diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index 5ca4ae52a..499de9085 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
@@ -276,7 +276,7 @@ func runServeCmd(cmd *cobra.Command, args []string) { //nolint: revive
 opts.PublicKey = string(pemPubKey)
 }
 var httpClient *http.Client
- if tlsCaCertPath := viper.GetString("tls-ca-cert"); tlsCaCertPath != "" {
+ if tlsCaCertPath := viper.GetString("ct-log.tls-ca-cert"); tlsCaCertPath != "" {
 tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCaCertPath))
 if err != nil {
 log.Logger.Fatal(err)
diff --git a/config/tls/ca.crt b/config/tls/ca.crt
new file mode 100644
index 000000000..674cf2a34
--- /dev/null
+++ b/config/tls/ca.crt
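Review bot: The config key becomes `ct-log.tls-ca-cert`, but the hunk does not show the matching flag registration or `viper.BindPFlag` call being renamed; if those still carry the old name, `viper.GetString` returns `""`, the branch is skipped and the client silently keeps the system trust store, so the HTTPS switch made elsewhere in this commit would fail with an unhelpful unknown-authority error rather than a configuration error. Worth adding a log line inside the branch recording which CA bundle was loaded, plus a test that sets the key and asserts the resulting transport carries the custom root pool. Dropping the old `tls-ca-cert` spelling without an alias also breaks existing invocations, so a deprecation shim or a release-note entry is warranted. runServeCmd begins and continues outside the hunk.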
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFAzCCAuugAwIBAgIUHVoudGeot0qmjmziA9njcOFXGGMwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwIBcNMjQwNzI0MjA0MDQ0WhgPMjEyNDA2MzAy
+MDQwNDRaMBAxDjAMBgNVBAMMBU15IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAjuXxEhzC0K3w4gRDvldrI3NZSGiMFWWaghIqcjZe2cE6GnR428BG
+Mdz30kzJ0XCFcpJzECYMUAS6odwH0ZeNh9YLhTn1Hn/R/pGO1gML5+3NSH76kHMT
+mlYcn2qawXqY55iyERiPW/iamBMtTIRXQgKo0/JVThrGCsErwat117XDEE385uqS
+06rqK9aWGlvk/9SSqb1LKy1gjRnQtnQWDNwIgAt9Or0AO+thAkYqY/6+fJj5z5XK
+35E12PHd+XP9AKGu8Xcu3RUcIq0jOnZT23kycLrdLjaQKvt0sU/5u808qe2+YIe/
+ldwJCGr5SZXqKv5/Zv6giM1xNkv+RsLRaIEYlHD3CTn8qgESIImYnIuiwOa3n04q
+ZGsaG6155p0pJuvXhZegXpvGnQ7Ku+Tx8mbAwoPHWBVBESz5pS8fIRZ5zgy/p/ZI
+cz3Rgg6JXCGIe5o3y2TzlpeL0V5rgaqaQz0GLIXnrkjyGhxfK65H9fAPinZDVS4o
+qGCnMfYqJwyf+oLLPZGz1CYCA5jemSugGRgm45O0UtMvzIomRhnmZVEalA/+qDhn
+zFBOfPoY1jqHW9mWNeXOW4cpW+kQw3Chqy6TQ4hA6OADd5rXlkSKs05uW+UujWZf
+DwupgaRG9cWj0uqoTmbgqxPqAoXW+NJmIQJVXVgxe9f+87ZgGRonFUUCAwEAAaNT
+MFEwHQYDVR0OBBYEFGq8SuCoNKy7BGjUanonufX2Z7p5MB8GA1UdIwQYMBaAFGq8
+SuCoNKy7BGjUanonufX2Z7p5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBABb3C7izkhKirLU9hXLdqwqkc9pUteBCYni+OjIqO8793unF6fP/Q32+
+rmLWpSHJ2t0CwsUQI5b5UZCPlv9MjyMi8QsnkZNcQnENoIgv8COB+PGEM6okhH3U
+MInp+KqIekhi92QeoMxdbdzAp6e2MYW6UKgnuJU6y8oKmoJsBICLYY0H8z5dBPd0
+fdnE0AKdWGkZ99w7qvlN3dvLe9//aNg5qtxGokNsvBxtdoj7KXiPYlaz5bazl2p3
+dlboojhidLqIejzPzH0Q7gGWgAOvwRD3vFznwuoi6J596JvTzi0Wx14mBKibyeHs
+vQIndFeOVGIsLC2kK5JEW7rAPcyzRkTh7Qj3vAfvAbsDuSS7Kc8ULV8NRfxBb2lS
+QVKNHKfNDCjZ1XmsE7BWSpCF/mCEtBKuRGwtGI8dtmgxwmq4p1w8WwanrEQdtZP/
+C00my+QEnm6CxBSKEJWjkU32jP9NQb7Cnz+/iUVAQX3iZgPQ3+sF4JxyEyoxkMm3
+U/Hy4lF3D9cGH1C8ZkJuhJDimezAjO8wO1I/XKbODpzG5bbm5feIW42If0eirT90
+doBF6QrHi6lOGpLAaWc6eCtSm7HuxkJvfX0vjoefieIrLETSkq/yHzbYvToDGl0F
+iOwjfiayctH3YP+GxvOD+Q6kQP20xEG09MYgQtJIKiT0F3x0sDEs
+-----END CERTIFICATE-----
diff --git a/config/tls/tls.crt b/config/tls/tls.crt
new file mode 100644
index 000000000..ca04781c7
--- /dev/null
+++ b/config/tls/tls.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFRzCCAy+gAwIBAgIUUwaiANUP/pPFrbAsRqRltYFlZzUwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjQwNzI0MjA0MTIzWhcNMjQwOTIyMjA0
+MTIzWjA7MQ8wDQYDVQQLDAZTZXJ2ZXIxCjAIBgNVBAMMASoxHDAaBgkqhkiG9w0B
+CQEWDXRsc0BnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCbvz8gzLIYAN8PXk4kPajOVQrYbRV6SzKC0ehGd+iTTe4/Srwl2sSHE0Zlb88R
+maVyNtam/JfD8fYMjnHHyh0NyvM0jvUs0UgS0IiOoW9s7IgvJoI9yzWXXg7kX4Yw
+ZOrf13FokKQqvKy8YrpEVmmw38TGNfgCwiKnWsrNqS4jICUT/rh6VHGuAVK44Uf4
+3rX6dIE/0VuHnfefdRyHvgExs7BZOZdF8/XOFXNIlrRRIjgRldtR1AQahvzUgst7
+jMWiu+f+M5XlU5DIImMGpK198HS7rnCAjiHOdMEbpdBEqXeDU1qQu11D4iYIOPzQ
+AlEnYzXd0ynSXzRtJ9sLjfZIAGpA72u1ernLNh4k7/OwOeX6seDLYahkaNStxSip
+YmHEmReIBeq+u84YZ1K5LwJioLFI0MJdvBu7fnYV5o2Tu03M47n2RRnizX/nWwqD
+S4Mha3OPvQg2lwcO/o3zLJQ4Rf0lKeuZllQ6f7FfdjQIJW3PbQk1XTIDc94og+Cy
+z/OdRY4TuaHU+GeZCTjKyYieFl2q8vmIZQh7GHayOVNh7ts41I3bYt7QwKzMqBcR
+tzi8zjWVpB2fTkMogr4TFDtTUfJosWVnmY3YlQmAMRXqYSbVehrkQM/hi0XxDPn0
+hNZlJyg2jdQl4WiCEsCK3bglniLcCL7xL61FI03MB5IBzwIDAQABo24wbDAqBgNV
+HREEIzAhggEqghZodHRwczovL2N0X3NlcnZlcjo2OTYyhwQAAAAAMB0GA1UdDgQW
+BBTIrMR1pR30/uPPz0VHIIsj1lmCSTAfBgNVHSMEGDAWgBRqvErgqDSsuwRo1Gp6
+J7n19me6eTANBgkqhkiG9w0BAQsFAAOCAgEAF6EKMKUC/LegXLFsCxY0c5hzd2Vf
+TO0Si3/Y0lJ00zdGHgyTXCxqTXGutHYyEX9QF2+yg2WVQu7NzTpc/7tpa7FroJpo
+Wc0ll6rGuhWaLv8EYJ33sHJBU3yyU9mKUQVgdk4PJAsTu5RlkQy7gdjNUOwjPCwI
+2U/r01UfIHihbScPE3eIu5cvk39LESJEUmWixoOievUYmdZ/R0hSzwFv2XXo2HBj
++2qSnOq/O2AvltX2c2zVuoRxR9qa6TfznskP6mmXEcxwIUJV86EgnJthVVHQfWUC
+V9o9TTfBwhfKtJ7oH6C3t8dZJqjXtXFt/mzI0tZdqEN6Ozlc7zNB72mpW5pNlY3J
+1BMGEDdJesyWTG9nKzg8AjW2mbTaHKJBk72/RnRhgoV5yOY/kPcYBf83jyzbuafr
+KJBmUewPdf/T3/QSlDMaX+6rKSNNLgKgQwAlOdd+eaWdcZlT2UTJTSGJv3aANBEy
+2Ajv2ZzLcw24uAZEIFJKh8jswtkCMScvePlVlhgAY7SZMNvtO9HepQMtpwRD/jkv
+e7IRHhB7tEFUiTHmsVc7llIlJRsOewtsLjwacpfKkFWGpZQmyEy+Xxf/FkGQLyQ/
+KQJYFJ+uScq6Ae9RatWNTnhC6Ja75estMfL0SatrE1yGyZUTTGWdYohxYbiJYsgd
+bW3vUsnPEIFX0Fo=
+-----END CERTIFICATE-----
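Review bot: Decoding the validity field, the committed `tls.crt` appears to expire on 2024-09-22, sixty days after issue, so the compose setup will start failing TLS handshakes on that date with nothing in the tree explaining why, and the CA's private key is not committed, so the leaf cannot be reissued under `ca.crt` without regenerating the whole chain. The subjectAltName also appears to contain a bare `*` dNSName, which Go's hostname check matches against any single-label host, so every client that trusts this CA would accept this certificate for any dot-less name rather than only `ct_server`. Prefer generating the pair at bring-up from a script or init container and git-ignoring the output; if the files stay in the tree, add a README beside them stating the expiry date, the exact regeneration commands, and that this CA must never be installed outside the local compose network.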
diff --git a/config/tls/tls.key b/config/tls/tls.key
new file mode 100644
index 000000000..b2dfd5a89
--- /dev/null
+++ b/config/tls/tls.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCbvz8gzLIYAN8P
+Xk4kPajOVQrYbRV6SzKC0ehGd+iTTe4/Srwl2sSHE0Zlb88RmaVyNtam/JfD8fYM
+jnHHyh0NyvM0jvUs0UgS0IiOoW9s7IgvJoI9yzWXXg7kX4YwZOrf13FokKQqvKy8
+YrpEVmmw38TGNfgCwiKnWsrNqS4jICUT/rh6VHGuAVK44Uf43rX6dIE/0VuHnfef
+dRyHvgExs7BZOZdF8/XOFXNIlrRRIjgRldtR1AQahvzUgst7jMWiu+f+M5XlU5DI
+ImMGpK198HS7rnCAjiHOdMEbpdBEqXeDU1qQu11D4iYIOPzQAlEnYzXd0ynSXzRt
+J9sLjfZIAGpA72u1ernLNh4k7/OwOeX6seDLYahkaNStxSipYmHEmReIBeq+u84Y
+Z1K5LwJioLFI0MJdvBu7fnYV5o2Tu03M47n2RRnizX/nWwqDS4Mha3OPvQg2lwcO
+/o3zLJQ4Rf0lKeuZllQ6f7FfdjQIJW3PbQk1XTIDc94og+Cyz/OdRY4TuaHU+GeZ
+CTjKyYieFl2q8vmIZQh7GHayOVNh7ts41I3bYt7QwKzMqBcRtzi8zjWVpB2fTkMo
+gr4TFDtTUfJosWVnmY3YlQmAMRXqYSbVehrkQM/hi0XxDPn0hNZlJyg2jdQl4WiC
+EsCK3bglniLcCL7xL61FI03MB5IBzwIDAQABAoICAD3UKVp7CIRw7BxswrauZ7Ip
+npmWjH01FwNKE1zOQ10fBeLIZ3Lbq0M4Sq0AOwLwrPZvgL1f71vRVW1cqxy2Rtxv
+4ibOTdSR7HvTnzKIMfTa3aFiNzgS0N6bb2wH4/yYQ4nDPHlXWmTA7A4JX4q7h0+5
+NaO+TwvBSAKKD5Kfg/pby3xplZCyr0J1sgJFJM5Ok42u7JSKJzzqYCBEXKQisNSr
+UenJ7BzQIZfDejWp5kGDRSDuDdgpQ8vIJNy0Y9VTaC4XTJzkm7AjgYmB5TAA9gLW
+D3FmabEPO6p7PSIdrFVltVVEJOLqDrdhMtn2zZ5CHTd2si6yopqqQuTGerXWkJsc
+OyAvgE01xLrr00Nu7eba7bkavDU7Dc2oCHJxSj45R/89J4g25lOHK/JfEv+XKmoF
+T+GKLkPCBwBG7CoB7u1CqkjXxZSMncHaqaby/3M5OIxWnXyQocJNV/HksHgSPrZj
+Ep8cDQ9x+9iCqE5bBmxJNOuBnlqcrCoATdruku0MlLHhl726vXSe+JAAgSJ/J/us
+JkX8ef//Gp9ibEvrGoh3bnqB5zUR8gRL7Nf46ywfdKKOd41XqLVJ/U8Af0CyfndB
+3wps7bEuN2MdtnKUPeBIWvbySewvJVOSIJNOXZ5S3wDx8bfrDrTzFi+tA1txUWLX
+o4O0SM6gDcDyiGpY+jmBAoIBAQDNsLeH8Sw6Y0KDz+Kf3efdkV3qGBUsLGPrA6ZL
+hrYSHZHnp5yskaru9YR1yqAJCqXws1lz/De8U8sH0qi9HU6umi2K/qx0wrs4PLY9
+dRLo1l/jIpbxhx/w8hM25nXvH3L2s08xAU0sZ7ufLYlvzpsWT2JwolGWs8xcHl4+
+Yt/RYHgSf22LNAQvFIZU/MjE/w9f2/YJyo/uSTQeGqkqbeGM3CBqzB3pbrgXzCUR
+anXDpFoDBeFyaspq38qwrHjcXhIbN8aAXyBg7xGqR4Y/9e7yCB1fb/Yfpe+iSMZR
+jRQsovbyyM7PPSmOCPB4Uxr9cuk/LnOEEf34jLreYplt4BMPAoIBAQDB11ZPam5t
+dCeSsFlB1XjtIEtXpcLrVPh5RQFbfyRtosMwGy0QczKVcZcNeQlzzMPiDCyu1FF3
+2P+WfDc/w/ls8EeBwlIRQoko0F27d8yx8iPjgzYxkYgC27bJkcZ6262bon1rBli+
+FH/B9GHzz6cO2eUYF55iqVOD3pOHY7aaEwwa9qWbHd/HKHAVE1mjN8BxCe0qwWkU
+FAWfQbX1M1aBWy+XfBrNd94JAp9TVvG1U3ul1/H+zpmMQGVtuIWCEudBeJils+ip
+kJW6Lu2+Ywjh9368cZ53bHRUxZP8+m8BfXTd2HHrxIOTHRqR9wqAKGJaHC1TEYrb
+TJKmW6CiVCVBAoIBAQCpB2/K5wXRdYBTkaJKfbDtA2iJ1wCPLGtv1a/yoOE+Qc6E
+79hwd8RgWqJfqgOZaoazJq98AOhMew99fj/sKQlfspN6hY5y5RO1Qy7/khXYAVMK
+9IHWOZSmDEh99SU1PELdOLz7KHai5xvn0yP+HWqVCud6Z+lkTpzBlrMb0WTcSsph
+aRY8LqLBjbxWWuUh/fhEbh3iLfPZfY62rnIVy/ZuKvb4zIRIMBRYegp8JWBhRc4y
+bcK2o8tzyDRou1MWxLdcZplZJNMW1V9O7zgDl7akbsa0hu1bVKF4WxWeLrFFfSYy
+nZJV+40Ki44RUzn6zVOf+Cw1fBOZDQ0Dc0NiZ6FBAoIBAGwJiAqFSHzqw2+nqGfg
+AiEv4a49LjGZz09P3ZzQdU5B7EYwr2I+wo+2mrkgn9sR4o9nt7PNlIaWxIVsQCLj
+KG7GUSSKWNFT4zyDPerRr53yVnxk0ly4PzVQnkUkYZpyPAXFf9+ZzvZKWJaSjdGl
+B/hoC57s8xMMSwbxlApe0hR3z0Rr+gtFkEbhS+8DNO+akECwhqZQ3C8bpbKInlDG
+x00btJ/axNmGGJOvCXwatmcY246omDErlzsrXRzVPlwsCwZbn8CjUGbJthnqNAns
+CrRfDB0dunPXV9Mzt/LE5f/Pm8ZV79C3W5owG3IFXa3mVELi94QX/+uQdyAPa61t
+9sECggEAMAgBQc/i923+jWpV6VFEKaEq27T6krgg2lnXN+6HLspWycCiCLbcMeGT
+wBIaCi05tbkv6h4/4CssND+3pvnPOnRpMKaBHvVhpaXPbsqGFsv8l9CbGZ8KAg8x
+T/0qa4BVb9CRmBcOMRSWMHo8EDza4ZoXwZm2e3z0o5+Qw3KScc9JL+RhfYTJEhpl
+U3sLpI4l6WydsQRnx2Yjo3JttFRgZUBfhr9fSkySx2VoOwr3F/5U/ggc0NjjNiGg
+jcQaWv6y/hmWYT+e+cmJut53Edkm7BQ/ysO4gNm5CItGBXRQ8P6i0dCrE2bOVNsd
+e9uMuhkyG/mPqX9db3CrBUy0kbq14Q==
+-----END PRIVATE KEY-----
diff --git a/docker-compose.yml b/docker-compose.yml
index a720943c9..6228ac7f0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,7 +26,8 @@ services:
 "--port=5555",
 "--grpc-port=5554",
 "--ca=ephemeralca",
- "--ct-log-url=http://ct_server:6962/test",
+ "--ct-log-url=https://ct_server:6962/test",
+ "--ct-log.tls-ca-cert=/config/tls/ca.crt",
 # Uncomment this for production logging
 # "--log_type=prod",
 ]
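Review bot: This adds an unencrypted RSA private key to version control; even as a local-compose-only credential it is now permanent in git history, anyone holding it can impersonate the CT log to every client that trusts `config/tls/ca.crt`, and secret scanners such as gitleaks or GitHub push protection will flag the file on every push. Git also does not preserve a `0600` mode, so once mounted the key is readable by every process in the container. Prefer generating it at bring-up and git-ignoring `config/tls/*.key`; if it must be committed, add an explicit scanner allowlist entry and a comment in `docker-compose.yml` marking it as a throwaway test credential.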
@@ -38,6 +39,7 @@ services:
 volumes:
 - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
 - ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z
+ - ./config/tls:/config/tls:z
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
 interval: 10s
@@ -79,10 +81,13 @@ services:
 image: gcr.io/trillian-opensource-ci/ctfe
 volumes:
 - ctfeConfig:/etc/config/:ro
+ - ./config/tls:/config/tls:z
 command: [
 "--log_config" ,"/etc/config/ct_server.cfg",
 "--log_rpc_server", "trillian-log-server:8096",
 "--http_endpoint", "0.0.0.0:6962",
+ "--tls_certificate", "/config/tls/tls.crt",
+ "--tls_key", "/config/tls/tls.key",
 "--alsologtostderr",
 ]
 restart: always # retry while ctfe_init is running
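Review bot: The first hunk mounts the whole `./config/tls` directory into the fulcio container, but `cmd/app/serve.go` only reads the CA bundle named by `--ct-log.tls-ca-cert`, so the CT server's private key ends up inside a service that has no use for it; mount just the file, read-only, `- ./config/tls/ca.crt:/config/tls/ca.crt:ro,z`, and mark the ctfe mount in the second hunk `:ro,z` as well since neither container writes there. With `--tls_certificate` and `--tls_key` the ctfe endpoint on 6962 now speaks only HTTPS, so any other service or healthcheck in this file that still targets `http://ct_server:6962` (outside these hunks) would need the same scheme and CA change. A comment above the new `--tls_*` arguments noting that the certificate is a short-lived test credential and where to regenerate it would save the next person a debugging session when it expires.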