def ask_ca_name(self):
ca_name_config = self['ca.name']
if self.interactive:
print CA_NAME_QUESTION % {CONFIG_KEY_CA_DIR : self.cadir}
ca_name = get_user_input("CA Name", default=ca_name_config,
required=False)
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name_config or pathutil.uuidgen()
print "Creating CA with name: '%s'" % ca_name
return ca_name
def ask_ca_name(self):
ca_name_config = self['ca.name']
if self.interactive:
print CA_NAME_QUESTION % {CONFIG_KEY_CA_DIR: self.cadir}
ca_name = get_user_input("CA Name",
default=ca_name_config,
required=False)
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name_config or pathutil.uuidgen()
print "Creating CA with name: '%s'" % ca_name
return ca_name
def run(basedir, cadir, certconf, keyconf, hostnameconf, log):
log.debug("Forcing a CA/hostcert install")
# Reject relative paths
if not pathutil.is_absolute_path(cadir):
raise IncompatibleEnvironment("CA directory path is not absolute")
if not pathutil.is_absolute_path(certconf):
raise IncompatibleEnvironment("certificate path is not absolute")
if not pathutil.is_absolute_path(keyconf):
raise IncompatibleEnvironment("key path is not absolute")
# The CA dir must not exist, create that first.
autoca.createCA(pathutil.uuidgen(), basedir, cadir, log)
print "Created auto CA: %s" % cadir
# The configured certificate and key must not exist; create them.
autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log)
print "\nCreated hostcert: %s" % certconf
print "Created hostkey: %s\n" % keyconf
def run(basedir, cadir, certconf, keyconf, hostnameconf, log):
log.debug("Forcing a CA/hostcert install")
# Reject relative paths
if not pathutil.is_absolute_path(cadir):
raise IncompatibleEnvironment("CA directory path is not absolute")
if not pathutil.is_absolute_path(certconf):
raise IncompatibleEnvironment("certificate path is not absolute")
if not pathutil.is_absolute_path(keyconf):
raise IncompatibleEnvironment("key path is not absolute")
# The CA dir must not exist, create that first.
autoca.createCA(pathutil.uuidgen(), basedir, cadir, log)
print "Created auto CA: %s" % cadir
# The configured certificate and key must not exist; create them.
autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log)
print "\nCreated hostcert: %s" % certconf
print "Created hostkey: %s\n" % keyconf
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >>sys.stderr, "***"
print >>sys.stderr, "*** WARNING ***"
print >>sys.stderr, "***"
print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def createCert(CN,
basedir,
cadir,
certtarget,
keytarget,
log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_CREATE_NEW_CERT,
args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout,
stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir,
log,
EXE_GET_HASHED_CERT_NAME,
args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode,
stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None):
log.debug("Checking SSL")
# If the configurations themselves are missing, we cannot continue.
if not certconf:
raise IncompatibleEnvironment("There is no 'ssl.cert' configuration")
if not keyconf:
raise IncompatibleEnvironment("There is no 'ssl.key' configuration")
# If the configurations are relative, they are assumed to be relative from
# the base directory.
if not pathutil.is_absolute_path(certconf):
certconf = pathutil.pathjoin(basedir, certconf)
log.debug("ssl.cert was a relative path, converted to '%s'" % certconf)
if not pathutil.is_absolute_path(keyconf):
keyconf = pathutil.pathjoin(basedir, keyconf)
log.debug("ssl.key was a relative path, converted to '%s'" % keyconf)
# If the configured certificate exists, check the key permissions, then
# exit.
missingcert = None
missingkey = None
if not pathutil.check_path_exists(certconf):
missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf
if not pathutil.check_path_exists(keyconf):
missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf
if not missingcert and not missingkey:
log.debug("cert and key confs exist already, checking key perms")
# check key permission
if pathutil.is_path_private(keyconf):
log.debug("key is owner-read only: %s" % keyconf)
else:
print >> sys.stderr, "***"
print >> sys.stderr, "*** WARNING ***"
print >> sys.stderr, "***"
print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf
return
# If only one of the cert/key files exists, we cannot reason about
# what to do: error.
prefix = "Only one of the SSL cert/key file exists, cannot continue. "
if missingcert and not missingkey:
raise IncompatibleEnvironment(prefix + missingcert)
if missingkey and not missingcert:
raise IncompatibleEnvironment(prefix + missingkey)
# The configured certificate and key do not exist; create them.
print "Cannot find configured certificate and key for HTTPS, creating these for you."
# If the internal CA does not exist, create that first.
if not cadir:
cadir = pathutil.pathjoin(basedir, "var/ca")
if not pathutil.check_path_exists(cadir):
print "\nCannot find internal CA, creating this for you.\n"
print "Please pick a unique, one word CA name or hit return to use a UUID.\n"
print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n"
ca_name = raw_input("Enter a name: ")
if not ca_name:
ca_name = pathutil.uuidgen()
print "You did not enter a name, using '%s'" % ca_name
else:
ca_name = ca_name.split()[0]
print "Using '%s'" % ca_name
autoca.createCA(ca_name, basedir, cadir, log)
print "\nCreated internal CA: %s" % cadir
if not hostname:
print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n"
hostname = raw_input("Hostname: ")
if not hostname:
hostname = "localhost"
print "Using '%s'" % hostname
autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log)
print "\nCreated certificate: %s" % certconf
print "Created key: %s\n" % keyconf
def createCert(CN, basedir, cadir, certtarget, keytarget, log,
allow_overwrite=False):
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
cacert_path = findCAcert(basedir, cadir, log)
cakey_path = findCAkey(basedir, cadir, log)
# Create temp directory.
uuid = pathutil.uuidgen()
tempdir = pathutil.pathjoin(cadir, uuid)
os.mkdir(tempdir)
pathutil.ensure_dir_exists(tempdir, "temp certs directory")
log.debug("Created %s" % tempdir)
args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args)
runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr)
pub_DN = stdout.strip()
temp_pub_path = pathutil.pathjoin(tempdir, "pub")
pathutil.ensure_file_exists(temp_pub_path, "temp cert")
log.debug("temp cert exists: " + temp_pub_path)
# copy that to user-cert records
args = [temp_pub_path]
(exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args)
runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr)
usercertfilehash = stdout.strip()
log.debug("user cert file hash is '%s'" % usercertfilehash)
cert_records_path = pathutil.pathjoin(cadir, "user-certs")
cert_records_path = pathutil.pathjoin(cert_records_path,
usercertfilehash + ".0")
shutil.copyfile(temp_pub_path, cert_records_path)
pathutil.ensure_file_exists(cert_records_path, "new certificate (record)")
log.debug("cert exists at target: " + cert_records_path)
temp_priv_path = pathutil.pathjoin(tempdir, "priv")
pathutil.ensure_file_exists(temp_priv_path, "temp key")
log.debug("temp key exists: " + temp_priv_path)
log.debug("Created certificate: %s" % pub_DN)
# Those user-supplied targets still don't exist, right? :-)
if not allow_overwrite and pathutil.check_path_exists(certtarget):
msg = "Certificate file present already: " + certtarget
raise IncompatibleEnvironment(msg)
if not allow_overwrite and pathutil.check_path_exists(keytarget):
msg = "Key file present already: " + keytarget
raise IncompatibleEnvironment(msg)
shutil.copyfile(temp_pub_path, certtarget)
pathutil.ensure_file_exists(certtarget, "new certificate")
log.debug("cert exists at target: " + certtarget)
shutil.copyfile(temp_priv_path, keytarget)
pathutil.ensure_file_exists(keytarget, "new key")
log.debug("key exists at target: " + keytarget)
pathutil.make_path_rw_private(keytarget)
pathutil.ensure_path_private(keytarget, "new key")
log.debug("file made private: %s" % keytarget)
shutil.rmtree(tempdir)
return pub_DN
