# help
Hi friends. I'm trying to set up a standalone Wiremock service so that it can be a proxy, and setting up the certificate story around that. According to the Wiremock documentation:

> WireMock uses a root Certificate Authority private key to sign a certificate for each host that it proxies. By default, WireMock will use a CA key store at `$HOME/.wiremock/ca-keystore.jks`. If this key store does not exist, WireMock will generate it with a new secure private key which should be entirely private to the system on which WireMock is running. You can provide a key store containing such a private key & certificate yourself using the `--ca-keystore`, `--ca-keystore-password` & `--ca-keystore-type` options.
I'm using cert-manager and kubernetes to generate my own certificate that I want to pass down to Wiremock. When I pipe in the certificate I generated like so:

```
--ca-keystore=/etc/wiremock-certificate/keystore.jks
```

but when I try to make a call that gets proxied through Wiremock, it presents me with the default certificate instead of the one I specified through the options. See 🧵
I can verify that the keystore is correct by examining it inside the pod that has Wiremock deployed:

```
aurea ~/Development/persona-kubernetes [aurea/PER-29086/wiremock-cert-manager] $ k exec -it wiremock-6c987c9d64-g8jpl -n wiremock -- keytool -list -v -keystore /etc/wiremock-certificate/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ca
Creation date: Aug 15, 2024
Entry type: trustedCertEntry

Owner: CN=Wiremock Root CA
Issuer: CN=Wiremock Root CA

etc...
```
yet the certificate I receive back is:

```
root@shell-demo:/# openssl s_client -connect example.org:443 -showcerts
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Tom Akehurst
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Tom Akehurst
verify return:1
---
Certificate chain
 0 s:C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Tom Akehurst
   i:C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Tom Akehurst
```
I set the password to be the default "password" for the keystore.
Can someone help me understand if there's something wrong with my setup?
Here are all the options I'm using for Wiremock:

```
--https-port=8443,--port=9021,--max-request-journal=1000,--local-response-templating,--root-dir=/home/wiremock/storage,--enable-browser-proxying,--ca-keystore=/etc/wiremock-certificate/keystore.jks
```
I'm using istio.io to reroute traffic from example.org to the Wiremock service I'm running.
I confirmed it reroutes and I can stub things successfully if I ignore certificate validation during the TLS connection.

```
root@shell-demo:/# curl https://example.org -k
Wiremock stub.root@shell-demo:/#
```

```json
{
  "uuid": "5f4266b1-7138-4d60-9d55-e72ea0ba5ff2",
  "request": {
    "url": "/",
    "method": "GET"
  },
  "response": {
    "status": 200,
    "body": "Wiremock stub.",
    "headers": {
      "Content-Type": "text/plain"
    }
  }
}
```
Bump, can I get any help on debugging this?
An update: I don't think the `--ca-keystore=` option works at all. I am using the `wiremock/wiremock:3.8.0` image. I can use the `--https-keystore` option, but I have to pass in a cert with the matching hostname I want to stub. I can't do it for multiple calls to different hostnames.