diff --git a/api/api.go b/api/api.go
index 1ee9f19d1..fa803015b 100644
--- a/api/api.go
+++ b/api/api.go
@@ -178,6 +178,10 @@ type TLSConfig struct {
  // the Nomad server SSL certificate.
  CAPath string
 
+ // CAInMemCert is the PEM-encoded CA cert to use to verify the Nomad server
+ // SSL certificate.
+ CAInMemCert []byte
+
  // ClientCert is the path to the certificate for Nomad communication
  ClientCert string
 
@@ -348,8 +352,9 @@ func ConfigureTLS(httpClient *http.Client, tlsConfig *TLSConfig) error {
 
  clientTLSConfig := httpClient.Transport.(*http.Transport).TLSClientConfig
  rootConfig := &rootcerts.Config{
- CAFile: tlsConfig.CACert,
- CAPath: tlsConfig.CAPath,
+ CAFile: tlsConfig.CACert,
+ CAPath: tlsConfig.CAPath,
+ CACertificate: tlsConfig.CAInMemCert,
  }
  if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
  return err
diff --git a/vendor/github.com/hashicorp/go-rootcerts/README.md b/vendor/github.com/hashicorp/go-rootcerts/README.md
index f5abffc29..6a128e1e1 100644
--- a/vendor/github.com/hashicorp/go-rootcerts/README.md
+++ b/vendor/github.com/hashicorp/go-rootcerts/README.md
@@ -28,8 +28,9 @@ Here's a snippet demonstrating how this library is meant to be used:
  func httpClient() (*http.Client, error)
  tlsConfig := &tls.Config{}
  err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
- CAFile: os.Getenv("MYAPP_CAFILE"),
- CAPath: os.Getenv("MYAPP_CAPATH"),
+ CAFile: os.Getenv("MYAPP_CAFILE"),
+ CAPath: os.Getenv("MYAPP_CAPATH"),
+ Certificate: os.Getenv("MYAPP_CERTIFICATE"),
  })
  if err != nil {
  return nil, err
diff --git a/vendor/github.com/hashicorp/go-rootcerts/go.mod b/vendor/github.com/hashicorp/go-rootcerts/go.mod
new file mode 100644
index 000000000..e2dd02470
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-rootcerts/go.mod
@@ -0,0 +1,5 @@
+module github.com/hashicorp/go-rootcerts
+
+go 1.12
+
+require github.com/mitchellh/go-homedir v1.1.0
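Review bot: The new CAInMemCert field is silently ignored whenever CACert is also set, because go-rootcerts consults CAFile first (the rootcerts.go hunk in this same commit documents that CAFile "Takes precedence over CACertificate and CAPath"), and ConfigureTLS in the second api.go hunk hands both fields over without checking for the conflict. A caller that sets both almost certainly expects the in-memory bundle to win, or at least to be told it is not used, so consider rejecting the combination before building rootConfig, `if tlsConfig.CACert != "" && len(tlsConfig.CAInMemCert) != 0 { return errors.New("only one of CACert and CAInMemCert may be set") }` (using whichever error constructor api.go already imports), and in the first hunk extend the field comment with `// Ignored when CACert is set; takes precedence over CAPath.`. Note also that the vendored AppendCertificate relies on x509.CertPool.AppendCertsFromPEM, which reports failure only when no certificate at all could be parsed, so a bundle containing some malformed blocks is accepted silently; if strictness matters, validate CAInMemCert on the Nomad side before passing it down. ConfigureTLS begins and ends outside the hunk, so an existing validation block I cannot see may already cover part of this.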
diff --git a/vendor/github.com/hashicorp/go-rootcerts/go.sum b/vendor/github.com/hashicorp/go-rootcerts/go.sum
new file mode 100644
index 000000000..ae38d147b
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-rootcerts/go.sum
@@ -0,0 +1,2 @@
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
diff --git a/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go b/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
index aeb30ece3..69aabd6bc 100644
--- a/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
+++ b/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
@@ -3,21 +3,26 @@ package rootcerts
 import (
  "crypto/tls"
  "crypto/x509"
+ "errors"
  "fmt"
  "io/ioutil"
  "os"
  "path/filepath"
 )
 
-// Config determines where LoadCACerts will load certificates from. When both
-// CAFile and CAPath are blank, this library's functions will either load
+// Config determines where LoadCACerts will load certificates from. When CAFile,
+// CACertificate and CAPath are blank, this library's functions will either load
 // system roots explicitly and return them, or set the CertPool to nil to allow
 // Go's standard library to load system certs.
 type Config struct {
  // CAFile is a path to a PEM-encoded certificate file or bundle. Takes
- // precedence over CAPath.
+ // precedence over CACertificate and CAPath.
  CAFile string
 
+ // CACertificate is a PEM-encoded certificate or bundle. Takes precedence
+ // over CAPath.
+ CACertificate []byte
+
  // CAPath is a path to a directory populated with PEM-encoded certificates.
  CAPath string
 }
@@ -44,6 +49,9 @@ func LoadCACerts(c *Config) (*x509.CertPool, error) {
  if c.CAFile != "" {
  return LoadCAFile(c.CAFile)
  }
+ if len(c.CACertificate) != 0 {
+ return AppendCertificate(c.CACertificate)
+ }
  if c.CAPath != "" {
  return LoadCAPath(c.CAPath)
  }
@@ -68,6 +76,18 @@ func LoadCAFile(caFile string) (*x509.CertPool, error) {
  return pool, nil
 }
 
+// AppendCertificate appends an in-memory PEM-encoded certificate or bundle and returns a pool.
+func AppendCertificate(ca []byte) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+
+ ok := pool.AppendCertsFromPEM(ca)
+ if !ok {
+ return nil, errors.New("Error appending CA: Couldn't parse PEM")
+ }
+
+ return pool, nil
+}
+
 // LoadCAPath walks the provided path and loads all certificates encounted into
 // a pool.
 func LoadCAPath(caPath string) (*x509.CertPool, error) {
diff --git a/vendor/vendor.json b/vendor/vendor.json
index 2899c7ad7..75ad22829 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -241,7 +241,7 @@
  {"path":"github.com/hashicorp/go-plugin/internal/plugin","checksumSHA1":"uTvnRQ5UWn/bhRxbW/UCfYFseSc=","revision":"809113480b559c989ea9cfcff62e9d387961f60b","revisionTime":"2019-10-04T17:18:45Z"},
  {"path":"github.com/hashicorp/go-plugin/internal/proto","checksumSHA1":"Ikbb1FngsPR79bHhr2UmKk4CblI=","revision":"f444068e8f5a19853177f7aa0aea7e7d95b5b528","revisionTime":"2018-12-12T15:08:38Z"},
  {"path":"github.com/hashicorp/go-retryablehttp","checksumSHA1":"9SqwC2BzFbsWulQuBG2+QEliTpo=","revision":"73489d0a1476f0c9e6fb03f9c39241523a496dfd","revisionTime":"2019-01-26T20:33:39Z"},
- {"path":"github.com/hashicorp/go-rootcerts","checksumSHA1":"A1PcINvF3UiwHRKn8UcgARgvGRs=","revision":"6bb64b370b90e7ef1fa532be9e591a81c3493e00","revisionTime":"2016-05-03T14:34:40Z"},
+ {"path":"github.com/hashicorp/go-rootcerts","checksumSHA1":"hfxPtUTFbsE5C1P6gY/gCb9KmP4=","revision":"98fadc2a5ba2ad2a534a179b352ecdfd1f4259aa","revisionTime":"2019-12-10T09:55:28Z","version":"=v1.0.2","versionExact":"v1.0.2"},
  {"path":"github.com/hashicorp/go-safetemp","checksumSHA1":"CduvzBFfTv77nhjtXPGdIjQQLMI=","revision":"b1a1dbde6fdc11e3ae79efd9039009e22d4ae240","revisionTime":"2018-03-26T21:11:50Z"},
  {"path":"github.com/hashicorp/go-sockaddr","checksumSHA1":"J47ySO1q0gcnmoMnir1q1loKzCk=","revision":"6d291a969b86c4b633730bfc6b8b9d64c3aafed9","revisionTime":"2018-03-20T11:50:54Z"},
  {"path":"github.com/hashicorp/go-sockaddr/template","checksumSHA1":"PDp9DVLvf3KWxhs4G4DpIwauMSU=","revision":"6d291a969b86c4b633730bfc6b8b9d64c3aafed9","revisionTime":"2018-03-20T11:50:54Z"},