NOISSUE - Remove Development Mode on Certs Creation (#1908)
* Fix certificate creation in development mode

This commit removes certificate creation in development mode. Previously, the `MF_CERTS_VAULT_HOST` environment variable was not being properly checked, resulting in incorrect behavior when issuing certificates. This commit ensures that the correct mode is set based on the value of `MF_CERTS_VAULT_HOST`.

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>

* Fix certificate revocation in README.md

The README.md file has been updated to clarify the process of revoking certificates. The previous instructions were incorrect, and the correct method is now provided. The certificates can be revoked using the `certs` service by providing the `thing_id` of the thing for which the certificate was issued.

```
curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":"c30b8842-507c-4bcd-973c-74008cef3be5"}'
```

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>

---------

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
parent 46705d401f
commit 687505c833
|
@ -1,36 +1,7 @@
|
||||||
# Certs Service
|
# Certs Service
|
||||||
|
|
||||||
Issues certificates for things. `Certs` service can create certificates to be used when `Mainflux` is deployed to support mTLS.
|
Issues certificates for things. `Certs` service can create certificates to be used when `Mainflux` is deployed to support mTLS.
|
||||||
Certificate service can create certificates in two modes:
|
Certificate service can create certificates using PKI mode - where certificates issued by PKI, when you deploy `Vault` as PKI certificate management `cert` service will proxy requests to `Vault` previously checking access rights and saving info on successfully created certificate.
|
||||||
|
|
||||||
1. Development mode - to be used when no PKI is deployed, this works similar to the [make thing_cert](../docker/ssl/Makefile)
|
|
||||||
2. PKI mode - certificates issued by PKI, when you deploy `Vault` as PKI certificate management `cert` service will proxy requests to `Vault` previously checking access rights and saving info on successfully created certificate.
|
|
||||||
|
|
||||||
## Development mode
|
|
||||||
|
|
||||||
If `MF_CERTS_VAULT_HOST` is empty than Development mode is on.
|
|
||||||
|
|
||||||
To issue a certificate:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
|
|
||||||
TOK=`curl -s --insecure -S -X POST http://localhost/tokens -H 'Content-Type: application/json' -d '{"email":"edge@email.com","password":"12345678"}' | jq -r '.token'`
|
|
||||||
|
|
||||||
curl -s -S -X POST http://localhost:9019/certs -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":<thing_id>}'
|
|
||||||
```
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"ThingID": "",
|
|
||||||
"ClientCert": "-----BEGIN CERTIFICATE-----\nMIIDmTCCAoGgAwIBAgIRANmkAPbTR1UYeYO0Id/4+8gwDQYJKoZIhvcNAQELBQAw\nVzESMBAGA1UEAwwJbG9jYWxob3N0MREwDwYDVQQKDAhNYWluZmx1eDEMMAoGA1UE\nCwwDSW9UMSAwHgYJKoZIhvcNAQkBFhFpbmZvQG1haW5mbHV4LmNvbTAeFw0yMDA2\nMzAxNDIxMDlaFw0yMDA5MjMyMjIxMDlaMFUxETAPBgNVBAoTCE1haW5mbHV4MREw\nDwYDVQQLEwhtYWluZmx1eDEtMCsGA1UEAxMkYjAwZDBhNzktYjQ2YS00NTk3LTli\nNGYtMjhkZGJhNTBjYTYyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\ntgS2fLUWG3CCQz/l6VRQRJfRvWmdxK0mW6zIXGeeOILYZeaLiuiUnohwMJ4RiMqT\nuJbInAIuO/Tt5osfrCFFzPEOLYJ5nZBBaJfTIAxqf84Ou1oeMRll4wpzgeKx0rJO\nXMAARwn1bT9n3uky5QQGSLy4PyyILzSXH/1yCQQctdQB/Ar/UI1TaYoYlGzh7dHT\nWpcxq1HYgCyAtcrQrGD0rEwUn82UBCrnya+bygNqu0oDzIFQwa1G8jxSgXk0mFS1\nWrk7rBipsvp8HQhdnvbEVz4k4AAKcQxesH4DkRx/EXmU2UvN3XysvcJ2bL+UzMNI\njNhAe0pgPbB82F6zkYZ/XQIDAQABo2IwYDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0l\nBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDgQHBAUBAgMEBjAfBgNVHSME\nGDAWgBRs4xR91qEjNRGmw391xS7x6Tc+8jANBgkqhkiG9w0BAQsFAAOCAQEAW/dS\nV4vNLTZwBnPVHUX35pRFxPKvscY+vnnpgyDtITgZHYe0KL+Bs3IHuywtqaezU5x1\nkZo+frE1OcpRvp7HJtDiT06yz+18qOYZMappCWCeAFWtZkMhlvnm3TqTkgui6Xgl\nGj5xnPb15AOlsDE2dkv5S6kEwJGHdVX6AOWfB4ubUq5S9e4ABYzXGUty6Hw/ZUmJ\nhCTRVJ7cQJVTJsl1o7CYT8JBvUUG75LirtoFE4M4JwsfsKZXzrQffTf1ynqI3dN/\nHWySEbvTSWcRcA3MSmOTxGt5/zwCglHDlWPKMrXtjTW7NPuGL5/P9HSB9HGVVeET\nDUMdvYwgj0cUCEu3LA==\n-----END CERTIFICATE-----\n",
|
|
||||||
"IssuingCA": "",
|
|
||||||
"CAChain": null,
|
|
||||||
"ClientKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAtgS2fLUWG3CCQz/l6VRQRJfRvWmdxK0mW6zIXGeeOILYZeaL\niuiUnohwMJ4RiMqTuJbInAIuO/Tt5osfrCFFzPEOLYJ5nZBBaJfTIAxqf84Ou1oe\nMRll4wpzgeKx0rJOXMAARwn1bT9n3uky5QQGSLy4PyyILzSXH/1yCQQctdQB/Ar/\nUI1TaYoYlGzh7dHTWpcxq1HYgCyAtcrQrGD0rEwUn82UBCrnya+bygNqu0oDzIFQ\nwa1G8jxSgXk0mFS1Wrk7rBipsvp8HQhdnvbEVz4k4AAKcQxesH4DkRx/EXmU2UvN\n3XysvcJ2bL+UzMNIjNhAe0pgPbB82F6zkYZ/XQIDAQABAoIBAALoal3tqq+/iWU3\npR2oKiweXMxw3oNg3McEKKNJSH7QoFJob3xFoPIzbc9pBxCvY9LEHepYIpL0o8RW\nHqhqU6olg7t4ZSb+Qf1Ax6+wYxctnJCjrO3N4RHSfevqSjr6fEQBEUARSal4JNmr\n0hNUkCEjWrIvrPFMHsn1C5hXR3okJQpGsad4oCGZDp2eZ/NDyvmLBLci9/5CJdRv\n6roOF5ShWweKcz1+pfy666Q8RiUI7H1zXjPaL4yqkv8eg/WPOO0dYF2Ri2Grk9OY\n1qTM0W1vi9zfncinZ0DpgtwMTFQezGwhUyJHSYHmjVBA4AaYIyOQAI/2dl5fXM+O\n9JfXpOUCgYEA10xAtMc/8KOLbHCprpc4pbtOqfchq/M04qPKxQNAjqvLodrWZZgF\nexa+B3eWWn5MxmQMx18AjBCPwbNDK8Rkd9VqzdWempaSblgZ7y1a0rRNTXzN5DFP\noiuRQV4wszCuj5XSdPn+lxApaI/4+TQ0oweIZCpGW39XKePPoB5WZiMCgYEA2G3W\niJncRpmxWwrRPi1W26E9tWOT5s9wYgXWMc+PAVUd/qdDRuMBHpu861Qoghp/MJog\nBYqt2rQqU0OxvIXlXPrXPHXrCLOFwybRCBVREZrg4BZNnjyDTLOu9C+0M3J9ImCh\n3vniYqb7S0gRmoDM0R3Zu4+ajfP2QOGLXw1qHH8CgYEAl0EQ7HBW8V5UYzi7XNcM\nixKOb0YZt83DR74+hC6GujTjeLBfkzw8DX+qvWA8lxLIKVC80YxivAQemryv4h21\nX6Llx/nd1UkXUsI+ZhP9DK5y6I9XroseIRZuk/fyStFWsbVWB6xiOgq2rKkJBzqw\nCCEQpx40E6/gsqNDiIAHvvUCgYBkkjXc6FJ55DWMLuyozfzMtpKsVYeG++InSrsM\nDn1PizQS/7q9mAMPLCOP312rh5CPDy/OI3FCbfI1GwHerwG0QUP/bnQ3aOTBmKoN\n7YnsemIA/5w16bzBycWE5x3/wjXv4aOWr9vJJ/siMm0rtKp4ijyBcevKBxHpeGWB\nWAR1FQKBgGIqAxGnBpip9E24gH894BaGHHMpQCwAxARev6sHKUy27eFUd6ipoTva\n4Wv36iz3gxU4R5B0gyfnxBNiUab/z90cb5+6+FYO13kqjxRRZWffohk5nHlmFN9K\nea7KQHTfTdRhOLUzW2yVqLi9pzfTfA6Yqf3U1YD3bgnWrp1VQnjo\n-----END RSA PRIVATE KEY-----\n",
|
|
||||||
"PrivateKeyType": "",
|
|
||||||
"Serial": "",
|
|
||||||
"Expire": "0001-01-01T00:00:00Z"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## PKI mode
|
## PKI mode
|
||||||
|
|
||||||
|
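Review bot: with the whole `## Development mode` section deleted, the README no longer shows how to issue a certificate at all; the only issue example (`curl -s -S -X POST http://localhost:9019/certs -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":<thing_id>}'`) went out with it, and the `## PKI mode` section that remains only documents revocation. Suggest moving that example under `## PKI mode` (without the `--insecure` token call and the hard-coded `12345678` password) so issuing stays documented. The replacement paragraph ("Certificate service can create certificates using PKI mode - where certificates issued by PKI, when you deploy `Vault` as PKI certificate management `cert` service will proxy requests to `Vault` previously checking access rights and saving info on successfully created certificate.") is a run-on copied from the old item 2 and still says `cert` service where the rest of the page says `certs`; suggest two sentences, e.g. "In PKI mode certificates are issued by a PKI. When `Vault` is deployed as that PKI, the `certs` service checks access rights, proxies the request to `Vault` and stores the info on the successfully created certificate." Dropping the sample response is a good change in itself: it embedded a full `-----BEGIN RSA PRIVATE KEY-----` block in the README.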
@ -40,7 +11,7 @@ To setup `Vault` follow steps in [Build Your Own Certificate Authority (CA)](htt
|
||||||
|
|
||||||
To setup certs service with `Vault` following environment variables must be set:
|
To setup certs service with `Vault` following environment variables must be set:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
MF_CERTS_VAULT_HOST=vault-domain.com
|
MF_CERTS_VAULT_HOST=vault-domain.com
|
||||||
MF_CERTS_VAULT_PKI_PATH=<vault_pki_path>
|
MF_CERTS_VAULT_PKI_PATH=<vault_pki_path>
|
||||||
MF_CERTS_VAULT_ROLE=<vault_role>
|
MF_CERTS_VAULT_ROLE=<vault_role>
|
||||||
|
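Review bot: the only change in this hunk is the fence tag (now `bash`), but the text around it still does not say what the service does when `MF_CERTS_VAULT_HOST` is empty. Until this commit an empty value selected Development mode (the removed "If `MF_CERTS_VAULT_HOST` is empty than Development mode is on." line); the commit message says the mode is now "set based on the value of `MF_CERTS_VAULT_HOST`", so the README should state the new outcome (whether the service refuses to start, or whether issuing fails) right after "following environment variables must be set", otherwise an operator who copied the old `.env` with the variable unset gets no hint why certificates stop being issued.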
@ -49,8 +20,7 @@ MF_CERTS_VAULT_TOKEN=<vault_acces_token>
|
||||||
|
|
||||||
For lab purposes you can use docker-compose and script for setting up PKI in [https://github.com/mteodor/vault](https://github.com/mteodor/vault)
|
For lab purposes you can use docker-compose and script for setting up PKI in [https://github.com/mteodor/vault](https://github.com/mteodor/vault)
|
||||||
|
|
||||||
Issuing certificate is same as in **Development** mode.
|
The certificates can also be revoked using `certs` service. To revoke a certificate you need to provide `thing_id` of the thing for which the certificate was issued.
|
||||||
In this mode certificates can also be revoked:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":"c30b8842-507c-4bcd-973c-74008cef3be5"}'
|
curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":"c30b8842-507c-4bcd-973c-74008cef3be5"}'
|
||||||
|
|
|
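Review bot: "The certificates can also be revoked using `certs` service" keeps the "also" from the removed "In this mode certificates can also be revoked:" line, but the sentence it contrasted with ("Issuing certificate is same as in **Development** mode.") is removed too, so the "also" now dangles; suggest "Certificates issued in PKI mode can be revoked through the `certs` service. To revoke a certificate, provide the `thing_id` of the thing it was issued for." Two more points visible in this hunk: the context line `MF_CERTS_VAULT_TOKEN=<vault_acces_token>` has a typo (`acces`), and the revocation example identifies the certificate only by `thing_id` while the old sample response exposed a per-certificate `Serial`; if a thing can hold more than one certificate, the README should say which one(s) a `DELETE /certs/revoke` by `thing_id` revokes.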
@ -1,27 +1,28 @@
|
||||||
|
# Vault
|
||||||
|
|
||||||
This is Vault service deployment to be used with Mainflux.
|
This is Vault service deployment to be used with Mainflux.
|
||||||
|
|
||||||
When the Vault service is started, some initialization steps need to be done to set things up.
|
When the Vault service is started, some initialization steps need to be done to set things up.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
| Variable | Description | Default |
|
| Variable | Description | Default |
|
||||||
| ------------------------- | ----------------------------------------------------------------------- | -------------- |
|
| --------------------- | ------------------------------------------------------- | -------------- |
|
||||||
| MF_VAULT_HOST | Vault service address | vault |
|
| MF_VAULT_HOST | Vault service address | vault |
|
||||||
| MF_VAULT_PORT | Vault service port | 8200 |
|
| MF_VAULT_PORT | Vault service port | 8200 |
|
||||||
| MF_VAULT_UNSEAL_KEY_1 | Vault unseal key | "" |
|
| MF_VAULT_UNSEAL_KEY_1 | Vault unseal key | "" |
|
||||||
| MF_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" |
|
| MF_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" |
|
||||||
| MF_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" |
|
| MF_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" |
|
||||||
| MF_VAULT_TOKEN | Vault cli access token | "" |
|
| MF_VAULT_TOKEN | Vault cli access token | "" |
|
||||||
| MF_VAULT_PKI_PATH | Vault secrets engine path for CA | pki |
|
| MF_VAULT_PKI_PATH | Vault secrets engine path for CA | pki |
|
||||||
| MF_VAULT_PKI_INT_PATH | Vault secrets engine path for intermediate CA | pki_int |
|
| MF_VAULT_PKI_INT_PATH | Vault secrets engine path for intermediate CA | pki_int |
|
||||||
| MF_VAULT_CA_ROLE_NAME | Vault secrets engine role | mainflux |
|
| MF_VAULT_CA_ROLE_NAME | Vault secrets engine role | mainflux |
|
||||||
| MF_VAULT_CA_NAME | Certificates name used by `vault-set-pki.sh` | mainflux |
|
| MF_VAULT_CA_NAME | Certificates name used by `vault-set-pki.sh` | mainflux |
|
||||||
| MF_VAULT_CA_CN | Common name used for CA creation by `vault-set-pki.sh` | mainflux.com |
|
| MF_VAULT_CA_CN | Common name used for CA creation by `vault-set-pki.sh` | mainflux.com |
|
||||||
| MF_VAULT_CA_OU | Org unit used for CA creation by `vault-set-pki.sh` | Mainflux Cloud |
|
| MF_VAULT_CA_OU | Org unit used for CA creation by `vault-set-pki.sh` | Mainflux Cloud |
|
||||||
| MF_VAULT_CA_O | Organization used for CA creation by `vault-set-pki.sh` | Mainflux Labs |
|
| MF_VAULT_CA_O | Organization used for CA creation by `vault-set-pki.sh` | Mainflux Labs |
|
||||||
| MF_VAULT_CA_C | Country used for CA creation by `vault-set-pki.sh` | Serbia |
|
| MF_VAULT_CA_C | Country used for CA creation by `vault-set-pki.sh` | Serbia |
|
||||||
| MF_VAULT_CA_L | Location used for CA creation by `vault-set-pki.sh` | Belgrade |
|
| MF_VAULT_CA_L | Location used for CA creation by `vault-set-pki.sh` | Belgrade |
|
||||||
|
|
||||||
|
|
||||||
## Setup
|
## Setup
|
||||||
|
|
||||||
|
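Review bot: the added `# Vault` heading and the narrower separator row are cosmetic and fine, but while the table is being touched, the `MF_VAULT_UNSEAL_KEY_1`..`MF_VAULT_UNSEAL_KEY_3` and `MF_VAULT_TOKEN` rows describe them as just "Vault unseal key" / "Vault cli access token" with default `""`; the description column should flag that these are secrets (the unseal keys together open the barrier, the token is an admin credential) and must not be committed in the `.env` file the rest of this README reads them from.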
@ -37,7 +38,7 @@ After this step, the corresponding Vault environment variables (`MF_VAULT_TOKEN`
|
||||||
|
|
||||||
Example contents for `data/secrets`:
|
Example contents for `data/secrets`:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI
|
Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI
|
||||||
Unseal Key 2: P6hb7x2cglv0p61jdLyNE3+d44cJUOFaDt9jHFDfr8Df
|
Unseal Key 2: P6hb7x2cglv0p61jdLyNE3+d44cJUOFaDt9jHFDfr8Df
|
||||||
Unseal Key 3: zSBfDHzUiWoOzXKY1pnnBqKO8UD2MDLuy8DNTxNtEBFy
|
Unseal Key 3: zSBfDHzUiWoOzXKY1pnnBqKO8UD2MDLuy8DNTxNtEBFy
|
||||||
|
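Review bot: tagging this fence as `bash` is wrong for its content; the block is Vault's init output (`Unseal Key 1: ...`), not a script, so a `text` tag (or no tag, as before) is the honest choice and avoids shell highlighting of the keys. Separately, the three example keys look like genuine base64 unseal keys rather than placeholders; unless they come from a throwaway lab instance, replace them with obvious dummies such as `<unseal_key_1>` so nobody can mistake them for (or reuse them as) real material.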
@ -79,13 +80,13 @@ After it runs, it copies the necessary certificates and keys to the `docker/ssl/
|
||||||
|
|
||||||
The CA parameters are obtained from the environment variables starting with `MF_VAULT_CA` in `.env` file.
|
The CA parameters are obtained from the environment variables starting with `MF_VAULT_CA` in `.env` file.
|
||||||
|
|
||||||
## Vault CLI
|
## Vault CLI
|
||||||
|
|
||||||
It can also be useful to run the Vault CLI for inspection and administration work.
|
It can also be useful to run the Vault CLI for inspection and administration work.
|
||||||
|
|
||||||
This can be done directly using the Vault image in Docker: `docker run -it mainflux/vault:latest vault`
|
This can be done directly using the Vault image in Docker: `docker run -it mainflux/vault:latest vault`
|
||||||
|
|
||||||
```
|
```bash
|
||||||
Usage: vault <command> [args]
|
Usage: vault <command> [args]
|
||||||
|
|
||||||
Common commands:
|
Common commands:
|
||||||
|
|
|
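Review bot: same fence-tag problem as the `data/secrets` block: `Usage: vault <command> [args]` / `Common commands:` is CLI help output, not something to run, so `bash` mislabels it. More useful than the tag: the `docker run -it mainflux/vault:latest vault` one-liner starts a fresh container that is not told where the deployed Vault is or which token to use, so the "inspection and administration work" this section promises needs the README to say how to point the CLI at the service configured by `MF_VAULT_HOST`/`MF_VAULT_PORT` and authenticate with `MF_VAULT_TOKEN`.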
@ -74,7 +74,7 @@ type BootstrapPage struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type CertSerials struct {
|
type CertSerials struct {
|
||||||
Serials []string `json:"serials"`
|
Certs []Cert `json:"certs"`
|
||||||
pageRes
|
pageRes
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
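Review bot: the struct keeps the name `CertSerials` but its payload changes from `Serials []string `json:"serials"`` to `Certs []Cert `json:"certs"``, so the name no longer describes the type, and every SDK consumer decoding the old `serials` field breaks silently (unknown JSON fields are ignored on decode, leaving the slice empty). Suggest renaming the type (e.g. `CertsPage`, in line with the embedded `pageRes`) and mentioning the SDK response-shape change in the commit message, which currently only describes the development-mode removal and the README fix.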