program to generate initial server certs/key

certs/generate_server_certificates/generate_server_certificates.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/gravitl/netmaker/tls"
+)
+
+// generate root ca/key and server certificate/key for use with mq
+func main() {
+	if len(os.Args) < 2 {
+		fmt.Printf("usage %s: server-name(fqdn) or IP address\n", os.Args[0])
+		os.Exit(1)
+	}
+	server := os.Args[1]
+
+	caName := tls.NewName("CA Root", "US", "Gravitl")
+	serverName := tls.NewCName(server)
+	_, sk, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		log.Fatal("generate server key ", err)
+	}
+	_, key, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		log.Fatal("generate root key ", err)
+	}
+	csr, err := tls.NewCSR(key, caName)
+	if err != nil {
+		log.Fatal("generate root request ", err)
+	}
+	serverCSR, err := tls.NewCSR(sk, serverName)
+	if err != nil {
+		log.Fatal("generate server request ", err)
+	}
+	rootCA, err := tls.SelfSignedCA(key, csr, 365)
+	if err != nil {
+		log.Fatal("generate root ca ", err)
+	}
+	serverCert, err := tls.NewEndEntityCert(key, serverCSR, rootCA, 365)
+	if err != nil {
+		log.Fatal("generate server certificate", err)
+	}
+	err = tls.SaveCert("./certs/", "server.pem", serverCert)
+	if err != nil {
+		log.Fatal("save server certificate", err)
+	}
+	err = tls.SaveCert("./certs/", "root.pem", rootCA)
+	if err != nil {
+		log.Fatal("save root ca ", err)
+	}
+	err = tls.SaveKey("./certs/", "root.key", sk)
+	if err != nil {
+		log.Fatal("save root key ", err)
+	}
+	err = tls.SaveKey("./certs/", "server.key", sk)
+	if err != nil {
+		log.Fatal("save server key", err)
+	}
+
+}

compose/docker-compose.contained.yml

@@ -36,7 +36,7 @@ services:
       MQ_HOST: "mq"
       HOST_NETWORK: "off"
       MANAGE_IPTABLES: "on"
-      PORT_FORWARD_SERVICES: "mq"
+      PORT_FORWARD_SERVICES: ""
       VERBOSITY: "1"
     ports:
       - "51821-51830:51821-51830/udp"
@@ -74,13 +74,15 @@ services:
       - caddy_data:/data
       - caddy_conf:/config
   mq:
-    image: eclipse-mosquitto:2.0.14
+    image: eclipse-mosquitto:2.0.11-openssl
     container_name: mq
     restart: unless-stopped
     ports:
       - "1883:1883"
+      - "8883:8883"
     volumes:
       - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf
+      - /root/certs:/mosquitto/certs/
       - mosquitto_data:/mosquitto/data
       - mosquitto_logs:/mosquitto/log
 volumes:

docker/mosquitto.conf

@@ -1,4 +1,13 @@
-persistence true
 per_listener_settings true
-listener 1883
+
+listener 1883 localhost
 allow_anonymous true
+
+listener 8883
+allow_anonymous false
+require_certificate true
+use_identity_as_username true
+
+cafile /mosquitto/certs/root.pem
+certfile /mosquitto/certs/broker.pem
+keyfile /mosquitto/certs/broker.key

netclient/functions/daemon.go

@@ -2,8 +2,11 @@ package functions
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"os/signal"
 	"strings"
@@ -176,7 +179,8 @@ func messageQueue(ctx context.Context, server string) {
 // utilizes comms client configs to setup connections
 func setupMQTTSub(server string) mqtt.Client {
 	opts := mqtt.NewClientOptions()
-	opts.AddBroker(server + ":1883")             // TODO get the appropriate port of the comms mq server
+	opts.AddBroker("ssl://" + server + ":8883") // TODO get the appropriate port of the comms mq server
+	opts.TLSConfig = NewTLSConfig(nil, server)
 	opts.ClientID = ncutils.MakeRandomString(23) // helps avoid id duplication on broker
 	opts.SetDefaultPublishHandler(All)
 	opts.SetAutoReconnect(true)
@@ -261,12 +265,44 @@ func setupMQTTSub(server string) mqtt.Client {
 	return client
 }
 
+// NewTLSConf sets up tls to connect to broker
+func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
+	var ca []byte
+	var err error
+	certpool := x509.NewCertPool()
+	if cfg != nil {
+		ca, err = ioutil.ReadFile("/etc/netclient/" + cfg.Server.Server + "/root.pem")
+		if err != nil {
+			logger.Log(0, "could not read CA file %v\n", err.Error())
+		}
+	} else {
+		ca, err = ioutil.ReadFile("/etc/netclient/" + server + "/root.pem")
+		if err != nil {
+			logger.Log(0, "could not read CA file %v\n", err.Error())
+		}
+	}
+	certpool.AppendCertsFromPEM(ca)
+	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+cfg.Server.Server+"/client.pem", "/etc/netclient/client.key")
+	//if err != nil {
+	//	log.Fatalf("could not read client cert/key %v \n", err)
+	//}
+	return &tls.Config{
+		RootCAs:    certpool,
+		ClientAuth: tls.NoClientCert,
+		//ClientAuth:         tls.VerifyClientCertIfGiven,
+		ClientCAs:          nil,
+		InsecureSkipVerify: true,
+		//Certificates:       []tls.Certificate{clientKeyPair},
+	}
+}
+
 // setupMQTT creates a connection to broker and return client
 // utilizes comms client configs to setup connections
 func setupMQTT(cfg *config.ClientConfig, publish bool) mqtt.Client {
 	opts := mqtt.NewClientOptions()
 	server := cfg.Server.Server
-	opts.AddBroker(server + ":1883")             // TODO get the appropriate port of the comms mq server
+	opts.AddBroker("ssl://" + server + ":8883") // TODO get the appropriate port of the comms mq server
+	opts.TLSConfig = NewTLSConfig(cfg, "")
 	opts.ClientID = ncutils.MakeRandomString(23) // helps avoid id duplication on broker
 	opts.SetDefaultPublishHandler(All)
 	opts.SetAutoReconnect(true)

scripts/nm-quick.sh

@@ -137,6 +137,11 @@ echo "setting mosquitto.conf..."
 
 wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
 
+echo "setting certificates for mosquitto"
+wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/certs/generate_server_certificates
+server=$(echo "broker."$NETMAKER_BASE_DOMAIN)
+./generate_server_certificates $server
+
 echo "setting docker-compose..."
 
 wget -q -O /root/docker-compose.yml https://raw.githubusercontent.com/gravitl/netmaker/master/compose/docker-compose.contained.yml