
Allow to specify TLS cert for secure GRPC connection to Beacon Chain #34

Merged: 3 commits into Alethio:master from the tls-cert branch, Jul 8, 2020

Conversation

@linki (Contributor) commented May 21, 2020

This allows specifying a custom TLS certificate for the GRPC connection to the beacon chain (only supported by prysm at the moment).

Implements #27

It's backwards compatible. If no --beacon.tls-cert is provided, it uses the current behaviour. It prints a warning about the insecure connection, though.

I didn't test a custom TLS cert for HTTPS connections, e.g. to lighthouse, and I don't know if it makes sense. Therefore, this case is guarded so no one accidentally configures it.

The implementation is highly inspired by prysm's source code, e.g. here.

@linki linki mentioned this pull request May 21, 2020
@mrosack commented Jun 3, 2020

Sorry it took me so long to test; it's been a busy week or two. I'm seeing messages like this in the logs for eth2stats-client:

time="2020-06-03T00:33:58Z" level=info msg="[prysm] setting up beacon client connection"
time="2020-06-03T00:33:58Z" level=info msg="[core] setting up eth2stats server connection"
time="2020-06-03T00:33:58Z" level=info msg="[core] getting beacon client version"
time="2020-06-03T00:33:58Z" level=error msg="[main] setting up: prysm: getting version: rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: x509: certificate is not valid for any names, but wanted to match localhost\""

I'm generating my cert with this script:

openssl req \
        -newkey rsa:4096 \
        -x509 \
        -sha256 \
        -days 3650 \
        -nodes \
        -out prysm.crt \
        -keyout prysm.key \
        -subj "/CN=prysm" \
        -extensions san \
        -config <( \
                echo '[req]'; \
                echo 'distinguished_name=req'; \
                echo '[san]'; \
                echo 'subjectAltName=IP:127.0.0.1')

Let me know if you need any other info.

@tzapu (Contributor) commented Jun 3, 2020

hey guys, would love to merge this; it would be ideal if there were a readme section telling you how to generate the certs as well

cheers

@linki (Contributor, Author) commented Jun 6, 2020

@mrosack I think if your cert is valid for IP:127.0.0.1 you cannot connect to it using localhost. You could try with 127.0.0.1 and see if it helps. Alternatively, add a DNS alternative name to the cert with DNS:localhost.

@mrosack commented Jun 7, 2020

I'm sorry, it's user error: in my configuration I was using 127.0.0.1 when configuring the validator to talk to the beacon node, and localhost when configuring eth2stats to talk to the beacon node, so the two didn't like the same cert. With both using 127.0.0.1 everything seems great!

@mrosack commented Jun 7, 2020

And with that aha moment, I realized I don't need to overcomplicate my cert creation with the IP SANs and can obviously just use localhost as the name for everything:

openssl req \
        -newkey rsa:4096 \
        -x509 \
        -sha256 \
        -days 3650 \
        -nodes \
        -out prysm.crt \
        -keyout prysm.key \
        -subj "/CN=localhost"

Beacon: --tls-cert=prysm.crt --tls-key=prysm.key

Validator: --beacon-rpc-provider=localhost:4000 --tls-cert=prysm.crt

Eth2Stats: --beacon.addr="localhost:4000" --beacon.tls-cert="prysm.crt"

@linki (Contributor, Author) commented Jun 24, 2020

@tzapu I'll reproduce what @mrosack did and add it to the docs.

@tzapu (Contributor) commented Jun 24, 2020

thanks @linki, much appreciated

@linki (Contributor, Author) commented Jul 7, 2020

@tzapu I added a section about the --beacon.tls-cert flag in the README.

I kept it brief and only explained how to configure it for eth2stats. All the details on how to create and use self-signed certificates are explained in Prysm's documentation.

@tzapu tzapu merged commit 99731d3 into Alethio:master Jul 8, 2020
@linki linki deleted the tls-cert branch July 8, 2020 12:47