Adding certificate to a rest call
Question
I am making a REST API call to fetch some data but I am getting

`Post "https://url:8200/v1/login": x509: certificate signed by unknown authority`

then I started sending the crt with the below modification:
```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"net/http"
)

// callVault wraps the snippet in a function so it compiles; url, httpMethod,
// headerData and payloadMap were free variables in the original snippet.
func callVault(url, httpMethod, headerData string, payloadMap []byte) (*http.Response, error) {
	certPath := "path/certficate.crt"
	cert, crtErr := ioutil.ReadFile(certPath)
	if crtErr != nil {
		return nil, crtErr
	}
	// This transport is configured but never used by the client below.
	tp := http.DefaultTransport.(*http.Transport).Clone()
	if tp.TLSClientConfig == nil {
		tp.TLSClientConfig = &tls.Config{} // DefaultTransport has no TLSClientConfig
	}
	if tp.TLSClientConfig.RootCAs, crtErr = x509.SystemCertPool(); crtErr != nil {
		return nil, crtErr
	}
	if tp.TLSClientConfig.RootCAs == nil {
		tp.TLSClientConfig.RootCAs = x509.NewCertPool()
	}
	caCertPool, crtErr := x509.SystemCertPool()
	if crtErr != nil {
		return nil, crtErr
	}
	if caCertPool == nil {
		caCertPool = x509.NewCertPool()
	}
	caCertPool.AppendCertsFromPEM(cert)
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				ClientCAs: caCertPool,
				// tried this too: RootCAs: caCertPool,
			},
		},
	}
	// For security reasons the code below is not recommended,
	// but it works if added:
	// tr := &http.Transport{
	//	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	// }
	jsonByte := bytes.NewBuffer(payloadMap)
	req, err := http.NewRequest(httpMethod, url, jsonByte) // JSON payload
	if err != nil {
		return nil, err
	}
	req.Header.Add("Content-Type", "application/json")
	if headerData != "" {
		req.Header.Add("X-Vault-Token", headerData)
	}
	return client.Do(req)
}
```
This is not helping. I did try generating the crt via a Dockerfile using the below commands; due to the interactive command run, it didn't work either:

```sh
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt
```

Need to resolve this: `Post "https://url:8200/v1/login": x509: certificate signed by unknown authority`.
#golang #dockeriamge #vaultrestapi-integration
Answer 1
Score: 2
The client-side error you are getting (`certificate signed by unknown authority`) is related to the client not trusting the server - so has nothing to do with your client cert logic (which I'll address below):

There are two ways to address server identity trust from a client via `tls.Config`:

```go
// the right way
&tls.Config{
	RootCAs: caCertPool, // define a root trust pool
}
```

or:

```go
// the wrong way
&tls.Config{
	InsecureSkipVerify: true, // DON'T USE THIS IN PRODUCTION!
}
```

The former method should be preferred - the latter should only be used for testing purposes.
See below on how to try this with client certificate authentication.
Mutual TLS authentication is covered in many blogs. From a client perspective, the basic gist is:
```go
caCert, _ := ioutil.ReadFile("ca.crt") // CA that signed the server cert (errors elided)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
cert, _ := tls.LoadX509KeyPair("client.crt", "client.key") // this client's own identity
client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:      caCertPool,              // trust the server's chain
			Certificates: []tls.Certificate{cert}, // present the client cert
		},
	},
}
```
the server (if you have control over this) should do something like:
```go
caCert, _ := ioutil.ReadFile("ca.crt") // CA that signed the client certs (errors elided)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
server := &http.Server{
	Addr: ":9443",
	TLSConfig: &tls.Config{
		ClientCAs:  caCertPool,                     // pool used to verify client certs
		ClientAuth: tls.RequireAndVerifyClientCert, // reject clients without a valid cert
	},
}
```
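To make the RootCAs-versus-ClientCAs point concrete, here is an added example (not part of the original answer) that starts a loopback TLS server whose certificate is outside the system roots, then calls it three ways: with an empty trust pool, with the pool placed in ClientCAs as the question does, and with the pool placed in RootCAs. The `trustMode`, `newClient` and `tryLogin` names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
)

// trustMode selects which tls.Config field receives the private CA pool.
type trustMode int

const (
	emptyPool trustMode = iota // nothing trusted: reproduces the question's error
	clientCAs                  // the question's mistake: ClientCAs is ignored by clients
	rootCAs                    // the answer's fix: RootCAs is what the client verifies against
)

// newClient builds an http.Client whose server trust is set by mode. The
// default pool is empty (not nil), so the system roots are not consulted.
func newClient(pool *x509.CertPool, mode trustMode) *http.Client {
	cfg := &tls.Config{RootCAs: x509.NewCertPool()}
	switch mode {
	case clientCAs:
		cfg.ClientCAs = pool // wrong field: only a server uses ClientCAs (for mTLS)
	case rootCAs:
		cfg.RootCAs = pool // right field: the server's chain must end in this pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// tryLogin starts a loopback TLS server (standing in for Vault) whose cert is
// not in the system roots, then calls /v1/login with the given trust mode.
// It returns the HTTP status, whether the failure was UnknownAuthorityError, and the error.
func tryLogin(mode trustMode) (int, bool, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // plays the role of rootCA.crt in the question
	resp, err := newClient(pool, mode).Get(srv.URL + "/v1/login")
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		return 0, errors.As(err, &unknownCA), err
	}
	resp.Body.Close()
	return resp.StatusCode, false, nil
}
```

Only the `rootCAs` mode completes the handshake; the other two fail with the same `x509: certificate signed by unknown authority` error the question reports.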