Commit 41231b96 authored by Alain Takoudjou's avatar Alain Takoudjou

stack ca: apply some fixes

parent 9e128673
......@@ -20,11 +20,12 @@ parts =
[extra-eggs]
recipe = zc.recipe.egg
interpreter = python.ca
interpreter = python_ca
eggs =
gunicorn # for WSGI HTTP Server
futures
certificate.authority
# are also required
plone.recipe.command
collective.recipe.template
......@@ -52,11 +53,10 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw curl_executable_location ${curl:location}/bin/curl
raw dash_executable_location ${dash:location}/bin/dash
raw dcron_executable_location ${dcron:location}/sbin/crond
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_executable ${buildout:directory}/bin/${extra-eggs:interpreter}
raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
[template-certificate-authority]
recipe = slapos.recipe.template:jinja2
......@@ -70,8 +70,7 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw dash_executable_location ${dash:location}/bin/dash
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw gunicorn_bin ${buildout:directory}/bin/gunicorn
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
raw eggs_directory ${buildout:eggs-directory}
raw develop_eggs_directory ${buildout:develop-eggs-directory}
......@@ -19,13 +19,13 @@ md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
md5sum = 608b221009981fddfd9bb6cc6c5d465c
md5sum = d8bebf1629aacffd619541f363687b4a
filename = ca-nginx.conf.in
[template-authenticated-server]
filename = template-authenticated-server.cfg
md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
md5sum = 444ada31a9a453fc0550df3ccccac6a7
[template-certificate-authority]
filename = template-certificate-authority.cfg
md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
md5sum = e097dab69a38e428600b171ce2f6d68c
\ No newline at end of file
......@@ -39,7 +39,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--ca-url ${authenticated-server-parameters:ca-url}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[server-certificate-request]
recipe = slapos.cookbook:wrapper
......@@ -121,7 +120,7 @@ mode = 700
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = certificate-auto-renew
frequency = 0 */2 * * *
frequency = 5 6 * * 6
command = ${certificate-renew:output}
[logrotate-authenticated-httpd]
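Review bot: The renewal check for the authenticated server now runs once a week (`5 6 * * 6`, Saturday 06:05) instead of every two hours, so the expiry threshold used by `certificate-renew` (its script is not in this hunk) must exceed seven days with margin, and a run that fails because the CA is unreachable is not retried for another week. A daily check with the same threshold, `frequency = 5 6 * * *`, keeps the load negligible while leaving room for retries before expiry. Dropping `--no-check-certificate` in the first hunk is the right move now that `--ca-crt-file` is passed; the renewal wrapper presumably reuses the same verified `--ca-url`, but it is outside this view and should be confirmed.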
......@@ -10,9 +10,9 @@ parts =
[certificate-authority-parameters]
server-port = 8009
server-https-port = 8010
# Overrite this to set frontend URL (URL is used as CRL distribution point)
# Overrite this to set frontend or DNS URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
crl-external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory]
recipe = slapos.cookbook:mkdirectory
......@@ -66,7 +66,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
......@@ -77,12 +76,15 @@ command-line =
--request
[ca-nginx-ssl-config]
# if ssl certificate is signed write to file so that zero-knowledge can read
recipe = plone.recipe.command
command =
if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
else:
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
cat << EOF > ${:output}
[ca-nginx-ssl]
key=${:key}
cert=${:cert}
EOF
fi
key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt
......@@ -93,6 +95,9 @@ stop-on-error = true
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
# initials values are empty, the section https (ssl) in nginx config will be skipped
cert =
key =
[ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random}
......@@ -122,6 +127,7 @@ context =
[certificate-authority-conf]
recipe = collective.recipe.template
# Values here are intended to be changed in your instance. override this section
input = inline:
ca-dir ${directory:ca-dir}
# enable debug
......@@ -129,7 +135,7 @@ input = inline:
# log-file ${directory:log}/ca-server.log
subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
max-request-amount 10
external-url ${certificate-authority-parameters:external-url}
external-url ${certificate-authority-parameters:crl-external-url}
# one year (in seconds)
crt-life-time 31536000
# crl-life-period correspond to about one week
......@@ -165,17 +171,15 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server
#wait-for-files =
# ${ca-nginx-ssl:cert}
# ${ca-nginx-ssl:key}
url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
insecure-url = ${certificate-authority-parameters:crl-external-url}
depends =
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
${ca-certificate-renew-cron-entry:name}
${logrotate-ca-nginx:name}
[ca-server-certificate-renew]
recipe = collective.recipe.template
......@@ -190,18 +194,27 @@ input = inline:
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
# run nginx grancefull restart to reload renewed certificates
excec ${ca-nginx-graceful:output}
fi
output = ${directory:bin}/server-certificate-renew
mode = 700
[certificate-renew-cron-entry]
[ca-certificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
# check renew every-week
frequency = 5 4 * * 6
command = ${ca-server-certificate-renew:output}
[logrotate-ca-nginx]
< = logrotate-entry-base
name = certificate-authority-nginx-server
log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
[certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
......@@ -226,5 +239,3 @@ partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
[slap-parameter]
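Review bot: In `ca-server-certificate-renew` the graceful reload on the line after `exec ${nginx-certificate-request-base:wrapper-path} --renew` can never run, because `exec` replaces the shell; with the cron entry now moved to a weekly run (`5 4 * * 6`), a renewed certificate would stay unloaded in nginx until something else restarts it. Replace the two lines with `${nginx-certificate-request-base:wrapper-path} --renew && ${ca-nginx-graceful:output}` so the reload happens only after a successful renewal (the existing line also spells `excec`, which would fail as a command if it were ever reached). The start of the inline script, where `$remind` and `$thresold` are computed, is outside this hunk, so the renewal threshold should be checked against the new weekly cadence. Separately, the new `[logrotate-ca-nginx]` lists `${ca-nginx-conf-parameter:access-log}` twice; the second entry presumably should be the error log, if the template defines such a key.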
......@@ -62,7 +62,7 @@ http {
{% endif -%}
server {
listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }};
server_name _;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};