Butter Days: Day 10.5
This is Day 10.5 of Butter Days, from my mate’s place.
I managed to find a solution to the certificate issues that at least works well enough for now, so I wanted to quickly write it up.
See Day 1 of Butter Days for context on what I’m ultimately trying to build.
mkcert
First of all, this mkcert tool is amazing. You should try it. Go ahead, I’ll wait.
The quickstart is just one command, if you have an updated version of go:
go run github.com/FiloSottile/mkcert -install example.com "*.example.com"
That’s it. Now you have a self-signed cert trusted by your system that’s valid for example.com and *.example.com. So easy. This could be much more horrible, as yesterday’s post hopefully made clear.
At this point, all I needed to do was get the proxy to serve it up.
Serving It From The Proxy Library
I struggled for a bit figuring out how to pass it in, because the way the proxy hooks into hyper is a bit odd to me. It’s one of those situations where the user (me) isn’t calling the constructor of the object that would need to get the certificate paths. Instead, it’s called by some internal hyper code, which I can’t control.
Rather than try to fight this, I just decided to have it read some environment variables. Here’s the pull request for that.
As an aside, the way I tested this was to run cargo run --example noop to run the provided noop example, which does nothing but terminate the connection and pass the request through unmodified. That was ideal for testing that I didn’t get any certificate errors. It was pretty handy, and it’s also neat that examples are so easy to run in Rust and seem to be a built-in concept.
Adding It To My Project
Once that was done, all I needed to do was pull in the new proxy library. I also created a wrapper script to run mkcert and set everything up properly.
I had to run an openssl command to get the private key into the right format (there are so many key formats, it’s crazy; I just figured out which key format was needed by comparing it to the example I copied the key reading code from).
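The two pieces described above (certificate paths taken from environment variables, and a key file in the wrong PEM format), as an added example that is not the code from either pull request. The variable names PROXY_CERT_PATH and PROXY_KEY_PATH and every function name are hypothetical; the check reads the PEM label so a format mismatch is reported before the TLS library rejects the key.

```rust
use std::{env, fs};

/// PEM private-key encodings, told apart by the label on the BEGIN line.
#[derive(Debug, PartialEq)]
pub enum KeyFormat { Pkcs1Rsa, Pkcs8, Sec1Ec, EncryptedPkcs8 }

#[derive(Debug, PartialEq)]
pub enum ConfigError { MissingVar(&'static str), NoPrivateKey }

// Hypothetical variable names (assumption): the post does not name the real ones.
pub const CERT_VAR: &str = "PROXY_CERT_PATH";
pub const KEY_VAR: &str = "PROXY_KEY_PATH";

/// Return the encoding of the first private-key block found in `pem`.
pub fn key_format(pem: &str) -> Result<KeyFormat, ConfigError> {
    for line in pem.lines().map(str::trim) {
        let label = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----"));
        match label {
            Some("RSA PRIVATE KEY") => return Ok(KeyFormat::Pkcs1Rsa),
            Some("PRIVATE KEY") => return Ok(KeyFormat::Pkcs8),
            Some("EC PRIVATE KEY") => return Ok(KeyFormat::Sec1Ec),
            Some("ENCRYPTED PRIVATE KEY") => return Ok(KeyFormat::EncryptedPkcs8),
            _ => {} // certificates and other blocks are skipped
        }
    }
    Err(ConfigError::NoPrivateKey)
}

/// Resolve (cert path, key path) through `lookup`, so callers can test
/// without touching the real process environment. Empty values count as unset.
pub fn tls_paths(lookup: impl Fn(&str) -> Option<String>) -> Result<(String, String), ConfigError> {
    let get = |name: &'static str| {
        lookup(name).filter(|v| !v.is_empty()).ok_or(ConfigError::MissingVar(name))
    };
    Ok((get(CERT_VAR)?, get(KEY_VAR)?))
}

fn main() {
    match tls_paths(|name| env::var(name).ok()) {
        Ok((cert, key)) => {
            let format = fs::read_to_string(&key).map(|pem| key_format(&pem));
            println!("cert={cert} key={key} format={format:?}");
        }
        Err(e) => eprintln!("TLS config error: {e:?}"),
    }
}
```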
Now it’s done! Here’s the pull request.
$ https_proxy=127.0.0.1:8080 \
    curl -s \
    "https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08" \
    | xq .
{
  "ListUsersResponse": {
    "@xmlns": "https://iam.amazonaws.com/doc/2010-05-08/",
    "ListUsersResult": {
      "IsTruncated": "false",
      "Users": {
        "member": {
          "Path": "/",
          "PasswordLastUsed": "2019-08-31T04:27:09Z",
          "UserName": "shaun.verch",
          "Arn": "arn:aws:iam::000000000000:user/shaun.verch",
          "UserId": "AAAAAAAAAAAAAAAAAAAAA",
          "CreateDate": "2017-09-26T21:42:46Z"
        }
      }
    },
    "ResponseMetadata": {
      "RequestId": "9c75b38b-e482-4c32-a60f-606cb541c7fe"
    }
  }
}
Awesome. No more --insecure!
Next Time
This was the last piece I needed to start using standard libraries with the proxy without any errors.
Now I want to finally start generating some OpenAPI clients and see how far I can get. Remember, the entire point of this is to dump information from my AWS account, so once I auto generate the OpenAPI clients I can hopefully also auto generate the code that dumps the current state of my account.