danajp

$ curl --cert ~/.kube/k8s-admin.pem --key ~/.kube/k8s-admin-key.pem https://k8s.dev.use1.int.greenhouse.io/version
{
  "major": "1",
  "minor": "5",
  "gitVersion": "v1.5.4+coreos.0",
  "gitCommit": "97c11b097b1a2b194f1eddca8ce5468fcc83331c",
  "gitTreeState": "clean",
  "buildDate": "2017-03-08T23:54:21Z",
  "goVersion": "go1.7.4",
  "compiler": "gc",

danajp

$ curl -sv https://k8s.dev.use1.int.greenhouse.io/version |& grep '<'
< HTTP/1.1 401 Unauthorized
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 18 May 2017 13:24:01 GMT
< Content-Length: 13

danajp

irb(main):130:0> Net::HTTP.start(
irb(main):131:1*   "k8s.dev.use1.int.greenhouse.io",
irb(main):132:1*   443,
irb(main):133:1*   :use_ssl => true,
irb(main):134:1*   :cert => OpenSSL::X509::Certificate.new(File.read("/home/dana/.kube/k8s-admin.pem")),
irb(main):135:1*   :key => OpenSSL::PKey.read(File.read("/home/dana/.kube/k8s-admin-key.pem")),
irb(main):136:1* ) do |http|
irb(main):137:1*   http.request(Net::HTTP::Get.new("/version"))
irb(main):138:1> end
=> #<Net::HTTPUnauthorized 401 Unauthorized readbody=true>

danajp

$ curl  --cacert ~/.minikube/ca.crt --cert ~/.minikube/apiserver.crt --key ~/.minikube/apiserver.key https://192.168.99.100:8443/version
{
  "major": "1",
  "minor": "6",
  "gitVersion": "v1.6.0",
  "gitCommit": "fff5156092b56e6bd60fff75aad4dc9de6b6ef37",
  "gitTreeState": "dirty",
  "buildDate": "2017-04-07T20:43:50Z",
  "goVersion": "go1.7.1",
  "compiler": "gc",

danajp

irb(main):116:0> cert_store = OpenSSL::X509::Store.new
=> #<OpenSSL::X509::Store:0x00560ede1504f8 @verify_callback=nil, @error=nil, @error_string=nil, @chain=nil, @time=nil>
irb(main):117:0> cert_store.add_file("/home/dana/.minikube/ca.crt")
=> #<OpenSSL::X509::Store:0x00560ede1504f8 @verify_callback=nil, @error=nil, @error_string=nil, @chain=nil, @time=nil>
irb(main):118:0>
irb(main):119:0* Net::HTTP.start(
irb(main):120:1*   "192.168.99.100",
irb(main):121:1*   8443,
irb(main):122:1*   :use_ssl => true,
irb(main):123:1*   :cert_store => cert_store,

danajp

$ cat ~/.minikube/apiserver.crt
-----BEGIN CERTIFICATE-----
MHIwWjAgbmljZSB0cnkgYnVkZHksIHRoaXMgaXMgc29tZSBmYWtlIGNlcnRpZmlj
...
YXRlIGRhdGEK==
-----END CERTIFICATE-----

$ cat ~/.kube/k8s-admin.pem
-----BEGIN CERTIFICATE-----
MHIwWjAgZXZlbiBtb3JlIGZha2UgY2VydGlmaWNhdGUgZGF0YSB0aGF0J3MgYmFz

danajp

irb(main):001:0> puts OpenSSL::X509::Certificate.new(File.read("/home/dana/.kube/k8s-admin.pem")).to_s
-----BEGIN CERTIFICATE-----
MHIwWjAgZXZlbiBtb3JlIGZha2UgY2VydGlmaWNhdGUgZGF0YSB0aGF0J3MgYmFz
...
ZTY0IGVuY29kZWQK
-----END CERTIFICATE-----
=> nil

danajp

module Net   #:nodoc:
  # ...

  class HTTP < Protocol
    # ...

    SSL_IVNAMES = [
      :@ca_file,
      :@ca_path,
      :@cert,

danajp

class Net::HTTP
  SSL_IVNAMES << :@extra_chain_cert unless SSL_IVNAMES.include?(:@extra_chain_cert)
  SSL_ATTRIBUTES << :extra_chain_cert unless SSL_ATTRIBUTES.include?(:extra_chain_cert)

  attr_accessor :extra_chain_cert
end

danajp

irb(main):090:0> cert_data = <<EOF
irb(main):091:0" -----BEGIN CERTIFICATE-----
irb(main):092:0" MHIwWjAgZXZlbiBtb3JlIGZha2UgY2VydGlmaWNhdGUgZGF0YSB0aGF0J3MgYmFz
irb(main):093:0" ...
irb(main):094:0" ZTY0IGVuY29kZWQK
irb(main):095:0" -----END CERTIFICATE-----
irb(main):096:0" EOF
=> "-----BEGIN CERTIFICATE-----\nMHIwWjAgZXZlbiBtb3JlIGZha2UgY2VydGlmaWNhdGUgZGF0YSB0aGF0J3MgYmFz\n...\nZTY0IGVuY29kZWQK\n-----END CERTIFICATE-----\n"
irb(main):097:0> intermediate_cert_data = <<EOF
irb(main):098:0" -----BEGIN CERTIFICATE-----