gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2024-11-10 09:32:32 +08:00
Code Issues Projects Releases Packages Wiki Activity

initial changes to make cert <-> broker comms work

Browse source
This commit is contained in:
0xdcarns 2022-07-05 15:04:45 -04:00
parent d3b84f7814
commit adaf8f1ca6
4 changed files with 96 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
main.go
View file

@ -120,7 +120,9 @@ func initialize() { // Client Mode Prereq Check
} }
} }
genCerts() if err = genCerts(); err != nil {
logger.Log(0, "something went wrong when generating broker certs", err.Error())
}
if servercfg.IsMessageQueueBackend() { if servercfg.IsMessageQueueBackend() {
if err = mq.ServerStartNotify(); err != nil { if err = mq.ServerStartNotify(); err != nil {
@ -251,5 +253,40 @@ func genCerts() error {
} else if err != nil { } else if err != nil {
return err return err
} }
_, scErr := serverctl.ReadClientCertFromDB()
serverClientCert, err := serverctl.ReadCertFromDB(tls.SERVER_CLIENT_PEM)
if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || database.IsEmptyRecord(scErr) || serverClientCert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
//gen new key
logger.Log(0, "generating new server client key/certificate")
_, key, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
return err
}
serverName := tls.NewCName(servercfg.GetServer())
csr, err := tls.NewCSR(key, serverName)
if err != nil {
return err
}
serverClientCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
if err != nil {
return err
}
if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, key); err != nil {
return err
}
if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
return err
}
return serverctl.SaveClientCertToDB(
functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_PEM,
functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_KEY,
ca,
)
} else if err != nil {
return err
}
return nil return nil
} }

9
mq/mq.go
View file

@ -9,6 +9,7 @@ import (
"github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/netclient/ncutils" "github.com/gravitl/netmaker/netclient/ncutils"
"github.com/gravitl/netmaker/servercfg" "github.com/gravitl/netmaker/servercfg"
"github.com/gravitl/netmaker/serverctl"
) )
// KEEPALIVE_TIMEOUT - time in seconds for timeout // KEEPALIVE_TIMEOUT - time in seconds for timeout
@ -27,6 +28,11 @@ func SetupMQTT(publish bool) mqtt.Client {
opts.AddBroker(servercfg.GetMessageQueueEndpoint()) opts.AddBroker(servercfg.GetMessageQueueEndpoint())
id := ncutils.MakeRandomString(23) id := ncutils.MakeRandomString(23)
opts.ClientID = id opts.ClientID = id
tlsConfig, err := serverctl.ReadClientCertFromDB()
if err != nil {
logger.Log(0, "failed to get TLS config for server to broker connection", err.Error())
}
opts.SetTLSConfig(tlsConfig)
opts.SetAutoReconnect(true) opts.SetAutoReconnect(true)
opts.SetConnectRetry(true) opts.SetConnectRetry(true)
opts.SetConnectRetryInterval(time.Second << 2) opts.SetConnectRetryInterval(time.Second << 2)
@ -68,6 +74,9 @@ func SetupMQTT(publish bool) mqtt.Client {
} }
time.Sleep(2 * time.Second) time.Sleep(2 * time.Second)
} }
if !publish {
logger.Log(0, "successfully connected to mq broker")
}
return client return client
} }

40
serverctl/tls.go
View file

@ -2,6 +2,7 @@ package serverctl
import ( import (
"crypto/ed25519" "crypto/ed25519"
ssl "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/json" "encoding/json"
"encoding/pem" "encoding/pem"
@ -103,3 +104,42 @@ func ReadKeyFromDB(name string) (*ed25519.PrivateKey, error) {
private := key.(ed25519.PrivateKey) private := key.(ed25519.PrivateKey)
return &private, nil return &private, nil
} }
// SaveClientCertToDB - saves client cert for servers to connect to MQ broker with
func SaveClientCertToDB(serverClientPemPath, serverClientKeyPath string, ca *x509.Certificate) error {
certpool := x509.NewCertPool()
ok := certpool.AppendCertsFromPEM(ca.Raw)
if !ok {
return fmt.Errorf("failed to append root cert to server client cert")
}
clientKeyPair, err := ssl.LoadX509KeyPair(serverClientPemPath, serverClientKeyPath)
if err != nil {
return err
}
certs := []ssl.Certificate{clientKeyPair}
netmakerClientCert := ssl.Config{
RootCAs: certpool,
ClientAuth: ssl.NoClientCert,
ClientCAs: nil,
Certificates: certs,
InsecureSkipVerify: false,
}
data, err := json.Marshal(netmakerClientCert)
if err != nil {
return err
}
return database.Insert(tls.SERVER_CLIENT_ENTRY, string(data), database.CERTS_TABLE_NAME)
}
// ReadClientCertFromDB - reads the client cert from the DB
func ReadClientCertFromDB() (*ssl.Config, error) {
var netmakerClientCert ssl.Config
record, err := database.FetchRecord(database.CERTS_TABLE_NAME, tls.SERVER_CLIENT_ENTRY)
if err != nil {
return nil, err
}
if err = json.Unmarshal([]byte(record), &netmakerClientCert); err != nil {
return nil, err
}
return &netmakerClientCert, err
}

10
tls/tls.go
View file

@ -18,7 +18,6 @@ import (
) )
const ( const (
// CERTTIFICATE_VALIDITY duration of certificate validity in days // CERTTIFICATE_VALIDITY duration of certificate validity in days
CERTIFICATE_VALIDITY = 365 CERTIFICATE_VALIDITY = 365
@ -33,6 +32,15 @@ const (
// ROOT_PEM_NAME - name of root pem // ROOT_PEM_NAME - name of root pem
ROOT_PEM_NAME = "root.pem" ROOT_PEM_NAME = "root.pem"
// SERVER_CLIENT_PEM - the name of server client cert
SERVER_CLIENT_PEM = "serverclient.pem"
// SERVER_CLIENT_KEY - the name of server client key
SERVER_CLIENT_KEY = "serverclient.key"
// SERVER_CLIENT_ENTRY - the server client cert key for DB
SERVER_CLIENT_ENTRY = "servercliententry"
) )
type ( type (