slapos
Commit 41231b96 authored Apr 21, 2017 by Alain Takoudjou
stack ca: apply some fixes
parent 9e128673
Showing 5 changed files with 37 additions and 28 deletions (+37 -28)
stack/certificate-authority/buildout.cfg (+4 -5)
stack/certificate-authority/buildout.hash.cfg (+3 -3)
stack/certificate-authority/instance-auth-server.cfg.jinja2.in (+1 -2)
stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in (+28 -17)
stack/certificate-authority/template/ca-nginx.conf.in (+1 -1)
stack/certificate-authority/buildout.cfg
...
@@ -20,11 +20,12 @@ parts =
...
@@ -20,11 +20,12 @@ parts =
[extra-eggs]
[extra-eggs]
recipe = zc.recipe.egg
recipe = zc.recipe.egg
interpreter = python
.
ca
interpreter = python
_
ca
eggs =
eggs =
gunicorn # for WSGI HTTP Server
gunicorn # for WSGI HTTP Server
futures
futures
certificate.authority
certificate.authority
# are also required
plone.recipe.command
plone.recipe.command
collective.recipe.template
collective.recipe.template
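Review bot: the `# are also required` comment added above `plone.recipe.command` does not say required by what; write out what needs those two recipes (the instance templates that use them, or whatever the real reason is) so the next reader knows why they sit in the egg list. The interpreter rename from `python.ca` to `python_ca` also changes the generated script to `${buildout:directory}/bin/python_ca`, which the contexts below consume through `${extra-eggs:interpreter}`, so grep for any literal `bin/python.ca` left outside this file.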
...
@@ -52,11 +53,10 @@ context =
...
@@ -52,11 +53,10 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw curl_executable_location ${curl:location}/bin/curl
raw curl_executable_location ${curl:location}/bin/curl
raw dash_executable_location ${dash:location}/bin/dash
raw dash_executable_location ${dash:location}/bin/dash
raw dcron_executable_location ${dcron:location}/sbin/crond
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
raw openssl_executable_location ${openssl:location}/bin/openssl
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_
executable
${buildout:directory}/bin/${extra-eggs:interpreter}
raw python_
bin
${buildout:directory}/bin/${extra-eggs:interpreter}
[template-certificate-authority]
[template-certificate-authority]
recipe = slapos.recipe.template:jinja2
recipe = slapos.recipe.template:jinja2
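Review bot: `raw dcron_executable_location ${dcron:location}/sbin/crond` leaves the template-authenticated-server context and `python_executable` is renamed to `python_bin`, but the visible diff of instance-auth-server.cfg.jinja2.in removes no `{{ dcron_executable_location }}` or `{{ python_executable }}` reference; confirm the template no longer uses either name, because an undefined context variable only surfaces when the instance is rendered, not when this buildout runs.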
...
@@ -70,8 +70,7 @@ context =
...
@@ -70,8 +70,7 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw dash_executable_location ${dash:location}/bin/dash
raw dash_executable_location ${dash:location}/bin/dash
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw gunicorn_bin ${buildout:directory}/bin/gunicorn
raw gunicorn_bin ${buildout:directory}/bin/gunicorn
raw openssl_executable_location ${openssl:location}/bin/openssl
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
raw eggs_directory ${buildout:eggs-directory}
raw develop_eggs_directory ${buildout:develop-eggs-directory}
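Review bot: with `raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill` joining the template-certificate-authority context (the new `[logrotate-ca-nginx]` section in instance-certificate-authority.cfg.jinja2.in uses `{{ slapos_kill_bin }}` for its post-rotate hook) and `eggs_directory` / `develop_eggs_directory` leaving it, make sure no `{{ eggs_directory }}` or `{{ develop_eggs_directory }}` remains in that template; its visible hunks do not show such references being removed.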
stack/certificate-authority/buildout.hash.cfg
...
@@ -19,13 +19,13 @@ md5sum = ea445b0a9b143d12b5700a71ac06293c
...
@@ -19,13 +19,13 @@ md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
[template-nginx-ca-conf]
md5sum =
608b221009981fddfd9bb6cc6c5d465c
md5sum =
d8bebf1629aacffd619541f363687b4a
filename = ca-nginx.conf.in
filename = ca-nginx.conf.in
[template-authenticated-server]
[template-authenticated-server]
filename = template-authenticated-server.cfg
filename = template-authenticated-server.cfg
md5sum =
39c1494b45dcbd5388b0d1c1d9b27ffb
md5sum =
444ada31a9a453fc0550df3ccccac6a7
[template-certificate-authority]
[template-certificate-authority]
filename = template-certificate-authority.cfg
filename = template-certificate-authority.cfg
md5sum = 50d678bfc056489fd9817e4da6599e8f
md5sum = e097dab69a38e428600b171ce2f6d68c
\ No newline at end of file
\ No newline at end of file
stack/certificate-authority/instance-auth-server.cfg.jinja2.in
...
@@ -39,7 +39,6 @@ command-line = {{ certificate_request_bin }}
...
@@ -39,7 +39,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--key-file ${:key-file}
--ca-url ${authenticated-server-parameters:ca-url}
--ca-url ${authenticated-server-parameters:ca-url}
--ca-crt-file ${:ca-cert}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[server-certificate-request]
[server-certificate-request]
recipe = slapos.cookbook:wrapper
recipe = slapos.cookbook:wrapper
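Review bot: dropping `--no-check-certificate` from the `ca-cliweb` request is the right direction, since `--ca-crt-file ${:ca-cert}` is already passed, but it only buys anything if `${authenticated-server-parameters:ca-url}` is an https URL; if the value handed in is the CA's plain-http endpoint (the CA profile in this same commit publishes both an `insecure-url` and a `secure-url`), the CSR and the issued certificate still travel unauthenticated. Document that `ca-url` must be the `secure-url`, and consider rejecting a `http://` value here rather than silently accepting it.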
...
@@ -121,7 +120,7 @@ mode = 700
...
@@ -121,7 +120,7 @@ mode = 700
recipe = slapos.cookbook:cron.d
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
cron-entries = ${cron:cron-entries}
name = certificate-auto-renew
name = certificate-auto-renew
frequency =
0 */2 * * *
frequency =
5 6 * * 6
command = ${certificate-renew:output}
command = ${certificate-renew:output}
[logrotate-authenticated-httpd]
[logrotate-authenticated-httpd]
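Review bot: moving `certificate-auto-renew` from `0 */2 * * *` to `5 6 * * 6` turns a two-hourly renewal check into a weekly one, so a certificate whose remaining lifetime crosses the renew threshold just after Saturday 06:05 waits up to seven days, and an instance that is down at that minute waits fourteen. Unless the threshold inside `${certificate-renew:output}` is comfortably above two weeks, a daily schedule is safer (the check is only a date comparison). Every instance built from this profile will also contact the CA at the same minute each week; a per-instance offset for the minute and hour would spread that load.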
...
...
stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
...
@@ -10,9 +10,9 @@ parts =
...
@@ -10,9 +10,9 @@ parts =
[certificate-authority-parameters]
[certificate-authority-parameters]
server-port = 8009
server-port = 8009
server-https-port = 8010
server-https-port = 8010
# Overrite this to set frontend URL (URL is used as CRL distribution point)
# Overrite this to set frontend
or DNS
URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
crl-
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory]
[directory]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
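Review bot: renaming `external-url` to `crl-external-url` in `[certificate-authority-parameters]` silently breaks any profile that extends this one and overrides `external-url`: the override becomes a dead key and issued certificates get the default `http://[<ipv6-random>]:8009` as their CRL distribution point, i.e. whatever random partition address this instance happened to receive. Call the rename out in the commit message, or keep `external-url` as a deprecated alias (`crl-external-url = ${:external-url}`) for one release. In the comment, `Overrite` should read `Override`, and `Please set http not HTTPS scheme` would be clearer with its reason: the CRL is signed by the CA itself, and a client that must fetch revocation data over TLS from the very CA it is validating ends up in a circular check.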
...
@@ -66,7 +66,6 @@ command-line = {{ certificate_request_bin }}
...
@@ -66,7 +66,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
recipe = slapos.cookbook:wrapper
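Review bot: removing `--no-check-certificate` here is harmless but also a no-op, because the `--ca-url` on the preceding line is the plain-http `server-port` endpoint, so there is no server certificate to check. That is acceptable for the CA requesting its own nginx certificate from itself on the same partition, but a one-line comment saying so would stop the next reader from "fixing" it by pointing `--ca-url` at `${certificate-authority-parameters:crl-external-url}`, which may be overridden to an external frontend.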
...
@@ -77,12 +76,15 @@ command-line =
...
@@ -77,12 +76,15 @@ command-line =
--request
--request
[ca-nginx-ssl-config]
[ca-nginx-ssl-config]
# if ssl certificate is signed write to file so that zero-knowledge can read
recipe = plone.recipe.command
recipe = plone.recipe.command
command =
command =
if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
cat << EOF > ${:output}
else:
[ca-nginx-ssl]
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
key=${:key}
cert=${:cert}
EOF
fi
fi
key = ${directory:ssl}/ca-cert.key
key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt
cert = ${directory:ssl}/ca-cert.crt
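Review bot: good catch on the previous `else:`: to a POSIX shell that token is not the `else` keyword but a command named `else:`, so the branch never existed and, whenever the key and certificate did exist, the second `echo` overwrote the freshly written `[ca-nginx-ssl]` file with empty `key=` / `cert=`. The heredoc is also the right replacement for `echo -e`, which dash's builtin echo does not accept (the `-e` itself ends up in the file). Two follow-ups: `command` now writes nothing when the pair is absent, so `${:output}` depends on the defaults in the `[ca-nginx-ssl]` zero-knowledge section; and because plone.recipe.command only re-executes `command` on install, confirm this section also sets `update-command = ${:command}` (not in the visible lines), otherwise the file is never produced on the later buildout run in which the certificate has been signed.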
...
@@ -93,6 +95,9 @@ stop-on-error = true
...
@@ -93,6 +95,9 @@ stop-on-error = true
[ca-nginx-ssl]
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
file-path = ${ca-nginx-ssl-config:output}
# initials values are empty, the section https (ssl) in nginx config will be skipped
cert =
key =
[ca-nginx-conf-parameter]
[ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random}
ip = ${slap-configuration:ipv6-random}
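Review bot: the empty `cert =` / `key =` defaults in `[ca-nginx-ssl]` are what let the profile render before the server certificate exists, so the `{% if %}` in ca-nginx.conf.in that wraps the https `server` block must test both values for emptiness, not just one; otherwise nginx is handed an `ssl_certificate` without its key (or the reverse) and refuses to start. Because the ssl block is skipped rather than disabled, `${certificate-authority-https-server-promise:filename}` in `depends` will keep failing until the next buildout run reads the file and `${ca-nginx-graceful:output}` reloads nginx; a comment on that expected order (request certificate, buildout rerun, graceful reload) would help whoever debugs the red promise.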
...
@@ -122,6 +127,7 @@ context =
...
@@ -122,6 +127,7 @@ context =
[certificate-authority-conf]
[certificate-authority-conf]
recipe = collective.recipe.template
recipe = collective.recipe.template
# Values here are intended to be changed in your instance. override this section
input = inline:
input = inline:
ca-dir ${directory:ca-dir}
ca-dir ${directory:ca-dir}
# enable debug
# enable debug
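Review bot: `# Values here are intended to be changed in your instance. override this section` should say how: none of the visible values reference `${slap-parameter:...}` (and the last hunk of this file removes that section), so the only way to change `subject`, `crt-life-time` and the rest is a profile that extends this one and redefines `[certificate-authority-conf]`. Say that explicitly, and capitalise `Override`.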
...
@@ -129,7 +135,7 @@ input = inline:
...
@@ -129,7 +135,7 @@ input = inline:
# log-file ${directory:log}/ca-server.log
# log-file ${directory:log}/ca-server.log
subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
max-request-amount 10
max-request-amount 10
external-url ${certificate-authority-parameters:external-url}
external-url ${certificate-authority-parameters:
crl-
external-url}
# one year (in seconds)
# one year (in seconds)
crt-life-time 31536000
crt-life-time 31536000
# crl-life-period correspond to about one week
# crl-life-period correspond to about one week
...
@@ -165,17 +171,15 @@ wrapper-path = ${directory:services}/ca-gunicorn
...
@@ -165,17 +171,15 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper
recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server
wrapper-path = ${directory:services}/ca-server
#wait-for-files =
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
# ${ca-nginx-ssl:cert}
insecure-url = ${certificate-authority-parameters:crl-external-url}
# ${ca-nginx-ssl:key}
url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
depends =
depends =
${nginx-certificate-request:wrapper-path}
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename}
${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output}
${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
${ca-certificate-renew-cron-entry:name}
${logrotate-ca-nginx:name}
[ca-server-certificate-renew]
[ca-server-certificate-renew]
recipe = collective.recipe.template
recipe = collective.recipe.template
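Review bot: the old section carried two `url =` keys (the https `server-https-port` one and `${certificate-authority-parameters:external-url}`), which left the effective value to parser order; now both are gone and replaced by `insecure-url` and `secure-url`, so whichever publish or connection section exposed `${<this-section>:url}` has to change too, and that change is not in the visible diff. The naming is good: `insecure-url` is what goes into certificates as the CRL distribution point and `secure-url` is what clients should be given as `ca-url`; a one-line comment stating exactly that would keep them from being swapped later. Unrelated but adjacent: `{{ ngix_location }}` on the `command-line` is a misspelling carried over unchanged.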
...
@@ -190,18 +194,27 @@ input = inline:
...
@@ -190,18 +194,27 @@ input = inline:
if [ $remind -lt $thresold ]; then
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
exec ${nginx-certificate-request-base:wrapper-path} --renew
# run nginx grancefull restart to reload renewed certificates
excec ${ca-nginx-graceful:output}
fi
fi
output = ${directory:bin}/server-certificate-renew
output = ${directory:bin}/server-certificate-renew
mode = 700
mode = 700
[certificate-renew-cron-entry]
[c
a-c
ertificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
# check renew every-week
frequency = 5 4 * * 6
command = ${ca-server-certificate-renew:output}
command = ${ca-server-certificate-renew:output}
[logrotate-ca-nginx]
< = logrotate-entry-base
name = certificate-authority-nginx-server
log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
[certificate-authority-server-promise]
[certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
path = ${directory:promises}/${:filename}
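Review bot: `excec ${ca-nginx-graceful:output}` never runs: the line above it is `exec ${nginx-certificate-request-base:wrapper-path} --renew`, and `exec` replaces the shell, so nothing after it is reached; and if it were reached, `excec` is not a command. As written, a renewed certificate lands on disk but nginx keeps serving the old one until something else restarts it. Replace the two lines with `${nginx-certificate-request-base:wrapper-path} --renew && exec ${ca-nginx-graceful:output}` so the reload happens only when the renewal succeeded. In `[logrotate-ca-nginx]`, `log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}` lists the access log twice; the second entry is presumably meant to be the error log. The weekly-schedule concern raised on the client side applies to `5 4 * * 6` as well, and `grancefull` / `thresold` in the script text should read `graceful` / `threshold`.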
...
@@ -226,5 +239,3 @@ partition = ${slap-connection:partition-id}
...
@@ -226,5 +239,3 @@ partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
cert = ${slap-connection:cert-file}
[slap-parameter]
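Review bot: removing the empty `[slap-parameter]` section changes nothing functionally, but confirm that no `${slap-parameter:...}` reference survives elsewhere in the template (none is visible in this diff), since a dangling reference would only fail at instance render time.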
stack/certificate-authority/template/ca-nginx.conf.in
...
@@ -62,7 +62,7 @@ http {
...
@@ -62,7 +62,7 @@ http {
{% endif -%}
{% endif -%}
server {
server {
listen [{{ parameter_dict['ip'] }}]:
parameter_dict['port'] ssl
;
listen [{{ parameter_dict['ip'] }}]:
{{ parameter_dict['port'] }}
;
server_name _;
server_name _;
keepalive_timeout 90s;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
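Review bot: the old `listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;` had the port outside `{{ }}`, so nginx was handed the literal text `parameter_dict['port']` and could not have started; the new line fixes the interpolation and, correctly, drops `ssl` from this listener, which is the plain-http `server-port` that serves as the CRL distribution point. Since this `server` block sits right after the `{% endif -%}` that closes the conditional https block, double-check that the conditional wraps the whole ssl `server` (including `ssl_certificate` / `ssl_certificate_key`) and nothing else, so that with empty `cert` / `key` nginx still has exactly one working listener.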
...
...