According to the Google documentation at https://cloud.google.com/dialogflow/docs/fulfillment-mtls, mutual TLS is an optional way of authenticating.
I have been trying to set this up with an nginx server as my Fulfilment Endpoint, however it does not appear that Dialogflow is actually sending a certificate with the request. If I make a request to the nginx server with curl using some letsencrypt certificates then it works as intended and the request is proxied to my API endpoint.
```nginx
# Redirect all plain-HTTP traffic for the site to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name *.mysite.com;
    return 301 https://$host$request_uri;
}

# Catch-all HTTPS server for hostnames that match no other server block.
server {
    listen 443 default_server ssl;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/mysite/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite/privkey.pem;
}

# Fulfilment endpoint: requires a client certificate (mutual TLS).
server {
    listen 443 ssl;
    server_name mysubdomain.mysite;
    ssl_protocols TLSv1.2;
    # CA bundle used to validate the client certificate presented by Dialogflow.
    ssl_client_certificate /home/user/cacert.pem;
    # Reject any request that does not present a certificate chaining to that bundle.
    ssl_verify_client on;
    ssl_verify_depth 10;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    location / {
        proxy_pass https://myapi/;
    }
}
```
Is this function something that needs to be turned on somewhere for it to attempt a TLS connection? Has anyone got this working?
It turns out that the Mozilla bundle from here does not play nicely. Using only the Google ones has fixed this for me:
```shell
# Google Trust Services intermediate (GTS CA 1O1): download the DER .crt, convert to PEM, append to the bundle.
curl https://pki.goog/gsr2/GTS1O1.crt | openssl x509 -inform der >> ca-crt.pem
# GlobalSign Root CA - R2 (GSR2), the root that issued it, appended the same way.
curl https://pki.goog/gsr2/GSR2.crt | openssl x509 -inform der >> ca-crt.pem
```
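The answer's bundle-building step, as an added example that is not code from the question or the answer: it converts DER `.crt` files to PEM into one bundle the same way, and then checks that the bundle actually lets a certificate chain up to a self-signed root, which is what `ssl_verify_client on` depends on. It assumes `openssl` is installed; the `.crt` inputs are constructed locally (a throwaway root and an intermediate it signs) standing in for the `GSR2.crt` / `GTS1O1.crt` downloads, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post above). Builds the PEM bundle that nginx's
# ssl_client_certificate points to from DER .crt files, then checks that the
# bundle verifies a certificate up to a self-signed root it contains.
# Assumes openssl is installed. The .crt inputs are CONSTRUCTED below as a
# stand-in for the GSR2.crt / GTS1O1.crt downloads, so this runs offline.
set -e
WORK=$(mktemp -d)

# Convert each DER .crt to PEM and append it to the bundle; a non-DER input
# makes openssl exit non-zero, which set -e turns into a hard stop.
build_bundle() {
    bundle=$1; shift
    : > "$bundle"
    for der in "$@"; do
        openssl x509 -inform der -in "$der" >> "$bundle"
    done
}

# Number of certificates nginx would load from the bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 if the bundle verifies the given PEM certificate up to a self-signed
# root contained in the bundle, non-zero otherwise.
bundle_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material: a root CA and an intermediate, exported as DER.
make_test_ders() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 -out "$WORK/int.pem" 2>/dev/null
    openssl x509 -in "$WORK/root.pem" -outform der -out "$WORK/root.crt"
    openssl x509 -in "$WORK/int.pem" -outform der -out "$WORK/int.crt"
}

make_test_ders
build_bundle "$WORK/ca-crt.pem" "$WORK/int.crt" "$WORK/root.crt"   # full chain
build_bundle "$WORK/partial.pem" "$WORK/int.crt"                   # root missing
if bundle_verifies "$WORK/ca-crt.pem" "$WORK/int.pem"; then echo "full bundle: OK"; fi
if ! bundle_verifies "$WORK/partial.pem" "$WORK/int.pem"; then echo "bundle without root: verification fails"; fi
```

A bundle that is missing the issuing root fails the same way for nginx, which is why a CA bundle that does not carry the chain Dialogflow's client certificate is issued under rejects every request.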