Improve documentation and defaults

- recommend `mkcert` to generate certificates for local development - change default configuration to use files recommended in README.md - separate server name and bind address to allow binding to a local address but publish a different public name
10 months ago · 9821d34939
parent ab2e3c33b5
commit 9821d34939
4 changed files with 32 additions and 35 deletions
--- a/README.md
+++ b/README.md
@ -8,45 +8,30 @@ UI components that are required by Hydra to allow login and consent.
 The code in this repository is licensed under the terms of the Apache License
 Version 2.0.
-Copyright © 2020-2022  Jan Dittberner
+Copyright © 2020-2023  Jan Dittberner
 ## Setup
 ### Certificates
-You need a set of certificates for the IDP. You can use the Test CA created by
+You need a set of certificate and private key and a PEM file with CA
-the ``setup_test_ca.sh`` script from the [CAcert developer
+certificates used to verify client certificates to run `cacert-idp`.
 setup](https://git.dittberner.info/jan/cacert-devsetup) repository like this:
-1. create signing requests
+An easy way to generate server certificate and key for local testing is
 [`mkcert`](https://github.com/FiloSottile/mkcert/releases).
-   ```
+1. Run `mkcert` to generate `idp.cacert.localhost.pem` and
-   mkdir certs
+   `idp.cacert.localhost+1-key.pem`:
   cd certs
   openssl req -new -newkey rsa:3072 -nodes \
       -keyout idp.cacert.localhost.key \
       -out idp.cacert.localhost.csr.pem \
       -subj /CN=idp.cacert.localhost \
       -addext subjectAltName=DNS:idp.cacert.localhost,DNS:login.cacert.localhost
   cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
   ```
 2. Use the CA to sign the certificates
-   ```
+   ```shell
-   pushd $PATH_TO_DEVSETUP_TESTCA/
+   mkcert -cert-file idp.cacert.localhost login.cacert.localhost
   openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
       -in idp.cacert.localhost.csr.pem \
       -out idp.cacert.localhost.crt.pem -days 365
   popd
   cp $PATH_TO_DEVSETUP_TESTCA/idp.cacert.localhost.crt.pem .
   ```
-3. Copy CA certificate for client certificates
+2. Copy CA certificate for client certificates
-   ```
+   ```shell
-   openssl x509 -in $PATH_TO_DEVSETUP_TESTCA/class3/ca.crt.pem \
+   (curl -s http://www.cacert.org/certs/CAcert_Class3Root_x14E228.crt ; \
-       -out client_ca.pem
+    curl -s http://www.cacert.org/certs/root_X0F.crt ) > client_ca.pem
   ```
 ### Configure IDP
--- a/changelog.md
+++ b/changelog.md
@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Added
 - implement logout-successful handler
 ### Changed
 - recommend `mkcert` to generate certificates for local development
 - change default configuration to use files recommended in README.md
 - separate server name and bind address to allow binding to a local address
  but publish a different public name
 ## [0.1.3] - 2023-07-24
 ### Fixed
--- a/cmd/idp/main.go
+++ b/cmd/idp/main.go
@ -62,11 +62,12 @@ func main() {
 		logger,
 		"IDP",
 		map[string]interface{}{
 			"server.bind_address":     "",
 			"server.name":             "idp.cacert.localhost",
 			"server.port":             DefaultServerPort,
-			"server.name":             "login.cacert.localhost",
+			"server.key":              "idp.cacert.localhost+1-key.pem",
-			"server.key":              "certs/idp.cacert.localhost.key",
+			"server.certificate":      "idp.cacert.localhost+1.pem",
-			"server.certificate":      "certs/idp.cacert.localhost.crt.pem",
+			"security.client.ca-file": "client_ca.pem",
 			"security.client.ca-file": "certs/client_ca.pem",
 			"admin.url":               "https://hydra.cacert.localhost:4445/",
 			"i18n.languages":          []string{"en", "de"},
 		})
@ -172,6 +173,7 @@ func main() {
 func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Logger, config *koanf.Koanf) {
 	clientCertificateCAFile := config.MustString("security.client.ca-file")
 	serverBindAddress := config.String("server.bind_address")
 	serverName := config.String("server.name")
 	serverPort := config.Int("server.port")
@ -191,7 +193,7 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 		ClientCAs:  clientCertPool,
 	}
 	server := &http.Server{
-		Addr:         fmt.Sprintf("%s:%d", serverName, serverPort),
+		Addr:         fmt.Sprintf("%s:%d", serverBindAddress, serverPort),
 		Handler:      handlerChain,
 		ReadTimeout:  TimeoutTwenty,
 		WriteTimeout: TimeoutTwenty,
@ -220,7 +222,10 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 		close(done)
 	}()
-	logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)
+	logger.WithFields(log.Fields{
 		"address": server.Addr,
 		"url":     fmt.Sprintf("https://%s:%d/", serverName, serverPort),
 	}).Info("Server is ready to handle requests")
 	atomic.StoreInt32(&handlers.Healthy, 1)
 	if err := server.ListenAndServeTLS(
--- a/docs/idp.toml
+++ b/docs/idp.toml
@ -5,8 +5,10 @@ csrf.key = "32-byte-long-random-base64-encoded-key"
 client.ca-file = "client.cas.pem"
 [server]
 # server name
 name = "idp.cacert.org"
 # server IP address
-name = "127.0.0.1"
+bind_address = "127.0.0.1"
 # server port
 port = 3443
 # server TLS X.509 certificate in PEM format