Merge pull request #152 from sebadob/bump-redhac-0.9.0

bump `redhac` to 0.9.0
sebadob · Nov 7, 2023 · 8d0a012 · 8d0a012
2 parents a14beda + be2e2cb
commit 8d0a012
Show file tree

Hide file tree

Showing 11 changed files with 71 additions and 60 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -52,7 +52,7 @@ num_cpus = "1"
 openssl-sys = { version = "0.9", features = ["vendored"] }
 rand = "0.8"
 rand_core = { version = "0.6", features = ["std"] }
-redhac = "0.8.0"
+redhac = "0.9.0"
 regex = "1"
 reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls"] }
 ring = "0.17"

diff --git a/justfile b/justfile
@@ -36,7 +36,7 @@ create-end-entity-tls:
     docker run --rm -it -v ./tls/ca:/ca -u $(id -u ${USER}):$(id -g ${USER}) \
           ghcr.io/sebadob/nioca \
           x509 \
-          --cn 'Rauthy Default' \
+          --cn 'localhost' \
           --alt-name-dns 'localhost' \
           --alt-name-dns 'redhac.local' \
           --alt-name-dns 'rauthy.local' \

diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -533,38 +533,39 @@ PROXY_MODE=false
 # Enable / disable TLS for the cache communication
 # (default: true)
 CACHE_TLS=true
+
 # The path to the server TLS certificate PEM file
-# (default: tls/redhac.local.cert.pem)
-CACHE_TLS_SERVER_CERT=tls/redhac.local.cert.pem
+# default: tls/redhac.cert-chain.pem
+CACHE_TLS_SERVER_CERT=tls/cert-chain.pem
 # The path to the server TLS key PEM file
-# (default: tls/redhac.local.key.pem)
-CACHE_TLS_SERVER_KEY=tls/redhac.local.key.pem
-# If not empty, the PEM file from the specified location
-# will be added as the CA certificate chain for validating
-# the servers TLS certificate (default: tls/ca-chain.cert.pem)
-CACHE_TLS_CA_SERVER=tls/ca-chain.cert.pem
-
-# The path to the client mTLS certificate PEM file
-# (default: tls/redhac.local.cert.pem)
-CACHE_TLS_CLIENT_CERT=tls/redhac.local.cert.pem
-# The path to the client mTLS key PEM file
-# (default: tls/redhac.local.key.pem)
-CACHE_TLS_CLIENT_KEY=tls/redhac.local.key.pem
+# default: tls/redhac.key.pem
+CACHE_TLS_SERVER_KEY=tls/key.pem
+
+# The path to the client mTLS certificate PEM file. This is optional.
+#CACHE_TLS_CLIENT_CERT=tls/cert-chain.pem
+# The path to the client mTLS key PEM file. This is optional.
+#CACHE_TLS_CLIENT_KEY=tls/key.pem
+
+# If not empty, the PEM file from the specified location will be
+# added as the CA certificate chain for validating
+# the servers TLS certificate. This is optional.
+#CACHE_TLS_CA_SERVER=tls/ca-chain.pem
 # If not empty, the PEM file from the specified location will
 # be added as the CA certificate chain for validating
-# the clients mTLS certificate (default: tls/ca-chain.cert.pem)
-CACHE_TLS_CA_CLIENT=tls/ca-chain.cert.pem
+# the clients mTLS certificate. This is optional.
+#CACHE_TLS_CA_CLIENT=tls/ca-chain.pem
 
 # The domain / CN the client should validate the certificate
 # against. This domain MUST be inside the
-# 'X509v3 Subject Alternative Name' when you take a look at the
-# servers certificate with the openssl tool.
+# 'X509v3 Subject Alternative Name' when you take a look at
+# the servers certificate with the openssl tool.
 # default: redhac.local
 CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
 
-# Can be used, if you need to overwrite the SNI when the client
-# connects to the server, for instance if you are behind
-# a loadbalancer which combines multiple certificates. (default: "")
+# Can be used if you need to overwrite the SNI when the
+# client connects to the server, for instance if you are
+# behind a loadbalancer which combines multiple certificates.
+# default: ""
 #CACHE_TLS_SNI_OVERWRITE=
 
 #####################################

diff --git a/rauthy.cfg b/rauthy.cfg
@@ -492,29 +492,39 @@ TLS_KEY=tls/key.pem
 
 # Enable / disable TLS for the cache communication (default: true)
 CACHE_TLS=true
-# The path to the server TLS certificate PEM file (default: tls/redhac.local.cert.pem)
+
+# The path to the server TLS certificate PEM file
+# default: tls/redhac.cert-chain.pem
 CACHE_TLS_SERVER_CERT=tls/cert-chain.pem
-# The path to the server TLS key PEM file (default: tls/redhac.local.key.pem)
+# The path to the server TLS key PEM file
+# default: tls/redhac.key.pem
 CACHE_TLS_SERVER_KEY=tls/key.pem
-# If not empty, the PEM file from the specified location will be added as the CA certificate chain for validating
-# the servers TLS certificate (default: tls/ca-chain.cert.pem)
-CACHE_TLS_CA_SERVER=tls/ca-chain.pem
 
-# The path to the client mTLS certificate PEM file (default: tls/redhac.local.cert.pem)
+# The path to the client mTLS certificate PEM file. This is optional.
 CACHE_TLS_CLIENT_CERT=tls/cert-chain.pem
-# The path to the client mTLS key PEM file (default: tls/redhac.local.key.pem)
+# The path to the client mTLS key PEM file. This is optional.
 CACHE_TLS_CLIENT_KEY=tls/key.pem
-# If not empty, the PEM file from the specified location will be added as the CA certificate chain for validating
-# the clients mTLS certificate (default: tls/ca-chain.cert.pem)
+
+# If not empty, the PEM file from the specified location will be
+# added as the CA certificate chain for validating
+# the servers TLS certificate. This is optional.
+CACHE_TLS_CA_SERVER=tls/ca-chain.pem
+# If not empty, the PEM file from the specified location will
+# be added as the CA certificate chain for validating
+# the clients mTLS certificate. This is optional.
 CACHE_TLS_CA_CLIENT=tls/ca-chain.pem
 
-# The domain / CN the client should validate the certificate against. This domain MUST be inside the
-# 'X509v3 Subject Alternative Name' when you take a look at the servers certificate with the openssl tool.
+# The domain / CN the client should validate the certificate
+# against. This domain MUST be inside the
+# 'X509v3 Subject Alternative Name' when you take a look at
+# the servers certificate with the openssl tool.
 # default: redhac.local
 CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
 
-# Can be used, if you need to overwrite the SNI when the client connects to the server, for instance if you are behind
-# a loadbalancer which combines multiple certificates. (default: "")
+# Can be used if you need to overwrite the SNI when the
+# client connects to the server, for instance if you are
+# behind a loadbalancer which combines multiple certificates.
+# default: ""
 #CACHE_TLS_SNI_OVERWRITE=
 
 #####################################

diff --git a/start_ha_1.sh b/start_ha_1.sh
@@ -2,6 +2,6 @@
 
 DATABASE_URL="postgresql://rauthy:123SuperSafe@localhost:5432/rauthy" \
 HA_MODE=true \
-HA_HOSTS="http://127.0.0.1:8001,http://127.0.0.1:8002,http://127.0.0.1:8003" \
+HA_HOSTS="https://127.0.0.1:8001,https://127.0.0.1:8002,https://127.0.0.1:8003" \
 HOSTNAME_OVERWRITE="127.0.0.1:8001" \
 cargo run $1
diff --git a/start_ha_2.sh b/start_ha_2.sh
@@ -2,7 +2,7 @@
 
 DATABASE_URL="postgresql://rauthy:123SuperSafe@localhost:5432/rauthy" \
 HA_MODE=true \
-HA_HOSTS="http://127.0.0.1:8001,http://127.0.0.1:8002,http://127.0.0.1:8003" \
+HA_HOSTS="https://127.0.0.1:8001,https://127.0.0.1:8002,https://127.0.0.1:8003" \
 HOSTNAME_OVERWRITE="127.0.0.1:8002" \
 LISTEN_ADDRESS=0.0.0.0 \
 LISTEN_PORT_HTTP=8090 \

diff --git a/start_ha_3.sh b/start_ha_3.sh
@@ -2,7 +2,7 @@
 
 DATABASE_URL="postgresql://rauthy:123SuperSafe@localhost:5432/rauthy" \
 HA_MODE=true \
-HA_HOSTS="http://127.0.0.1:8001,http://127.0.0.1:8002,http://127.0.0.1:8003" \
+HA_HOSTS="https://127.0.0.1:8001,https://127.0.0.1:8002,https://127.0.0.1:8003" \
 HOSTNAME_OVERWRITE="127.0.0.1:8003" \
 LISTEN_ADDRESS=0.0.0.0 \
 LISTEN_PORT_HTTP=8091 \

diff --git a/tls/ca/x509/end_entity/serial b/tls/ca/x509/end_entity/serial
@@ -1 +1 @@
-1
+3
diff --git a/tls/cert-chain.pem b/tls/cert-chain.pem
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICTzCCAdWgAwIBAgIBATAKBggqhkjOPQQDAzAoMSYwJAYDVQQDDB1SYXV0aHkg
-RGV2IElUIENBIEludGVybWVkaWF0ZTAeFw0yMzExMDYxMTQ3NDVaFw0yNDExMTUx
-MTU3NDVaMC8xFzAVBgNVBAMMDlJhdXRoeSBEZWZhdWx0MRQwEgYDVQQKDAtSYXV0
-aHkgT0lEQzB2MBAGByqGSM49AgEGBSuBBAAiA2IABA6xzxkUgr/htW0d2+MFu4QN
-GCJTKL5WiEZqVp2TuYh9ejfi2BHVHquUmeO7T0QfDqLXpMg5mSKV5fQWTTMNQLQ7
-CxscuDK4cubGXlgIFuiN93sknBdUKUV8TLhdOt4ImaOByzCByDAfBgNVHSMEGDAW
-gBQDL70Ay75oPlc+KMxO3sBQ8hVJ6DBWBgNVHREETzBNhwR/AAABhg5sb2NhbGhv
-c3Q6ODA4MIYObG9jYWxob3N0Ojg0NDOCCWxvY2FsaG9zdIIMcmVkaGFjLmxvY2Fs
-ggxyYXV0aHkubG9jYWwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0G
-A1UdDgQWBBSpXmH16DpJBXVzGUT/TsqbT84szTAPBgNVHRMBAf8EBTADAQEAMAoG
-CCqGSM49BAMDA2gAMGUCMQDb799dyGscC2JaFKSopHEZIN01iloJeMrw2th0Mw/Y
-3x9PRNMamKtM2XXi0fyV04wCMFnR5KSFoM/L6CBz58q18uIreTTrcD3ODHpbWUY4
-A93hl6e8O56cuV//gcUmrTEgJA==
+MIICSTCCAdCgAwIBAgIBAzAKBggqhkjOPQQDAzAoMSYwJAYDVQQDDB1SYXV0aHkg
+RGV2IElUIENBIEludGVybWVkaWF0ZTAeFw0yMzExMDYxMjUzNThaFw0yNDExMTUx
+MzAzNThaMCoxEjAQBgNVBAMMCWxvY2FsaG9zdDEUMBIGA1UECgwLUmF1dGh5IE9J
+REMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARBFL2Jg39rv8XHv/UNoQpwv27sJSzw
+xYx06RdwXw46v4VgTM69Xr7Dd8mQjqgOuA7/kkuXOCpj70iHrODagLLjEK+SBMtP
+5DrGp+3d4ukLi/DvOJ0n8Q2oEikU/9zNMN2jgcswgcgwHwYDVR0jBBgwFoAUAy+9
+AMu+aD5XPijMTt7AUPIVSegwVgYDVR0RBE8wTYcEfwAAAYYObG9jYWxob3N0Ojgw
+ODCGDmxvY2FsaG9zdDo4NDQzgglsb2NhbGhvc3SCDHJlZGhhYy5sb2NhbIIMcmF1
+dGh5LmxvY2FsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4E
+FgQUTlzOvTakjG+mSusf61Fh+sEQHxMwDwYDVR0TAQH/BAUwAwEBADAKBggqhkjO
+PQQDAwNnADBkAjAZKEsf7lwrE7igHzqiVYjUtW74w4kVOYoYqcEwkfCtUgX5vMD6
+Mhd8fQBxXFXE+IICMFFFFPDWHXZKqm7mwSSRlVqUKYTjWANIs4mRby/zJfUMpODX
+AqI/qRQJWUPWX0jPLg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB6jCCAXCgAwIBAgIUAy+9AMu+aD5XPijMTt7AUPIVSegwCgYIKoZIzj0EAwMw

diff --git a/tls/key.pem b/tls/key.pem
@@ -1,6 +1,6 @@
 -----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBl5GKYoO+p0trjEUBU
-3hfqhSx3TUfvJpAa+YzQoyoLFzdHY0OkT72Rjss1l1JVgfqhZANiAAQOsc8ZFIK/
-4bVtHdvjBbuEDRgiUyi+VohGaladk7mIfXo34tgR1R6rlJnju09EHw6i16TIOZki
-leX0Fk0zDUC0OwsbHLgyuHLmxl5YCBbojfd7JJwXVClFfEy4XTreCJk=
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC8YrEkYg9EUVJVJ5jC
+u7vvGM6NtFOt5DeOVtUGIXQLvWR3gza5bBnM9F7Zr87fHBqhZANiAARBFL2Jg39r
+v8XHv/UNoQpwv27sJSzwxYx06RdwXw46v4VgTM69Xr7Dd8mQjqgOuA7/kkuXOCpj
+70iHrODagLLjEK+SBMtP5DrGp+3d4ukLi/DvOJ0n8Q2oEikU/9zNMN0=
 -----END PRIVATE KEY-----