duties as a founding partner and CEO of EITR Technologies LLC., he’s responsible for all of those super awesome elements of the CEO job that you read about as a kid, like setting the strategic direction of the company and modeling corporate values. Additionally, Nick stills performs technical consulting work with specializations in Automation & Orchestration, Cloud Infrastructure, Cloud Security, and Systems Architecture. He has nearly 20 years of experience in a wide breadth of roles within Information Technology, which is invaluable to clients seeking comprehensive technical solutions to business problems. Nick highly values pragmatism, logical thinking, and integrity in both his business and personal life… which is a decidedly boring set of core values that reap great results when applied to the task at hand. He also has a wonderful wife and two boys who keep him on his toes.