def ask_ca_name(self): ca_name_config = self['ca.name'] if self.interactive: print CA_NAME_QUESTION % {CONFIG_KEY_CA_DIR : self.cadir} ca_name = get_user_input("CA Name", default=ca_name_config, required=False) if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name_config or pathutil.uuidgen() print "Creating CA with name: '%s'" % ca_name return ca_name
def ask_ca_name(self): ca_name_config = self['ca.name'] if self.interactive: print CA_NAME_QUESTION % {CONFIG_KEY_CA_DIR: self.cadir} ca_name = get_user_input("CA Name", default=ca_name_config, required=False) if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name_config or pathutil.uuidgen() print "Creating CA with name: '%s'" % ca_name return ca_name
def run(basedir, cadir, certconf, keyconf, hostnameconf, log): log.debug("Forcing a CA/hostcert install") # Reject relative paths if not pathutil.is_absolute_path(cadir): raise IncompatibleEnvironment("CA directory path is not absolute") if not pathutil.is_absolute_path(certconf): raise IncompatibleEnvironment("certificate path is not absolute") if not pathutil.is_absolute_path(keyconf): raise IncompatibleEnvironment("key path is not absolute") # The CA dir must not exist, create that first. autoca.createCA(pathutil.uuidgen(), basedir, cadir, log) print "Created auto CA: %s" % cadir # The configured certificate and key must not exist; create them. autoca.createCert(hostnameconf, basedir, cadir, certconf, keyconf, log) print "\nCreated hostcert: %s" % certconf print "Created hostkey: %s\n" % keyconf
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None): log.debug("Checking SSL") # If the configurations themselves are missing, we cannot continue. if not certconf: raise IncompatibleEnvironment("There is no 'ssl.cert' configuration") if not keyconf: raise IncompatibleEnvironment("There is no 'ssl.key' configuration") # If the configurations are relative, they are assumed to be relative from # the base directory. if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) # If the configured certificate exists, check the key permissions, then # exit. missingcert = None missingkey = None if not pathutil.check_path_exists(certconf): missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf if not pathutil.check_path_exists(keyconf): missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf if not missingcert and not missingkey: log.debug("cert and key confs exist already, checking key perms") # check key permission if pathutil.is_path_private(keyconf): log.debug("key is owner-read only: %s" % keyconf) else: print >>sys.stderr, "***" print >>sys.stderr, "*** WARNING ***" print >>sys.stderr, "***" print >>sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf return # If only one of the cert/key files exists, we cannot reason about # what to do: error. prefix = "Only one of the SSL cert/key file exists, cannot continue. " if missingcert and not missingkey: raise IncompatibleEnvironment(prefix + missingcert) if missingkey and not missingcert: raise IncompatibleEnvironment(prefix + missingkey) # The configured certificate and key do not exist; create them. print "Cannot find configured certificate and key for HTTPS, creating these for you." # If the internal CA does not exist, create that first. if not cadir: cadir = pathutil.pathjoin(basedir, "var/ca") if not pathutil.check_path_exists(cadir): print "\nCannot find internal CA, creating this for you.\n" print "Please pick a unique, one word CA name or hit return to use a UUID.\n" print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n" ca_name = raw_input("Enter a name: ") if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name.split()[0] print "Using '%s'" % ca_name autoca.createCA(ca_name, basedir, cadir, log) print "\nCreated internal CA: %s" % cadir if not hostname: print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n" hostname = raw_input("Hostname: ") if not hostname: hostname = "localhost" print "Using '%s'" % hostname autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log) print "\nCreated certificate: %s" % certconf print "Created key: %s\n" % keyconf
def createCert(CN, basedir, cadir, certtarget, keytarget, log, allow_overwrite=False): if not allow_overwrite and pathutil.check_path_exists(certtarget): msg = "Certificate file present already: " + certtarget raise IncompatibleEnvironment(msg) if not allow_overwrite and pathutil.check_path_exists(keytarget): msg = "Key file present already: " + keytarget raise IncompatibleEnvironment(msg) cacert_path = findCAcert(basedir, cadir, log) cakey_path = findCAkey(basedir, cadir, log) # Create temp directory. uuid = pathutil.uuidgen() tempdir = pathutil.pathjoin(cadir, uuid) os.mkdir(tempdir) pathutil.ensure_dir_exists(tempdir, "temp certs directory") log.debug("Created %s" % tempdir) args = [tempdir, CN, "pub", "priv", cacert_path, cakey_path] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_CREATE_NEW_CERT, args=args) runutil.generic_bailout("Problem creating certificate.", exitcode, stdout, stderr) pub_DN = stdout.strip() temp_pub_path = pathutil.pathjoin(tempdir, "pub") pathutil.ensure_file_exists(temp_pub_path, "temp cert") log.debug("temp cert exists: " + temp_pub_path) # copy that to user-cert records args = [temp_pub_path] (exitcode, stdout, stderr) = javautil.run(basedir, log, EXE_GET_HASHED_CERT_NAME, args=args) runutil.generic_bailout("Problem finding hashed cert name.", exitcode, stdout, stderr) usercertfilehash = stdout.strip() log.debug("user cert file hash is '%s'" % usercertfilehash) cert_records_path = pathutil.pathjoin(cadir, "user-certs") cert_records_path = pathutil.pathjoin(cert_records_path, usercertfilehash + ".0") shutil.copyfile(temp_pub_path, cert_records_path) pathutil.ensure_file_exists(cert_records_path, "new certificate (record)") log.debug("cert exists at target: " + cert_records_path) temp_priv_path = pathutil.pathjoin(tempdir, "priv") pathutil.ensure_file_exists(temp_priv_path, "temp key") log.debug("temp key exists: " + temp_priv_path) log.debug("Created certificate: %s" % pub_DN) # Those user-supplied targets still don't exist, right? :-) if not allow_overwrite and pathutil.check_path_exists(certtarget): msg = "Certificate file present already: " + certtarget raise IncompatibleEnvironment(msg) if not allow_overwrite and pathutil.check_path_exists(keytarget): msg = "Key file present already: " + keytarget raise IncompatibleEnvironment(msg) shutil.copyfile(temp_pub_path, certtarget) pathutil.ensure_file_exists(certtarget, "new certificate") log.debug("cert exists at target: " + certtarget) shutil.copyfile(temp_priv_path, keytarget) pathutil.ensure_file_exists(keytarget, "new key") log.debug("key exists at target: " + keytarget) pathutil.make_path_rw_private(keytarget) pathutil.ensure_path_private(keytarget, "new key") log.debug("file made private: %s" % keytarget) shutil.rmtree(tempdir) return pub_DN
def run(basedir, certconf, keyconf, log, cadir=None, hostname=None): log.debug("Checking SSL") # If the configurations themselves are missing, we cannot continue. if not certconf: raise IncompatibleEnvironment("There is no 'ssl.cert' configuration") if not keyconf: raise IncompatibleEnvironment("There is no 'ssl.key' configuration") # If the configurations are relative, they are assumed to be relative from # the base directory. if not pathutil.is_absolute_path(certconf): certconf = pathutil.pathjoin(basedir, certconf) log.debug("ssl.cert was a relative path, converted to '%s'" % certconf) if not pathutil.is_absolute_path(keyconf): keyconf = pathutil.pathjoin(basedir, keyconf) log.debug("ssl.key was a relative path, converted to '%s'" % keyconf) # If the configured certificate exists, check the key permissions, then # exit. missingcert = None missingkey = None if not pathutil.check_path_exists(certconf): missingcert = "Configured 'ssl.cert' does not exist at '%s'" % certconf if not pathutil.check_path_exists(keyconf): missingkey = "Configured 'ssl.key' does not exist at '%s'" % keyconf if not missingcert and not missingkey: log.debug("cert and key confs exist already, checking key perms") # check key permission if pathutil.is_path_private(keyconf): log.debug("key is owner-read only: %s" % keyconf) else: print >> sys.stderr, "***" print >> sys.stderr, "*** WARNING ***" print >> sys.stderr, "***" print >> sys.stderr, "SSL key has bad permissions, should only be readable by the file owner. ssl.key: '%s'" % keyconf return # If only one of the cert/key files exists, we cannot reason about # what to do: error. prefix = "Only one of the SSL cert/key file exists, cannot continue. " if missingcert and not missingkey: raise IncompatibleEnvironment(prefix + missingcert) if missingkey and not missingcert: raise IncompatibleEnvironment(prefix + missingkey) # The configured certificate and key do not exist; create them. print "Cannot find configured certificate and key for HTTPS, creating these for you." # If the internal CA does not exist, create that first. if not cadir: cadir = pathutil.pathjoin(basedir, "var/ca") if not pathutil.check_path_exists(cadir): print "\nCannot find internal CA, creating this for you.\n" print "Please pick a unique, one word CA name or hit return to use a UUID.\n" print "For example, if you are installing this on the \"Jupiter\" cluster, you could perhaps use \"JupiterNimbusCA\" as the name.\n" ca_name = raw_input("Enter a name: ") if not ca_name: ca_name = pathutil.uuidgen() print "You did not enter a name, using '%s'" % ca_name else: ca_name = ca_name.split()[0] print "Using '%s'" % ca_name autoca.createCA(ca_name, basedir, cadir, log) print "\nCreated internal CA: %s" % cadir if not hostname: print "\nEnter the fully qualified hostname of this machine. If you don't know or care right now, hit return to use 'localhost'.\n" hostname = raw_input("Hostname: ") if not hostname: hostname = "localhost" print "Using '%s'" % hostname autoca.createCert(hostname, basedir, cadir, certconf, keyconf, log) print "\nCreated certificate: %s" % certconf print "Created key: %s\n" % keyconf