A port of nebula-certs code to Clojure. Allows users to generate nebula certs, sign, verify etc.
Useful as a Clojure library and as a CLI tool.
nebula-cert-clj can be used as a command line tool.
It tries to follow the same syntax as original nebula-cert .
Still work in progress
# Call without options to view usage
clojure -M -m ieugen.nebula.cli
Usage: nebula-cert-clj [-V | -version] [-h | --help] [ca | keygen | sign | pring | verify] [<args>...]
A port of nebula-certs to clojure.
-V, Prints the version
-h, --help Prints this help message
ca Create a self signed certificate authority
keygen Create a public/private key pair.
sign Create and sign a certificate.
pring Print details about a certificate
verify Verifies a certificate isn't expired and was signed by a trusted authority.
{io.github.ieugen/nebula-cert-clj {:git/url "https://github.com/ieugen/nebula-cert-clj.git"
:git/sha "fill commit id here"}}To generate certificates we need protocol buffers.
There is an issue with protojure serialization: protojure/lib#164 Use java protocol buffers for serialization. Using protojure is easier to work with, so will use protojure for all work except serialization. To handle serialization we will serialize with protojure and then read and write with java protocol buffers implementation. This will be required until protojure can write packed repeated fields properly.
See https://protojure.readthedocs.io/en/latest/protobufs/#getting-started
- Install protojure
- Generate clojure from .proto file
# Download plugin to generate clojure code from proto files
curl -L https://github.com/protojure/protoc-plugin/releases/download/v2.1.2/protoc-gen-clojure --output protoc-gen-clojure
chmod +x protoc-gen-clojure
mkdir -p generated/clj
# Generate clojure code from protocol buffers
protoc --clojure_out=generated/clj src/proto/cert.proto
# Use java protocol buffers. Compile classes after.
mkdir -p generated/java
protoc --java_out=generated/java src/proto/cert.proto
Some useful commands on using nebula-cert:
cd sample-certs
# Generate sample certificate authority
nebula-cert ca -name "Sample-CA01" -ips 100.100.0.0/24,100.90.0.0/24,100.99.0.0/24 \
-groups group-a,group-b -subnets 100.90.0.0/24,100.99.0.0/24 \
-out-crt sample-ca01.crt \
-out-key sample-ca01.key
# Generate a key pair for users
nebula-cert keygen -out-key sample-cert-01.key -out-pub sample-cert-01.pub
nebula-cert keygen -out-key ecdh-25519-01.key -out-pub ecdh-25519-01.pub
nebula-cert keygen -curve P256 -out-key ecdh-p256-01.key -out-pub ecdh-p256-01.pub
# Sign certificate
nebula-cert sign -ca-crt sample-certs/sample-ca01.crt \
-ca-key sample-certs/sample-ca01.key \
-name ieugen -in-pub sample-certs/25519.pub \
-out-crt sample-25519.crt \
-ip 100.100.0.1/24
# Sign command using nebula-cert-clj
./nebula-cert-clj.sh sign --ca-crt sample-certs/sample-ca01.crt \
--ca-key sample-certs/sample-ca01.key \
--name ieugen --in-pub sample-certs/25519.pub \
--out-crt sample-25519.crt \
--ip 100.100.0.1/24
# Print certificate details
nebula-cert print -path sample-ca01.crt -json
# Verify certificate
nebula-cert verify -ca sample-ca01.crt -crt sample-cert-01.crt
Nebula handles SIGHUP (signal number 1) and does a configuration and certificate reload when the signal is sent.
During a reload connections are kept. If the config is invalid, nebula will keep the old configuration and continue running as nothing happened.
ps -aux | grep nebula
root 9370 0.0 0.0 20488 5356 pts/2 S+ mar26 0:00 sudo /home/ieugen/.guix-profile/bin/nebula --config ./config.yml
# Sending SIGHUP to the process triggers a configuration reload
kill -1 9370
# In nebula logs you will see something like this
INFO[151006] Caught HUP, reloading config
INFO[151006] Client cert refreshed from disk cert="NebulaCertificate {\n\tDetails {\n\t\tName: ieugen.users REDACTED"
# Configuration with error
INFO[151473] Caught HUP, reloading config
ERRO[151473] Error occurred while reloading config config_path=/REDACTED/config.yml error="yaml: line 113: did not find expected key"