TLS termination using your own certificates
The goal of this tutorial is to expose a service over HTTPS using a certificate generated with openssl.
If you already have an up and running Otoroshi instance, you can skip the following instructions.
Let’s start by downloading the latest Otoroshi.
curl -L -o otoroshi.jar 'https://github.com/MAIF/otoroshi/releases/download/v16.20.0-dev/otoroshi.jar'
then you can start Otoroshi:
java -Dotoroshi.adminPassword=password -jar otoroshi.jar
Now you can log into Otoroshi at http://otoroshi.oto.tools:8080 with admin@otoroshi.io/password
Create a new route, exposed on http://myservice.oto.tools:8080, which will forward all requests to the mirror https://request.otoroshi.io. Each call to this service will return the body and the headers received by the mirror.
curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
  -H "Content-type: application/json" \
  -u admin-api-apikey-id:admin-api-apikey-secret \
  -d @- <<'EOF'
{
  "name": "my-service",
  "frontend": {
    "domains": ["myservice.oto.tools"]
  },
  "backend": {
    "targets": [
      {
        "hostname": "request.otoroshi.io",
        "port": 443,
        "tls": true
      }
    ]
  }
}
EOF
Try to call the service.
curl 'http://myservice.oto.tools:8080'
This should output something like
{
  "method": "GET",
  "path": "/",
  "headers": {
    "host": "mirror.opunmaif.io",
    "accept": "*/*",
    "user-agent": "curl/7.64.1",
    "x-forwarded-port": "443",
    "opun-proxied-host": "request.otoroshi.io",
    "otoroshi-request-id": "1463145856319359618",
    "otoroshi-proxied-host": "myservice.oto.tools:8080",
    "opun-gateway-request-id": "1463145856554240100",
    "x-forwarded-proto": "https"
  },
  "body": ""
}
Let’s try to call the service over HTTPS.
curl 'https://myservice.oto.tools:8443'
This should output
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to myservice.oto.tools:8443
To fix it, we have to generate a certificate matching the domain myservice.oto.tools and import it into Otoroshi.
If you already have a certificate, you can skip the next set of commands and directly import your certificate into Otoroshi.
We will use openssl to generate a private key and a self-signed certificate.
openssl genrsa -out myservice.key 4096
# remove pass phrase
openssl rsa -in myservice.key -out myservice.key
# generate a self-signed certificate for the domain (the key above signs its own certificate)
openssl req -new -x509 -sha256 -days 730 -key myservice.key -out myservice.cer -subj "/CN=myservice.oto.tools"
Check the content of the certificate
openssl x509 -in myservice.cer -text
This should contain something like
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 9572962808320067790 (0x84d9fef455f188ce)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=myservice.oto.tools
        Validity
            Not Before: Nov 23 14:25:55 2021 GMT
            Not After : Nov 23 14:25:55 2022 GMT
        Subject: CN=myservice.oto.tools
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                ...
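The commands above put the domain only in the CN; recent curl releases and browsers match the host against the subjectAltName and ignore the CN. As an added example (not part of the Otoroshi tutorial), the script below generates the same kind of key and self-signed certificate with a SAN, then runs the two checks a TLS client makes before trusting the server: chain validation against a trust anchor and hostname matching. WORKDIR, DOMAIN and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Otoroshi tutorial. Generates a key and a
# self-signed certificate like the commands above, but with a subjectAltName,
# then checks it the way a TLS client does. WORKDIR and DOMAIN are assumptions.
set -eu

DOMAIN="${1:-myservice.oto.tools}"
WORKDIR="${TMPDIR:-/tmp}/otoroshi-tls-demo"

# Generate a 4096-bit RSA key (no passphrase) and a self-signed certificate
# for $1; modern clients ignore the CN and match the host against the SAN.
gen_self_signed() {
    domain="$1"
    mkdir -p "$WORKDIR"
    openssl genrsa -out "$WORKDIR/$domain.key" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 730 \
        -key "$WORKDIR/$domain.key" -out "$WORKDIR/$domain.cer" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null
}

# Return 0 only when the certificate chains to the given trust anchor (here
# itself, as with curl --cacert) AND names the host; non-zero otherwise.
verify_cert_for_host() {
    cert="$1"; host="$2"
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'
}

# Demo run: the certificate must be valid for DOMAIN and for nothing else.
gen_self_signed "$DOMAIN"
verify_cert_for_host "$WORKDIR/$DOMAIN.cer" "$DOMAIN" \
    && echo "trusted for $DOMAIN"
verify_cert_for_host "$WORKDIR/$DOMAIN.cer" "other.example" \
    || echo "rejected for other.example (hostname mismatch)"
```

A certificate that passes both checks here can be imported into Otoroshi as in the next step, and curl will accept it once the same file is given as its CA.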
Once generated, go back to Otoroshi and navigate to the certificates management page (top right cog icon / SSL/TLS certificates, or at /bo/dashboard/certificates) and click on Add item.
Set myservice-certificate as name and description.
Drop the myservice.cer file or copy its content into the Certificate full chain field.
Do the same for the myservice.key file in the Certificate private key field.
Set your passphrase in the Private key password field if you added one.
Let’s try the same call to the service.
curl 'https://myservice.oto.tools:8443'
An error should occur because curl does not trust the server certificate it received (it is self-signed, so it chains to no CA in curl's store):
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
End this tutorial by trusting the server certificate, passing it to curl as the CA file:
curl 'https://myservice.oto.tools:8443' --cacert myservice.cer
This should finally output
{
  "method": "GET",
  "path": "/",
  "headers": {
    "host": "mirror.opunmaif.io",
    "accept": "*/*",
    "user-agent": "curl/7.64.1",
    "x-forwarded-port": "443",
    "opun-proxied-host": "request.otoroshi.io",
    "otoroshi-request-id": "1463158439730479893",
    "otoroshi-proxied-host": "myservice.oto.tools:8443",
    "opun-gateway-request-id": "1463158439558515871",
    "x-forwarded-proto": "https",
    "sozu-id": "01FN6MGKSYZNJYHEMP4R5PJ4Q5"
  },
  "body": ""
}