Ejemplo n.º 1
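def _gen_and_copy_cert(args):
    """
    Generate rsyslog client certs on the log server and copy them to this host.

    The work is done when "force-new-certs" is in args, or when any of the
    expected local files (<fqdn>.crt, <fqdn>.key and ca.crt under
    /etc/pki/rsyslog/) is missing. Otherwise only a verbose message is printed.

    args -- options to look through; only "force-new-certs" is checked.

    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # Files that must exist locally for the certificate set to count as complete.
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn),
        "{0}{1}.key".format(crt_dir, fqdn),
        "{0}/ca.crt".format(crt_dir)
    ]

    # Determine whether to generate and copy rsyslog certificates
    if 'force-new-certs' in args or not _all_files_exist(cert_files):
        # Generate the certs on the remote machine
        general.wait_for_server_root_login(srv)
        # NOTE(review): fqdn goes into the remote command line unquoted;
        # presumably hostname and resolv domain are trusted local settings - confirm.
        general.run_remote_command(srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(fqdn))

        # Retrieve the certs
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
        # Match "<fqdn>.*" instead of "<hostname>*". The short-hostname prefix
        # also matches other hosts whose name starts with the same characters,
        # and remove_remote_files=True would then take their key material off
        # the log server as well. cert_files expects <fqdn>.crt and <fqdn>.key,
        # so the needed files are still covered.
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/{0}.*".format(fqdn), crt_dir,
                                     verify_local=cert_files, remove_remote_files=True)

        # Restore SELinux labels, then restrict the key material to root.
        # NOTE(review): the private key is only tightened to 0600 here, after the
        # copy; confirm retrieve_from_server does not leave it readable until then.
        x("restorecon -r /etc/pki/rsyslog")
        x("chmod 600 /etc/pki/rsyslog/*")
        x("chown root:root /etc/pki/rsyslog/*")
    else:
        app.print_verbose("Found all certs and force-new-certs was not specified so not updating certificates")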
Ejemplo n.º 2
def _copy_certificate_files(env):
    """
    Copy <env>.pem from the certificate server to this host, logging in as root.

    The remote file is <cert_server_path>/<env>.pem and the local target is
    <cert_copy_to_path>/<env>.pem; the local path is also passed as the only
    verify_local entry.

    env -- name used to build the .pem file name on both sides.

    """
    # NOTE(review): env is placed into both paths as-is; presumably callers
    # pass a fixed environment name - confirm it cannot contain path separators.
    pem_template = "{0}/{1}.pem"

    source_login = "root@{0}".format(cert_server)
    remote_pem = pem_template.format(cert_server_path, env)
    local_pem = pem_template.format(cert_copy_to_path, env)

    retrieve_from_server(
        source_login,
        remote_pem,
        local_pem,
        verify_local=[local_pem]
    )
Ejemplo n.º 3
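def download_cert(filename):
    """
    Get the client certificate and the CA certificate from the ldap server.

    Copies client.pem and ca.crt from /etc/openldap/cacerts/ on the ldap
    server into the same directory on this host.

    This is not needed to be done on the server.

    filename -- not used by this function; kept so existing callers still work.

    """
    cacerts_dir = '/etc/openldap/cacerts/'

    # Creating certs folder
    x("mkdir -p /etc/openldap/cacerts")

    # NOTE(review): ca.crt is fetched from the ldap server itself, so its
    # authenticity rests on how retrieve_from_server authenticates that host
    # (presumably SSH host keys) - confirm.
    for cert_name in ('client.pem', 'ca.crt'):
        cert_path = cacerts_dir + cert_name
        # Verify the downloaded file, not the directory: the directory always
        # exists after the mkdir above, so listing it in verify_local could
        # not reveal a failed or partial copy.
        general.retrieve_from_server(config.general.get_ldap_server_ip(),
                                     cert_path,
                                     cacerts_dir,
                                     verify_local=[cert_path])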
Ejemplo n.º 4
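def _gen_and_copy_cert(args):
    """
    Create this host's rsyslog client certificates and fetch them from the log server.

    Runs when "force-new-certs" is in args or when one of the expected local
    files is missing: <fqdn>.crt, <fqdn>.key and ca.crt in /etc/pki/rsyslog/.
    When all files are present and no regeneration was requested, it only
    prints a verbose message.

    args -- options to look through; only "force-new-certs" is checked.

    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(),
                            config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # The complete local certificate set; also used to verify the download.
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn), "{0}{1}.key".format(crt_dir, fqdn),
        "{0}/ca.crt".format(crt_dir)
    ]

    # Determine whether to generate and copy rsyslog certificates
    if 'force-new-certs' in args or not _all_files_exist(cert_files):
        # Generate the certs on the remote machine
        general.wait_for_server_root_login(srv)
        # NOTE(review): fqdn is passed to the remote shell unquoted; presumably
        # it is built from trusted local settings only - confirm.
        general.run_remote_command(
            srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(
                fqdn))

        # Retrieve the certs
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
        # Use "<fqdn>.*" rather than the short hostname as glob prefix. A bare
        # "<hostname>*" also matches files of hosts whose name merely starts
        # with this hostname, and remove_remote_files=True would remove those
        # from the log server too. <fqdn>.crt and <fqdn>.key (the names in
        # cert_files) are still matched.
        general.retrieve_from_server(srv,
                                     "/etc/pki/rsyslog/{0}.*".format(fqdn),
                                     crt_dir,
                                     verify_local=cert_files,
                                     remove_remote_files=True)

        # Restore SELinux labels and make the files root-only.
        # NOTE(review): permissions are tightened only after the key has been
        # copied; confirm the copy itself does not create it group/world readable.
        x("restorecon -r /etc/pki/rsyslog")
        x("chmod 600 /etc/pki/rsyslog/*")
        x("chown root:root /etc/pki/rsyslog/*")
    else:
        app.print_verbose(
            "Found all certs and force-new-certs was not specified so not updating certificates"
        )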
Ejemplo n.º 5
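def download_cert(filename):
    """
    Get the client certificate and the CA certificate from the ldap server.

    client.pem and ca.crt are copied from /etc/openldap/cacerts/ on the ldap
    server to /etc/openldap/cacerts/ on this host.

    This is not needed to be done on the server.

    filename -- not used by this function; kept so existing callers still work.

    """
    # Creating certs folder
    x("mkdir -p /etc/openldap/cacerts")

    # verify_local names the file that was copied. Passing the directory, as
    # before, verified nothing: the mkdir above guarantees it exists, so a
    # failed download of either file went unnoticed.
    general.retrieve_from_server(
        config.general.get_ldap_server_ip(),
        '/etc/openldap/cacerts/client.pem',
        '/etc/openldap/cacerts/',
        verify_local = ['/etc/openldap/cacerts/client.pem']
    )

    # NOTE(review): the CA certificate is the trust anchor for LDAP over TLS
    # and is taken from the ldap server itself; presumably retrieve_from_server
    # authenticates that host (e.g. SSH host keys) - confirm.
    general.retrieve_from_server(
        config.general.get_ldap_server_ip(),
        '/etc/openldap/cacerts/ca.crt',
        '/etc/openldap/cacerts/',
        verify_local = ['/etc/openldap/cacerts/ca.crt']
    )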
Ejemplo n.º 6
def _copy_certificate_files(env):
    """
    Retrieve the <env>.pem certificate file from the certificate server.

    Connects as root@<cert_server>, reads <cert_server_path>/<env>.pem and
    writes it to <cert_copy_to_path>/<env>.pem. The local file path is handed
    to retrieve_from_server as the single verify_local entry.

    env -- name used for the .pem file on the server and locally.

    """
    # NOTE(review): env ends up in a remote and a local path without checks;
    # presumably it is a fixed environment name chosen by the caller - confirm.
    root_login = "root@{0}".format(cert_server)
    src_path = "{0}/{1}.pem".format(cert_server_path, env)
    dst_path = "{0}/{1}.pem".format(cert_copy_to_path, env)

    files_to_verify = [dst_path]
    retrieve_from_server(root_login, src_path, dst_path,
                         verify_local=files_to_verify)