Improve documentation and defaults

- recommend `mkcert` to generate certificates for local development - change default configuration to use files recommended in README.md - separate server name and bind address to allow binding to a local address but publish a different public name
9 months ago · 9821d34939
parent ab2e3c33b5
commit 9821d34939
4 changed files with 32 additions and 35 deletions
--- a/README.md
+++ b/README.md
@ -8,45 +8,30 @@ UI components that are required by Hydra to allow login and consent.
 The code in this repository is licensed under the terms of the Apache License
 Version 2.0.

-Copyright © 2020-2022  Jan Dittberner
+Copyright © 2020-2023  Jan Dittberner

 ## Setup

 ### Certificates

-You need a set of certificates for the IDP. You can use the Test CA created by
-the ``setup_test_ca.sh`` script from the [CAcert developer
-setup](https://git.dittberner.info/jan/cacert-devsetup) repository like this:
+You need a set of certificate and private key and a PEM file with CA
+certificates used to verify client certificates to run `cacert-idp`.

-1. create signing requests
+An easy way to generate server certificate and key for local testing is
+[`mkcert`](https://github.com/FiloSottile/mkcert/releases).

-   ```
-   mkdir certs
-   cd certs
-   openssl req -new -newkey rsa:3072 -nodes \
-       -keyout idp.cacert.localhost.key \
-       -out idp.cacert.localhost.csr.pem \
-       -subj /CN=idp.cacert.localhost \
-       -addext subjectAltName=DNS:idp.cacert.localhost,DNS:login.cacert.localhost
-   cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
-   ```
-
-2. Use the CA to sign the certificates
+1. Run `mkcert` to generate `idp.cacert.localhost.pem` and
+   `idp.cacert.localhost+1-key.pem`:

-   ```
-   pushd $PATH_TO_DEVSETUP_TESTCA/
-   openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
-       -in idp.cacert.localhost.csr.pem \
-       -out idp.cacert.localhost.crt.pem -days 365
-   popd
-   cp $PATH_TO_DEVSETUP_TESTCA/idp.cacert.localhost.crt.pem .
+   ```shell
+   mkcert -cert-file idp.cacert.localhost login.cacert.localhost
   ```

-3. Copy CA certificate for client certificates
+2. Copy CA certificate for client certificates
  
-   ```
-   openssl x509 -in $PATH_TO_DEVSETUP_TESTCA/class3/ca.crt.pem \
-       -out client_ca.pem
+   ```shell
+   (curl -s http://www.cacert.org/certs/CAcert_Class3Root_x14E228.crt ; \
+    curl -s http://www.cacert.org/certs/root_X0F.crt ) > client_ca.pem
   ```

 ### Configure IDP
--- a/changelog.md
+++ b/changelog.md
@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Added
 - implement logout-successful handler
+### Changed
+- recommend `mkcert` to generate certificates for local development
+- change default configuration to use files recommended in README.md
+- separate server name and bind address to allow binding to a local address
+  but publish a different public name

 ## [0.1.3] - 2023-07-24
 ### Fixed
--- a/cmd/idp/main.go
+++ b/cmd/idp/main.go
@ -62,11 +62,12 @@ func main() {
 		logger,
 		"IDP",
 		map[string]interface{}{
+			"server.bind_address":     "",
+			"server.name":             "idp.cacert.localhost",
 			"server.port":             DefaultServerPort,
-			"server.name":             "login.cacert.localhost",
-			"server.key":              "certs/idp.cacert.localhost.key",
-			"server.certificate":      "certs/idp.cacert.localhost.crt.pem",
-			"security.client.ca-file": "certs/client_ca.pem",
+			"server.key":              "idp.cacert.localhost+1-key.pem",
+			"server.certificate":      "idp.cacert.localhost+1.pem",
+			"security.client.ca-file": "client_ca.pem",
 			"admin.url":               "https://hydra.cacert.localhost:4445/",
 			"i18n.languages":          []string{"en", "de"},
 		})
@ -172,6 +173,7 @@ func main() {

 func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Logger, config *koanf.Koanf) {
 	clientCertificateCAFile := config.MustString("security.client.ca-file")
+	serverBindAddress := config.String("server.bind_address")
 	serverName := config.String("server.name")
 	serverPort := config.Int("server.port")

@ -191,7 +193,7 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 		ClientCAs:  clientCertPool,
 	}
 	server := &http.Server{
-		Addr:         fmt.Sprintf("%s:%d", serverName, serverPort),
+		Addr:         fmt.Sprintf("%s:%d", serverBindAddress, serverPort),
 		Handler:      handlerChain,
 		ReadTimeout:  TimeoutTwenty,
 		WriteTimeout: TimeoutTwenty,
@ -220,7 +222,10 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 		close(done)
 	}()

-	logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)
+	logger.WithFields(log.Fields{
+		"address": server.Addr,
+		"url":     fmt.Sprintf("https://%s:%d/", serverName, serverPort),
+	}).Info("Server is ready to handle requests")
 	atomic.StoreInt32(&handlers.Healthy, 1)

 	if err := server.ListenAndServeTLS(
--- a/docs/idp.toml
+++ b/docs/idp.toml
@ -5,8 +5,10 @@ csrf.key = "32-byte-long-random-base64-encoded-key"
 client.ca-file = "client.cas.pem"

 [server]
+# server name
+name = "idp.cacert.org"
 # server IP address
-name = "127.0.0.1"
+bind_address = "127.0.0.1"
 # server port
 port = 3443
 # server TLS X.509 certificate in PEM format