Merge branch 'alain'

Conflicts: stack/certificate-authority/buildout.cfg stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in stack/certificate-authority/template/ca-nginx.conf.in

Merge branch 'alain'
Conflicts: stack/certificate-authority/buildout.cfg stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in stack/certificate-authority/template/ca-nginx.conf.in
9e128673 · Alain Takoudjou · 0619e1bc · 75e2d291 · 9e128673 · 9e128673
Commit 9e128673 authored Apr 21, 2017 by Alain Takoudjou
4 changed files
--- a/stack/certificate-authority/buildout.cfg
+++ b/stack/certificate-authority/buildout.cfg
 [buildout]
 extends =
+  buildout.hash.cfg
  ../../component/apache/buildout.cfg
  ../../component/nginx/buildout.cfg
  ../../component/curl/buildout.cfg
@@ -36,20 +37,14 @@ mode = 0644
 [template-httpd-auth-conf]
 <= template-ca-download-base
-md5sum = ea445b0a9b143d12b5700a71ac06293c
-filename = template-httpd-auth.conf.in
 [template-nginx-ca-conf]
 <= template-ca-download-base
-md5sum = 97d8dbcdfcca92a3c2b70634f0dee8d9
-filename = ca-nginx.conf.in
 [template-authenticated-server]
 recipe = slapos.recipe.template:jinja2
-filename = template-authenticated-server.cfg
 template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
 rendered = ${buildout:directory}/template-authenticated-server.cfg
-md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
 context =
  key apache_location apache:location
  key gzip_location gzip:location
@@ -65,15 +60,14 @@ context =
 [template-certificate-authority]
 recipe = slapos.recipe.template:jinja2
-filename = template-certificate-authority.cfg
 template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
 rendered = ${buildout:directory}/template-certificate-authority.cfg
-md5sum = d5139f650388256776f43b9026617564
 context =
  key ngix_location nginx:location
  key template_logrotate_base template-logrotate-base:rendered
  raw curl_executable_location ${curl:location}/bin/curl
  raw certificate_authority_bin ${buildout:directory}/bin/ca-bin
+  raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
  raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
  raw dash_executable_location ${dash:location}/bin/dash
  raw gunicorn_bin ${buildout:directory}/bin/gunicorn

--- a/stack/certificate-authority/buildout.hash.cfg
+++ b/stack/certificate-authority/buildout.hash.cfg
+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     But avoid directories, they are not portable.
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+[template-httpd-auth-conf]
+md5sum = ea445b0a9b143d12b5700a71ac06293c
+filename = template-httpd-auth.conf.in
+[template-nginx-ca-conf]
+md5sum = 608b221009981fddfd9bb6cc6c5d465c
+filename = ca-nginx.conf.in
+[template-authenticated-server]
+filename = template-authenticated-server.cfg
+md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
+[template-certificate-authority]
+filename = template-certificate-authority.cfg
+md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
--- a/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
+++ b/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
@@ -9,8 +9,10 @@ parts =
 [certificate-authority-parameters]
 server-port = 8009
-# Overrite this to set frontend URL
+server-https-port = 8010
-external-url = https://[${slap-configuration:ipv6-random}]:${:server-port}
+# Overrite this to set frontend URL (URL is used as CRL distribution point)
+# Please set http not HTTPS scheme
+external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs}
 ca-newcerts = ${ca-directory:newcerts}
 ca-crl = ${ca-directory:crl}
-[ca-nginx-ssl]
+[nginx-certificate-request-base]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:bin}/request-base-certificate
+cert-file = ${ca-nginx-ssl-config:cert}
+key-file = ${ca-nginx-ssl-config:key}
+ca-cert = ${directory:ssl}/cacert.pem
+parameters-extra = true
+command-line = {{ certificate_request_bin }}
+  --crt-file ${:cert-file}
+  --key-file ${:key-file}
+  --ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+  --ca-crt-file ${:ca-cert}
+  --no-check-certificate
+[nginx-certificate-request]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:scripts}/request-server-certificate
+command-line =
+  ${nginx-certificate-request-base:wrapper-path}
+  --cn nginx@certificate.authority
+  --request
+[ca-nginx-ssl-config]
 recipe = plone.recipe.command
-# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files
+command = 
-command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+  if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
+    echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
+  else:
+    echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
+  fi
 key = ${directory:ssl}/ca-cert.key
 cert = ${directory:ssl}/ca-cert.crt
-update-command = 
+update-command = ${:command}
+output = ${directory:etc}/ca-nginx-ssl.cfg
 stop-on-error = true
+[ca-nginx-ssl]
+recipe = slapos.cookbook:zero-knowledge.read
+file-path = ${ca-nginx-ssl-config:output}
 [ca-nginx-conf-parameter]
 ip = ${slap-configuration:ipv6-random}
 port = ${certificate-authority-parameters:server-port}
+https-port = ${certificate-authority-parameters:server-https-port}
 pid-file = ${directory:run}/nginx-ca.pid
 access-log = ${directory:log}/nginx-ca-access.log
 error-log = ${directory:log}/nginx-ca-error.log
@@ -102,6 +136,8 @@ input = inline:
  crl-life-period 0.02
  # ca-life-time = ca-life-period * crt-life-time
  ca-life-period 10
+  # time before clean certificate on CA: 60*24*60*60
+  crt-keep-time 5184000
 output = ${directory:etc}/ca.conf
 mode = 700
@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn
 recipe = slapos.cookbook:wrapper
 command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
 wrapper-path = ${directory:services}/ca-server
-wait-for-files =
+#wait-for-files =
-  ${ca-nginx-ssl:cert}
+#  ${ca-nginx-ssl:cert}
-  ${ca-nginx-ssl:key}
+#  ${ca-nginx-ssl:key}
-#environment = 
-#  CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
 url = ${certificate-authority-parameters:external-url}
+secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
 depends = 
+  ${nginx-certificate-request:wrapper-path}
  ${certificate-authority-server-promise:filename}
+  ${certificate-authority-https-server-promise:filename}
  ${ca-nginx-graceful:output}
+  ${certificate-renew-cron-entry:name}
+[ca-server-certificate-renew]
+recipe = collective.recipe.template
+input = inline:
+  #!{{ dash_executable_location }}
+  d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
+  cert_time=$(date -d "$d" +"%s")
+  now=$(date +"%s")
+  thresold=2592000  # 30*24*60*60  equivalent to one month in seconds
+  remind=$(($cert_time - $now))
+  if [ $remind -lt $thresold ]; then
+    exec ${nginx-certificate-request-base:wrapper-path} --renew
+  fi
+output = ${directory:bin}/server-certificate-renew
+mode = 700
+[certificate-renew-cron-entry]
+recipe = slapos.cookbook:cron.d
+cron-entries = ${cron:cron-entries}
+name = ca-server-certificate-auto-renew
+frequency = 0 */2 * * *
+command = ${ca-server-certificate-renew:output}
 [certificate-authority-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
 filename = certificate-authority-server-listening-on-tcp
 url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+dash_path = {{ dash_executable_location }}
+curl_path = {{ curl_executable_location }}
+[certificate-authority-https-server-promise]
+recipe = slapos.cookbook:check_url_available
+path = ${directory:promises}/${:filename}
+filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
+url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
 check-secure = 1
 dash_path = {{ dash_executable_location }}
 curl_path = {{ curl_executable_location }}

--- a/stack/certificate-authority/template/ca-nginx.conf.in
+++ b/stack/certificate-authority/template/ca-nginx.conf.in
@@ -26,36 +26,70 @@ http {
      server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
    }
-     server {
+    {% if parameter_dict['cert-file'] and parameter_dict['key-file'] -%}
-        listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl;
+    server {
-        server_name _;
+      listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }} ssl;
-        ssl_certificate     {{ parameter_dict['cert-file'] }};
+      server_name _;
-        ssl_certificate_key {{ parameter_dict['key-file'] }};
+      ssl_certificate     {{ parameter_dict['cert-file'] }};
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+      ssl_certificate_key {{ parameter_dict['key-file'] }};
-        ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
+      ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-        ssl_prefer_server_ciphers on;
+      ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
-        keepalive_timeout 90s;
+      ssl_prefer_server_ciphers on;
-        client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
+      keepalive_timeout 90s;
-        proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
+      client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
-        fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
+      proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
-        uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+      fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
-        scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
+      uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+      scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
-        location / {
-            proxy_redirect off;
+      location / {
-            proxy_set_header   X-Forwarded-Proto $scheme;
+          proxy_redirect off;
-            proxy_set_header   X-Real-IP $remote_addr;
+          proxy_set_header   X-Forwarded-Proto $scheme;
-            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header   X-Real-IP $remote_addr;
-            proxy_set_header   X-Forwarded-Host  $http_host;
+          proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-            proxy_set_header   Host $http_host;
+          proxy_set_header   X-Forwarded-Host  $http_host;
-            proxy_set_header   Authorization $http_authorization;
+          proxy_set_header   Host $http_host;
-            proxy_pass_header  Authorization;
+          proxy_set_header   Authorization $http_authorization;
-            proxy_connect_timeout 90;
+          proxy_pass_header  Authorization;
-            proxy_send_timeout    90;
+          proxy_connect_timeout 90;
-            proxy_read_timeout    90;
+          proxy_send_timeout    90;
-            send_timeout          90;
+          proxy_read_timeout    90;
+          send_timeout          90;
-            proxy_pass http://app_server;
-        }
+          proxy_pass http://app_server;
+      }
+    }
+    {% endif -%}
+    server {
+      listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
+      server_name _;
+      keepalive_timeout 90s;
+      client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
+      proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
+      fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
+      uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+      scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
+      location ~ ^(/admin|/user) {
+        # http is not used for /admin and /user
+      }
+      location / {
+          proxy_redirect off;
+          proxy_set_header   X-Forwarded-Proto $scheme;
+          proxy_set_header   X-Real-IP $remote_addr;
+          proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header   X-Forwarded-Host  $http_host;
+          proxy_set_header   Host $http_host;
+          proxy_set_header   Authorization $http_authorization;
+          proxy_pass_header  Authorization;
+          proxy_connect_timeout 90;
+          proxy_send_timeout    90;
+          proxy_read_timeout    90;
+          send_timeout          90;
+          proxy_pass http://app_server;
+      }
    }
 }