Documentation
¶
Index ¶
- Variables
- func CmdResolve(chainPath, privateKeyPath, hostname, outputPath string, force bool, is ISSL) error
- func CmdVerify(chainPath, privateKeyPath, hostname string, selfSigned bool, is ISSL) error
- func IsHostnameMismatchErr(err error) bool
- func IsIncompleteChainErr(err error) bool
- type HostnameMismatchError
- type ISSL
- type IncompleteChainError
- type SSSL
Constants ¶
This section is empty.
Variables ¶
View Source
var Cmd = models.Command{ Name: "ssl", ShortHelp: "Perform operations on local certificates to verify their validity", LongHelp: "The <code>ssl</code> command offers access to subcommands that deal with SSL certificates. You cannot run the SSL command directly but must call a subcommand.", CmdFunc: func(settings *models.Settings) func(cmd *cli.Cmd) { return func(cmd *cli.Cmd) { cmd.CommandLong(ResolveSubCmd.Name, ResolveSubCmd.ShortHelp, ResolveSubCmd.LongHelp, ResolveSubCmd.CmdFunc(settings)) cmd.CommandLong(VerifySubCmd.Name, VerifySubCmd.ShortHelp, VerifySubCmd.LongHelp, VerifySubCmd.CmdFunc(settings)) } }, }
Cmd is the contract between the user and the CLI. This specifies the command name, arguments, and required/optional arguments and flags for the command.
View Source
var ResolveSubCmd = models.Command{ Name: "resolve", ShortHelp: "Verify that an SSL certificate is signed by a valid CA and attempt to resolve any incomplete certificate chains that are found", LongHelp: "<code>ssl resolve</code> is a tool that will attempt to fix invalid SSL certificates chains. " + "A well formatted SSL certificate will include your certificate, intermediate certificates, and root certificates. " + "It should follow this format\n\n" + "<pre>\n-----BEGIN CERTIFICATE-----\n" + "<Your SSL certificate here>\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "<One or more intermediate certificates here>\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "<Root CA here>\n" + "-----END CERTIFICATE-----\n</pre>\n\n" + "If your certificate only includes your own certificate, such as the following format shows\n\n" + "<pre>\n-----BEGIN CERTIFICATE-----\n" + "<Your SSL certificate here>\n" + "-----END CERTIFICATE-----\n</pre>\n\n" + "then the SSL resolve command will attempt to resolve this by downloading public intermediate certificates and root certificates. " + "A general rule of thumb is, if your certificate passes the <code>ssl resolve</code> check, it will almost always work on the Datica platform. " + "You can specify where to save the updated chain or omit the <code>OUTPUT</code> argument to print it to STDOUT.\n\n" + "Please note you all certificates and private keys should be in PEM format. " + "You cannot use self signed certificates with this command as they cannot be resolved as they are not signed by a valid CA. " + "Here are some sample commands\n\n" + "<pre>\ndatica ssl resolve ~/mysites_cert.pem ~/mysites_key.key *.mysite.com ~/updated_mysites_cert.pem -f\n" + "datica ssl resolve ~/mysites_cert.pem ~/mysites_key.key *.mysite.com\n</pre>", CmdFunc: func(settings *models.Settings) func(cmd *cli.Cmd) { return func(subCmd *cli.Cmd) { chain := subCmd.StringArg("CHAIN", "", "The path to your full certificate chain in PEM format") privateKey := subCmd.StringArg("PRIVATE_KEY", "", "The path to your private key in PEM format") hostname := subCmd.StringArg("HOSTNAME", "", "The hostname that should match your certificate (e.g. \"*.datica.com\")") output := subCmd.StringArg("OUTPUT", "", "The path of a file to save your properly resolved certificate chain (defaults to STDOUT)") force := subCmd.BoolOpt("f force", false, "If an output file is specified and already exists, setting force to true will overwrite the existing output file") subCmd.Action = func() { err := CmdResolve(*chain, *privateKey, *hostname, *output, *force, New(settings)) if err != nil { logrus.Fatal(err.Error()) } } subCmd.Spec = "CHAIN PRIVATE_KEY HOSTNAME [OUTPUT] [-f]" } }, }
View Source
var VerifySubCmd = models.Command{ Name: "verify", ShortHelp: "Verify whether a certificate chain is complete and if it matches the given private key", LongHelp: "<code>ssl verify</code> will tell you if your SSL certificate and private key are properly formatted for use with Datica's Compliant Cloud. " + "Before uploading a certificate to Datica you should verify it creates a full chain and matches the given private key with this command. " + "Both your chain and private key should be <b>unencrypted</b> and in <b>PEM</b> format. " + "The private key is the only key in the key file. " + "However, for the chain, you should include your SSL certificate, intermediate certificates, and root certificate in the following order and format.\n\n" + "<pre>\n-----BEGIN CERTIFICATE-----\n" + "<Your SSL certificate here>\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "<One or more intermediate certificates here>\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "<Root CA here>\n" + "-----END CERTIFICATE-----\n</pre>\n\n" + "This command also requires you to specify the hostname that you are using the SSL certificate for in order to verify that the hostname matches what is in the chain. " + "If it is a wildcard certificate, your hostname would be in the following format: <code>*.datica.com</code>. " + "This command will verify a complete chain can be made from your certificate down through the intermediate certificates all the way to a root certificate that you have given or one found in your system.\n\n" + "You can also use this command to verify self-signed certificates match a given private key. " + "To do so, add the <code>-s</code> option which will skip verifying the certificate to root chain and just tell you if your certificate matches your private key. " + "Please note that the empty quotes are required for checking self signed certificates. " + "This is the required parameter HOSTNAME which is ignored when checking self signed certificates. " + "Here are some sample commands\n\n" + "<pre>\ndatica ssl verify ./datica.crt ./datica.key *.datica.com\n" + "datica ssl verify ~/self-signed.crt ~/self-signed.key \"\" -s\n</pre>", CmdFunc: func(settings *models.Settings) func(cmd *cli.Cmd) { return func(subCmd *cli.Cmd) { chain := subCmd.StringArg("CHAIN", "", "The path to your full certificate chain in PEM format") privateKey := subCmd.StringArg("PRIVATE_KEY", "", "The path to your private key in PEM format") hostname := subCmd.StringArg("HOSTNAME", "", "The hostname that should match your certificate (e.g. \"*.datica.com\")") selfSigned := subCmd.BoolOpt("s self-signed", false, "Whether or not the certificate is self signed. If set, chain verification is skipped") subCmd.Action = func() { err := CmdVerify(*chain, *privateKey, *hostname, *selfSigned, New(settings)) if err != nil { logrus.Fatal(err.Error()) } } subCmd.Spec = "CHAIN PRIVATE_KEY HOSTNAME [-s]" } }, }
Functions ¶
func CmdResolve ¶
func IsHostnameMismatchErr ¶
func IsIncompleteChainErr ¶
Types ¶
type HostnameMismatchError ¶
HostnameMismatchError represents an error thrown when the hostname listed in an SSL certificate is different from the user input.
func (*HostnameMismatchError) Error ¶
func (h *HostnameMismatchError) Error() string
type ISSL ¶
type ISSL interface {
Verify(chainPath, privateKeyPath, hostname string, selfSigned bool) error
Resolve(chainPath string) ([]byte, error)
}
ISSL
type IncompleteChainError ¶
IncompleteChainError represents an error thrown when an SSL certificate is signed by an invalid CA or has an incomplete certificate chain.
func (*IncompleteChainError) Error ¶
func (i *IncompleteChainError) Error() string
Source Files
Click to show internal directories.
Click to hide internal directories.