[英]Adding certificate to a rest call
我正在調用 rest api 來獲取一些數據,但我得到了
Post "https://url:8200/v1/login": x509: certificate signed by unknown authority
然後我做了以下修改,嘗試把 crt 加入到請求中:
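// Build an HTTPS client that trusts the server's self-signed / private-CA
// certificate in addition to the system roots, then issue the Vault request.
//
// Reads from the enclosing scope (not shown here): payloadMap (request body
// bytes), httpMethod, url and headerData (the X-Vault-Token value, may be "").
// Leaves client, req, resp and errr in scope for the code that follows.
certPath := "path/certficate.crt"
cert, crtErr := ioutil.ReadFile(certPath)
if crtErr != nil {
	// error: without the CA file the server can never be verified
}

// Start from the platform trust store so public endpoints keep working, and
// fall back to an empty pool when the store is unavailable (Windows before
// Go 1.18, some minimal containers). The fallback must test caCertPool
// itself, not a field on the transport.
caCertPool, crtErr := x509.SystemCertPool()
if crtErr != nil || caCertPool == nil {
	caCertPool = x509.NewCertPool()
}
// AppendCertsFromPEM reports false when nothing was parsed (wrong path, DER
// instead of PEM, a key file instead of a certificate). Ignoring it leaves the
// pool unchanged and the "unknown authority" error unexplained.
if !caCertPool.AppendCertsFromPEM(cert) {
	// error: certPath contained no parsable PEM certificate
}

// Clone the default transport so proxy and timeout settings are kept, and
// set RootCAs on it. Clone() leaves TLSClientConfig nil, so it has to be
// created before its fields are assigned. ClientCAs is a server-side field
// (which client certs a server accepts) and has no effect on a client, so it
// is not set here. The clone is what the client must use; building a second
// bare http.Transport would discard this configuration.
tp := http.DefaultTransport.(*http.Transport).Clone()
if tp.TLSClientConfig == nil {
	tp.TLSClientConfig = &tls.Config{}
}
tp.TLSClientConfig.RootCAs = caCertPool
// Do NOT set InsecureSkipVerify: it disables server authentication entirely,
// so the "fix" it provides is the absence of any check.
client := &http.Client{Transport: tp}

jsonByte := bytes.NewBuffer(payloadMap)
req, err := http.NewRequest(httpMethod, url, jsonByte) // JSON payload, see Content-Type below
if err != nil {
	// error
}
req.Header.Add("Content-Type", "application/json")
if headerData != "" {
	req.Header.Add("X-Vault-Token", headerData)
}
// On a nil errr the caller owns resp and must close resp.Body.
resp, errr := client.Do(req)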
這沒有幫助。我也嘗試在 Dockerfile 中用以下命令生成 crt,但由於這些命令需要交互式運行,同樣不起作用:
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt
需要解決的錯誤是:Post "https://url:8200/v1/login": x509: certificate signed by unknown authority。
#golang #dockerimage #vaultrestapi-integration
您收到的客戶端錯誤(certificate signed by unknown authority)與客戶端不信任服務器有關 - 因此與您的客戶端證書邏輯無關(我將在下面說明):
有兩種方法可以通過tls.Config從客戶端解決服務器身份信任問題:
// the right way: the server's certificate chain must end in one of the CAs
// in this pool, so only the endpoint you provisioned is accepted
&tls.Config{
RootCAs: caCertPool, // define a root trust pool
}
或者:
// the wrong-way: turns off server verification entirely, so the client
// accepts any certificate from anyone on the network path to the server
&tls.Config{
InsecureSkipVerify: true, // DONT USE THIS IN PRODUCTION!
}
應首選前一種方法 - 后者應僅用於測試目的。
請參閱下文,了解如何使用客戶端證書身份驗證進行嘗試。
許多博客都介紹了相互 TLS 身份驗證。從客戶端的角度來看,基本要點是:
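// Client side of mutual TLS: trust the private CA for server verification and
// present the client certificate/key pair when the server requests it.
// Errors are checked instead of discarded: an unreadable ca.crt or key pair
// silently produces the same "unknown authority" / handshake failure.
caCert, err := ioutil.ReadFile("ca.crt") // os.ReadFile from Go 1.16 on
if err != nil {
	panic(err) // replace with the caller's error handling
}
caCertPool := x509.NewCertPool()
// A false result means nothing was parsed: the pool stays empty and every
// handshake keeps failing with "certificate signed by unknown authority".
if !caCertPool.AppendCertsFromPEM(caCert) {
	panic("ca.crt contains no PEM certificate")
}
cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
if err != nil {
	panic(err)
}
client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:      caCertPool,              // CAs the server's chain must end in
			Certificates: []tls.Certificate{cert}, // offered when the server asks for client auth
		},
	},
}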
服務器(如果您對此有控制權)應該執行以下操作:
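// Server side of mutual TLS: only clients whose certificate chains to the
// private CA are allowed to complete the handshake.
caCert, err := ioutil.ReadFile("ca.crt") // os.ReadFile from Go 1.16 on
if err != nil {
	panic(err) // replace with the caller's error handling
}
caCertPool := x509.NewCertPool()
// With RequireAndVerifyClientCert an empty pool rejects every client, so a
// parse failure must be surfaced rather than ignored.
if !caCertPool.AppendCertsFromPEM(caCert) {
	panic("ca.crt contains no PEM certificate")
}
server := &http.Server{
	Addr: ":9443",
	TLSConfig: &tls.Config{
		ClientCAs:  caCertPool,                     // CAs a presented client cert must chain to
		ClientAuth: tls.RequireAndVerifyClientCert, // no cert, or an unverifiable one, ends the handshake
	},
	// ReadTimeout / WriteTimeout are worth setting on any internet-facing server.
}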