Esempio n. 1
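    def __init__(self, config):
        """Initialize the certmaster CA, creating its key and certificate on first run.

        Args:
            config: settings object; only ``cadir`` (the CA directory) is read here.

        Raises:
            Exception: if the CA key exists without its certificate (a
                minion-only layout), if the certificate exists without its key,
                or if the directory or CA material cannot be created.
        """
        self.cfg = config

        # The CA's CN is derived from the local hostname.
        mycn = '%s-CA-KEY' % utils.get_hostname()

        # TODO: Make extensions configurable
        self.ca_key_file = os.path.join(self.cfg.cadir, 'certmaster.key')
        self.ca_cert_file = os.path.join(self.cfg.cadir, 'certmaster.crt')

        self.logger = logging.getLogger(__name__)
        self.audit_logger = logging.getLogger('audit')

        have_key = os.path.exists(self.ca_key_file)
        have_cert = os.path.exists(self.ca_cert_file)

        # if ca_key_file exists and ca_cert_file is missing == minion only setup
        if have_key and not have_cert:
            raise Exception("Unable to initialize certmaster service; CA key/cert files do not exist.")
        # A certificate without its private key cannot sign anything; fail now
        # rather than starting a CA that breaks on the first signing request.
        if have_cert and not have_key:
            raise Exception("Unable to initialize certmaster service; CA certificate %s exists but key %s is missing."
                            % (self.ca_cert_file, self.ca_key_file))

        try:
            if not os.path.exists(self.cfg.cadir):
                os.makedirs(self.cfg.cadir)
            # Only a completely empty cadir gets a freshly generated CA.
            if not have_key and not have_cert:
                certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
        except (IOError, OSError) as e:
            raise Exception('Cannot make certmaster certificate authority keys/certs, aborting: %s' % e)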
Esempio n. 2
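    def __init__(self, config):
        """Initialize the certify CA, generating its key and certificate on first run.

        Args:
            config: settings object; only ``cadir`` (the CA directory) is read here.

        Raises:
            Exception: if the CA key exists without its certificate (a
                minion-only layout), if the certificate exists without its key,
                or if the directory or CA material cannot be written.
        """
        self.cfg = config

        # The CA's CN is derived from the local hostname.
        mycn = '%s-CA-KEY' % utils.get_hostname()

        # TODO: Make extensions configurable
        self.ca_key_file = os.path.join(self.cfg.cadir, 'ca.key')
        self.ca_cert_file = os.path.join(self.cfg.cadir, 'ca.crt')

        self.logger = logging.getLogger(__name__)
        self.audit_logger = logging.getLogger('audit')

        have_key = os.path.exists(self.ca_key_file)
        have_cert = os.path.exists(self.ca_cert_file)

        # if ca_key_file exists and ca_cert_file is missing == minion only setup
        if have_key and not have_cert:
            raise Exception("Unable to initialize certify service; CA key/cert files do not exist.")
        # A certificate without its private key cannot sign anything; fail now
        # rather than starting a CA that breaks on the first signing request.
        if have_cert and not have_key:
            raise Exception("Unable to initialize certify service; CA certificate %s exists but key %s is missing."
                            % (self.ca_cert_file, self.ca_key_file))

        try:
            if not os.path.exists(self.cfg.cadir):
                os.makedirs(self.cfg.cadir)
            if not have_key and not have_cert:
                # TODO: configure all other optional args
                (cacert, cakey) = certs.create_ca(CN=mycn)

                # Let dump_to_file create the files itself.  The previous
                # open(..., 'wt') pre-created the key under the process umask
                # (typically world-readable) and its handle was never used;
                # mode= keeps the private key owner-only from the start.
                certs.dump_to_file(cakey, self.ca_key_file, mode=0o600)
                self.logger.info("Created CA Key %s", self.ca_key_file)

                certs.dump_to_file(cacert, self.ca_cert_file, mode=0o644)
                self.logger.info("Created CA Cert %s", self.ca_cert_file)

        except (IOError, OSError) as e:
            raise Exception('Cannot make certify certificate authority keys/certs, aborting: %s' % e)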
Esempio n. 3
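def create_minion_keys(CN,
                       C=None,
                       ST=None,
                       L=None,
                       O=None,
                       OU=None,
                       emailAddress=None,
                       hashalgorithm='sha1'):
    """Create this minion's key and CSR and fetch its signed certificate.

    On first run a keypair and CSR are written under ``minion_config.cert_dir``;
    the CSR is then submitted to the certify master until it answers, and the
    returned certificate and CA certificate are stored next to the key.

    Args:
        CN: subject common name; lowercased, it is also the file stem under
            ``cert_dir``.  ``None`` falls back to the local hostname.
        C, ST, L, O, OU, emailAddress: optional subject fields forwarded to
            ``certs.make_csr``.
        hashalgorithm: CSR signature digest.  ``'sha1'`` is kept as the
            default for compatibility; pass ``'sha256'`` for new deployments.

    Returns:
        None.  Returns early if a certificate and CA certificate already
        exist, or if the received certificate does not match the local key.

    Raises:
        exc.CMException: if no hostname other than localhost is available,
            if ``CN`` cannot be used as a file name, or if the key/CSR cannot
            be created.
    """
    log = logger()

    cert_dir = minion_config.cert_dir
    # NOTE: plain http — nothing in this function authenticates the master,
    # so the CA certificate received below is trusted on first use from
    # whatever answers at this address.
    master_uri = 'http://%s:%s/' % (minion_config.certify,
                                    minion_config.certify_port)

    filename = CN
    if filename is None:
        filename = utils.get_hostname()
        if filename is None:
            raise exc.CMException(
                "Could not determine a hostname other than localhost")

    # use lowercase letters for filenames
    filename = filename.lower()
    # XXX: Other normalization?
    # The stem is joined onto cert_dir; refuse anything that could name a
    # different directory.
    if (filename in ('', '.', '..')
            or os.sep in filename
            or (os.altsep is not None and os.altsep in filename)):
        raise exc.CMException(
            "CN %r cannot be used as a certificate file name" % filename)

    # TODO: Make the extensions configurable?
    key_file = os.path.join(cert_dir, '%s.pem' % filename)
    csr_file = os.path.join(cert_dir, '%s.csr' % filename)
    cert_file = os.path.join(cert_dir, '%s.cert' % filename)
    ca_cert_file = os.path.join(cert_dir, 'ca.cert')

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        log.debug("cert file already exists: %s" % cert_file)
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)

        force_recreate_csr = False

        if os.path.exists(key_file):
            keypair = certs.retrieve_key_from_file(key_file)
        else:
            keypair = certs.make_keypair()
            # Private key: owner read/write only.
            certs.dump_to_file(keypair, key_file, mode=0o600)
            # A fresh key invalidates any CSR left over from an older one.
            force_recreate_csr = True

        if not os.path.exists(csr_file) or force_recreate_csr:
            csr = certs.make_csr(keypair,
                                 CN=CN,
                                 C=C,
                                 ST=ST,
                                 L=L,
                                 O=O,
                                 OU=OU,
                                 emailAddress=emailAddress,
                                 hashalgorithm=hashalgorithm)
            certs.dump_to_file(csr, csr_file, mode=0o644)

    # `except object` is not a valid exception filter (TypeError on Python 3);
    # catch Exception so KeyboardInterrupt still propagates.  log.exception
    # already records the traceback, so the error is logged once.
    except Exception:
        log.exception("Could not create local keypair or csr for session.")
        raise exc.CMException(
            "Could not create local keypair or csr for session")

    result = False
    cert_string = None
    ca_cert_string = None

    # Retries forever with a fixed 10 s delay; the loop only exits once the
    # master returns a truthy result.
    while not result:
        try:
            log.debug("submitting CSR: %s  to certify %s" %
                      (csr_file, master_uri))
            (result, cert_string,
             ca_cert_string) = submit_csr_to_master(csr_file, master_uri)
        except socket.error:
            log.warning("Could not connect to server at %s" % master_uri,
                        exc_info=True)

        if not result:
            log.warning("no response from certify %s, sleeping 10 seconds" %
                        master_uri)
            time.sleep(10)

    log.debug("received certificate from certify %s, storing to %s" %
              (master_uri, cert_file))
    if not keypair:
        keypair = certs.retrieve_key_from_file(key_file)
    if not certs.check_cert_key_match(cert_string, keypair):
        log.info(
            "certificate does not match key (run certify-ca --clean first?)"
        )
        sys.stderr.write(
            "certificate does not match key (run certify-ca --clean first?)\n"
        )
        return

    # O_TRUNC so a shorter replacement never leaves the tail of an old file
    # behind; the file object handles partial writes and closes the
    # descriptor even if the write fails.  Assumes the strings are text, as
    # the previous os.write on them implied — TODO confirm against
    # submit_csr_to_master.
    write_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    with os.fdopen(os.open(cert_file, write_flags, 0o644), 'w') as f:
        f.write(cert_string)

    with os.fdopen(os.open(ca_cert_file, write_flags, 0o644), 'w') as f:
        f.write(ca_cert_string)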
Esempio n. 4
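def create_minion_keys(CN, C=None, ST=None, L=None, O=None, OU=None, emailAddress=None, hashalgorithm='sha1'):
    """Create this minion's key and CSR and fetch its signed certificate.

    On first run a keypair and CSR are written under ``minion_config.cert_dir``;
    the CSR is then submitted to certmaster until it answers, and the returned
    certificate and CA certificate are stored next to the key.

    Args:
        CN: subject common name; lowercased, it is also the file stem under
            ``cert_dir``.  ``None`` falls back to the local hostname.
        C, ST, L, O, OU, emailAddress: optional subject fields forwarded to
            ``certs.make_csr``.
        hashalgorithm: CSR signature digest.  ``'sha1'`` is kept as the
            default for compatibility; pass ``'sha256'`` for new deployments.

    Returns:
        None.  Returns early if a certificate and CA certificate already
        exist, or if the received certificate does not match the local key.

    Raises:
        exc.CMException: if no hostname other than localhost is available,
            if ``CN`` cannot be used as a file name, or if the key/CSR cannot
            be created.
    """
    log = logger()

    cert_dir = minion_config.cert_dir
    # NOTE: plain http — nothing in this function authenticates certmaster,
    # so the CA certificate received below is trusted on first use from
    # whatever answers at this address.
    master_uri = 'http://%s:%s/' % (minion_config.certmaster, minion_config.certmaster_port)

    filename = CN
    if filename is None:
        filename = utils.get_hostname()
        if filename is None:
            raise exc.CMException("Could not determine a hostname other than localhost")

    # use lowercase letters for filenames
    filename = filename.lower()
    # XXX: Other normalization?
    # The stem is joined onto cert_dir; refuse anything that could name a
    # different directory.
    if filename in ('', '.', '..') or os.sep in filename or (os.altsep is not None and os.altsep in filename):
        raise exc.CMException("CN %r cannot be used as a certificate file name" % filename)

    # TODO: Make the extensions configurable?
    key_file = os.path.join(cert_dir, '%s.pem' % filename)
    csr_file = os.path.join(cert_dir, '%s.csr' % filename)
    cert_file = os.path.join(cert_dir, '%s.cert' % filename)
    ca_cert_file = os.path.join(cert_dir, 'ca.cert')

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        log.debug("cert file already exists: %s" % cert_file)
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)

        force_recreate_csr = False

        if os.path.exists(key_file):
            keypair = certs.retrieve_key_from_file(key_file)
        else:
            keypair = certs.make_keypair()
            # Private key: owner read/write only.
            certs.dump_to_file(keypair, key_file, mode=0o600)
            # A fresh key invalidates any CSR left over from an older one.
            force_recreate_csr = True

        if not os.path.exists(csr_file) or force_recreate_csr:
            csr = certs.make_csr(keypair, CN=CN, C=C, ST=ST, L=L, O=O, OU=OU, emailAddress=emailAddress, hashalgorithm=hashalgorithm)
            certs.dump_to_file(csr, csr_file, mode=0o644)

    # A bare except also swallowed KeyboardInterrupt/SystemExit; catch
    # Exception so those still propagate.
    except Exception:
        log.exception("Could not create local keypair or csr for session.")
        raise exc.CMException("Could not create local keypair or csr for session")

    result = False
    cert_string = None
    ca_cert_string = None

    # Retries forever with a fixed 10 s delay; the loop only exits once
    # certmaster returns a truthy result.
    while not result:
        try:
            log.debug("submitting CSR: %s  to certmaster %s" % (csr_file, master_uri))
            (result, cert_string, ca_cert_string) = submit_csr_to_master(csr_file, master_uri)
        except socket.error:
            log.warning("Could not connect to server at %s" % master_uri, exc_info=True)

        if not result:
            log.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri)
            time.sleep(10)

    log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
    if not keypair:
        keypair = certs.retrieve_key_from_file(key_file)
    if not certs.check_cert_key_match(cert_string, keypair):
        log.info("certificate does not match key (run certmaster-ca --clean first?)")
        sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
        return

    # O_TRUNC so a shorter replacement never leaves the tail of an old file
    # behind; the file object handles partial writes and closes the
    # descriptor even if the write fails.  Assumes the strings are text, as
    # the previous os.write on them implied — TODO confirm against
    # submit_csr_to_master.
    write_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    with os.fdopen(os.open(cert_file, write_flags, 0o644), 'w') as f:
        f.write(cert_string)

    with os.fdopen(os.open(ca_cert_file, write_flags, 0o644), 'w') as f:
        f.write(ca_cert_string)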