| .. | ||
| README.md | ||
Nats-Server configuration
Leafnode config
Nats-server version need to be greater than v2+ for leafnode functionality.
Leafnode config options with certificates
https://docs.nats.io/nats-server/configuration/leafnodes/leafnode_conf
https://docs.nats.io/nats-server/configuration/leafnodes
Central server node config
leafnodes {
port: 7422
tls {
cert_file: "</some/location/mysite.com>.crt"
key_file: "</some/location/mysite.com>.crt.key"
}
authorization {
user: leaf
password: secret
}
}
Spoke leaf node config
On the spokes we set the listen port to 4111 instead of the default 4222.
port: 4111
leafnodes {
remotes: [
{
urls: [
tls://leaf:secret@<mysite.com>:7422
]
}
]
}
Leafnode config with self signed certificates
mkdir ca cd ca
Generate key for rootCA
openssl genrsa -out rootCA.key 2048
Generate the certificate for the rootCA
openssl req -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Genereate directory structure for the node certificates. NB: Normally this would not be done on the same place. Each node would only create a key and a CSR which would be sent to the rootCA, and the rootCA would create the .pem file for the node, and the .pem file would them be sent back to the node. The rootCA should never know the key's of the nodes. But since we're doing the test on a single machine, folders are used to simulate nodes.
mkdir central
mkdir ship1
mkdir ship2
Generate private keys for nodes
openssl genrsa -out ship1/ship1.key 2048
openssl genrsa -out ship2/ship2.key 2048
openssl genrsa -out central/central.key 2048
Generate signing requests
openssl req -new -key central/central.key -out central/central.csr
openssl req -new -key ship1/ship1.key -out ship1/ship1.csr
openssl req -new -key ship2/ship2.key -out ship2/ship2.csr
Generate certificates for nodes
openssl x509 -req -in ship1/ship1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship1/ship1.pem -days 1024 -sha256
openssl x509 -req -in ship2/ship2.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship2/ship2.pem -days 1024 -sha256
openssl x509 -req -in central/central.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out central/central.pem -days 1024 -sha256
If the certificates needs to be generated for ip adresses and not FQDN, we need to add the IP SAN in an openssl.cnf file, and reference the block where it is specified when we generate the node certificate.
Copy the standard openssl.conf file from the system, so we can use it as a template.
cp /usr/local/etc/openssl/openssl.cnf ./
Open openssl.conf for editing, and under [ v3_req ] add
subjectAltName = IP:10.0.0.124
openssl x509 -req -in central/central.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out central/central.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
openssl x509 -req -in ship1/ship1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship1/ship1.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
openssl x509 -req -in ship2/ship2.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ship2/ship2.pem -days 1024 -sha256 -extfile ./openssl.cnf -extensions v3_req
Verify with:
openssl x509 -text -noout -in central/central.pem
Self signed certificates
Central config
leafnodes {
port: 7422
tls {
cert_file: "/Users/bt/tmp/ca/central/central.pem"
key_file: "/Users/bt/tmp/ca/central/central.key"
ca_file: "/Users/bt/tmp/ca/rootCA.pem"
}
authorization {
user: leaf
password: secret
}
}
Spoke leaf config
port: 4111
leafnodes {
remotes: [
{
urls: [
tls://leaf:secret@10.0.0.124:7422
]
tls {
ca_file: "/Users/bt/tmp/ca/rootCA.pem"
}
}
]
}