TLS termination using your own certificates

The goal of this tutorial is to expose a service via https using a certificate generated by openssl.

If you already have an up and running Otoroshi instance, you can skip the following instructions.

Set up an Otoroshi

Let’s start by downloading the latest Otoroshi.

curl -L -o otoroshi.jar 'https://github.com/MAIF/otoroshi/releases/download/v16.18.7/otoroshi.jar'

then you can start Otoroshi:

java -Dotoroshi.adminPassword=password -jar otoroshi.jar 

Now you can log into Otoroshi at http://otoroshi.oto.tools:8080 with admin@otoroshi.io/password

Create a new route, exposed on http://myservice.oto.tools:8080, which will forward all requests to the mirror https://request.otoroshi.io. Each call to this service will return the body and the headers received by the mirror.

curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
-H "Content-type: application/json" \
-u admin-api-apikey-id:admin-api-apikey-secret \
-d @- <<'EOF'
{
  "name": "my-service",
  "frontend": {
    "domains": ["myservice.oto.tools"]
  },
  "backend": {
    "targets": [
      {
        "hostname": "request.otoroshi.io",
        "port": 443,
        "tls": true
      }
    ]
  }
}
EOF

Try to call the service.

curl 'http://myservice.oto.tools:8080'

This should output something like

{
  "method": "GET",
  "path": "/",
  "headers": {
    "host": "mirror.opunmaif.io",
    "accept": "*/*",
    "user-agent": "curl/7.64.1",
    "x-forwarded-port": "443",
    "opun-proxied-host": "request.otoroshi.io",
    "otoroshi-request-id": "1463145856319359618",
    "otoroshi-proxied-host": "myservice.oto.tools:8080",
    "opun-gateway-request-id": "1463145856554240100",
    "x-forwarded-proto": "https"
  },
  "body": ""
}

Let’s try to call the service over https.

curl 'https://myservice.oto.tools:8443'

This should output

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to myservice.oto.tools:8443

To fix it, we have to generate a certificate for the domain myservice.oto.tools and import it into Otoroshi.

If you already have a certificate, you can skip the next set of commands and directly import it into Otoroshi.

We will use openssl to generate a private key and a self-signed certificate.

# generate a 4096-bit RSA private key
openssl genrsa -out myservice.key 4096
# strip any passphrase from the key (none here: genrsa was not asked to encrypt it)
openssl rsa -in myservice.key -out myservice.key
# generate a self-signed certificate for myservice.oto.tools, valid for two years
openssl req -new -x509 -sha256 -days 730 -key myservice.key -out myservice.cer -subj "/CN=myservice.oto.tools"

Check the content of the certificate

openssl x509 -in myservice.cer -text

This should contain something like

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 9572962808320067790 (0x84d9fef455f188ce)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=myservice.oto.tools
        Validity
            Not Before: Nov 23 14:25:55 2021 GMT
            Not After : Nov 23 14:25:55 2022 GMT
        Subject: CN=myservice.oto.tools
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
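The commands above produce a certificate whose only identity is the CN. Modern TLS clients match the hostname against the subjectAltName extension first and only fall back to the CN, so it is worth adding one, and worth checking that the key and certificate really belong together before importing them. The following script is an added example, not part of the Otoroshi tutorial: it generates the same kind of key and self-signed certificate with a subjectAltName, then runs the two checks. It assumes only that the openssl command line tool (1.0.2 or later) is on the PATH; the function names, the scratch directory and the config section name v3_req are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Otoroshi tutorial: generate the key and
# self-signed certificate for the service as above, but with a subjectAltName
# (what TLS clients actually match against; the CN alone is a legacy fallback),
# then run the checks that catch the usual mistakes before importing the pair.
# Assumes the openssl CLI (1.0.2 or later) is on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# gen_cert DOMAIN DIR [BITS]: writes DIR/DOMAIN.key and DIR/DOMAIN.cer.
# A minimal config section carries the SAN so this also works on older
# openssl builds that lack the -addext option.
gen_cert() {
  domain="$1"; dir="$2"; bits="${3:-4096}"
  cfg="$dir/$domain.cnf"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_req]' \
    "subjectAltName = DNS:$domain" > "$cfg"
  openssl genrsa -out "$dir/$domain.key" "$bits" 2>/dev/null
  openssl req -new -x509 -sha256 -days 730 \
    -key "$dir/$domain.key" -out "$dir/$domain.cer" \
    -subj "/CN=$domain" -config "$cfg" -extensions v3_req
}

# key_matches_cert KEY CER: prints "match" if the public key embedded in the
# certificate is the one derived from the private key, "MISMATCH" otherwise.
# A mismatched pair is a common copy/paste mistake and fails the TLS handshake.
key_matches_cert() {
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout)
  if [ "$from_key" = "$from_cert" ]; then echo match; else echo MISMATCH; fi
}

# cert_covers_host CER HOST: prints "yes" if openssl would accept the
# certificate for HOST (SAN first, CN as fallback), "no" otherwise.
cert_covers_host() {
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: generate the tutorial's pair in a scratch directory and report.
work=$(mktemp -d)
gen_cert myservice.oto.tools "$work"
echo "key/cert: $(key_matches_cert "$work/myservice.oto.tools.key" "$work/myservice.oto.tools.cer")"
echo "covers myservice.oto.tools: $(cert_covers_host "$work/myservice.oto.tools.cer" myservice.oto.tools)"
echo "covers other.oto.tools:     $(cert_covers_host "$work/myservice.oto.tools.cer" other.oto.tools)"
echo "files written to $work"
```

Run it as is to get a myservice.oto.tools.key and myservice.oto.tools.cer pair you can import in the next step; the second hostname check is there to show that the certificate is rejected for any name it does not list, which is exactly what curl will enforce later.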

Once generated, go back to Otoroshi and navigate to the certificates management page (top right cog icon / SSL/TLS certificates or at /bo/dashboard/certificates) and click on Add item.

Set myservice-certificate as name and description.

Drop the myservice.cer file or copy the content to the Certificate full chain field.

Do the same action for the myservice.key file in the Certificate private key field.

If you protected the private key with a passphrase, enter it in the private key password field.

Let’s try the same call to the service.

curl 'https://myservice.oto.tools:8443'

An error should occur because curl does not trust the certificate presented by the server:

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

End this tutorial by telling curl to trust the server certificate explicitly:

curl 'https://myservice.oto.tools:8443' --cacert myservice.cer

This should finally output

{
  "method": "GET",
  "path": "/",
  "headers": {
    "host": "mirror.opunmaif.io",
    "accept": "*/*",
    "user-agent": "curl/7.64.1",
    "x-forwarded-port": "443",
    "opun-proxied-host": "request.otoroshi.io",
    "otoroshi-request-id": "1463158439730479893",
    "otoroshi-proxied-host": "myservice.oto.tools:8443",
    "opun-gateway-request-id": "1463158439558515871",
    "x-forwarded-proto": "https",
    "sozu-id": "01FN6MGKSYZNJYHEMP4R5PJ4Q5"
  },
  "body": ""
}