def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir, gtdir, log): brokerconfig = get_brokerconfig_path(gtdir) pathutil.ensure_file_exists(cacert, "CA certificate") pathutil.ensure_file_exists(cakey, "CA private key") pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config") pathutil.ensure_file_exists(keystore, "Java keystore") # is some BS restbroker_xml = pathutil.pathjoin(gtdir, 'etc/nimbus-context-broker/other/main.xml') pathutil.ensure_file_exists(restbroker_xml, "Context Broker REST interface config") args = [brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory', 'caCertPath', cacert, 'caKeyPath', cakey] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_SERVICE_RESOURCE, args=args) runutil.generic_bailout("Problem adjusting broker config", exitcode, stdout, stderr) args = [brokerconfig, 'NimbusContextBroker', 'rest', 'keystoreLocation', keystore, 'keystorePassword', keystore_pass, 'springConfig', restbroker_xml] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_SERVICE_RESOURCE, args=args) runutil.generic_bailout("Problem adjusting broker config", exitcode, stdout, stderr) log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
def classpath(basedir): opt = "." libdir = jarsdir(basedir) dirs = os.listdir(libdir) for fname in dirs: opt += ":" + pathutil.pathjoin(libdir, fname) return opt
def findCAkey(basedir, cadir, log): cacertdir = pathutil.pathjoin(cadir, "ca-certs") args = [cacertdir] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_FIND_CA_PRIVPEM, args=args) runutil.generic_bailout("Problem finding CA key.", exitcode, stdout, stderr) if not stdout: raise UnexpectedError("Path is not present for CA key") keypath = stdout.strip() pathutil.ensure_file_exists(keypath, "CA key") return keypath
def adjust_broker_config(cacert, cakey, keystore, keystore_pass, basedir, gtdir, log): brokerconfig = get_brokerconfig_path(gtdir) pathutil.ensure_file_exists(cacert, "CA certificate") pathutil.ensure_file_exists(cakey, "CA private key") pathutil.ensure_file_exists(brokerconfig, "Nimbus Context Broker config") pathutil.ensure_file_exists(keystore, "Java keystore") # is some BS restbroker_xml = pathutil.pathjoin( gtdir, 'etc/nimbus-context-broker/other/main.xml') pathutil.ensure_file_exists(restbroker_xml, "Context Broker REST interface config") args = [ brokerconfig, 'NimbusContextBroker', 'ctxBrokerBootstrapFactory', 'caCertPath', cacert, 'caKeyPath', cakey ] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_SERVICE_RESOURCE, args=args) runutil.generic_bailout("Problem adjusting broker config", exitcode, stdout, stderr) args = [ brokerconfig, 'NimbusContextBroker', 'rest', 'keystoreLocation', keystore, 'keystorePassword', keystore_pass, 'springConfig', restbroker_xml ] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_SERVICE_RESOURCE, args=args) runutil.generic_bailout("Problem adjusting broker config", exitcode, stdout, stderr) log.debug("Ensured Context Broker CA config: %s" % brokerconfig)
def get_brokerconfig_path(gtdir): return pathutil.pathjoin(gtdir, CONF_BROKERCONFIG)
def main(argv=None): if os.name != 'posix': print >> sys.stderr, "Only runs on POSIX systems." return 3 parser = parsersetup() if argv: (opts, args) = parser.parse_args(argv[1:]) else: (opts, args) = parser.parse_args() global log log = None printdebugoutput = False try: # 1. Intake args and confs validateargs(opts) config = getconfig(filepath=opts.configpath) # 2. Setup logging confdebug = config.get("nimbusweb", "debug") if confdebug == "on": printdebugoutput = True elif opts.debug: printdebugoutput = True if printdebugoutput: configureLogging(logging.DEBUG) else: configureLogging(logging.INFO) # 3. Dump settings basedir = opts.basedir log.debug("base directory: %s" % basedir) insecuremode = opts.insecuremode if insecuremode: log.debug("**** This is insecure developer mode ****") else: log.debug("secure mode") certconf = config_from_key(config, "ssl.cert") keyconf = config_from_key(config, "ssl.key") cadir = config_from_key(config, "ca.dir") timezone = config_from_key(config, "timezone") port = config_from_key(config, "webserver.port") host = config_from_key(config, "webserver.host") printurl = config_from_key(config, "print.url") accountprompt = config_from_key(config, "account.prompt") expire_hours = config_from_key(config, "token.expire_hours") try: expire_hours = int(expire_hours) except: raise InvalidConfig( "invalid token.expire_hours setting, not an integer?") # 4. Validate base directory if not pathutil.is_absolute_path(basedir): raise IncompatibleEnvironment( "Base directory setting is not absolute, have you been altering the stanadalone launch code?" ) pathutil.ensure_dir_exists( basedir, "base", ": have you been altering the stanadalone launch code?") # 5. Run one subcommand if opts.checkssl: checkssl.run(basedir, certconf, keyconf, log) if opts.newconf: newconf.run(basedir, timezone, accountprompt, log, printdebugoutput, insecuremode, printurl, expire_hours, cadir) if opts.printport: if not port: raise IncompatibleEnvironment( "There is no 'webserver.port' configuration") try: port = int(port) except: raise IncompatibleEnvironment( "'webserver.port' configuration is not an integer?") print port if opts.printhost: if not host: raise IncompatibleEnvironment( "There is no 'webserver.host' configuration") print host if opts.printcertpath: if not certconf: raise IncompatibleEnvironment( "There is no 'ssl.cert' configuration") if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) print certconf if opts.printkeypath: if not keyconf: raise IncompatibleEnvironment( "There is no 'ssl.key' configuration") if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) print keyconf if opts.forcenewssl: forcessl.run(basedir, opts.forcecapath, opts.forcecertpath, opts.forcekeypath, opts.forcehostname, log) except InvalidInput, e: msg = "\nProblem with input: %s" % e.msg print >> sys.stderr, msg return 1
def jarsdir(basedir): return pathutil.pathjoin(basedir, "lib/java")
def createCert(CN, basedir, cadir, certtarget, keytarget, log, allow_overwrite=False): if not allow_overwrite and pathutil.check_path_exists(certtarget): msg = "Certificate file present already: " + certtarget raise IncompatibleEnvironment(msg) if not allow_overwrite and pathutil.check_path_exists(keytarget): msg = "Key file present already: " + keytarget raise IncompatibleEnvironment(msg) cacert_path = findCAcert(basedir, cadir, log) cakey_path = findCAkey(basedir, cadir, log) # Create temp directory. uuid = pathutil.uuidgen() tempdir = pathutil.pathjoin(cadir, uuid) os.mkdir(tempdir) pathutil.ensure_dir_exists(tempdir, "temp certs directory") log.debug("Created %s" % tempdir) args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args) runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr) pub_DN = stdout.strip() temp_pub_path = pathutil.pathjoin(tempdir, "pub") pathutil.ensure_file_exists(temp_pub_path, "temp cert") log.debug("temp cert exists: " + temp_pub_path) # copy that to user-cert records args = [temp_pub_path] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args) runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr) usercertfilehash = stdout.strip() log.debug("user cert file hash is '%s'" % usercertfilehash) cert_records_path = pathutil.pathjoin(cadir, "user-certs") cert_records_path = pathutil.pathjoin(cert_records_path, usercertfilehash + ".0") shutil.copyfile(temp_pub_path, cert_records_path) pathutil.ensure_file_exists(cert_records_path, "new certificate (record)") log.debug("cert exists at target: " + cert_records_path) temp_priv_path = pathutil.pathjoin(tempdir, "priv") pathutil.ensure_file_exists(temp_priv_path, "temp key") log.debug("temp key exists: " + temp_priv_path) log.debug("Created certificate: %s" % pub_DN) # Those user-supplied targets still don't exist, right? :-) if not allow_overwrite and pathutil.check_path_exists(certtarget): msg = "Certificate file present already: " + certtarget raise IncompatibleEnvironment(msg) if not allow_overwrite and pathutil.check_path_exists(keytarget): msg = "Key file present already: " + keytarget raise IncompatibleEnvironment(msg) shutil.copyfile(temp_pub_path, certtarget) pathutil.ensure_file_exists(certtarget, "new certificate") log.debug("cert exists at target: " + certtarget) shutil.copyfile(temp_priv_path, keytarget) pathutil.ensure_file_exists(keytarget, "new key") log.debug("key exists at target: " + keytarget) pathutil.make_path_rw_private(keytarget) pathutil.ensure_path_private(keytarget, "new key") log.debug("file made private: %s" % keytarget) shutil.rmtree(tempdir) return pub_DN
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None): log.debug("Checking SSL") # If the configurations themselves are missing, we cannot continue. if not certconf: raise IncompatibleEnvironment("There is no 'ssl.cert' configuration") if not keyconf: raise IncompatibleEnvironment("There is no 'ssl.key' configuration") # If the configurations are relative, they are assumed to be relative from # the base directory. if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) # If the configured certificate exists, check the key permissions, then # exit. missingcert = None missingkey = None if not pathutil.check_path_exists(certconf): missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf if not pathutil.check_path_exists(keyconf): missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf if not missingcert and not missingkey: log.debug("cert and key confs exist already, checking key perms") # check key permission if pathutil.is_path_private(keyconf): log.debug("key is owner-read only: %s" % keyconf) else: print >> sys.stderr, "***" print >> sys.stderr, "*** WARNING ***" print >> sys.stderr, "***" print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf return # If only one of the cert/key files exists, we cannot reason about # what to do: error. prefix = "Only one of the SSL cert/key file exists, cannot continue. " if missingcert and not missingkey: raise IncompatibleEnvironment(prefix + missingcert) if missingkey and not missingcert: raise IncompatibleEnvironment(prefix + missingkey) # The configured certificate and key do not exist; create them. print "Cannot find configured certificate and key for HTTPS, creating these for you." # If the internal CA does not exist, create that first. if not cadir: cadir = pathutil.pathjoin(basedir, "var/ca") if not pathutil.check_path_exists(cadir): print "\nCannot find internal CA, creating this for you.\n" print "Please pick a unique, one word CA name or hit return to use a UUID.\n" print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n" ca_name = raw_input("Enter a name: ") if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name.split()[0] print "Using '%s'" % ca_name autoca.createCA(ca_name, basedir, cadir, log) print "\nCreated internal CA: %s" % cadir if not hostname: print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n" hostname = raw_input("Hostname: ") if not hostname: hostname = "localhost" print "Using '%s'" % hostname autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log) print "\nCreated certificate: %s" % certconf print "Created key: %s\n" % keyconf
def get_serverconfig_path(gtdir): return pathutil.pathjoin(gtdir, CONF_SERVERCONFIG)
def _createCA(ca_name, basedir, cadir, log): javautil.check(basedir, log) # mkdir $cadir # mkdir $cadir/ca-certs # mkdir $cadir/trusted-certs # mkdir $cadir/user-certs os.mkdir(cadir) pathutil.ensure_dir_exists(cadir, "New CA directory") log.debug("Created %s" % cadir) cacertdir = pathutil.pathjoin(cadir, "ca-certs") os.mkdir(cacertdir) pathutil.ensure_dir_exists(cacertdir, "New CA certs directory") log.debug("Created %s" % cacertdir) trustedcertdir = pathutil.pathjoin(cadir, "trusted-certs") os.mkdir(trustedcertdir) pathutil.ensure_dir_exists(trustedcertdir, "New CA trusted certs directory") log.debug("Created %s" % trustedcertdir) usercertdir = pathutil.pathjoin(cadir, "user-certs") os.mkdir(usercertdir) pathutil.ensure_dir_exists(usercertdir, "New CA user certs directory") log.debug("Created %s" % usercertdir) # Create the cert via autocommon args = [cacertdir, ca_name] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CA, args=args) runutil.generic_bailout("Problem creating CA.", exitcode, stdout, stderr) # Make the private key owner-readable only privkeyname = "private-key-" + ca_name + ".pem" cakeyfile = pathutil.pathjoin(cacertdir, privkeyname) pathutil.ensure_file_exists(cakeyfile, "New CA key") log.debug("file exists: %s" % cakeyfile) pathutil.make_path_rw_private(cakeyfile) pathutil.ensure_path_private(cakeyfile, "New CA key") log.debug("file made private: %s" % cakeyfile) # Copy the new certificate file to the "hash.0" version that some toolings # will expect. cacertfile = pathutil.pathjoin(cacertdir, ca_name + ".pem") pathutil.ensure_file_exists(cacertfile, "New CA cert") log.debug("file exists: %s" % cacertfile) args = [cacertfile] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args) runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr) cacertfilehash = stdout.strip() log.debug("cert file hash is '%s'" % cacertfilehash) newpath = pathutil.pathjoin(cacertdir, cacertfilehash + ".0") shutil.copyfile(cacertfile, newpath) pathutil.ensure_file_exists(newpath, "New CA cert (hashed #1)") log.debug("file exists: %s" % newpath) newpath = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".0") shutil.copyfile(cacertfile, newpath) pathutil.ensure_file_exists(newpath, "New CA cert (hashed #2)") log.debug("file exists: %s" % newpath) # Signing policy signing1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".signing_policy") args = [cacertfile, signing1] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_WRITE_SIGNING_POLICY, args=args) runutil.generic_bailout("Problem creating signing_policy file.", exitcode, stdout, stderr) pathutil.ensure_file_exists(signing1, "signing_policy file #1") log.debug("file exists: %s" % signing1) signing2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".signing_policy") shutil.copyfile(signing1, signing2) pathutil.ensure_file_exists(signing2, "signing_policy file #2") log.debug("file exists: %s" % signing2) # CRL crl1 = pathutil.pathjoin(cacertdir, cacertfilehash + ".r0") args = [crl1, cacertfile, cakeyfile] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_CRL, args=args) runutil.generic_bailout("Problem creating revocation file.", exitcode, stdout, stderr) pathutil.ensure_file_exists(crl1, "revocation file #1") log.debug("file exists: %s" % crl1) crl2 = pathutil.pathjoin(trustedcertdir, cacertfilehash + ".r0") shutil.copyfile(crl1, crl2) pathutil.ensure_file_exists(crl2, "revocation file #2") log.debug("file exists: %s" % crl2)
def get_secdesc_path(gtdir): return pathutil.pathjoin(gtdir, CONF_SECDESC)
def run(basedir, timezone, accountprompt, log, debug, insecuremode, printurl, expire_hours, cadir): log.debug("Installing new configurations to django and cherrypy") if not accountprompt: accountprompt = "contact the administrator." if not timezone: raise IncompatibleEnvironment("There is no 'timezone' configuration") # -------------------------------------------------------------------------- # The generated_settings.py file is created and replaced at will by this # newconf system. # sanity check: real_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/settings.py") pathutil.ensure_file_exists(real_settings, "web settings") log.debug("file exists: %s" % real_settings) generated_settings = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_settings.py") if pathutil.check_path_exists(generated_settings): log.debug("Going to overwrite previously written generated_settings.py") lines = [] # sqlite DB db_path = pathutil.pathjoin(basedir, "var/nimbus.sqlite") lines.append("DATABASE_ENGINE = 'sqlite3'") lines.append("DATABASE_NAME = '%s'" % db_path) lines.append("TIME_ZONE = '%s'" % timezone) lines.append("NIMBUS_ACCOUNT_PROMPT = '%s'" % accountprompt) cadir_path = pathutil.pathjoin(basedir, cadir) lines.append("NIMBUS_CADIR = '%s'" % cadir_path) if debug: lines.append("DEBUG = True") lines.append("TEMPLATE_DEBUG = True") else: lines.append("DEBUG = False") lines.append("TEMPLATE_DEBUG = False") if insecuremode: lines.append("SESSION_COOKIE_SECURE = False") else: lines.append("SESSION_COOKIE_SECURE = True") lines.append("NIMBUS_PRINT_URL = '%s'" % printurl) lines.append("NIMBUS_TOKEN_EXPIRE_HOURS = %d" % expire_hours) generated_text = "\n" for line in lines: generated_text += line generated_text += "\n" log.debug("Going to write this to generated_settings:\n%s" % generated_text) f = open(generated_settings, 'w') f.write(generated_text) f.close() pathutil.ensure_file_exists(generated_settings, "generated web settings") print "Wrote generated_settings: %s" % generated_settings # -------------------------------------------------------------------------- generated_secrets = pathutil.pathjoin(basedir, "src/python/nimbusweb/portal/generated_secrets.py") if not pathutil.check_path_exists(generated_secrets): # Creating secret each newconf would mean that people's sessions won't # work after webapp reboot and they would need to login again. # Instead, it is only written when nonexistent (clean-slate script will # remove it). lines = [] okchars = string.letters + string.digits + "!@%^_&*+-" okchars += okchars secret = ''.join( Random().sample(okchars, 50) ) lines.append("SECRET_KEY = '%s'" % secret) generated_text = "\n" for line in lines: generated_text += line generated_text += "\n" f = open(generated_secrets, 'w') f.write(generated_text) f.close() pathutil.ensure_file_exists(generated_secrets, "generated web secrets") print "Wrote generated_secrets: %s" % generated_secrets
def main(argv=None): if os.name != 'posix': print >>sys.stderr, "Only runs on POSIX systems." return 3 parser = parsersetup() if argv: (opts, args) = parser.parse_args(argv[1:]) else: (opts, args) = parser.parse_args() global log log = None printdebugoutput = False try: # 1. Intake args and confs validateargs(opts) config = getconfig(filepath=opts.configpath) # 2. Setup logging confdebug = config.get("nimbusweb", "debug") if confdebug == "on": printdebugoutput = True elif opts.debug: printdebugoutput = True if printdebugoutput: configureLogging(logging.DEBUG) else: configureLogging(logging.INFO) # 3. Dump settings basedir = opts.basedir log.debug("base directory: %s" % basedir) insecuremode = opts.insecuremode if insecuremode: log.debug("**** This is insecure developer mode ****") else: log.debug("secure mode") certconf = config_from_key(config, "ssl.cert") keyconf = config_from_key(config, "ssl.key") cadir = config_from_key(config, "ca.dir") timezone = config_from_key(config, "timezone") port = config_from_key(config, "webserver.port") host = config_from_key(config, "webserver.host") rest_url = config_from_key(config, "nimbusrest.url") rest_key = config_from_key(config, "nimbusrest.key") rest_secret = config_from_key(config, "nimbusrest.secret") printurl = config_from_key(config, "print.url") accountprompt = config_from_key(config, "account.prompt") expire_hours = config_from_key(config, "token.expire_hours") try: expire_hours = int(expire_hours) except: raise InvalidConfig("invalid token.expire_hours setting, not an integer?") # 4. Validate base directory if not pathutil.is_absolute_path(basedir): raise IncompatibleEnvironment("Base directory setting is not absolute, have you been altering the stanadalone launch code?") pathutil.ensure_dir_exists(basedir, "base", ": have you been altering the stanadalone launch code?") # 5. Run one subcommand if opts.checkssl: checkssl.run(basedir, certconf, keyconf, log) if opts.newconf: newconf.run(basedir, timezone, accountprompt, log, printdebugoutput, insecuremode, printurl, expire_hours, cadir, rest_url, rest_key, rest_secret) if opts.printport: if not port: raise IncompatibleEnvironment("There is no 'webserver.port' configuration") try: port = int(port) except: raise IncompatibleEnvironment("'webserver.port' configuration is not an integer?") print port if opts.printhost: if not host: raise IncompatibleEnvironment("There is no 'webserver.host' configuration") print host if opts.printcertpath: if not certconf: raise IncompatibleEnvironment("There is no 'ssl.cert' configuration") if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) print certconf if opts.printkeypath: if not keyconf: raise IncompatibleEnvironment("There is no 'ssl.key' configuration") if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) print keyconf if opts.forcenewssl: forcessl.run(basedir, opts.forcecapath, opts.forcecertpath, opts.forcekeypath, opts.forcehostname, log) except InvalidInput, e: msg = "\nProblem with input: %s" % e.msg print >>sys.stderr, msg return 1
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None): log.debug("Checking SSL") # If the configurations themselves are missing, we cannot continue. if not certconf: raise IncompatibleEnvironment("There is no 'ssl.cert' configuration") if not keyconf: raise IncompatibleEnvironment("There is no 'ssl.key' configuration") # If the configurations are relative, they are assumed to be relative from # the base directory. if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) # If the configured certificate exists, check the key permissions, then # exit. missingcert = None missingkey = None if not pathutil.check_path_exists(certconf): missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf if not pathutil.check_path_exists(keyconf): missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf if not missingcert and not missingkey: log.debug("cert and key confs exist already, checking key perms") # check key permission if pathutil.is_path_private(keyconf): log.debug("key is owner-read only: %s" % keyconf) else: print >>sys.stderr, "***" print >>sys.stderr, "*** WARNING ***" print >>sys.stderr, "***" print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf return # If only one of the cert/key files exists, we cannot reason about # what to do: error. prefix = "Only one of the SSL cert/key file exists, cannot continue. " if missingcert and not missingkey: raise IncompatibleEnvironment(prefix + missingcert) if missingkey and not missingcert: raise IncompatibleEnvironment(prefix + missingkey) # The configured certificate and key do not exist; create them. print "Cannot find configured certificate and key for HTTPS, creating these for you." # If the internal CA does not exist, create that first. if not cadir: cadir = pathutil.pathjoin(basedir, "var/ca") if not pathutil.check_path_exists(cadir): print "\nCannot find internal CA, creating this for you.\n" print "Please pick a unique, one word CA name or hit return to use a UUID.\n" print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n" ca_name = raw_input("Enter a name: ") if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name.split()[0] print "Using '%s'" % ca_name autoca.createCA(ca_name, basedir, cadir, log) print "\nCreated internal CA: %s" % cadir if not hostname: print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n" hostname = raw_input("Hostname: ") if not hostname: hostname = "localhost" print "Using '%s'" % hostname autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log) print "\nCreated certificate: %s" % certconf print "Created key: %s\n" % keyconf