Add examples using the bootstrap methods.
parent
091506a994
commit
e8a66d85a7
3 changed files with 142 additions and 0 deletions
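--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,68 @@
+# Example
+
+# Client & Server requests
+
+On this example we are going to see the Certificate Authority running, as well
+as a simple Server using TLS and a simple client doing TLS requests to the
+server.
+
+The examples directory already contains a sample pki configuration with the
+password `password` hardcoded, but you can create your own using `step ca init`.
+
+First we will start the certificate authority:
+```
+certificates $ bin/step-ca examples/pki/config/ca.json
+2018/11/02 18:29:25 Serving HTTPS on :9000 ...
+```
+
+We will start the server and we will type `password` when step asks for the
+provisioner password:
+```
+certificates $ export STEPPATH=examples/pki
+certificates $ export STEP_CA_URL=https://localhost:9000
+certificates $ go run examples/server.go $(step ca new-token localhost))
+✔ Key ID: DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk (mariano@smallstep.com)
+Please enter the password to decrypt the provisioner key:
+Listening on :8443 ...
+```
+
+We try that using cURL with the system certificates it will return an error:
+```
+certificates $ curl https://localhost:8443
+curl: (60) SSL certificate problem: unable to get local issuer certificate
+More details here: https://curl.haxx.se/docs/sslcerts.html
+
+curl performs SSL certificate verification by default, using a "bundle"
+of Certificate Authority (CA) public keys (CA certs). If the default
+bundle file isn't adequate, you can specify an alternate file
+using the --cacert option.
+If this HTTPS server uses a certificate signed by a CA represented in
+the bundle, the certificate verification probably failed due to a
+problem with the certificate (it might be expired, or the name might
+not match the domain name in the URL).
+If you'd like to turn off curl's verification of the certificate, use
+the -k (or --insecure) option.
+HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
+```
+
+But if we use the root certificate it will properly work:
+```
+certificates $ curl --cacert examples/pki/secrets/root_ca.crt https://localhost:8443
+Hello nobody at 2018-11-03 01:49:25.66912 +0000 UTC!!!
+```
+
+Notice that in the response we see `nobody`, this is because the server didn't
+detected a TLS client configuration.
+
+But if we the client with the certificate name Mike we'll see:
+```
+certificates $ export STEPPATH=examples/pki
+certificates $ export STEP_CA_URL=https://localhost:9000
+certificates $ go run examples/client.go $(step ca new-token Mike)
+✔ Key ID: DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk (mariano@smallstep.com)
+Please enter the password to decrypt the provisioner key:
+Server responded: Hello Mike at 2018-11-03 01:52:52.678215 +0000 UTC!!!
+Server responded: Hello Mike at 2018-11-03 01:52:53.681563 +0000 UTC!!!
+Server responded: Hello Mike at 2018-11-03 01:52:54.682787 +0000 UTC!!!
+...
+```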
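--- /dev/null
+++ b/examples/client.go
@@ -0,0 +1,39 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"time"
+
+	"github.com/smallstep/certificates/ca"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	token := os.Args[1]
+
+	client, err := ca.BootstrapClient(token)
+	if err != nil {
+		panic(err)
+	}
+
+	for {
+		resp, err := client.Get("https://localhost:8443")
+		if err != nil {
+			panic(err)
+		}
+		b, err := ioutil.ReadAll(resp.Body)
+		resp.Body.Close()
+		if err != nil {
+			panic(err)
+		}
+
+		fmt.Printf("Server responded: %s\n", b)
+		time.Sleep(1 * time.Second)
+	}
+}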
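Review bot: The loop at `resp, err := client.Get("https://localhost:8443")` never looks at `resp.StatusCode`, so a 4xx/5xx reply from the server is printed as `Server responded:` exactly like a success and the client keeps polling a broken endpoint. Adding `if resp.StatusCode != http.StatusOK { resp.Body.Close(); panic(resp.Status) }` right after the error check (with `net/http` added to the imports) makes a misbehaving server visible. The bootstrap token is also read straight from `os.Args[1]`, where it is visible to other local users through process listings; since this file is meant to be copied as an example, a comment on the `token := os.Args[1]` line such as `// The token is the credential BootstrapClient presents to the CA; argv is fine for a demo but is exposed via ps in real deployments.` would warn readers before they reuse the pattern.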
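--- /dev/null
+++ b/examples/server.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/smallstep/certificates/ca"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	token := os.Args[1]
+
+	srv, err := ca.BootstrapServer(":8443", token, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		name := "nobody"
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			name = r.TLS.PeerCertificates[0].Subject.CommonName
+		}
+		w.Write([]byte(fmt.Sprintf("Hello %s at %s!!!", name, time.Now().UTC())))
+	}))
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("Listening on :8443 ...")
+	if err := srv.ListenAndServeTLS("", ""); err != nil {
+		panic(err)
+	}
+}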
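Review bot: The handler at `name = r.TLS.PeerCertificates[0].Subject.CommonName` takes the caller's identity from whatever certificate the client presented, not from a chain the server validated. Whether `ca.BootstrapServer` configures `tls.RequireAndVerifyClientCert` (or `VerifyClientCertIfGiven`) is not visible in this hunk; if the TLS config ever only requests a client certificate, the CommonName echoed in the greeting is attacker-chosen. Reading the leaf from the verified chain instead ties the name to a certificate the server actually checked against its client CAs: `if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 && len(r.TLS.VerifiedChains[0]) > 0 {` / `name = r.TLS.VerifiedChains[0][0].Subject.CommonName`. A one-line comment on `name := "nobody"` saying that the greeting trusts the CN only because the bootstrap TLS config enforces client-certificate verification would also help anyone copying this example into a real service.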