Thanks Rob, this was very useful, and this is working perfectly now. I also took some inspiration from docker documentation https://docs.docker.com/articles/https/ to create a small script that would generate the keys and certificates for the CA, the server, and the client: https://gist.github.com/bbinet/a68c8f8381f36d484042
Feel free to use it if it can be of any help to others. Cheers, Bruno On 21 August 2014 19:29, Rob Miller <[email protected]> wrote: > On 08/21/2014 03:22 AM, bruno binet wrote: > >> Hi, >> >> I want to setup a simple tls tcp connection between two heka instances >> (a server and a client) communicating with standard ProtobufEncoder, so >> that the Heka client will forward all heka messages to the Heka server. >> But I have no experience configuring tls/ssl stuff, so any help would be >> really appreciated. >> > > SSL is a tricky beast, and OpenSSL is notoriously finicky, but it can be > made to work. I fumbled through the process of setting up my own > Certificate Authority and issuing client and server certificates using the > following guide: > > http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ > > augmented by a couple of tweaks to the CA config as specified in the > following thread on the go-nuts mailing list: > > https://groups.google.com/forum/#!topic/golang-nuts/vw7wiGxVu0g > > > Do you know how to use openssl to generate ssl certificates that need to >> be used by the Heka server and the Heka client? >> > > See the links above. > > > Should we use the same files for both the server and the client for >> "cert_file" and "key_file" options (see: >> http://hekad.readthedocs.org/en/v0.6.0/tls.html#tls- >> configuration-settings)? >> > > This depends on whether or not the certificate and the key are in the same > file. When generating your certificates and your keys, you can put them in > a single (`.pem`) file, or you can put each in its own (`.crt` and `.key`) > file. Neither choice is intrinsically better than the other, AFAIK, but for > simple setups I usually use a single file for both. > > > Does anyone could also share some configuration examples both to setup >> TcpInput for the Heka server, and TcpOutput for the Heka client? >> > > Sure. I've used the following config to successfully test TLS encrypted > connections from TcpOutput in one hekad instance: > > > [TcpOutput] > message_matcher = "Type == 'hekabench'" > address = "127.0.0.1:5575" > use_tls = true > encoder = "ProtobufEncoder" > > [TcpOutput.tls] > server_name = "agni.kalistra.com" > cert_file = "/home/rob/go/heka/etc/certs/client.pem" > key_file = "/home/rob/go/heka/etc/certs/client.pem" > root_cafile = "/home/rob/go/heka/etc/certs/myca.crt" > > to TcpInput in another hekad instance: > > [TcpInput] > address = "127.0.0.1:5575" > parser_type = "message.proto" > decoder = "protobuf" > use_tls = true > > [TcpInput.tls] > server_name = "agni.kalistra.com" > cert_file = "/home/rob/go/heka/etc/certs/server.pem" > key_file = "/home/rob/go/heka/etc/certs/server.pem" > client_cafile = "/home/rob/go/heka/etc/certs/myca.crt" > client_auth = "RequireAndVerifyClientCert" > > This was using certificates I generated and signed using my self-created > CA following the guides linked to above. Note that you'll want the > `server_name` config setting to match what was specified in the server > certificate. > > > I was also wondering if "client_cafile" and "root_cafile" (see: >> http://hekad.readthedocs.org/en/v0.6.0/tls.html#tls- >> configuration-settings) >> were required or optional, and what are they actually used for? >> > > The `root_cafile` option is required on the client (i.e. TcpOutput) side, > unless you have the `insecure_skip_verify` option set to true, which is > *not* recommended. This option must point to the certificate of the CA that > was used to generate and sign the server certificate. If you're acting as > your own CA following the above linked guide, you'll have this file. If you > get your certificates signed by a third party certificate authority, you > should be able to get such a certificate from your CA. > > The `client_cafile` option is required on the server (i.e. TcpInput) side > if you're using any `client_auth` option other than the default of > `NoClientCert`. This must point to the certificate of the CA that was used > to generate and sign the client certificate. Again, if you're acting as > your own CA, you have this file, it will be the same one used to sign the > server certificate, and if you're using a third party CA, you can get it > from them. > > Thanks for any help, >> > > You're welcome. Hope this actually does help. Good luck! > > -r >
_______________________________________________ Heka mailing list [email protected] https://mail.mozilla.org/listinfo/heka
