(New page: «The device certificate is signed by a CA certificate and can be verified by it: <pre> openssl verify -CAfile ca.crt device_AP6V5MDG.crt device_AP6V5MDG.crt: OK <…»)
(New page: «Getting messages from the "test" topic on the example.com server»)
(32 intermediate revisions by the same user not shown)
Line 188: | Line 188:
</pre>
Well, the certificate is signed "by itself"
<pre>
openssl verify -CAfile ca.crt ca.crt
Line 196: | Line 196:
== Nginx configuration ==
For example, suppose you have a server on the Internet that must process requests only from devices that have certificates,
issued by our CA.
To enable this check in the nginx configuration file, you need to write the following lines in the http or server section:
<pre>
Line 207: | Line 207:
</pre>
Nginx will now require a certificate from the client that must be validated by a ca.crt, otherwise the server
returns an error 400 to the client:
<pre>
Line 222: | Line 222:
</pre>
Now let's make http requests from WB controller pass this check.
For simplicity, we will use nginx on the client side. This will give the opportunity to work
with secure servers for clients who can't make SSL connections.
First, we will create a server on the unused local http port, which will do the following
all https "magic" for us:
<pre>
Line 242: | Line 242:
</pre>
Add the www-data user to the i2c group to access the crypto device:
<pre>
usermod -G www-data
</pre>
Run the command '''service nginx restart''' to update the configuration.
Now, when you access http on the local port 8080, encrypted requests with authentication information will be sent to the server example.com
<pre>
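Review bot: the `usermod -G www-data` line under "Add the www-data user to the i2c group" does not do what that sentence says: it names no user to modify, and `-G` on its own replaces the user's supplementary group list rather than adding to it. Suggest `usermod -a -G i2c www-data` (the `-a` keeps the groups www-data already has). Since the listen directive of the local proxy is not visible in this hunk, the text should also state that the plaintext port 8080 must be bound to 127.0.0.1 only: whatever can reach that port gets its requests forwarded to example.com under the controller's own device certificate.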
Line 261: | Line 260:
</pre>
== Openvpn configuration ==
First, install the package:
<pre>
Line 269: | Line 268:
</pre>
Create file named req.cnf - we need it to make a server certificate.
<pre>
[ v3_req ]
Line 277: | Line 276:
</pre>
The openvpn server also needs a file with DH parameters, let's make it.
<pre>
openssl dhparam -out dh2048.pem 2048
</pre>
It may take a few minutes to create this file.
Next, make a private key of our server and request a certificate. We assume, for example, that
server has name example.com:
<pre>
Line 293: | Line 292:
</pre>
Sign the request in our certification authority:
<pre>
Line 299: | Line 298:
</pre>
Now let's start setting up openvpn server on the machine example.com
Copy the file '''ca.crt''', '''example.crt''', '''example.key''' and '''dh2048.pem''' and edit the openvpn server configuration file.
By default, the configuration file is in /etc/openvpn/server.conf
<pre>
Line 328: | Line 327:
</pre>
Add the openvpn user to the i2c group to access the crypto device:
<pre>
Line 334: | Line 333:
</pre>
after that, start the server with the command
service openvpn start.
Next, create a client configuration file on the controller:
client.ovpn:
<pre>
Line 359: | Line 358:
-------------------------------------------------------------------------
</pre>
Note the line group i2c. It is necessary to work with the crypto device.
Then run the client:
<pre>
Line 367: | Line 366:
</pre>
If all is well, then the system should appear tun0 interface with the address from the subnet 10.8.0.0/24:
<pre>
Line 380: | Line 379:
</pre>
To check the performance run ping:
<pre>
Line 389: | Line 388:
</pre>
== Mosquitto settings ==
UPD:
Line 469: | Line 468:
Generate a private key and certificate request:
<pre>
Line 481: | Line 480:
</pre>
Copy the file '''ca.crt''', '''mosquitto.crt''', '''mosquitto.key''' to the server and edit the configuration file '''/etc/mosquito/conf.d/server.conf'''
<pre>
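Review bot: the configuration path in "edit the configuration file '''/etc/mosquito/conf.d/server.conf'''" is misspelled: the directory is `/etc/mosquitto/conf.d/` (two t's), which is what the Debian package's default mosquitto.conf pulls in with `include_dir`. A file placed under the misspelled directory would never be read, and the service would start without the TLS listener the rest of the section relies on.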
Line 491: | Line 490:
</pre>
Start service:
<pre>
service mosquitto start
</pre>
Also, if required, you can make the local mosquitto server on the controller
forwarder some topics on a remote server. To do this, create a bridge file: '''/etc/mosquitto/bridge.conf'''
<pre>
Line 509: | Line 508:
</pre>
After restarting the local service mosquito topics /test/.. will be sent to the remote server example.com
secure ssl channel.
Examples of client mosquitto commands.
Sending a message to the "test" topic on the example.com server
<pre>
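Review bot: in "After restarting the local service mosquito topics /test/.. will be sent to the remote server example.com secure ssl channel." the service name is misspelled (mosquitto) and a preposition is missing; suggest "After restarting the local mosquitto service, the /test/.. topics will be sent to the remote server example.com over a secure SSL channel." The hunk also does not show the bridge.conf lines that select the certificate, key and CA file for the bridge connection; a sentence naming them, as the client-command examples below do, would make the bridge setup reproducible.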
Line 519: | Line 518:
</pre>
Getting messages from the "test" topic on the example.com server
<pre>
mosquitto_sub -h example.com --cert device_AP6V5MDG.crt --key 'engine:ateccx08:ATECCx08:00:04:C0:00' -t "test" --cafile ca.crt
</pre>