Merge pull request #13 from foundriesio/fixes

Fix issues found from more complex usage
This commit is contained in:
Andy Doan
2023-12-14 11:47:01 -06:00
committed by GitHub
3 changed files with 21 additions and 14 deletions


@@ -34,27 +34,32 @@ The simple "standalone" server can be built with:
## Using
TLS certificates for the server can be generate by using the helper script
`contrib/mk-tls-keypair.sh`. Your factory's PKI directory was generated
with a `create_ca` script. Once a CA is created, you can upload/authorize
it with:
First you must create a TLS certificate for this server that your factory
devices will trust. This can be generated using the helper script
`contrib/mk-tls-keypair.sh`.
Next you need to create an intermediate "device CA" this service can use to
sign certificates with. There is a Fioctl helper for this:
```bash
fioctl keys ca show --just-device-cas > /tmp/cas.pem
cat <new-ca.pem> >> /tmp/cas.pem
fioctl keys ca update /tmp/cas.pem
fioctl keys ca add-device-ca <path to your PKI dir> --local-ca --local-ca-filename est-ca.pem
```
Finally, the this server needs a list of intermediate CAs to trust. This can
be obtained with:
```bash
fioctl keys ca show --just-device-cas > client-cas.pem
```
Then run the server with:
Now the server can be run with:
```bash
$ ./bin/estserver \
-root-cert <pkidir>/factory_ca.pem \
-tls-cert <pkidir>/local-tls.pem \
-tls-key <pkidir>/local-tls.key \
-ca-cert <pkidir>/local-ca.pem \
-ca-key <pkidir>/local-ca.key \
-tls-cert <pkidir>/local-tls.pem # cert from mk-tls-keypair above \
-tls-key <pkidir>/local-tls.key # key from mk-tls-keypair above \
-ca-cert <pkidir>/est-ca.pem # cert from fioctl keys ca add-device-ca \
-ca-key <pkidir>/est-ca.key # key from fioctl keys ca add-device-ca \
-client-cas client-cas.pem
```


@@ -72,7 +72,9 @@ func main() {
pemBytes, err := os.ReadFile(*clientCas)
if err != nil {
log.Fatal().Err(err).Msg("Unable to load client CAs")
caPool.AppendCertsFromPEM(pemBytes)
}
if ok := caPool.AppendCertsFromPEM(pemBytes); !ok {
log.Fatal().Msg("Unable to load client CAs")
}
}
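Review bot: The new `AppendCertsFromPEM` check reuses the exact fatal message of the `os.ReadFile` branch above it, so an operator cannot tell a missing or unreadable file from a file that parsed but yielded no certificates. Since `AppendCertsFromPEM` reports false only when zero certificates were parsed and silently skips any PEM block it cannot decode, a partially corrupt client-CAs file would start the server with some CAs missing and no log line explaining later handshake rejections; the message should at least say which failure it is and name the file, e.g. `log.Fatal().Str("file", *clientCas).Msg("No valid CA certificates found in client CAs file")`. The enclosing `main` continues outside the hunk, so whether the pool is later required to be non-empty cannot be checked here.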


@@ -46,7 +46,7 @@ func RegisterEchoHandlers(svcHandler ServiceHandler, e *echo.Echo) {
return c.String(http.StatusInternalServerError, err.Error())
}
bytes, err := validateRequest(svc, c)
if err != nil {
if bytes == nil { // validateRequest failed and sent the response
return err
}
peerCerts := c.Request().TLS.PeerCertificates
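Review bot: The replacement guard `if bytes == nil` treats a nil body as the only failure signal and drops `err` whenever a body is present, so a call that returns both a body and a non-nil error now falls through to the TLS-client handling instead of being reported. If the intent is that validateRequest has already written the response (and may therefore return a nil error) when it returns a nil body, that contract belongs in a doc comment on validateRequest, which is outside this hunk; the guard itself would be safer as `if err != nil || bytes == nil { return err }`. The local name `bytes` also shadows the standard `bytes` package if the file imports it, which is easy to misread; `body` would be clearer. The handler closure and RegisterEchoHandlers both start before and end after the hunk.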