netty terminate tls using kubernetes certificate

Time:10-20

I am trying to terminate TLS in a netty webserver in a Kubernetes cluster.

I am using cert-manager to manage my website's certificates

Here is the result of kubernetes get secret websitesslcert-staging -o yaml

apiVersion: v1
data:
  tls.crt: REDACTED=
  tls.key: REDACTED=
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: mysite.com
    cert-manager.io/certificate-name: websitesslcert-staging
    cert-manager.io/common-name: mysite.com
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-staging
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2021-10-17T00:00:00Z"
  name: websitesslcert-staging
  namespace: default
  resourceVersion: "123456"
  uid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type: kubernetes.io/tls

The format of the kubernetes.io/tls is described in the Kubernetes docs.

The public/private key pair must exist beforehand. The public key certificate for --cert must be .PEM encoded (Base64-encoded DER format), and match the given private key for --key. The private key must be in what is commonly called PEM private key format, unencrypted. In both cases, the initial and the last lines from PEM (for example, --------BEGIN CERTIFICATE----- and -------END CERTIFICATE---- for a certificate) are not included.

I have a Java (Netty) application that has to terminate TLS. Locally I can copy the secrets ("tls.crt" and "tls.key") and write them to files, however I am not able to use them in my local server Netty 4 to accept TLS connections.

 ChannelPipeline p = channel.pipeline();
 // Netty's signature is forServer(File keyCertChainFile, File keyFile):
 // the certificate chain file comes first, the private key file second.
 SslContext sslCtx = SslContextBuilder.forServer(tlsCertFile, tlsKeyFile).build();
 p.addLast("ssl", sslCtx.newHandler(channel.alloc()));

results in an error:

Execution error (CertificateException) at io.netty.handler.ssl.PemReader/readCertificates (PemReader.java:98).
found no certificates in input stream

Adding --------BEGIN CERTIFICATE----- and -------END CERTIFICATE---- to the files results in

Execution error (CertificateParsingException) at sun.security.x509.X509CertImpl/parse (X509CertImpl.java:1826).
signed overrun, bytes = 919

How should I approach this, to read my certificate from Netty?

CodePudding user response:

Turns out the certificates are base64-encoded in the yaml output. base64 --decode shows the files' contents.
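As an added example, not part of the original question or answer: a Python script that does the decode the answer describes and then checks the result before it is handed to Netty, distinguishing the two failure modes from the question (bare base64 with no BEGIN/END lines, and BEGIN/END lines wrapped around base64-of-PEM). The Secret JSON, the placeholder certificate and key bytes, and all function names are constructed for this example; the PEM bodies are not a real key pair, only the encoding layers are realistic.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

# Constructed stand-in for `kubectl get secret websitesslcert-staging -o json`.
# The PEM bodies below are placeholder bytes, NOT a real certificate or key;
# only the encoding layers are realistic: each .data value is base64 of the
# PEM text, and the PEM text itself wraps base64 DER between BEGIN/END lines.
FAKE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82" + bytes(range(64))).decode()
    + "-----END CERTIFICATE-----\n"
)
FAKE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(b"\x30\x82" + bytes(range(32))).decode()
    + "-----END PRIVATE KEY-----\n"
)
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "websitesslcert-staging", "namespace": "default"},
    "data": {
        "tls.crt": base64.b64encode(FAKE_CERT_PEM.encode()).decode(),
        "tls.key": base64.b64encode(FAKE_KEY_PEM.encode()).decode(),
    },
})

# Any run of dashes around BEGIN/END is accepted, as Netty's PemReader does.
PEM_BLOCK = re.compile(r"-+BEGIN ([A-Z ]+?)-+\s*([A-Za-z0-9+/=\s]+)-+END \1-+")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def secret_data(secret_json):
    """Return the .data map exactly as kubectl prints it (still base64)."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"not a kubernetes.io/tls Secret: {secret.get('type')!r}")
    return {k: secret["data"][k].encode("ascii") for k in ("tls.crt", "tls.key")}


def decode_tls_secret(secret_json):
    """Undo the Secret .data encoding once: the result is the PEM text to write to disk."""
    return {k: base64.b64decode(v, validate=True) for k, v in secret_data(secret_json).items()}


def parse_pem(content):
    """(label, der_bytes) for every BEGIN/END block; DER is the base64 body decoded."""
    text = content.decode("ascii", errors="replace")
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def diagnose(name, content, want_labels):
    """Explain, in terms of the two errors from the question, why Netty would reject this file."""
    blocks = parse_pem(content)
    if not blocks:
        if re.fullmatch(r"[A-Za-z0-9+/=\s]+", content.decode("ascii", errors="replace")):
            return [f"{name}: no PEM blocks, content is bare base64: this is still the Secret "
                    ".data encoding, run it through base64 --decode first "
                    "(PemReader: 'found no certificates in input stream')"]
        return [f"{name}: no PEM blocks found"]
    problems = []
    for label, der in blocks:
        if label not in want_labels:
            problems.append(f"{name}: unexpected PEM block {label!r}")
        # Every X.509 certificate and every PKCS#8/PKCS#1/SEC1 key is an ASN.1 SEQUENCE (0x30).
        if der[:1] != b"\x30":
            problems.append(f"{name}: {label} body does not decode to DER (first byte "
                            f"{der[:1].hex() or 'none'}): base64-of-PEM between BEGIN/END lines "
                            "is the double encoding behind 'signed overrun' in X509CertImpl")
    return problems


def check_tls_pair(files):
    """Problems with a decoded {tls.crt, tls.key} map; an empty list means Netty should load it."""
    return (diagnose("tls.crt", files["tls.crt"], {"CERTIFICATE"})
            + diagnose("tls.key", files["tls.key"], KEY_LABELS))


def write_pem_files(files, directory):
    """Write tls.crt / tls.key for SslContextBuilder.forServer(certChainFile, keyFile)."""
    paths = {}
    for name, content in files.items():
        path = Path(directory) / name
        path.write_bytes(content)
        paths[name] = path
    return paths


if __name__ == "__main__":
    raw = secret_data(SECRET_JSON)
    print("written straight from kubectl output:", *check_tls_pair(raw), sep="\n  ")
    decoded = decode_tls_secret(SECRET_JSON)
    print("after one base64 decode:", check_tls_pair(decoded) or "OK")
    with tempfile.TemporaryDirectory() as d:
        print({k: str(p) for k, p in write_pem_files(decoded, d).items()})
```

The decode step is the same one `kubectl get secret websitesslcert-staging -o jsonpath='{.data.tls\.crt}' | base64 --decode` performs, and it is what the kubelet performs when the Secret is mounted as a volume into the pod: the mounted tls.crt and tls.key are already PEM and can be passed to SslContextBuilder.forServer(certChainFile, keyFile) directly, certificate chain first, key second.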
