英文:
Adding certificate to a rest call
问题
我正在进行REST API调用以获取一些数据,但是我得到了以下错误信息:
Post "https://url:8200/v1/login": x509: certificate signed by unknown authority
然后我尝试了以下修改后发送crt证书:
certPath := "path/certficate.crt"cert, crtErr := ioutil.ReadFile(certPath)if crtErr != nil {//}//var crtErr errortp := http.DefaultTransport.(*http.Transport).Clone()if tp.TLSClientConfig.RootCAs, crtErr = x509.SystemCertPool(); crtErr != nil {//error}if tp.TLSClientConfig.RootCAs == nil {tp.TLSClientConfig.RootCAs = x509.NewCertPool()}if tp.TLSClientConfig.RootCAs == nil {// error msg}caCertPool, crtErr := x509.SystemCertPool()if crtErr != nil {//error}if tp.TLSClientConfig.RootCAs == nil {caCertPool = x509.NewCertPool()}caCertPool.AppendCertsFromPEM(cert)client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{ClientCAs: caCertPool,// tried this too RootCAs: caCertPool},},},}// Due to security reason below code is not reommended.// this works if added.// tr := &http.Transport{}//TLSClientConfig: &tls.Config{InsecureSkipVerify: true},//}var jsonByte *bytes.BufferjsonByte = bytes.NewBuffer(payloadMap)req, err := http.NewRequest(httpMethod, url, jsonByte) // URL-encoded payloadif err != nil {// error}req.Header.Add("Content-Type", "application/json")if headerData != "" {req.Header.Add("X-Vault-Token", headerData)}resp, errr := client.Do(req)
这并没有解决问题,我尝试使用以下命令通过Docker文件生成crt证书,但由于交互式命令运行,它也没有起作用:
openssl genrsa -out rootCA.key 4096openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt
需要解决以下错误:Post "https://url:8200/v1/login": x509: certificate signed by unknown authority。
#golang #dockeriamge #vaultrestapi-integration
英文:
I am making rest api call to fetch some data but I am getting
Post \"https://url:8200/v1/login\": x509: certificate signed by unknown authority]
then I started sending crt with below modification
<!-- begin snippet: js hide: false console: true babel: false -->
<!-- language: lang-html -->
certPath := "path/certficate.crt"cert, crtErr := ioutil.ReadFile(certPath)if crtErr != nil {//}//var crtErr errortp := http.DefaultTransport.(*http.Transport).Clone()if tp.TLSClientConfig.RootCAs, crtErr = x509.SystemCertPool(); crtErr != nil {//error}if tp.TLSClientConfig.RootCAs == nil {tp.TLSClientConfig.RootCAs = x509.NewCertPool()}if tp.TLSClientConfig.RootCAs == nil {// error msg}caCertPool, crtErr := x509.SystemCertPool()if crtErr != nil {//error}if tp.TLSClientConfig.RootCAs == nil {caCertPool = x509.NewCertPool()}caCertPool.AppendCertsFromPEM(cert)client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{ClientCAs: caCertPool,// tried this too RootCAs: caCertPool},},},}// Due to security reason below code is not reommended.// this works if added.// tr := &http.Transport{}//TLSClientConfig: &tls.Config{InsecureSkipVerify: true},//}var jsonByte *bytes.BufferjsonByte = bytes.NewBuffer(payloadMap)req, err := http.NewRequest(httpMethod, url, jsonByte) // URL-encoded payloadif err != nil {// error}req.Header.Add("Content-Type", "application/json")if headerData != "" {req.Header.Add("X-Vault-Token", headerData)}resp, errr := client.Do(req)
<!-- end snippet -->
This is not helping, I did try generating crt via docker file using below command
due to the interactive command run, it didn't work either
openssl genrsa -out rootCA.key 4096openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt
Need to resolve this Post "https://url:8200/v1/login": x509: certificate signed by unknown authority] .
#golang #dockeriamge #vaultrestapi-integration
答案1
得分: 2
你正在遇到的客户端错误(certificate signed by unknown authority)与客户端不信任服务器有关,与你的客户端证书逻辑无关(我将在下面解释):
通过tls.Config,有两种方法可以解决客户端对服务器身份的信任问题:
// 正确的方式&tls.Config{RootCAs: caCertPool, // 定义根信任池}
或者:
// 错误的方式&tls.Config{InsecureSkipVerify: true, // 不要在生产环境中使用此选项!}
应该优先选择前一种方法,后一种方法只用于测试目的。
下面是如何使用客户端证书进行身份验证的示例。
关于双向 TLS 身份验证,有很多博客都有介绍。从客户端的角度来看,基本的步骤如下:
caCert, _ := ioutil.ReadFile("ca.crt")caCertPool := x509.NewCertPool()caCertPool.AppendCertsFromPEM(caCert)cert, _ := tls.LoadX509KeyPair("client.crt", "client.key")client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: caCertPool,Certificates: []tls.Certificate{cert},},},}
如果你对服务器有控制权,服务器应该做如下操作:
caCert, _ := ioutil.ReadFile("ca.crt")caCertPool := x509.NewCertPool()caCertPool.AppendCertsFromPEM(caCert)server := &http.Server{Addr: ":9443",TLSConfig: &tls.Config{ClientCAs: caCertPool,ClientAuth: tls.RequireAndVerifyClientCert,},}
英文:
The client-side error you are getting (certificate signed by unknown authority) is related to the client not trusting the server - so has nothing to do with your client cert logic (which I'll address below):
There are two ways to address server identity trust from a client via tls.Config:
// the right way&tls.Config{RootCAs: caCertPool, // define a root trust pool}
or:
// the wrong-way&tls.Config{InsecureSkipVerify: true, // DONT USE THIS IN PRODUCTION!}
the former method should be preferred - the latter should only be used for testing purposes.
See below on how to try this with client certificate authentication.
Mutual TLS authentication is covered in many blogs. From a client perspective, the basic gist is:
caCert, _ := ioutil.ReadFile("ca.crt")caCertPool := x509.NewCertPool()caCertPool.AppendCertsFromPEM(caCert)cert, _ := tls.LoadX509KeyPair("client.crt", "client.key")client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: caCertPool,Certificates: []tls.Certificate{cert},},},}
the server (if you have control over this) should do something like:
caCert, _ := ioutil.ReadFile("ca.crt")caCertPool := x509.NewCertPool()caCertPool.AppendCertsFromPEM(caCert)server := &http.Server{Addr: ":9443",TLSConfig: &tls.Config{ClientCAs: caCertPool,ClientAuth: tls.RequireAndVerifyClientCert,},}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论