def _configure_certificates():
# Just in case we're testing, we need to ensure this path exists.
local('mkdir -p /etc/pantheon')
pantheon.configure_root_certificate('http://pki.getpantheon.com')
# Now Helios cert is OTS
pki_server = 'https://pki.getpantheon.com'
# Ask Helios about what to put into the certificate request.
try:
host_info = json.loads(urllib2.urlopen('%s/info' % pki_server).read())
ou = host_info['ou']
cn = host_info['cn']
subject = '/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=%s/CN=%s/emailAddress=hostmaster@%s/' % (
ou, cn, cn)
except ValueError:
# This fails if Helios says "Could not find corresponding LDAP entry."
return False
# Generate a local key and certificate-signing request.
local('openssl genrsa 4096 > /etc/pantheon/system.key')
local('chmod 600 /etc/pantheon/system.key')
local(
'openssl req -new -nodes -subj "%s" -key /etc/pantheon/system.key > /etc/pantheon/system.csr'
% subject)
# Have the PKI server sign the request.
local(
'curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s > /etc/pantheon/system.crt'
% pki_server)
# Combine the private key and signed certificate into a PEM file (for Apache and Pound).
local(
'cat /etc/pantheon/system.crt /etc/pantheon/system.key > /etc/pantheon/system.pem'
)
local('chmod 640 /etc/pantheon/system.pem')
local('chgrp ssl-cert /etc/pantheon/system.pem')
# Start pound, which has been waiting for system.pem
local('/etc/init.d/pound start')
# Update BCFG2's client configuration to use the zone (a.k.a. OU) from the certificate
local(
'sed -i "s/^bcfg2 = .*/bcfg2 = https:\/\/config.%s:6789/g" /etc/bcfg2.conf'
% ou)
# Wait 20 seconds so
print 'Waiting briefly so slight clock skew does not affect certificate verification.'
time.sleep(20)
verification = local('openssl verify -verbose /etc/pantheon/system.crt')
print verification
ygg.send_event('Authorization',
'Certificate issued. Verification result:\n' + verification)
def _configure_certificates():
# Just in case we're testing, we need to ensure this path exists.
local('mkdir -p /etc/pantheon')
pantheon.configure_root_certificate('http://pki.getpantheon.com')
# Now Helios cert is OTS
pki_server = 'https://pki.getpantheon.com'
# Ask Helios about what to put into the certificate request.
try:
host_info = json.loads(urllib2.urlopen('%s/info' % pki_server).read())
ou = host_info['ou']
cn = host_info['cn']
subject = '/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=%s/CN=%s/emailAddress=hostmaster@%s/' % (ou, cn, cn)
except ValueError:
# This fails if Helios says "Could not find corresponding LDAP entry."
return False
# Generate a local key and certificate-signing request.
local('openssl genrsa 4096 > /etc/pantheon/system.key')
local('chmod 600 /etc/pantheon/system.key')
local('openssl req -new -nodes -subj "%s" -key /etc/pantheon/system.key > /etc/pantheon/system.csr' % subject)
# Have the PKI server sign the request.
local('curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s > /etc/pantheon/system.crt' % pki_server)
# Combine the private key and signed certificate into a PEM file (for Apache and Pound).
local('cat /etc/pantheon/system.crt /etc/pantheon/system.key > /etc/pantheon/system.pem')
local('chmod 640 /etc/pantheon/system.pem')
local('chgrp ssl-cert /etc/pantheon/system.pem')
# Export cert in pkcs12 format
local('openssl pkcs12 -export -password pass: -in /etc/pantheon/system.pem -out /etc/pantheon/system.p12')
local('chmod 600 /etc/pantheon/system.p12')
# Start pound, which has been waiting for system.pem
local('/etc/init.d/pound start');
# Update client config to use unique identifier
local('sed -i "s/^user = .*/user = %s/g" /etc/bcfg2.conf' % cn)
# Update BCFG2's client configuration to use the zone (a.k.a. OU) from the certificate
local('sed -i "s/^bcfg2 = .*/bcfg2 = https:\/\/config.%s:6789/g" /etc/bcfg2.conf' % ou)
# Wait 20 seconds so
print 'Waiting briefly so slight clock skew does not affect certificate verification.'
time.sleep(20)
verification = local('openssl verify -verbose /etc/pantheon/system.crt')
print verification
ygg.send_event('Authorization', 'Certificate issued. Verification result:\n' + verification)
def _initialize_root_certificate():
"""Install the Pantheon root certificate.
"""
pantheon.configure_root_certificate('http://pki.getpantheon.com')
def _initialize_root_certificate():
"""Install the Pantheon root certificate.
"""
pantheon.configure_root_certificate('http://pki.getpantheon.com')
