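def _configure_certificates():
    """Obtain a host certificate from the Pantheon PKI server and install it.

    Asks the PKI server (Helios) for the OU and CN to put in the certificate
    request, generates a 4096-bit RSA key and CSR under /etc/pantheon, has the
    PKI server sign the CSR, assembles system.pem (for Apache and Pound),
    starts Pound, points the BCFG2 client at the zone's config server, and
    finally verifies the issued certificate, reporting the result via ygg.

    Returns:
        False when the PKI server's /info response cannot be used (not JSON,
        'ou'/'cn' missing, or containing characters that are not valid in a
        hostname); None otherwise.
    """
    # ou, cn and the subject built from them come from the network and are
    # passed to local(), which runs a shell: quote them as single words.
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote
    import string

    # Just in case we're testing, we need to ensure this path exists.
    local('mkdir -p /etc/pantheon')
    # NOTE(review): the root certificate is fetched over plain HTTP, so the
    # trust anchor for everything below is bootstrapped from an
    # unauthenticated channel.
    pantheon.configure_root_certificate('http://pki.getpantheon.com')
    # Now Helios cert is OTS
    pki_server = 'https://pki.getpantheon.com'

    # Ask Helios about what to put into the certificate request.
    try:
        response = urllib2.urlopen('%s/info' % pki_server)
        try:
            host_info = json.loads(response.read())
        finally:
            response.close()
        ou = host_info['ou']
        cn = host_info['cn']
        # Both values end up in a DN, a hostname, an e-mail address and a sed
        # expression; only plain hostname characters are accepted.
        allowed = set(string.ascii_letters + string.digits + '.-')
        for value in (ou, cn):
            if not value or not set(value) <= allowed:
                return False
    except (ValueError, KeyError, TypeError):
        # This fails if Helios says "Could not find corresponding LDAP entry."
        # (the body is not JSON), or if the JSON lacks the fields we need.
        return False
    subject = ('/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc.'
               '/OU=%s/CN=%s/emailAddress=hostmaster@%s/' % (ou, cn, cn))

    # Generate a local key and certificate-signing request. The umask in the
    # subshell keeps the key from being readable by others even before the
    # chmod runs.
    local('(umask 077; openssl genrsa 4096 > /etc/pantheon/system.key)')
    local('chmod 600 /etc/pantheon/system.key')
    local('openssl req -new -nodes -subj %s -key /etc/pantheon/system.key'
          ' > /etc/pantheon/system.csr' % quote(subject))

    # Have the PKI server sign the request.
    local('curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s'
          ' > /etc/pantheon/system.crt' % pki_server)

    # Combine the private key and signed certificate into a PEM file (for
    # Apache and Pound). Group ssl-cert may read it; nobody else.
    local('(umask 027; cat /etc/pantheon/system.crt /etc/pantheon/system.key'
          ' > /etc/pantheon/system.pem)')
    local('chmod 640 /etc/pantheon/system.pem')
    local('chgrp ssl-cert /etc/pantheon/system.pem')

    # Start pound, which has been waiting for system.pem
    local('/etc/init.d/pound start')

    # Update BCFG2's client configuration to use the zone (a.k.a. OU) from
    # the certificate. The whole sed script is passed as one quoted word.
    sed_server = 's/^bcfg2 = .*/bcfg2 = https:\\/\\/config.%s:6789/g' % ou
    local('sed -i %s /etc/bcfg2.conf' % quote(sed_server))

    # Wait 20 seconds so slight clock skew between this host and the CA does
    # not make the freshly issued certificate look not-yet-valid.
    print('Waiting briefly so slight clock skew does not affect certificate verification.')
    time.sleep(20)
    verification = local('openssl verify -verbose /etc/pantheon/system.crt')
    print(verification)
    ygg.send_event('Authorization',
                   'Certificate issued. Verification result:\n' + verification)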
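def _configure_certificates():
    """Obtain a host certificate from the Pantheon PKI server and install it.

    Asks the PKI server (Helios) for the OU and CN to put in the certificate
    request, generates a 4096-bit RSA key and CSR under /etc/pantheon, has the
    PKI server sign the CSR, assembles system.pem (for Apache and Pound) and a
    PKCS#12 bundle system.p12, starts Pound, points the BCFG2 client's user
    and server settings at the certificate's CN and zone (OU), and finally
    verifies the issued certificate, reporting the result via ygg.

    Returns:
        False when the PKI server's /info response cannot be used (not JSON,
        'ou'/'cn' missing, or containing characters that are not valid in a
        hostname); None otherwise.
    """
    # ou, cn and the subject built from them come from the network and are
    # passed to local(), which runs a shell: quote them as single words.
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote
    import string

    # Just in case we're testing, we need to ensure this path exists.
    local('mkdir -p /etc/pantheon')
    # NOTE(review): the root certificate is fetched over plain HTTP, so the
    # trust anchor for everything below is bootstrapped from an
    # unauthenticated channel.
    pantheon.configure_root_certificate('http://pki.getpantheon.com')
    # Now Helios cert is OTS
    pki_server = 'https://pki.getpantheon.com'

    # Ask Helios about what to put into the certificate request.
    try:
        response = urllib2.urlopen('%s/info' % pki_server)
        try:
            host_info = json.loads(response.read())
        finally:
            response.close()
        ou = host_info['ou']
        cn = host_info['cn']
        # Both values end up in a DN, a hostname, an e-mail address and sed
        # expressions; only plain hostname characters are accepted.
        allowed = set(string.ascii_letters + string.digits + '.-')
        for value in (ou, cn):
            if not value or not set(value) <= allowed:
                return False
    except (ValueError, KeyError, TypeError):
        # This fails if Helios says "Could not find corresponding LDAP entry."
        # (the body is not JSON), or if the JSON lacks the fields we need.
        return False
    subject = ('/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc.'
               '/OU=%s/CN=%s/emailAddress=hostmaster@%s/' % (ou, cn, cn))

    # Generate a local key and certificate-signing request. The umask in the
    # subshell keeps the key from being readable by others even before the
    # chmod runs.
    local('(umask 077; openssl genrsa 4096 > /etc/pantheon/system.key)')
    local('chmod 600 /etc/pantheon/system.key')
    local('openssl req -new -nodes -subj %s -key /etc/pantheon/system.key'
          ' > /etc/pantheon/system.csr' % quote(subject))

    # Have the PKI server sign the request.
    local('curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s'
          ' > /etc/pantheon/system.crt' % pki_server)

    # Combine the private key and signed certificate into a PEM file (for
    # Apache and Pound). Group ssl-cert may read it; nobody else.
    local('(umask 027; cat /etc/pantheon/system.crt /etc/pantheon/system.key'
          ' > /etc/pantheon/system.pem)')
    local('chmod 640 /etc/pantheon/system.pem')
    local('chgrp ssl-cert /etc/pantheon/system.pem')

    # Export cert in pkcs12 format. The bundle carries the private key and is
    # exported with an empty password, so its confidentiality rests entirely
    # on the file mode (umask now, chmod 600 right after).
    local('(umask 077; openssl pkcs12 -export -password pass:'
          ' -in /etc/pantheon/system.pem -out /etc/pantheon/system.p12)')
    local('chmod 600 /etc/pantheon/system.p12')

    # Start pound, which has been waiting for system.pem
    local('/etc/init.d/pound start')

    # Update client config to use unique identifier (the certificate CN).
    # Each sed script is passed as one quoted word.
    sed_user = 's/^user = .*/user = %s/g' % cn
    local('sed -i %s /etc/bcfg2.conf' % quote(sed_user))

    # Update BCFG2's client configuration to use the zone (a.k.a. OU) from
    # the certificate.
    sed_server = 's/^bcfg2 = .*/bcfg2 = https:\\/\\/config.%s:6789/g' % ou
    local('sed -i %s /etc/bcfg2.conf' % quote(sed_server))

    # Wait 20 seconds so slight clock skew between this host and the CA does
    # not make the freshly issued certificate look not-yet-valid.
    print('Waiting briefly so slight clock skew does not affect certificate verification.')
    time.sleep(20)
    verification = local('openssl verify -verbose /etc/pantheon/system.crt')
    print(verification)
    ygg.send_event('Authorization',
                   'Certificate issued. Verification result:\n' + verification)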
def _initialize_root_certificate():
    """Install the Pantheon root certificate from the PKI server.

    Delegates to pantheon.configure_root_certificate. Note that the root
    certificate is retrieved over plain HTTP, i.e. the trust anchor is
    fetched without transport authentication.
    """
    pki_root_url = 'http://pki.getpantheon.com'
    pantheon.configure_root_certificate(pki_root_url)
def _initialize_root_certificate():
    """Install the Pantheon root certificate from the PKI server.

    Delegates to pantheon.configure_root_certificate. Note that the root
    certificate is retrieved over plain HTTP, i.e. the trust anchor is
    fetched without transport authentication.
    """
    pki_root_url = 'http://pki.getpantheon.com'
    pantheon.configure_root_certificate(pki_root_url)