added TLS option

2025-03-05 06:46:48 +00:00 · 2021-04-19 21:06:37 +02:00 · 2021-04-19 21:06:37 +02:00 · 02ccc9f208
commit 02ccc9f208
parent 3859ae6b9b
3 changed files with 117 additions and 2 deletions
--- a/configuration_flags.go
+++ b/configuration_flags.go
@ -95,6 +95,8 @@ type Configuration struct {
 	SubscribersDataFolder string
 	// central node to receive messages published from nodes
 	CentralNodeName string
+	// Path to the certificate of the root CA
+	RootCAPath string

 	// Make the current node send hello messages to central at given interval in seconds
 	StartPubREQHello int
@ -143,6 +145,7 @@ func newConfigurationDefaults() Configuration {
 		StartPubREQHello:        30,
 		SubscribersDataFolder:   "./var",
 		CentralNodeName:         "",
+		RootCAPath:              "",
 		StartSubREQErrorLog:     flagNodeSlice{Values: []node{}},
 		StartSubREQHello:        flagNodeSlice{OK: true, Values: []node{"*"}},
 		StartSubREQToFileAppend: flagNodeSlice{OK: true, Values: []node{"*"}},
@ -183,6 +186,7 @@ func (c *Configuration) CheckFlags() error {
 	flag.IntVar(&c.DefaultMessageRetries, "defaultMessageRetries", fc.DefaultMessageRetries, "default amount of retries that will be done before a message is thrown away, and out of the system")
 	flag.StringVar(&c.SubscribersDataFolder, "subscribersDataFolder", fc.SubscribersDataFolder, "The data folder where subscribers are allowed to write their data if needed")
 	flag.StringVar(&c.CentralNodeName, "centralNodeName", fc.CentralNodeName, "The name of the central node to receive messages published by this node")
+	flag.StringVar(&c.RootCAPath, "rootCAPath", fc.RootCAPath, "If TLS, enter the path for where to find the root CA certificate")

 	flag.IntVar(&c.StartPubREQHello, "startPubREQHello", fc.StartPubREQHello, "Make the current node send hello messages to central at given interval in seconds")

--- a/doc/nats-server-configuration/README.md
+++ b/doc/nats-server-configuration/README.md
@ -4,7 +4,7 @@

 Nats-server version need to be greater than v2+ for leafnode functionality.

-### Leafnode config options
+### Leafnode config options with certificates

 <https://docs.nats.io/nats-server/configuration/leafnodes/leafnode_conf>

@ -44,3 +44,109 @@ leafnodes {
  ]
 }
 ```
+
+## Leafnode config with self signed certificates
+
+mkdir ca
+cd ca
+
+Generate key for rootCA
+
+`openssl genrsa -out rootCA.key 2048`
+
+Generate the certificate for the rootCA
+
+`openssl req -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem`
+
+Genereate directory structure for the node certificates. NB: Normally this would not be done on the same place. Each node would only create a key and a CSR which would be sent to the rootCA, and the rootCA would create the .pem file for the node, and the .pem file would them be sent back to the node. The rootCA should never know the key's of the nodes. But since we're doing the test on a single machine, folders are used to simulate nodes.
+
+```bash
+mkdir central
+mkdir ship1
+mkdir ship2
+```
+
+Generate private keys for nodes
+
+```bash
+openssl genrsa -out ship1/ship1.key 2048
+openssl genrsa -out ship2/ship2.key 2048
+openssl genrsa -out central/central.key 2048
+```
+
+Generate signing requests
+
+```bash
+openssl req -new -key central/central.key -out central/central.csr
+openssl req -new -key ship1/ship1.key -out ship1/ship1.csr
+openssl req -new -key ship2/ship2.key -out ship2/ship2.csr
+```
+
+Generate certificates for nodes
+
+```bash
+openssl x509 -req -in ship1/ship1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship1/ship1.pem -days 1024 -sha256
+openssl x509 -req -in ship2/ship2.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship2/ship2.pem -days 1024 -sha256
+openssl x509 -req -in central/central.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out central/central.pem -days 1024 -sha256
+```
+
+If the certificates needs to be generated for ip adresses and not FQDN, we need to add the IP SAN in an openssl.cnf file, and reference the block where it is specified when we generate the node certificate.
+
+Copy the standard `openssl.conf` file from the system, so we can use it as a template.
+
+`cp /usr/local/etc/openssl/openssl.cnf ./`
+
+Open `openssl.conf` for editing, and under `[ v3_req ]` add
+
+`subjectAltName = IP:10.0.0.124`
+
+```bash
+openssl x509 -req -in central/central.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out central/central.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
+openssl x509 -req -in ship1/ship1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship1/ship1.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
+openssl x509 -req -in ship2/ship2.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship2/ship2.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
+```
+
+Verify with:
+
+```bash
+openssl x509 -text -noout -in central/central.pem
+```
+
+### Self signed certificates
+
+### Central config
+
+```conf
+leafnodes {
+    port: 7422
+
+    tls {
+        cert_file: "/Users/bt/tmp/ca/central/central.pem"
+        key_file: "/Users/bt/tmp/ca/central/central.key"
+        ca_file: "/Users/bt/tmp/ca/rootCA.pem"
+    }
+
+    authorization {
+        user: leaf
+        password: secret
+    }
+}
+```
+
+### Spoke leaf config
+
+```conf
+port: 4111
+leafnodes {
+  remotes: [
+    {
+      urls: [
+        tls://leaf:secret@10.0.0.124:7422
+      ]
+      tls {
+        ca_file: "/Users/bt/tmp/ca/rootCA.pem"
+      }
+    }
+  ]
+}
+```
--- a/server.go
+++ b/server.go
@ -80,7 +80,12 @@ type server struct {

 // newServer will prepare and return a server type
 func NewServer(c *Configuration) (*server, error) {
-	conn, err := nats.Connect(c.BrokerAddress, nil)
+	var opt nats.Option
+	if c.RootCAPath != "" {
+		opt = nats.RootCAs(c.RootCAPath)
+	}
+
+	conn, err := nats.Connect(c.BrokerAddress, opt)
 	if err != nil {
 		er := fmt.Errorf("error: nats.Connect failed: %v", err)
 		return nil, er