Adding certificate to a rest call

Question

I am making a REST API call to fetch some data but I am getting

Post "https://url:8200/v1/login": x509: certificate signed by unknown authority

then I started sending the crt with the modification below:

certPath := "path/certficate.crt"
cert, crtErr := ioutil.ReadFile(certPath)
if crtErr != nil {
    //
}
//var crtErr error
// tp is cloned from DefaultTransport here but never used for the request below
tp := http.DefaultTransport.(*http.Transport).Clone()
if tp.TLSClientConfig.RootCAs, crtErr = x509.SystemCertPool(); crtErr != nil {
    //error
}
if tp.TLSClientConfig.RootCAs == nil {
    tp.TLSClientConfig.RootCAs = x509.NewCertPool()
}
if tp.TLSClientConfig.RootCAs == nil {
    // error msg
}
caCertPool, crtErr := x509.SystemCertPool()
if crtErr != nil {
    //error
}
if tp.TLSClientConfig.RootCAs == nil {
    caCertPool = x509.NewCertPool()
}
caCertPool.AppendCertsFromPEM(cert)
client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            ClientCAs: caCertPool,
            // tried this too	RootCAs: caCertPool},
        },
    },
}
// Due to security reason  below code is not recommended.
// this works if added.
//	tr := &http.Transport{}
//TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
//}
var jsonByte *bytes.Buffer
jsonByte = bytes.NewBuffer(payloadMap)
req, err := http.NewRequest(httpMethod, url, jsonByte) // URL-encoded payload
if err != nil {
    // error
}
req.Header.Add("Content-Type", "application/json")
if headerData != "" {
    req.Header.Add("X-Vault-Token", headerData)
}
resp, errr := client.Do(req)

This is not helping. I did try generating the crt via a Dockerfile using the command below; due to the interactive command run, it didn't work either:

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt

Need to resolve this: Post "https://url:8200/v1/login": x509: certificate signed by unknown authority.

#golang #dockerimage #vaultrestapi-integration

Answer 1

Score: 2


The client-side error you are getting (certificate signed by unknown authority) is related to the client not trusting the server - so has nothing to do with your client cert logic (which I'll address below):

There are two ways to address server identity trust from a client via tls.Config:

// the right way
&tls.Config{
    RootCAs: caCertPool, // define a root trust pool
}

or:

// the wrong-way
&tls.Config{
    InsecureSkipVerify: true, // DONT USE THIS IN PRODUCTION!
}

The former method should be preferred; the latter should only be used for testing purposes.

See below on how to try this with client certificate authentication.


Mutual TLS authentication is covered in many blogs. From a client perspective, the basic gist is:

caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
cert, _ := tls.LoadX509KeyPair("client.crt", "client.key")
client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            RootCAs:      caCertPool,
            Certificates: []tls.Certificate{cert},
        },
    },
}

the server (if you have control over this) should do something like:

caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
server := &http.Server{
    Addr:      ":9443",
    TLSConfig: &tls.Config{
        ClientCAs:  caCertPool,
        ClientAuth: tls.RequireAndVerifyClientCert,
    },
}
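To show the answer's distinction in running code, here is an added example (my own; it is not code from the question, the answer, or any Vault client library). It builds a throwaway root CA plus server and client certificates in memory, starts two httptest servers on loopback, and repeats the question's POST /v1/login against them with four client tls.Config variants: ClientCAs without RootCAs (what the question does), RootCAs (the answer's right way), and mutual TLS without and with a client certificate. The names RunDemo, callLogin, newCert and Outcome, the CN values and the `{"auth":"ok"}` body are my assumptions; the mutual-TLS server config and the RootCAs/Certificates client config are the answer's settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome is one client attempt: the HTTP status on success, otherwise the transport error,
// with UnknownCA set when that error is the x509.UnknownAuthorityError quoted in the question.
type Outcome struct {
	Status    int
	Err       error
	UnknownCA bool
}

// newCert makes a P-256 key and a certificate for cn signed by parent, or a self-signed CA when
// parent is the zero value. All material is constructed in memory for this example (nothing is
// read from disk) and setup failures panic. The loopback SANs only matter for the server cert.
func newCert(cn string, eku x509.ExtKeyUsage, parent tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	issuer, signer := parent.Leaf, parent.PrivateKey
	if issuer == nil { // no parent: self-signed root whose key may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// callLogin repeats the question's request (POST /v1/login) under the given client tls.Config.
func callLogin(serverURL string, cfg *tls.Config) Outcome {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Post(serverURL+"/v1/login", "application/json", nil)
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return Outcome{Err: err, UnknownCA: errors.As(err, &unknown)}
	}
	resp.Body.Close()
	return Outcome{Status: resp.StatusCode}
}

// RunDemo builds a demo CA with server and client leaves, starts a TLS server and a mutual-TLS
// server on loopback (the answer's server-side settings), and tries four client configs:
// ClientCAs without RootCAs (the question), RootCAs (the answer), and mTLS without/with a cert.
func RunDemo() (clientCAsOnly, rootCAs, mtlsNoCert, mtlsWithCert Outcome) {
	ca := newCert("demo-root-ca", x509.ExtKeyUsageAny, tls.Certificate{})
	server := newCert("vault.local", x509.ExtKeyUsageServerAuth, ca)
	client := newCert("demo-client", x509.ExtKeyUsageClientAuth, ca)
	pool := x509.NewCertPool() // the answer's caCertPool, filled from the CA object instead of ca.crt
	pool.AddCert(ca.Leaf)
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"auth":"ok"}`) })
	plain := httptest.NewUnstartedServer(ok) // server authenticates itself only
	plain.TLS = &tls.Config{Certificates: []tls.Certificate{server}}
	plain.StartTLS()
	defer plain.Close()
	mtls := httptest.NewUnstartedServer(ok) // the answer's mutual-TLS server config
	mtls.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	mtls.StartTLS()
	defer mtls.Close()
	// A client-side ClientCAs is never consulted when verifying the server, so the first config
	// behaves exactly like an empty tls.Config: only the system roots are trusted.
	return callLogin(plain.URL, &tls.Config{ClientCAs: pool}),
		callLogin(plain.URL, &tls.Config{RootCAs: pool}),
		callLogin(mtls.URL, &tls.Config{RootCAs: pool}),
		callLogin(mtls.URL, &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{client}})
}

func main() {
	fmt.Println(RunDemo())
}
```

Run it with `go run`: the first Outcome carries the question's exact error (wrapped in a *url.Error and, on Go 1.20 and later, a *tls.CertificateVerificationError, which is why the check uses errors.As rather than string matching), the second returns 200, the third fails because the server demands a client certificate, and the fourth returns 200. tls.Config.ClientCAs only ever matters on the server side, so setting it on the client, as the question's code does, changes nothing; the pool the client must fill is RootCAs.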

huangapple
  • Posted on 2022-09-12 20:18:19
  • Please keep this link when reposting: https://go.coder-hub.com/73689148.html