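def create_minion_keys(hostname=None, ca_name=''):
    """Ensure this minion has a private key and CSR for the CA ``ca_name``.

    Reads the minion configuration, resolves the hostname used as the
    certificate subject and creates the key and CSR files under the CA's
    ``cert_dir`` when they do not exist yet.  Returns early when both the
    signed certificate and the CA certificate are already on disk.

    Args:
        hostname: Subject hostname; ``None`` means ask ``get_hostname()``.
            An explicit value is lowercased.
        ca_name: Key into ``config.ca``; ``''`` selects the default CA.

    Raises:
        codes.CMException: ``ca_name`` is not configured, no hostname other
            than localhost could be determined, or the key/CSR could not be
            written (the original traceback is printed first).
    """
    log = logger.Logger().logger
    # FIXME: paths should not be hard coded here, move to settings universally
    config_file = '/etc/certmaster/minion.conf'
    config = read_config(config_file, MinionConfig)

    # Only an unknown CA name is expected here.  The previous bare ``except``
    # also swallowed KeyboardInterrupt and programming errors behind the
    # same "Unknown cert authority" message.
    try:
        certauth = config.ca[ca_name]
    except KeyError:
        raise codes.CMException("Unknown cert authority: %s" % ca_name)

    cert_dir = certauth.cert_dir
    # NOTE(review): plain-HTTP endpoint used by the CSR submission step;
    # confirm how the CA certificate received from it is authenticated.
    master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)

    hn = hostname
    if hn is None:
        hn = get_hostname()
        if hn is None:
            raise codes.CMException("Could not determine a hostname other than localhost")
    else:
        # use lowercase letters for hostnames
        hn = hn.lower()

    key_file = '%s/%s.pem' % (cert_dir, hn)
    csr_file = '%s/%s.csr' % (cert_dir, hn)
    cert_file = '%s/%s.cert' % (cert_dir, hn)
    ca_cert_file = '%s/ca.cert' % cert_dir

    # Already enrolled with this CA: nothing to create.
    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            # NOTE(review): mode comes from the process umask, and this
            # directory will hold the private key -- verify the resulting
            # permissions on deployed hosts.
            os.makedirs(cert_dir)
        if not os.path.exists(key_file):
            keypair = certs.make_keypair(dest=key_file)
        if not os.path.exists(csr_file):
            # Key already existed on disk: load it so the CSR is signed with it.
            if not keypair:
                keypair = certs.retrieve_key_from_file(key_file)
            certs.make_csr(keypair, dest=csr_file, hostname=hn)
    except Exception:
        # Keep the real cause visible on stderr before raising the
        # project-level error callers expect.
        traceback.print_exc()
        raise codes.CMException("Could not create local keypair or csr for session")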
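def __init__(self, conf_file=CERTMASTER_CONFIG):
    """Load the certmaster config and bring every configured CA online.

    For each entry in ``self.cfg.ca`` this creates the CA directory and a
    fresh CA key/cert pair when neither exists, skips CAs that look like a
    minion-only setup (key present, cert absent), then attaches the loaded
    key and cert to the CA config object and creates its working
    directories.

    Args:
        conf_file: Path of the certmaster configuration file.

    Side effects:
        Calls ``sys.exit(1)`` if a CA key/cert cannot be created.
    """
    self.cfg = read_config(conf_file, CMConfig)
    usename = utils.get_hostname(talk_to_certmaster=False)
    self.logger = logger.Logger().logger
    self.audit_logger = logger.AuditLogger()

    # Per-CA key/cert objects are attached to each CA config entry below;
    # these dicts are initialised here but not filled in by this method.
    self.cakey = {}
    self.cacert = {}

    for s_caname, a_ca in self.cfg.ca.items():
        s_cadir = a_ca.cadir
        if s_caname == "":
            mycn = '%s-CA-KEY' % usename
        else:
            mycn = '%s-%s-CA-KEY' % (s_caname.upper(), usename)
        s_ca_key_file = '%s/certmaster.key' % s_cadir
        s_ca_cert_file = '%s/certmaster.crt' % s_cadir

        # if ca_key_file exists and ca_cert_file is missing == minion only setup
        if os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
            continue

        try:
            if not os.path.exists(s_cadir):
                # NOTE(review): mode comes from the process umask and this
                # directory holds the CA private key -- confirm the
                # resulting permissions.
                os.makedirs(s_cadir)
            if not os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
                certs.create_ca(CN=mycn,
                                ca_key_file=s_ca_key_file,
                                ca_cert_file=s_ca_cert_file,
                                hash_function=a_ca.hash_function)
        except (IOError, OSError) as e:
            print('Cannot make certmaster certificate authority keys/certs for CA %s, aborting: %s' % (s_caname, e))
            sys.exit(1)

        # open up the cakey and cacert so we have them available
        a_ca.cakey = certs.retrieve_key_from_file(s_ca_key_file)
        a_ca.cacert = certs.retrieve_cert_from_file(s_ca_cert_file)

        # csrroot was listed twice before; each directory once is enough.
        for dirpath in (a_ca.cadir, a_ca.certroot, a_ca.csrroot):
            if not os.path.exists(dirpath):
                os.makedirs(dirpath)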
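class CertMaster(object):
    """Certificate-authority side of certmaster (single-CA layout).

    Loads ``CMConfig`` from ``conf_file`` and, unless this looks like a
    minion-only install (CA key present, CA cert absent), makes sure the CA
    key/cert and the working directories exist and loads the CA key and
    cert into ``self.cakey`` / ``self.cacert``.
    """

    def __init__(self, conf_file=CERTMASTER_CONFIG):
        """Initialise paths, loggers, request handlers and the CA material.

        Args:
            conf_file: Path of the certmaster configuration file.

        Side effects:
            Calls ``sys.exit(1)`` if the CA key/cert cannot be created.
        """
        self.cfg = read_config(conf_file, CMConfig)
        usename = utils.get_hostname(talk_to_certmaster=False)
        mycn = '%s-CA-KEY' % usename
        self.ca_key_file = '%s/certmaster.key' % self.cfg.cadir
        self.ca_cert_file = '%s/certmaster.crt' % self.cfg.cadir
        self.logger = logger.Logger().logger
        self.audit_logger = logger.AuditLogger()

        # setup handlers -- done before the minion-only early return below so
        # that every instance carries the attribute.
        self.handlers = {
            'wait_for_cert': self.wait_for_cert,
        }

        # if ca_key_file exists and ca_cert_file is missing == minion only setup
        if os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
            return

        try:
            if not os.path.exists(self.cfg.cadir):
                # NOTE(review): mode comes from the process umask and this
                # directory holds the CA private key -- confirm the
                # resulting permissions.
                os.makedirs(self.cfg.cadir)
            if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
                certs.create_ca(CN=mycn,
                                ca_key_file=self.ca_key_file,
                                ca_cert_file=self.ca_cert_file)
        except (IOError, OSError) as e:
            print('Cannot make certmaster certificate authority keys/certs, aborting: %s' % e)
            sys.exit(1)

        # open up the cakey and cacert so we have them available
        self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
        self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)

        for dirpath in (self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot):
            if not os.path.exists(dirpath):
                os.makedirs(dirpath)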
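def create_minion_keys():
    """Ensure this minion has a private key and CSR under ``config.cert_dir``.

    Reads the minion configuration, determines the local hostname used as the
    certificate subject and creates the key and CSR files when they do not
    exist yet.  Returns early when both the signed certificate and the CA
    certificate are already on disk.

    Raises:
        codes.CMException: no hostname other than localhost could be
            determined, or the key/CSR could not be written (the original
            traceback is printed first).
    """
    # FIXME: paths should not be hard coded here, move to settings universally
    config_file = '/etc/certmaster/minion.conf'
    config = read_config(config_file, MinionConfig)
    cert_dir = config.cert_dir
    # NOTE(review): plain-HTTP endpoint used by the CSR submission step;
    # confirm how the CA certificate received from it is authenticated.
    master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)

    hn = get_hostname()
    if hn is None:
        raise codes.CMException("Could not determine a hostname other than localhost")

    key_file = '%s/%s.pem' % (cert_dir, hn)
    csr_file = '%s/%s.csr' % (cert_dir, hn)
    cert_file = '%s/%s.cert' % (cert_dir, hn)
    ca_cert_file = '%s/ca.cert' % cert_dir

    # Already enrolled: nothing to create.
    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            # NOTE(review): mode comes from the process umask, and this
            # directory will hold the private key -- verify the resulting
            # permissions on deployed hosts.
            os.makedirs(cert_dir)
        if not os.path.exists(key_file):
            keypair = certs.make_keypair(dest=key_file)
        if not os.path.exists(csr_file):
            # Key already existed on disk: load it so the CSR is signed with it.
            if not keypair:
                keypair = certs.retrieve_key_from_file(key_file)
            certs.make_csr(keypair, dest=csr_file)
    except Exception:
        # Keep the real cause visible on stderr before raising the
        # project-level error callers expect.
        traceback.print_exc()
        raise codes.CMException("Could not create local keypair or csr for session")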
result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri) except socket.error, e: log.warning("Could not locate certmaster at %s" % master_uri) # logging here would be nice if not result: # print "DEBUG: no response from certmaster, sleeping 10 seconds" log.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri) time.sleep(10) if result: # print "DEBUG: recieved certificate from certmaster" log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file)) if not keypair: keypair = certs.retrieve_key_from_file(key_file) valid = certs.check_cert_key_match(cert_string, keypair) if not valid: log.info("certificate does not match key (run certmaster-ca --clean first?)") sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n") return cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644) os.write(cert_fd, cert_string) os.close(cert_fd) ca_cert_fd = os.open(ca_cert_file, os.O_RDWR|os.O_CREAT, 0644) os.write(ca_cert_fd, ca_cert_string) os.close(ca_cert_fd) def run_triggers(ref, globber): """