def genServerCert(password, d, verbosity=0):
""" server cert generation and signing """
serverKeyPairDir = os.path.join(d['--dir'],
getMachineName(d['--set-hostname']))
genServerCert_dependencies(password, d)
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert']))
server_cert_req = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert-req']))
server_cert = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert']))
ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME)
index_txt = os.path.join(d['--dir'], 'index.txt')
serial = os.path.join(d['--dir'], 'serial')
try:
os.unlink(index_txt)
except:
pass
# figure out the serial file and truncate the index.txt file.
ser = figureSerial(ca_cert, serial, index_txt)
# need to insure the directory declared in the ca_openssl.cnf
# file is current:
configFile = ConfigFile(ca_openssl_cnf)
configFile.updateDir()
args = (
"/usr/bin/openssl ca -extensions req_server_x509_extensions -passin pass:%s -outdir ./ -config %s "
"-in %s -batch -cert %s -keyfile %s -startdate %s -days %s "
"-md %s -out %s" %
('%s', repr(cleanupAbsPath(ca_openssl_cnf)),
repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)),
repr(cleanupAbsPath(ca_key)), d['--startdate'],
repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert))))
if verbosity >= 0:
print "\nGenerating/signing web server's SSL certificate: %s" % d[
'--server-cert']
if verbosity > 1:
print "Commandline:", args % 'PASSWORD'
try:
rotated = rotateFile(filepath=server_cert, verbosity=verbosity)
if verbosity >= 0 and rotated:
print "Rotated: %s --> %s" % (d['--server-cert'],
os.path.basename(rotated))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read()
out_stream.close()
err = err_stream.read()
err_stream.close()
if ret:
# signature for a mistyped CA password
if string.find(err, "unable to load CA private key") != -1 \
and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \
and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\nDid you mistype your CA password?")
else:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print "STDOUT:", out
if err:
print "STDERR:", err
# permissions:
os.chmod(server_cert, 0644)
# cleanup duplicate XX.pem file:
pemFilename = os.path.basename(string.upper(ser) + '.pem')
if pemFilename != server_cert and os.path.exists(pemFilename):
os.unlink(pemFilename)
# cleanup the old index.txt file
try:
os.unlink(index_txt + '.old')
except:
pass
# cleanup the old serial file
try:
os.unlink(serial + '.old')
except:
pass
def genServerCert(password, d, verbosity=0):
""" server cert generation and signing """
serverKeyPairDir = os.path.join(d['--dir'],
getMachineName(d['--set-hostname']))
genServerCert_dependencies(password, d)
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert']))
server_cert_req = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert-req']))
server_cert = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert']))
ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME)
index_txt = os.path.join(d['--dir'], 'index.txt')
serial = os.path.join(d['--dir'], 'serial')
try:
os.unlink(index_txt)
except:
pass
# figure out the serial file and truncate the index.txt file.
ser = figureSerial(ca_cert, serial, index_txt)
# need to insure the directory declared in the ca_openssl.cnf
# file is current:
configFile = ConfigFile(ca_openssl_cnf)
configFile.updateDir()
args = ("/usr/bin/openssl ca -extensions req_server_x509_extensions -passin pass:%s -outdir ./ -config %s "
"-in %s -batch -cert %s -keyfile %s -startdate %s -days %s "
"-md %s -out %s"
% ('%s', repr(cleanupAbsPath(ca_openssl_cnf)),
repr(cleanupAbsPath(server_cert_req)),
repr(cleanupAbsPath(ca_cert)),
repr(cleanupAbsPath(ca_key)), d['--startdate'],
repr(d['--cert-expiration']), MD,
repr(cleanupAbsPath(server_cert))))
if verbosity >= 0:
print "\nGenerating/signing web server's SSL certificate: %s" % d['--server-cert']
if verbosity > 1:
print "Commandline:", args % 'PASSWORD'
try:
rotated = rotateFile(filepath=server_cert, verbosity=verbosity)
if verbosity>=0 and rotated:
print "Rotated: %s --> %s" % (d['--server-cert'],
os.path.basename(rotated))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read(); out_stream.close()
err = err_stream.read(); err_stream.close()
if ret:
# signature for a mistyped CA password
if string.find(err, "unable to load CA private key") != -1 \
and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \
and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\nDid you mistype your CA password?")
else:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print "STDOUT:", out
if err:
print "STDERR:", err
# permissions:
os.chmod(server_cert, 0644)
# cleanup duplicate XX.pem file:
pemFilename = os.path.basename(string.upper(ser)+'.pem')
if pemFilename != server_cert and os.path.exists(pemFilename):
os.unlink(pemFilename)
# cleanup the old index.txt file
try:
os.unlink(index_txt + '.old')
except:
pass
# cleanup the old serial file
try:
os.unlink(serial + '.old')
except:
pass