💬
Life is always like that.
💻
Recently, when I was looking at gRPC TLS authentication, I found that generating certificates for Go 1.16 is much more troublesome than before: Go no longer accepts a server certificate whose host name appears only in the Common Name (the client fails with "x509: certificate relies on legacy Common Name field, use SANs instead"), so the certificate must carry a Subject Alternative Name (SAN) extension. The generation steps are as follows.
```shell
# Generate the CA private key
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls
$ openssl genrsa -out ca.key 2048
```
Generate the self-signed CA certificate (ca.pem). This is the root the client will be told to trust, so everything the server presents has to chain to it:

```shell
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ronething
Organizational Unit Name (eg, section) []:ronething
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
```
Use OpenSSL to generate the CA-signed server certificate with a SAN
```shell
# Ubuntu 16.04 -> /etc/ssl/openssl.cnf needs a few changes (copy it to ./openssl.cnf and edit the copy)
# 1. under [ CA_default ], uncomment "copy_extensions = copy"
#    (this only affects `openssl ca`; the `openssl x509 -req` step below reads v3_req directly via -extfile/-extensions)
# 2. under [ req ], uncomment "req_extensions = v3_req"   # the extensions to add to a certificate request
# 3. under [ v3_req ], add "subjectAltName = @alt_names"
# 4. add a new [ alt_names ] section listing every name the server will be reached by
[ alt_names ]
DNS.1 = localhost
DNS.2 = *.ronething.cn
DNS.3 = *.ronething.com

# Generate the server key and a SAN certificate signed by the CA.
# Older OpenSSL (1.0.2/1.1.0, as shipped on Ubuntu 16.04) defaults genpkey RSA keys to 1024 bits,
# so request 2048 explicitly. (-days belongs only on the signing step; on `req -new` it is ignored.)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
openssl req -new -nodes -key server.key -out server.csr -subj "/C=CN/O=ronething/OU=ronething/CN=localhost" -config ./openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in server.csr -out server.pem -CA ca.pem -CAkey ca.key -CAcreateserial -extfile ./openssl.cnf -extensions v3_req
```

Before starting the server, confirm the SAN actually made it into server.pem: `openssl x509 -in server.pem -noout -text` should show an "X509v3 Subject Alternative Name" section listing the three DNS names. If that section is missing, the -extfile/-extensions pair on the signing step was not applied and Go will reject the certificate exactly as before.
```shell
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/tls (master ●)
$ ll
total 40K
-rw-rw-r-- 1 ronething ronething 1.7K Apr  8 00:30 ca.key
-rw-rw-r-- 1 ronething ronething 1.3K Apr  8 00:52 ca.pem
-rw-r--r-- 1 ronething ronething 1.3K Apr  8 00:58 ca.srl
-rw-r--r-- 1 ronething ronething  11K Apr  8 00:50 openssl.cnf
-rw-rw-r-- 1 ronething ronething  156 Apr  8 01:09 README.md
-rw-rw-r-- 1 ronething ronething  741 Apr  8 00:55 server.csr
-rw-rw-r-- 1 ronething ronething  916 Apr  8 00:51 server.key
-rw-rw-r-- 1 ronething ronething 1.1K Apr  8 00:58 server.pem
```
```shell
# start the server
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/server (master ●)
$ export GRPC_GO_LOG_SEVERITY_LEVEL=INFO
$ ./server
INFO: 2021/04/08 01:58:54 Listen on 127.0.0.1:50052 with TLS
```

```shell
# start the client
ronething at ronething-dell-ubuntu in ~/Documents/grpc-sample/cmd/client (master ●)
$ export GRPC_GO_LOG_SEVERITY_LEVEL=INFO
$ ./client
INFO: 2021/04/08 01:59:25 [core] parsed scheme: ""
INFO: 2021/04/08 01:59:25 [core] scheme "" not registered, fallback to default scheme
INFO: 2021/04/08 01:59:25 [core] ccResolverWrapper: sending update to cc: {[{127.0.0.1:50052 <nil> 0 <nil>}] <nil> <nil>}
INFO: 2021/04/08 01:59:25 [core] ClientConn switching balancer to "pick_first"
INFO: 2021/04/08 01:59:25 [core] Channel switches to new LB policy "pick_first"
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to CONNECTING
INFO: 2021/04/08 01:59:25 [core] blockingPicker: the picked transport is not ready, loop back to repick
INFO: 2021/04/08 01:59:25 [core] Subchannel picks a new address "127.0.0.1:50052" to connect
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to CONNECTING
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to READY
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to READY
INFO: 2021/04/08 01:59:25 Hello gRPC.
INFO: 2021/04/08 01:59:25 [core] Channel Connectivity change to SHUTDOWN
INFO: 2021/04/08 01:59:25 [core] Subchannel Connectivity change to SHUTDOWN
```
By default grpclog only prints at ERROR severity, which is why nothing from [core] shows up until GRPC_GO_LOG_SEVERITY_LEVEL=INFO is exported as above. See grpc-auth-sample for the related code.
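To see concretely why the SAN matters, here is an added example (my own code, not from the post or from grpc-auth-sample) that builds a throwaway CA and two server certificates in memory, one with a subjectAltName of localhost and *.ronething.cn as in the openssl.cnf above and one with only CN=localhost, and then runs the same chain-and-hostname check that crypto/tls performs on the server certificate during a one-way TLS handshake. The check is driven by the client's tls.Config (RootCAs and ServerName), which is the config a gRPC client passes to credentials.NewTLS. It also shows what the wildcard does and does not cover. The CA name "example-ca" and ECDSA P-256 keys are assumptions of the example; since Go 1.15 the Common Name is no longer used for host matching, so the CN-only case fails with an x509.HostnameError.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key and signs tmpl with parent/parentKey.
// Passing parent == tmpl and parentKey == nil yields a self-signed certificate.
// ECDSA is used only to keep key generation fast; RSA behaves identically here.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is the in-memory equivalent of ca.key/ca.pem ("example-ca" is a hypothetical name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, nil)
}

// issueServerCert signs a server cert with CN=localhost. The subjectAltName extension
// is emitted only when dnsNames is non-empty, so nil reproduces the old CN-only cert.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames,
	}
	leaf, _, err := mint(tmpl, ca, caKey)
	return leaf, err
}

// clientTLSConfig is the one-way-auth client config you would hand to credentials.NewTLS:
// trust only our CA and state which name the server must present.
func clientTLSConfig(ca *x509.Certificate, serverName string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// verifyAsClient runs the chain + hostname verification crypto/tls applies to the server
// certificate during the handshake. nil means the gRPC client would accept the server.
func verifyAsClient(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// Demo returns the verdict for each scenario, keyed by "<cert kind>/<ServerName>".
func Demo() (map[string]error, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return nil, err
	}
	sanLeaf, err := issueServerCert(ca, caKey, []string{"localhost", "*.ronething.cn"})
	if err != nil {
		return nil, err
	}
	cnOnlyLeaf, err := issueServerCert(ca, caKey, nil)
	if err != nil {
		return nil, err
	}
	cases := map[string]struct {
		host string
		leaf *x509.Certificate
	}{
		"san/localhost":        {"localhost", sanLeaf},
		"san/api.ronething.cn": {"api.ronething.cn", sanLeaf}, // wildcard covers exactly one label
		"san/ronething.cn":     {"ronething.cn", sanLeaf},     // not the bare domain
		"san/a.b.ronething.cn": {"a.b.ronething.cn", sanLeaf}, // not two labels
		"cn-only/localhost":    {"localhost", cnOnlyLeaf},     // CN alone is ignored since Go 1.15
	}
	out := make(map[string]error, len(cases))
	for name, c := range cases {
		out[name] = verifyAsClient(clientTLSConfig(ca, c.host), c.leaf)
	}
	return out, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

The two accepted cases are san/localhost and san/api.ronething.cn; the other three fail with an x509.HostnameError, and that is the same error the gRPC client surfaces as a transport handshake failure. Note that the client's ServerName is what gets matched: if the client dials 127.0.0.1 without setting ServerName (or the gRPC authority override), the IP is matched against the certificate, and a DNS-only SAN list will not cover it.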
PS: this is only one-way authentication (the client verifies the server; the server accepts any client). There is no two-way (mutual TLS) authentication yet; next time I will write up two-way authentication and custom per-RPC-method authentication.
🌞
Well, the advice is to go to bed early.
Written in the early morning of 2021-04-08