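def create_minion_keys(hostname=None, ca_name=''):
    """Ensure this minion has a private key and a CSR for the given CA.

    Reads ``/etc/certmaster/minion.conf``, selects the CA section ``ca_name``
    and derives the key/CSR/cert paths from that CA's ``cert_dir`` and the
    lower-cased hostname.  If the signed cert and the CA cert are both
    already on disk nothing is done; otherwise the cert dir, the private
    key (if missing) and the CSR (if missing) are created.

    Args:
        hostname: name to embed in the CSR and to use for the file names;
            ``None`` means use ``get_hostname()``.
        ca_name: key into ``config.ca``; ``''`` selects the default CA.

    Raises:
        codes.CMException: unknown CA name, no usable hostname, or key/CSR
            generation failed (the underlying traceback is printed first).

    NOTE(review): ``master_uri``, ``cert_file`` and ``ca_cert_file`` are
    computed but not used within this span; presumably the CSR submission
    that consumes them follows in code not shown here.
    """
    log = logger.Logger().logger

    # FIXME: paths should not be hard coded here, move to settings universally
    config_file = '/etc/certmaster/minion.conf'
    config = read_config(config_file, MinionConfig)

    try:
        certauth = config.ca[ca_name]
    except Exception:
        # Was a bare ``except:`` which also swallowed KeyboardInterrupt and
        # SystemExit and reported them as an unknown CA.
        raise codes.CMException("Unknown cert authority: %s" % ca_name)

    cert_dir = certauth.cert_dir

    # NOTE(review): plain http:// -- whatever is exchanged with the master
    # over this URI is neither encrypted nor authenticated at the transport
    # level; trust in the peer rests entirely on network controls.
    master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)

    hn = hostname
    if hn is None:
        hn = get_hostname()

    if hn is None:
        raise codes.CMException("Could not determine a hostname other than localhost")
    else:
        # use lowercase letters for hostnames
        hn = hn.lower()

    key_file = '%s/%s.pem' % (cert_dir, hn)
    csr_file = '%s/%s.csr' % (cert_dir, hn)
    cert_file = '%s/%s.cert' % (cert_dir, hn)
    ca_cert_file = '%s/ca.cert' % cert_dir

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        # already enrolled: signed cert and CA cert both present
        return

    keypair = None
    try:
        # NOTE(review): cert_dir will hold the private key but is created
        # with makedirs' default (umask-dependent) mode; the key file's own
        # permissions are decided inside certs.make_keypair.
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)
        if not os.path.exists(key_file):
            keypair = certs.make_keypair(dest=key_file)
        if not os.path.exists(csr_file):
            if not keypair:
                # key exists from an earlier run; reuse it for the CSR
                keypair = certs.retrieve_key_from_file(key_file)
            csr = certs.make_csr(keypair, dest=csr_file, hostname=hn)
    except Exception:
        traceback.print_exc()
        raise codes.CMException("Could not create local keypair or csr for session")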
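    def __init__(self, conf_file=CERTMASTER_CONFIG):
        """Load the config and make sure every configured CA has a key pair.

        For each CA in ``self.cfg.ca`` the key and cert live at
        ``<cadir>/certmaster.key`` and ``<cadir>/certmaster.crt``.  A CA whose
        key exists but whose cert does not is treated as a minion-only setup
        and skipped.  When both are missing they are generated with
        ``certs.create_ca``; the loaded key and cert are then attached to the
        CA config object as ``cakey``/``cacert`` and its working directories
        are created.

        Args:
            conf_file: path of the certmaster configuration file.

        Side effects:
            Calls ``sys.exit(1)`` when a CA key/cert cannot be written.

        NOTE(review): a cert that exists without its key is neither skipped
        nor regenerated; ``retrieve_key_from_file`` is called on the missing
        key file and presumably fails there.
        """
        self.cfg = read_config(conf_file, CMConfig)

        usename = utils.get_hostname(talk_to_certmaster=False)

        self.logger = logger.Logger().logger
        self.audit_logger = logger.AuditLogger()

        # NOTE(review): these dicts are never populated in this method; the
        # loaded key/cert are stored on each CA config object instead.
        self.cakey = {}
        self.cacert = {}

        for (s_caname, a_ca) in self.cfg.ca.iteritems():
            s_cadir = a_ca.cadir

            # default CA (empty name) -> "<host>-CA-KEY",
            # named CA               -> "<NAME>-<host>-CA-KEY"
            if s_caname == "":
                mycn = '%s-CA-KEY' % usename
            else:
                mycn = '%s-%s-CA-KEY' % (s_caname.upper(), usename)

            s_ca_key_file = '%s/certmaster.key' % s_cadir
            s_ca_cert_file = '%s/certmaster.crt' % s_cadir

            # if ca_key_file exists and ca_cert_file is missing == minion only setup
            if os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
                continue

            try:
                # NOTE(review): cadir will hold the CA private key but is
                # created with makedirs' default (umask-dependent) mode; the
                # key file's own permissions are decided inside certs.create_ca.
                if not os.path.exists(s_cadir):
                    os.makedirs(s_cadir)
                if not os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
                    certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file, hash_function=a_ca.hash_function)
            except (IOError, OSError), e:
                print 'Cannot make certmaster certificate authority keys/certs for CA %s, aborting: %s' % (s_caname, e)
                sys.exit(1)

            # open up the cakey and cacert so we have them available
            a_ca.cakey = certs.retrieve_key_from_file(s_ca_key_file)
            a_ca.cacert = certs.retrieve_cert_from_file(s_ca_cert_file)

            # csrroot was listed twice here; makedirs is skipped for an
            # existing dir, so dropping the duplicate changes nothing.
            for dirpath in [a_ca.cadir, a_ca.certroot, a_ca.csrroot]:
                if not os.path.exists(dirpath):
                    os.makedirs(dirpath)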
class CertMaster(object):
    def __init__(self, conf_file=CERTMASTER_CONFIG):
        """Load the config and make sure the CA key pair exists (single-CA layout).

        The key and cert are ``<cadir>/certmaster.key`` and
        ``<cadir>/certmaster.crt``.  A key without a cert means a minion-only
        install: the constructor returns early without loading a CA or
        creating the working directories.  Otherwise a missing key+cert pair
        is generated, both are loaded into ``self.cakey``/``self.cacert``,
        the cert/CSR directories are created and the handler table is set up.

        Args:
            conf_file: path of the certmaster configuration file.

        Side effects:
            Calls ``sys.exit(1)`` if the CA key/cert cannot be written.
        """
        self.cfg = read_config(conf_file, CMConfig)

        usename = utils.get_hostname(talk_to_certmaster=False)

        mycn = '%s-CA-KEY' % usename
        cadir = self.cfg.cadir
        self.ca_key_file = '%s/certmaster.key' % cadir
        self.ca_cert_file = '%s/certmaster.crt' % cadir

        self.logger = logger.Logger().logger
        self.audit_logger = logger.AuditLogger()

        # key present but no cert -> minion-only setup, nothing more to do.
        # NOTE(review): self.cakey, self.cacert and self.handlers are left
        # unset on this path.
        if os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
            return

        try:
            # NOTE(review): cadir will hold the CA private key but is created
            # with makedirs' default (umask-dependent) mode; the key file's
            # own permissions are decided inside certs.create_ca.
            if not os.path.exists(cadir):
                os.makedirs(cadir)
            neither_exists = (not os.path.exists(self.ca_key_file)
                              and not os.path.exists(self.ca_cert_file))
            if neither_exists:
                certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
        except (IOError, OSError), e:
            print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
            sys.exit(1)

        # load the CA key and cert so they are available to the handlers
        self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
        self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)

        for dirpath in (cadir, self.cfg.certroot, self.cfg.csrroot):
            if not os.path.exists(dirpath):
                os.makedirs(dirpath)

        # request name -> bound handler method
        self.handlers = {'wait_for_cert': self.wait_for_cert}
def create_minion_keys():
    """Make sure this minion has a private key and a CSR on disk.

    Paths are derived from ``cert_dir`` in ``/etc/certmaster/minion.conf``
    and the hostname returned by ``get_hostname()``:
    ``<cert_dir>/<host>.pem`` (key), ``<host>.csr``, ``<host>.cert`` and
    ``<cert_dir>/ca.cert``.  Returns without doing anything if the signed
    cert and the CA cert are both already present; otherwise creates the
    cert dir, the key (if missing) and the CSR (if missing).

    Raises:
        codes.CMException: no hostname other than localhost could be
            determined, or key/CSR generation failed (traceback is printed).

    NOTE(review): ``master_uri``, ``cert_file`` and ``ca_cert_file`` are not
    used within this span; presumably consumed by code that follows.
    """
    # FIXME: paths should not be hard coded here, move to settings universally
    config_file = '/etc/certmaster/minion.conf'
    config = read_config(config_file, MinionConfig)
    cert_dir = config.cert_dir
    # NOTE(review): plain http:// -- nothing exchanged over this URI is
    # protected at the transport level.
    master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)

    hn = get_hostname()
    if hn is None:
        raise codes.CMException("Could not determine a hostname other than localhost")

    # hostname is used as-is (not lower-cased) for the file names
    base = '%s/%s' % (cert_dir, hn)
    key_file = base + '.pem'
    csr_file = base + '.csr'
    cert_file = base + '.cert'
    ca_cert_file = '%s/ca.cert' % cert_dir

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        # already enrolled: signed cert and CA cert both present
        return

    keypair = None
    try:
        # NOTE(review): cert_dir will hold the private key but is created
        # with makedirs' default (umask-dependent) mode; the key file's own
        # permissions are decided inside certs.make_keypair.
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)
        if not os.path.exists(key_file):
            keypair = certs.make_keypair(dest=key_file)
        if not os.path.exists(csr_file):
            if not keypair:
                # key left over from an earlier run; reuse it for the CSR
                keypair = certs.retrieve_key_from_file(key_file)
            certs.make_csr(keypair, dest=csr_file)
    except Exception:
        traceback.print_exc()
        raise codes.CMException("Could not create local keypair or csr for session")
            result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
        except socket.error, e:
            log.warning("Could not locate certmaster at %s" % master_uri)

        # logging here would be nice
        if not result:
            # print "DEBUG: no response from certmaster, sleeping 10 seconds"
            log.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri)
            time.sleep(10)


    if result:
        # print "DEBUG: recieved certificate from certmaster"
        log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
        if not keypair:
            keypair = certs.retrieve_key_from_file(key_file)
        valid = certs.check_cert_key_match(cert_string, keypair)
        if not valid:
            log.info("certificate does not match key (run certmaster-ca --clean first?)")
            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
            return
        cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
        os.write(cert_fd, cert_string)
        os.close(cert_fd)

        ca_cert_fd = os.open(ca_cert_file, os.O_RDWR|os.O_CREAT, 0644)
        os.write(ca_cert_fd, ca_cert_string)
        os.close(ca_cert_fd)

def run_triggers(ref, globber):
    """