first connection established
This commit is contained in:
parent
adaf8f1ca6
commit
393102ad69
3 changed files with 27 additions and 39 deletions
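--- a/main.go
+++ b/main.go
@@ -254,9 +254,8 @@ func genCerts() error {
 return err
 }
 
-_, scErr := serverctl.ReadClientCertFromDB()
 serverClientCert, err := serverctl.ReadCertFromDB(tls.SERVER_CLIENT_PEM)
-if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || database.IsEmptyRecord(scErr) || serverClientCert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
+if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || serverClientCert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
 //gen new key
 logger.Log(0, "generating new server client key/certificate")
 _, key, err := ed25519.GenerateKey(rand.Reader)
@@ -279,14 +278,13 @@ func genCerts() error {
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
 return err
 }
-return serverctl.SaveClientCertToDB(
-functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_PEM,
-functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_KEY,
-ca,
-)
 } else if err != nil {
 return err
 }
 
-return nil
+return serverctl.SetClientTLSConf(
+functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_PEM,
+functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_KEY,
+ca,
+)
 }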
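Review bot: In the rewritten condition of the first hunk, `serverClientCert.NotAfter` is still evaluated whenever `err` is neither os.ErrNotExist nor an empty record, so any other failure from ReadCertFromDB (a database error, say) reaches that dereference before the `} else if err != nil` branch can return it; if ReadCertFromDB yields a nil certificate on error, which is not visible here, that is a nil-pointer panic at startup instead of a returned error. Returning the unexpected errors first makes the ordering explicit: `if err != nil && !errors.Is(err, os.ErrNotExist) && !database.IsEmptyRecord(err) { return err }` placed ahead of the `if`, after which the existing `else if err != nil` is dead and can go. The 10-day renewal window spelled as `time.Hour*24*10` would also read better as a named constant (e.g. a `certRenewalWindow` declared at package level). genCerts starts before this hunk and its body continues between and past the two hunks.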
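--- a/mq/mq.go
+++ b/mq/mq.go
@@ -2,7 +2,6 @@ package mq
 
 import (
 "context"
-"log"
 "time"
 
 mqtt "github.com/eclipse/paho.mqtt.golang"
@@ -28,11 +27,7 @@ func SetupMQTT(publish bool) mqtt.Client {
 opts.AddBroker(servercfg.GetMessageQueueEndpoint())
 id := ncutils.MakeRandomString(23)
 opts.ClientID = id
-tlsConfig, err := serverctl.ReadClientCertFromDB()
-if err != nil {
-logger.Log(0, "failed to get TLS config for server to broker connection", err.Error())
-}
-opts.SetTLSConfig(tlsConfig)
+opts.SetTLSConfig(&serverctl.TlsConfig)
 opts.SetAutoReconnect(true)
 opts.SetConnectRetry(true)
 opts.SetConnectRetryInterval(time.Second << 2)
@@ -64,9 +59,9 @@ func SetupMQTT(publish bool) mqtt.Client {
 logger.Log(2, "unable to connect to broker, retrying ...")
 if time.Now().After(tperiod) {
 if token.Error() == nil {
-log.Fatal(0, "could not connect to broker, token timeout, exiting ...")
+logger.FatalLog("could not connect to broker, token timeout, exiting ...")
 } else {
-log.Fatal(0, "could not connect to broker, exiting ...", token.Error())
+logger.FatalLog("could not connect to broker, exiting ...", token.Error().Error())
 }
 }
 } else {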
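Review bot: `opts.SetTLSConfig(&serverctl.TlsConfig)` in the second hunk hands the MQTT client a pointer to a package-level variable that is only populated by serverctl.SetClientTLSConf, and nothing here checks that it has been populated; if SetupMQTT can run before that call, or genCerts returned early, the zero-value tls.Config is used — nil RootCAs (host root store) and no client certificate — and, unlike the removed ReadClientCertFromDB branch, no log line records that the broker connection is going out without the server client credentials. A guard before the call keeps that failure visible: `if len(serverctl.TlsConfig.Certificates) == 0 { logger.FatalLog("server client TLS config not initialised, cannot connect to broker") }`. Whether call order guarantees initialisation is not visible from this hunk. Since SetClientTLSConf assigns TlsConfig wholesale (serverctl hunk on this page), any later re-run while the client still holds the pointer would also be an unsynchronised write to the config the client is reading, which argues for handing the client a copy or a `*tls.Config` built once rather than the address of a mutable global.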
@ -13,6 +13,9 @@ import (
|
||||||
"github.com/gravitl/netmaker/tls"
|
"github.com/gravitl/netmaker/tls"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// TlsConfig - holds this servers TLS conf in memory
|
||||||
|
var TlsConfig ssl.Config
|
||||||
|
|
||||||
// SaveCert - save a certificate to file and DB
|
// SaveCert - save a certificate to file and DB
|
||||||
func SaveCert(path, name string, cert *x509.Certificate) error {
|
func SaveCert(path, name string, cert *x509.Certificate) error {
|
||||||
if err := SaveCertToDB(name, cert); err != nil {
|
if err := SaveCertToDB(name, cert); err != nil {
|
||||||
|
@ -105,41 +108,33 @@ func ReadKeyFromDB(name string) (*ed25519.PrivateKey, error) {
|
||||||
return &private, nil
|
return &private, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// SaveClientCertToDB - saves client cert for servers to connect to MQ broker with
|
// SetClientTLSConf - saves client cert for servers to connect to MQ broker with
|
||||||
func SaveClientCertToDB(serverClientPemPath, serverClientKeyPath string, ca *x509.Certificate) error {
|
func SetClientTLSConf(serverClientPemPath, serverClientKeyPath string, ca *x509.Certificate) error {
|
||||||
certpool := x509.NewCertPool()
|
certpool := x509.NewCertPool()
|
||||||
ok := certpool.AppendCertsFromPEM(ca.Raw)
|
if caData := pem.EncodeToMemory(&pem.Block{
|
||||||
|
Type: "CERTIFICATE",
|
||||||
|
Bytes: ca.Raw,
|
||||||
|
}); len(caData) <= 0 {
|
||||||
|
return fmt.Errorf("could not encode CA cert to memory for server client")
|
||||||
|
} else {
|
||||||
|
ok := certpool.AppendCertsFromPEM(caData)
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("failed to append root cert to server client cert")
|
return fmt.Errorf("failed to append root cert to server client cert")
|
||||||
}
|
}
|
||||||
|
}
|
||||||
clientKeyPair, err := ssl.LoadX509KeyPair(serverClientPemPath, serverClientKeyPath)
|
clientKeyPair, err := ssl.LoadX509KeyPair(serverClientPemPath, serverClientKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
certs := []ssl.Certificate{clientKeyPair}
|
certs := []ssl.Certificate{clientKeyPair}
|
||||||
netmakerClientCert := ssl.Config{
|
|
||||||
|
TlsConfig = ssl.Config{
|
||||||
RootCAs: certpool,
|
RootCAs: certpool,
|
||||||
ClientAuth: ssl.NoClientCert,
|
ClientAuth: ssl.NoClientCert,
|
||||||
ClientCAs: nil,
|
ClientCAs: nil,
|
||||||
Certificates: certs,
|
Certificates: certs,
|
||||||
InsecureSkipVerify: false,
|
InsecureSkipVerify: false,
|
||||||
}
|
}
|
||||||
data, err := json.Marshal(netmakerClientCert)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return database.Insert(tls.SERVER_CLIENT_ENTRY, string(data), database.CERTS_TABLE_NAME)
|
|
||||||
}
|
|
||||||
|
|
||||||
// ReadClientCertFromDB - reads the client cert from the DB
|
return nil
|
||||||
func ReadClientCertFromDB() (*ssl.Config, error) {
|
|
||||||
var netmakerClientCert ssl.Config
|
|
||||||
record, err := database.FetchRecord(database.CERTS_TABLE_NAME, tls.SERVER_CLIENT_ENTRY)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if err = json.Unmarshal([]byte(record), &netmakerClientCert); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &netmakerClientCert, err
|
|
||||||
}
|
}
|
||||||
|
|