diff --git a/certs/generate_server_certificates/generate_server_certificates b/certs/generate_server_certificates/generate_server_certificates
deleted file mode 100755
index 5632d492..00000000
Binary files a/certs/generate_server_certificates/generate_server_certificates and /dev/null differ
diff --git a/netclient/functions/daemon.go b/netclient/functions/daemon.go
index 207ad54e..09cc0be9 100644
--- a/netclient/functions/daemon.go
+++ b/netclient/functions/daemon.go
@@ -2,11 +2,11 @@ package functions
 import (
 	"context"
+	"crypto/ed25519"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/signal"
 	"strings"
@@ -23,6 +23,7 @@ import (
 	"github.com/gravitl/netmaker/netclient/daemon"
 	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/netclient/wireguard"
+	ssl "github.com/gravitl/netmaker/tls"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
@@ -267,21 +268,22 @@ func setupMQTTSub(server string) mqtt.Client {
 // NewTLSConf sets up tls to connect to broker
 func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
-	var ca []byte
-	var err error
-	certpool := x509.NewCertPool()
+	var file string
 	if cfg != nil {
-		ca, err = ioutil.ReadFile("/etc/netclient/" + cfg.Server.Server + "/root.pem")
-		if err != nil {
-			logger.Log(0, "could not read CA file %v\n", err.Error())
-		}
+		server = cfg.Server.Server
+		file = "/etc/netclient/" + cfg.Server.Server + "/root.pem"
 	} else {
-		ca, err = ioutil.ReadFile("/etc/netclient/" + server + "/root.pem")
-		if err != nil {
-			logger.Log(0, "could not read CA file %v\n", err.Error())
-		}
+		file = "/etc/netclient/" + server + "/root.pem"
+	}
+	certpool := x509.NewCertPool()
+	ca, err := os.ReadFile(file)
+	if err != nil {
+		logger.Log(0, "could not read CA file %v\n", err.Error())
+	}
+	ok := certpool.AppendCertsFromPEM(ca)
+	if !ok {
+		logger.Log(0, "failed to append cert")
 	}
-	certpool.AppendCertsFromPEM(ca)
 	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+cfg.Server.Server+"/client.pem", "/etc/netclient/client.key")
 	//if err != nil {
 	//	log.Fatalf("could not read client cert/key %v \n", err)
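Review bot: The `%v\n` in `logger.Log(0, "could not read CA file %v\n", err.Error())` looks like a leftover from a printf-style call; judging by the other `logger.Log` calls in this commit, which pass plain strings as separate arguments, the verbs are printed literally, so `logger.Log(0, "could not read CA file", file, err.Error())` is clearer and also records which path failed. Both failure branches only log and fall through, so a missing or malformed root.pem still produces a tls.Config whose `certpool` is empty; whether that is acceptable depends entirely on the VerifyConnection callback further down the function. NewTLSConfig continues past the end of the hunk.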
@@ -290,9 +292,29 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 		RootCAs: certpool,
 		ClientAuth: tls.NoClientCert,
 		//ClientAuth: tls.VerifyClientCertIfGiven,
-		ClientCAs: nil,
+		ClientCAs: nil,
+		//InsecureSkipVerify: false fails ---- so need to use VerifyConnection
 		InsecureSkipVerify: true,
-		//Certificates: []tls.Certificate{clientKeyPair},
+		VerifyConnection: func(cs tls.ConnectionState) error {
+			if cs.ServerName != server {
+				logger.Log(0, "VerifyConnection - certifiate mismatch")
+				return errors.New("certificate doesn't match server")
+			}
+			ca, err := ssl.ReadCert("/etc/netclient/" + cs.ServerName + "/root.pem")
+			if err != nil {
+				logger.Log(0, "VerifyConnection - unable to read ca", err.Error())
+				return errors.New("unable to read ca")
+			}
+			for _, cert := range cs.PeerCertificates {
+				if cert.IsCA {
+					if string(cert.PublicKey.(ed25519.PublicKey)) != string(ca.PublicKey.(ed25519.PublicKey)) {
+						logger.Log(0, "VerifyConnection - public key mismatch")
+						return errors.New("cert public key does not match ca public key")
+					}
+				}
+			}
+			return nil
+		},
 	}
 }
diff --git a/scripts/nm-quick.sh b/scripts/nm-quick.sh
index 1c98cfcd..02a4102b 100755
--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -50,7 +50,7 @@ elif [ -f /etc/fedora-release ]; then
 	dnf update
 fi
-dependencies=( "docker.io" "docker-compose" "wireguard" "jq" )
+dependencies=( "docker.io" "docker-compose" "wireguard" "jq" "openssl" )
 for dependency in ${dependencies[@]}; do
 	is_installed=$(dpkg-query -W --showformat='${Status}\n' ${dependency} | grep "install ok installed")
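Review bot: The VerifyConnection callback returns nil when no presented certificate has IsCA set, so with `InsecureSkipVerify: true` a server that sends only a leaf certificate is accepted with no check of its chain, hostname or validity period, and the `cs.ServerName != server` comparison does not compensate because on the client side ServerName is the name this client itself sent in SNI, not something the peer proved. The unchecked assertions `cert.PublicKey.(ed25519.PublicKey)` also panic if the peer presents a non-Ed25519 certificate, which a remote party controls. Since `certpool` already holds root.pem and the tls.go hunk in this commit gives issued certificates a DNS SAN, the callback can perform a real chain verification against the pool as below, which also drops the per-handshake `ssl.ReadCert` re-read (and the "certifiate" typo with it). The `tls.Config` literal this field belongs to begins before the hunk.
```go
		// InsecureSkipVerify only disables the default verifier; the chain is checked here instead.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				logger.Log(0, "VerifyConnection - no peer certificate")
				return errors.New("no peer certificate presented")
			}
			opts := x509.VerifyOptions{
				Roots:         certpool,
				DNSName:       server,
				Intermediates: x509.NewCertPool(),
			}
			for _, cert := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(cert)
			}
			if _, err := cs.PeerCertificates[0].Verify(opts); err != nil {
				logger.Log(0, "VerifyConnection - certificate verification failed", err.Error())
				return err
			}
			return nil
		},
```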
@@ -137,10 +137,17 @@ echo "setting mosquitto.conf..."
 wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
-echo "setting certificates for mosquitto"
-wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/certs/generate_server_certificates
-server=$(echo "broker."$NETMAKER_BASE_DOMAIN)
-./generate_server_certificates $server
+echo "creating certificates for mosquitto"
+server=$( echo "broker."$NETMAKER_BASE_DOMAIN)
+mkdir certs
+
+openssl genpkey -algorithm Ed25519 -out certs/root.key
+openssl req -new -key certs/root.key -out certs/root.csr -subj '/CN=CA Root'
+openssl x509 -req -in certs/root.csr -days 365 -signkey certs/root.key -CAcreateserial -out certs/root.pem
+
+openssl genpkey -algorithm Ed25519 -out certs/server.key
+openssl req -new -out certs/server.csr -key certs/server.key -subj $subject
+openssl x509 -req -in certs/server.csr -days 365 -CA certs/root.pem -CAkey certs/root.key -CAcreateserial -out certs/server.pem
 echo "setting docker-compose..."
diff --git a/tls/tls.go b/tls/tls.go
index 6a5f9a09..77389c7b 100644
--- a/tls/tls.go
+++ b/tls/tls.go
@@ -95,9 +95,12 @@ func NewCName(commonName string) pkix.Name {
 // creates a new certificate signing request for a
 func NewCSR(key ed25519.PrivateKey, name pkix.Name) (*x509.CertificateRequest, error) {
+	dnsnames := []string{}
+	dnsnames = append(dnsnames, name.CommonName)
 	derCertRequest, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
 		Subject: name,
 		PublicKey: key.Public(),
+		DNSNames: dnsnames,
 	}, key)
 	if err != nil {
 		return nil, err
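Review bot: `openssl req ... -subj $subject` references a variable this hunk never sets, while the `server` value computed a few lines earlier is never used; unless `subject` is defined elsewhere in the script, the server CSR is created with an empty subject, and the intended value was presumably `/CN=$server`. The server certificate also receives no subjectAltName, which is exactly what makes Go's standard hostname verification fail and appears to be why the daemon.go hunk in this commit falls back to `InsecureSkipVerify: true`. `mkdir certs` additionally fails on a re-run; `mkdir -p certs` is safe.
```sh
server="broker.${NETMAKER_BASE_DOMAIN}"
mkdir -p certs
# … unchanged: root key, CSR and self-signed root.pem …
openssl genpkey -algorithm Ed25519 -out certs/server.key
openssl req -new -out certs/server.csr -key certs/server.key -subj "/CN=${server}"
openssl x509 -req -in certs/server.csr -days 365 -CA certs/root.pem -CAkey certs/root.key -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "${server}") -out certs/server.pem
```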
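Review bot: The two added lines that build `dnsnames` reduce to a literal, `DNSNames: []string{name.CommonName},`, which reads more directly. More importantly, the CSR now unconditionally copies CommonName into the DNS SAN, so a caller passing an empty CommonName produces an empty SAN entry and a non-hostname CommonName produces a SAN that is not a valid DNS name; guarding with `if name.CommonName != "" {` before setting DNSNames, or letting callers supply SANs explicitly, avoids emitting malformed requests. The function comment `// creates a new certificate signing request for a` is also cut off mid-sentence and should say what the CSR is for and that the CommonName is used as the DNS SAN. NewCSR continues past the end of the hunk.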