getcert

package module
v0.0.0-...-57fe970 (not the latest version of this module)
Published: Oct 5, 2020 License: MIT Imports: 6 Imported by: 6

Documentation

Overview

Package getcert allows the dialing of a TLS service (HTTP or gRPC) without having the server's certificate (its public key) ahead of time. This is useful where you don't need a pre-shared cert because traffic is under internal control (internal Kubernetes routing, for example), or where the server presents a cert that is not self-signed and can be verified against a chain of trust rooted in a Certificate Authority (CA). The server already has the cert; why keep a static copy of it to manage?

For internal traffic (where DNS is under your control) you can skip chain verification and take whatever certificate the server presents:

tlsCert, xCerts, err := FromTLSServer("service.com:443", true)

For a certificate that is not self-signed, verify its chain instead:

tlsCert, xCerts, err := FromTLSServer("service.com:443", false)

To use the result in an http.Client, put the retrieved chain into RootCAs so that only that chain is trusted. Note that tls.Config.Certificates is the client's own identity for mutual TLS and has no effect on server verification, and setting InsecureSkipVerify on this client would discard the retrieved certificate entirely, so neither belongs here. Uses crypto/x509 and crypto/tls:

pool := x509.NewCertPool()
for _, c := range xCerts {
	pool.AddCert(c)
}

client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			ServerName: "service.com",
			RootCAs:    pool, // trust only the chain retrieved above
		},
	},
}

resp, err := client.Get("https://service.com/")

You can also turn it into a gRPC DialOption. NewServerTLSFromCert configures a server side, so it is the wrong constructor for a dialer; the client-side constructor takes a cert pool built from the retrieved chain (credentials is google.golang.org/grpc/credentials):

pool := x509.NewCertPool()
for _, c := range xCerts {
	pool.AddCert(c)
}

creds := credentials.NewClientTLSFromCert(pool, "service.com")
conn, err := grpc.Dial(*serverAddr, grpc.WithTransportCredentials(creds))
if err != nil {
    ...
}
defer conn.Close()
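The two steps above (retrieve the chain once with verification off, then pin it for real traffic) as a self-contained Go program. This is an added example and not code from the getcert package: fetchServerChain reimplements what the documentation says FromTLSServer does when skipVerify is true (a handshake with InsecureSkipVerify that only captures the presented chain), pinnedClient puts that chain into RootCAs, and untrustingClient, with an empty pool, shows that the pin is what makes verification pass. The names fetchServerChain, pinnedClient, untrustingClient, demo and Result, the "ok" handler and the use of httptest's built-in self-signed certificate (which lists 127.0.0.1 as a SAN) are all assumptions of this example; it does not call the getcert library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// fetchServerChain plays the role of FromTLSServer with skipVerify=true:
// complete a handshake without validating the chain and return whatever
// certificates the server presented. Reimplementation for this example, not
// the getcert library's code. InsecureSkipVerify is confined to this capture
// step and must never be set on the client that carries real traffic.
func fetchServerChain(hostPort string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", hostPort, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	chain := conn.ConnectionState().PeerCertificates
	if len(chain) == 0 {
		return nil, errors.New("server presented no certificate")
	}
	return chain, nil
}

// pinnedClient trusts exactly the captured chain. The captured certificates
// go into RootCAs; tls.Config.Certificates would be the client's own identity
// for mutual TLS and does nothing for server verification.
func pinnedClient(chain []*x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	for _, c := range chain {
		pool.AddCert(c)
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// untrustingClient has an empty trust store (no system roots, no pin), to show
// that the pinned pool is what makes the handshake verify.
func untrustingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: x509.NewCertPool()},
	}}
}

func get(c *http.Client, u string) (string, error) {
	resp, err := c.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Result reports the outcome of demo so it can be checked without parsing output.
type Result struct {
	Leaf         string // subject of the captured leaf certificate
	PinnedBody   string // body fetched by the pinned client
	PinnedErr    error  // nil when the pinned client verified the server
	UntrustedErr error  // non-nil: the empty trust store rejected the server
}

// demo runs the trust-on-first-use flow against a local, self-signed HTTPS
// server started with httptest (constructed fixture; its certificate is the
// one shipped with net/http/httptest and includes 127.0.0.1 as an IP SAN).
func demo() Result {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
	defer srv.Close()

	u, _ := url.Parse(srv.URL) // https://127.0.0.1:<port>
	chain, err := fetchServerChain(u.Host)
	if err != nil {
		return Result{PinnedErr: err}
	}
	body, pinnedErr := get(pinnedClient(chain), srv.URL)
	_, untrustedErr := get(untrustingClient(), srv.URL)
	return Result{Leaf: chain[0].Subject.String(), PinnedBody: body, PinnedErr: pinnedErr, UntrustedErr: untrustedErr}
}

func main() {
	r := demo()
	var unknown x509.UnknownAuthorityError
	fmt.Printf("captured leaf: %s\n", r.Leaf)
	fmt.Printf("pinned client: body=%q err=%v\n", r.PinnedBody, r.PinnedErr)
	fmt.Printf("empty trust store: err=%v (unknown authority: %t)\n",
		r.UntrustedErr, errors.As(r.UntrustedErr, &unknown))
}
```

The capture step is the only place InsecureSkipVerify appears. If it were also set on the client that carries traffic, the captured chain would never be checked and the connection would accept any server, so the retrieval would have bought nothing; the pin is what turns skipVerify=true into trust-on-first-use, and it is only as good as the first connection that captured it.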

Note: I don't know that I believe there is something completely under internal control that is safe. I suggest always using verify and limiting this to only certain trusted CAs. But that's your call.

This library is useful where mutual authentication via certs is not needed and you do not want to use self-signed certs (which gRPC seems to encourage, but which are no better than preshared secrets and rarely rotate). If you require authentication and don't want client certs, use OAuth or some other mechanism.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FromTLSServer

func FromTLSServer(servicePort string, skipVerify bool) (tls.Certificate, []*x509.Certificate, error)

FromTLSServer does a TLS handshake with the TLS server at servicePort (a host:port address such as "service.com:443") and retrieves the server's public certificate. If skipVerify is set, it will not attempt to validate the server's certificate chain, so the caller gets whatever the peer presented and is responsible for deciding whether to trust it. All certificates in the chain are returned in the tls.Certificate (whose Certificate field can hold multiple certs) and also as the x509.Certificate list.

Types

This section is empty.

Directories

Path Synopsis
Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services.
