This is an automated email from the ASF dual-hosted git repository.

omartushevskyi pushed a commit to branch DLAB-1158
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git


The following commit(s) were added to refs/heads/DLAB-1158 by this push:
     new 111d716  fixed issue with SSL certs expiration
111d716 is described below

commit 111d7162cd767e8b7bd7c498776d32cb85aa1c13
Author: Oleh Martushevskyi <oleh_martushevs...@epam.com>
AuthorDate: Thu Jan 16 16:25:17 2020 +0200

    fixed issue with SSL certs expiration
---
 .../src/general/files/aws/project_Dockerfile       |  2 +
 .../src/general/files/aws/ssn_Dockerfile           |  3 +
 .../src/general/files/azure/project_Dockerfile     |  2 +
 .../src/general/files/azure/ssn_Dockerfile         |  3 +
 .../src/general/files/gcp/project_Dockerfile       |  2 +
 .../src/general/files/gcp/ssn_Dockerfile           |  4 ++
 .../src/general/lib/os/debian/edge_lib.py          | 40 +++++++----
 .../src/general/lib/os/debian/ssn_lib.py           |  6 +-
 .../src/general/lib/os/redhat/edge_lib.py          | 40 +++++++----
 .../src/general/lib/os/redhat/ssn_lib.py           |  6 +-
 .../src/general/templates/os/manage_step_certs.sh  | 80 ++++++++++++++++++++++
 .../src/general/templates/os/renew_certificates.sh | 43 ++++++++++++
 .../os/step-cert-manager.service}                  | 19 +++--
 .../src/ssn/scripts/configure_ssn_node.py          | 46 +++++++++----
 .../terraform/bin/deploy/endpoint_fab.py           | 41 +++++++----
 .../terraform/bin/deploy/manage_step_certs.sh      | 80 ++++++++++++++++++++++
 .../terraform/bin/deploy/renew_certificates.sh     | 38 +++++++---
 .../bin/deploy/step-cert-manager.service}          | 19 +++--
 18 files changed, 387 insertions(+), 87 deletions(-)

diff --git 
a/infrastructure-provisioning/src/general/files/aws/project_Dockerfile 
b/infrastructure-provisioning/src/general/files/aws/project_Dockerfile
index 4fa38da..0c23ae0 100644
--- a/infrastructure-provisioning/src/general/files/aws/project_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/aws/project_Dockerfile
@@ -29,6 +29,8 @@ COPY general/scripts/aws/project_* /root/scripts/
 COPY general/scripts/aws/edge_* /root/scripts/
 COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
 COPY general/templates/aws/edge_s3_policy.json 
/root/templates/edge_s3_policy.json
+COPY general/templates/os/manage_step_certs.sh /root/templates/
+COPY general/templates/os/step-cert-manager.service /root/templates/
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
diff --git a/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile 
b/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile
index 7283925..aeef12b 100644
--- a/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile
@@ -28,6 +28,9 @@ COPY 
infrastructure-provisioning/src/general/scripts/aws/ssn_* /root/scripts/
 COPY infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py 
/usr/lib/python2.7/dlab/ssn_lib.py
 COPY infrastructure-provisioning/src/general/files/aws/ssn_policy.json 
/root/files/
 COPY infrastructure-provisioning/src/general/templates/aws/jenkins_jobs 
/root/templates/jenkins_jobs
+COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/step-cert-manager.service 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/renew_certificates.sh 
/root/templates/
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
diff --git 
a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile 
b/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
index 29c80ec..823becc 100644
--- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
@@ -28,6 +28,8 @@ COPY project/ /root/
 COPY general/scripts/azure/project_* /root/scripts/
 COPY general/scripts/azure/edge_* /root/scripts/
 COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
+COPY general/templates/os/manage_step_certs.sh /root/templates/
+COPY general/templates/os/step-cert-manager.service /root/templates/
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
\ No newline at end of file
diff --git a/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile 
b/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile
index b1e87aa..ee9be75 100644
--- a/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile
@@ -27,6 +27,9 @@ COPY infrastructure-provisioning/src/ssn/ /root/
 COPY infrastructure-provisioning/src/general/scripts/azure/ssn_* /root/scripts/
 COPY infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py 
/usr/lib/python2.7/dlab/ssn_lib.py
 COPY infrastructure-provisioning/src/general/templates/azure/jenkins_jobs 
/root/templates/jenkins_jobs
+COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/step-cert-manager.service 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/renew_certificates.sh 
/root/templates/
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
diff --git 
a/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile 
b/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile
index fb9ecde..7fc44e5 100644
--- a/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile
@@ -30,6 +30,8 @@ COPY general/scripts/gcp/edge_* /root/scripts/
 COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
 COPY general/files/gcp/ps_policy.json /root/files/ps_policy.json
 COPY general/files/gcp/ps_roles.json /root/files/ps_roles.json
+COPY general/templates/os/manage_step_certs.sh /root/templates/
+COPY general/templates/os/step-cert-manager.service /root/templates/
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
\ No newline at end of file
diff --git a/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile 
b/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile
index 152e35d..c0c3916 100644
--- a/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile
+++ b/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile
@@ -29,6 +29,10 @@ COPY 
infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py /usr/lib/py
 COPY infrastructure-provisioning/src/general/files/gcp/ssn_policy.json 
/root/files/
 COPY infrastructure-provisioning/src/general/files/gcp/ssn_roles.json 
/root/files/
 COPY infrastructure-provisioning/src/general/templates/gcp/jenkins_jobs 
/root/templates/jenkins_jobs
+COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/step-cert-manager.service 
/root/templates/
+COPY 
infrastructure-provisioning/src/general/templates/os/renew_certificates.sh 
/root/templates/
+renew_certificates.sh
 
 RUN chmod a+x /root/fabfile.py; \
     chmod a+x /root/scripts/*
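Review bot: The fourth added line, a bare `renew_certificates.sh` following the `COPY ... renew_certificates.sh /root/templates/` instruction, is not a Dockerfile instruction, so building the GCP SSN image will fail with an unknown-instruction parse error; it looks like a leftover from editing the long `COPY` line and should simply be deleted. The diffstat's `4 ++` for this file against `3 ++` for the AWS and Azure SSN Dockerfiles, which add the same three `COPY` lines, confirms the extra line is real rather than a mail-wrap artefact.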
diff --git a/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py 
b/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py
index 64bd2e7..753ab1b 100644
--- a/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py
@@ -67,30 +67,44 @@ def install_nginx_lua(edge_ip, nginx_version, 
keycloak_auth_server_url, keycloak
             sudo('apt-get -y install gcc build-essential make automake 
zlib1g-dev libpcre++-dev libssl-dev git libldap2-dev libc6-dev libgd-dev 
libgeoip-dev libpcre3-dev apt-utils autoconf liblmdb-dev libtool libxml2-dev 
libyajl-dev pkgconf liblua5.1-0 liblua5.1-0-dev libreadline-dev 
libreadline6-dev libtinfo-dev libtool-bin lua5.1 zip readline-doc')
             if os.environ['conf_stepcerts_enabled'] == 'true':
                 sudo('mkdir -p /home/{0}/keys'.format(user))
-                sudo('echo "{0}" | base64 --decode > 
/home/{1}/keys/root_ca.crt'.format(
-                     os.environ['conf_stepcerts_root_ca'], user))
-                fingerprint = sudo('step certificate fingerprint 
/home/{0}/keys/root_ca.crt'.format(
-                    user))
+                sudo('echo "{0}" | base64 --decode > 
/etc/ssl/certs/root_ca.crt'.format(
+                     os.environ['conf_stepcerts_root_ca']))
+                fingerprint = sudo('step certificate fingerprint 
/etc/ssl/certs/root_ca.crt')
                 sudo('step ca bootstrap --fingerprint {0} --ca-url 
"{1}"'.format(fingerprint,
                                                                                
  os.environ['conf_stepcerts_ca_url']))
                 sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format(
                      os.environ['conf_stepcerts_kid_password'], user))
                 sans = "--san localhost --san 127.0.0.1 
{0}".format(step_cert_sans)
                 cn = edge_ip
-                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/home/{2}/keys/root_ca.crt '
+                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/etc/ssl/certs/root_ca.crt '
                      '--password-file /home/{2}/keys/provisioner_password {4} 
--output-file /tmp/step_token'.format(
                       os.environ['conf_stepcerts_kid'], 
os.environ['conf_stepcerts_ca_url'], user, cn, sans))
                 token = sudo('cat /tmp/step_token')
-                sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt 
/home/{2}/keys/dlab.key '
-                     '--token "{1}" --kty=RSA --size 2048 --not-after=10m 
--provisioner {3} '.format(cn, token, user,
+                sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt 
/etc/ssl/certs/dlab.key '
+                     '--token "{1}" --kty=RSA --size 2048 --provisioner {2} 
'.format(cn, token,
                                                                                
      os.environ['conf_stepcerts_kid']))
-                sudo('cp /home/{0}/keys/dlab.crt /etc/ssl/certs/'.format(user))
-                sudo('cp /home/{0}/keys/dlab.key /etc/ssl/certs/'.format(user))
                 sudo('touch /var/log/renew_certificates.log')
-                sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew 
/etc/ssl/certs/dlab.crt '
-                     '/etc/ssl/certs/dlab.key --exec "nginx -s reload" 
--ca-url "{1}" '
-                     '--root /home/{0}/keys/root_ca.crt --force --expires-in 
8h >> /var/log/renew_certificates.log '
-                     '2>&1" >> /etc/crontab \''.format(user, 
os.environ['conf_stepcerts_ca_url']))
+                put('/root/templates/manage_step_certs.sh', 
'/usr/local/bin/manage_step_certs.sh', use_sudo=True)
+                sudo('chmod +x /usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i 
"s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" '
+                     '/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CA_URL|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_ca_url']))
+                sudo('sed -i "s|RESOURCE_TYPE|edge|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|SANS|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(sans))
+                sudo('sed -i "s|CN|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(cn))
+                sudo('sed -i "s|KID|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_kid']))
+                sudo('sed -i 
"s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" '
+                     '/usr/local/bin/manage_step_certs.sh'.format(user))
+                sudo('bash -c \'echo "0 */3 * * * root 
/usr/local/bin/manage_step_certs.sh >> '
+                     '/var/log/renew_certificates.log 2>&1" >> /etc/crontab 
\'')
+                put('/root/templates/step-cert-manager.service', 
'/etc/systemd/system/step-cert-manager.service',
+                    use_sudo=True)
+                sudo('systemctl daemon-reload')
+                sudo('systemctl enable step-cert-manager.service')
             else:
                 sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 
-keyout /etc/ssl/certs/dlab.key \
                      -out /etc/ssl/certs/dlab.crt -subj 
"/C=US/ST=US/L=US/O=dlab/CN={}"'.format(hostname))
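Review bot: The new `recreate_cert` fallback turns the JWK provisioner password into a permanent resident of every edge node: the removed cron line only ran `step ca renew`, which needs just the existing certificate and key, so `/home/{user}/keys/provisioner_password` could have been wiped after bootstrap, whereas `manage_step_certs.sh` now reads it from root's crontab every three hours. That file is created by `echo "{0}" > ...` under the default umask (and the password is already exposed on the sudo command line in the context lines), so at minimum add `sudo('chown root:root /home/{0}/keys/provisioner_password'.format(user))` and `sudo('chmod 600 /home/{0}/keys/provisioner_password'.format(user))` right after the echo. Consider a dedicated provisioner whose issuance is scoped to this node's names, since a compromised edge would otherwise hold a credential that can mint certificates for arbitrary hosts. The enclosing `install_nginx_lua` body begins before this hunk and continues after it.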
diff --git a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py 
b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
index 4d97449..10bb844 100644
--- a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
@@ -321,12 +321,12 @@ def start_ss(keyfile, host_string, dlab_conf_dir, 
web_path,
                     sudo('keytool -importcert -trustcacerts -alias step-crt 
-file /etc/ssl/certs/dlab.crt -noprompt '
                          '-storepass changeit -keystore 
{0}/lib/security/cacerts'.format(java_path))
                 else:
-                    sudo('keytool -genkeypair -alias dlab -keyalg RSA 
-validity 730 -storepass {1} -keypass {1} \
+                    sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 
730 -storepass {1} -keypass {1} \
                          -keystore /home/{0}/keys/ssn.keystore.jks -keysize 
2048 -dname "CN=localhost"'.format(
                          os_user, keystore_passwd))
-                    sudo('keytool -exportcert -alias dlab -storepass {1} -file 
/home/{0}/keys/dlab.crt \
+                    sudo('keytool -exportcert -alias ssn -storepass {1} -file 
/home/{0}/keys/dlab.crt \
                          -keystore 
/home/{0}/keys/ssn.keystore.jks'.format(os_user, keystore_passwd))
-                    sudo('keytool -importcert -trustcacerts -alias dlab -file 
/home/{0}/keys/dlab.crt -noprompt \
+                    sudo('keytool -importcert -trustcacerts -alias ssn -file 
/home/{0}/keys/dlab.crt -noprompt \
                          -storepass changeit -keystore 
{1}/lib/security/cacerts'.format(os_user, java_path))
             except:
                 append_result("Unable to generate cert and copy to java 
keystore")
diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py 
b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
index 122d0e1..25a28cc 100644
--- a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
@@ -72,30 +72,44 @@ def install_nginx_ldap(edge_ip, nginx_version, ldap_ip, 
ldap_dn, ldap_ou, ldap_s
                 'yum -y install gcc gcc-c++ make zlib-devel pcre-devel 
openssl-devel git openldap-devel')
             if os.environ['conf_stepcerts_enabled'] == 'true':
                 sudo('mkdir -p /home/{0}/keys'.format(user))
-                sudo('echo "{0}" | base64 --decode > 
/home/{1}/keys/root_ca.crt'.format(
-                     os.environ['conf_stepcerts_root_ca'], user))
-                fingerprint = sudo('step certificate fingerprint 
/home/{0}/keys/root_ca.crt'.format(
-                    user))
+                sudo('echo "{0}" | base64 --decode > 
/etc/ssl/certs/root_ca.crt'.format(
+                     os.environ['conf_stepcerts_root_ca']))
+                fingerprint = sudo('step certificate fingerprint 
/etc/ssl/certs/root_ca.crt')
                 sudo('step ca bootstrap --fingerprint {0} --ca-url 
"{1}"'.format(fingerprint,
                                                                                
  os.environ['conf_stepcerts_ca_url']))
                 sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format(
                      os.environ['conf_stepcerts_kid_password'], user))
                 sans = "--san localhost --san 127.0.0.1 
{0}".format(step_cert_sans)
                 cn = edge_ip
-                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/home/{2}/keys/root_ca.crt '
+                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/etc/ssl/certs/root_ca.crt '
                      '--password-file /home/{2}/keys/provisioner_password {4} 
--output-file /tmp/step_token'.format(
                       os.environ['conf_stepcerts_kid'], 
os.environ['conf_stepcerts_ca_url'], user, cn, sans))
                 token = sudo('cat /tmp/step_token')
-                sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt 
/home/{2}/keys/dlab.key '
-                     '--token "{1}" --kty=RSA --size 2048 --provisioner {3} 
'.format(cn, token, user,
+                sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt 
/etc/ssl/certs/dlab.key '
+                     '--token "{1}" --kty=RSA --size 2048 --provisioner {2} 
'.format(cn, token,
                                                                                
      os.environ['conf_stepcerts_kid']))
-                sudo('cp /home/{0}/keys/dlab.crt /etc/ssl/certs/'.format(user))
-                sudo('cp /home/{0}/keys/dlab.key /etc/ssl/certs/'.format(user))
                 sudo('touch /var/log/renew_certificates.log')
-                sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew 
/etc/ssl/certs/dlab.crt '
-                     '/etc/ssl/certs/dlab.key --exec "nginx -s reload" 
--ca-url "{1}" '
-                     '--root /home/{0}/keys/root_ca.crt --force --expires-in 
8h >> /var/log/renew_certificates.log '
-                     '2>&1" >> /etc/crontab \''.format(user, 
os.environ['conf_stepcerts_ca_url']))
+                put('/root/templates/manage_step_certs.sh', 
'/usr/local/bin/manage_step_certs.sh', use_sudo=True)
+                sudo('chmod +x /usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i 
"s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" '
+                     '/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CA_URL|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_ca_url']))
+                sudo('sed -i "s|RESOURCE_TYPE|edge|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|SANS|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(sans))
+                sudo('sed -i "s|CN|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(cn))
+                sudo('sed -i "s|KID|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_kid']))
+                sudo('sed -i 
"s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" '
+                     '/usr/local/bin/manage_step_certs.sh'.format(user))
+                sudo('bash -c \'echo "0 */3 * * * root 
/usr/local/bin/manage_step_certs.sh >> '
+                     '/var/log/renew_certificates.log 2>&1" >> /etc/crontab 
\'')
+                put('/root/templates/step-cert-manager.service', 
'/etc/systemd/system/step-cert-manager.service',
+                    use_sudo=True)
+                sudo('systemctl daemon-reload')
+                sudo('systemctl enable step-cert-manager.service')
             else:
                 sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 
-keyout /etc/ssl/certs/dlab.key \
                      -out /etc/ssl/certs/dlab.crt -subj 
"/C=US/ST=US/L=US/O=dlab/CN={}"'.format(hostname))
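Review bot: `/usr/local/bin/manage_step_certs.sh` is uploaded with `put(..., use_sudo=True)` and then executed by root from `/etc/crontab` and from the systemd unit, but nothing sets its ownership; depending on how Fabric's sudo upload leaves the file, it may remain owned and writable by the SSH user, which would let that account run arbitrary code as root every three hours. Add `sudo('chown root:root /usr/local/bin/manage_step_certs.sh')` next to the `chmod +x` and use `chmod 755` explicitly. The `sed -i "s|...|{0}|g"` substitutions also splice `conf_stepcerts_ca_url`, `conf_stepcerts_kid`, `cn` and `sans` into the script unescaped, so a `|`, `&` or `\` in any of those values silently corrupts the script; escape them, or write the values to a root-owned config file that the script sources. The enclosing `install_nginx_ldap` body begins before this hunk and continues after it.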
diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py 
b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
index 18ac0bf..4d8d1e1 100644
--- a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
@@ -348,12 +348,12 @@ def start_ss(keyfile, host_string, dlab_conf_dir, 
web_path,
                          '-storepass changeit -keystore 
{0}/lib/security/cacerts'.format(java_path))
 
                 else:
-                    sudo('keytool -genkeypair -alias dlab -keyalg RSA 
-validity 730 -storepass {1} -keypass {1} \
+                    sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 
730 -storepass {1} -keypass {1} \
                          -keystore /home/{0}/keys/ssn.keystore.jks -keysize 
2048 -dname "CN=localhost"'.format(
                         os_user, keystore_passwd))
-                    sudo('keytool -exportcert -alias dlab -storepass {1} -file 
/home/{0}/keys/dlab.crt \
+                    sudo('keytool -exportcert -alias ssn -storepass {1} -file 
/home/{0}/keys/dlab.crt \
                          -keystore 
/home/{0}/keys/ssn.keystore.jks'.format(os_user, keystore_passwd))
-                    sudo('keytool -importcert -trustcacerts -alias dlab -file 
/home/{0}/keys/dlab.crt -noprompt \
+                    sudo('keytool -importcert -trustcacerts -alias ssn -file 
/home/{0}/keys/dlab.crt -noprompt \
                          -storepass changeit -keystore 
{1}/lib/security/cacerts'.format(os_user, java_path))
             except:
                 append_result("Unable to generate cert and copy to java 
keystore")
diff --git 
a/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh 
b/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh
new file mode 100644
index 0000000..a0487e0
--- /dev/null
+++ b/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+
+root_crt_path=STEP_ROOT_CERT_PATH
+crt_path=STEP_CERT_PATH
+key_path=STEP_KEY_PATH
+ca_url=STEP_CA_URL
+resource_type=RESOURCE_TYPE
+renew_status=0
+sans='SANS'
+cn=CN
+kid=KID
+provisioner_password_path=STEP_PROVISIONER_PASSWORD_PATH
+
+function log() {
+    dt=$(date '+%d/%m/%Y %H:%M:%S');
+    echo "[${dt} | ${1}]"
+}
+
+function renew_cert() {
+  log "Trying to renew certificate ${crt_path}"
+  if [ $resource_type = 'edge' ]; then
+    step ca renew ${crt_path} ${key_path} --exec 'nginx -s reload' --ca-url 
${ca_url} --root ${root_crt_path} --force --expires-in 8h
+  elif [ $resource_type = 'endpoint' ]; then
+    step ca renew ${crt_path} ${key_path} --exec 
"/usr/local/bin/renew_certificates.sh" --ca-url ${ca_url} --root 
${root_crt_path} --force --expires-in 8h
+  else
+    log "Wrong resource type. Aborting..."
+    exit 1
+  fi
+}
+
+function recreate_cert() {
+  log "Trying to recreate certificate ${crt_path}"
+  step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root 
${root_crt_path} --password-file ${provisioner_password_path} ${sans} 
--output-file /tmp/step_token --force
+  token=$(cat /tmp/step_token)
+  step ca certificate ${cn} ${crt_path} ${key_path} --token "${token}" 
--kty=RSA --size 2048 --provisioner ${kid} --force
+  if [ $resource_type = 'edge' ]; then
+    nginx -s reload
+  elif [ $resource_type = 'endpoint' ]; then
+    /usr/local/bin/renew_certificates.sh
+  else
+    log "Wrong resource type. Aborting..."
+    exit 1
+  fi
+}
+renew_cert
+if [ $? -eq 0 ]; then
+  log "Certificate ${crt_path} has been renewed or hasn't been expired"
+else
+  renew_status=1
+fi
+
+if [ $renew_status -ne 0 ]; then
+  recreate_cert
+  if [ $? -eq 0 ]; then
+    log "Certificate ${crt_path} has been recreated"
+  else
+    log "Failed to recreate the certificate ${crt_path}"
+  fi
+fi
\ No newline at end of file
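Review bot: `recreate_cert` writes the provisioner-signed one-time token to the fixed, world-readable path `/tmp/step_token` (with `--force`, so a pre-planted symlink at that name is followed) and then passes it on the `step ca certificate` command line, where any local user can read it from `ps` for the duration of the call; that token alone is enough to obtain a certificate for this node's names. Create the token file with `mktemp`, remove it on exit, and quote every expansion except `${sans}`, which is the only one meant to word-split. Today a failed `step ca token` still runs `step ca certificate` with an empty token, so check each exit status before continuing; if the installed step-cli supports `--provisioner-password-file` on `step ca certificate`, that removes the token file and the `ps` exposure entirely. The file also lacks a trailing newline.
```shell
function recreate_cert() {
  log "Trying to recreate certificate ${crt_path}"
  token_file=$(mktemp) || return 1
  trap 'rm -f "${token_file}"' EXIT
  step ca token "${cn}" --kid "${kid}" --ca-url "${ca_url}" --root "${root_crt_path}" \
    --password-file "${provisioner_password_path}" ${sans} --output-file "${token_file}" --force || return 1
  step ca certificate "${cn}" "${crt_path}" "${key_path}" --token "$(cat "${token_file}")" \
    --kty=RSA --size 2048 --provisioner "${kid}" --force || return 1
  # … unchanged: nginx reload / renew_certificates.sh dispatch on resource_type …
}
```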
diff --git 
a/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh 
b/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh
new file mode 100644
index 0000000..d3b4093
--- /dev/null
+++ b/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+
+KEYSTORE_PASS=$(cat /opt/dlab/conf/provisioning.yml  | grep '<#assign 
KEY_STORE_PASSWORD' | awk -F  '\"' '{print $2}')
+
+# Removing old certificates
+keytool -delete -alias RESOURCE_TYPE -keystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias CARoot -keystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias mykey -keystore JAVA_HOME/lib/security/cacerts 
-storepass changeit
+keytool -delete -alias RESOURCE_TYPE -keystore JAVA_HOME/lib/security/cacerts 
-storepass changeit
+
+# Importing new certificates to keystore
+openssl pkcs12 -export -in /etc/ssl/certs/RESOURCE_TYPE.crt -inkey 
/etc/ssl/certs/RESOURCE_TYPE.key -name RESOURCE_TYPE -out 
/home/OS_USER/keys/RESOURCE_TYPE.p12 -password pass:${KEYSTORE_PASS}
+keytool -importkeystore -srckeystore /home/OS_USER/keys/RESOURCE_TYPE.p12 
-srcstoretype PKCS12 -alias RESOURCE_TYPE -destkeystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -deststorepass "${KEYSTORE_PASS}" 
-srcstorepass "${KEYSTORE_PASS}"
+keytool -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -alias CARoot 
-import -file  /etc/ssl/certs/root_ca.crt  -deststorepass "${KEYSTORE_PASS}" 
-noprompt
+
+
+# Adding new certificates
+keytool -importcert -trustcacerts -alias RESOURCE_TYPE -file 
/etc/ssl/certs/RESOURCE_TYPE.crt -noprompt -storepass changeit -keystore 
JAVA_HOME/lib/security/cacerts
+keytool -importcert -trustcacerts -file /etc/ssl/certs/root_ca.crt -noprompt 
-storepass changeit -keystore JAVA_HOME/lib/security/cacerts
+
+# Restarting service
+supervisorctl restart provserv
\ No newline at end of file
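Review bot: The keystore password is placed on the command line of every `keytool` and `openssl` invocation (`-storepass "${KEYSTORE_PASS}"`, `-password pass:${KEYSTORE_PASS}`), so it is readable by any local user via `ps` or `/proc/*/cmdline` while the script runs, and the unquoted `pass:${KEYSTORE_PASS}` additionally word-splits if the password contains whitespace. Export the variable once and use `-password env:KEYSTORE_PASS` for openssl and `-storepass:env KEYSTORE_PASS` for keytool. The script also carries on after a failed `openssl pkcs12 -export`: the old entries have already been deleted at that point, so a transient failure leaves an empty keystore and then restarts provserv; add `set -e` (or an explicit exit-status check) before the import block, and `rm -f` the `.p12` copy of the private key once it has been imported. `RESOURCE_TYPE`, `OS_USER` and `JAVA_HOME` are presumably substituted by the caller, as `manage_step_certs.sh` is, but nothing here fails loudly if a placeholder survives.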
diff --git 
a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile 
b/infrastructure-provisioning/src/general/templates/os/step-cert-manager.service
similarity index 76%
copy from infrastructure-provisioning/src/general/files/azure/project_Dockerfile
copy to 
infrastructure-provisioning/src/general/templates/os/step-cert-manager.service
index 29c80ec..994eea7 100644
--- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
+++ 
b/infrastructure-provisioning/src/general/templates/os/step-cert-manager.service
@@ -19,15 +19,14 @@
 #
 # 
******************************************************************************
 
+[Unit]
+Description=Check Step certificates
+After=network.target
 
-FROM docker.dlab-base:latest
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/manage_step_certs.sh
+TimeoutStartSec=0
 
-ARG OS
-
-COPY project/ /root/
-COPY general/scripts/azure/project_* /root/scripts/
-COPY general/scripts/azure/edge_* /root/scripts/
-COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
-
-RUN chmod a+x /root/fabfile.py; \
-    chmod a+x /root/scripts/*
\ No newline at end of file
+[Install]
+WantedBy=default.target
\ No newline at end of file
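Review bot: `Type=simple` describes a long-running daemon, but `manage_step_certs.sh` runs once and exits, so systemd reports the unit as inactive/dead immediately and a failed run is easy to miss; `Type=oneshot` is the matching type. The unit is ordered only `After=network.target`, which guarantees neither a usable network (that needs `network-online.target`) nor that nginx or supervisord is up when the script calls `nginx -s reload` or `renew_certificates.sh`; if `step ca renew` propagates a failed `--exec` as a non-zero exit, the script would fall through to `recreate_cert` on every boot. Suggest `Type=oneshot`, `After=network-online.target` with `Wants=network-online.target`, and `WantedBy=multi-user.target` instead of `default.target`.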
diff --git a/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py 
b/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py
index 9960ee0..0cf8e4d 100644
--- a/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py
+++ b/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py
@@ -133,31 +133,51 @@ def configure_ssl_certs(hostname, custom_ssl_cert):
             if os.environ['conf_stepcerts_enabled'] == 'true':
                 ensure_step(args.os_user)
                 sudo('mkdir -p /home/{0}/keys'.format(args.os_user))
-                sudo('echo "{0}" | base64 --decode > 
/home/{1}/keys/root_ca.crt'.format(
-                     os.environ['conf_stepcerts_root_ca'], args.os_user))
-                fingerprint = sudo('step certificate fingerprint 
/home/{0}/keys/root_ca.crt'.format(
-                    args.os_user))
+                sudo('echo "{0}" | base64 --decode > 
/etc/ssl/certs/root_ca.crt'.format(
+                     os.environ['conf_stepcerts_root_ca']))
+                fingerprint = sudo('step certificate fingerprint 
/etc/ssl/certs/root_ca.crt')
                 sudo('step ca bootstrap --fingerprint {0} --ca-url 
"{1}"'.format(fingerprint,
                                                                                
  os.environ['conf_stepcerts_ca_url']))
                 sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format(
                      os.environ['conf_stepcerts_kid_password'], args.os_user))
                 sans = "--san localhost --san 127.0.0.1 
{0}".format(args.step_cert_sans)
                 cn = hostname
-                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/home/{2}/keys/root_ca.crt '
+                sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/etc/ssl/certs/root_ca.crt '
                      '--password-file /home/{2}/keys/provisioner_password {4} 
--output-file /tmp/step_token'.format(
                               os.environ['conf_stepcerts_kid'], 
os.environ['conf_stepcerts_ca_url'],
                               args.os_user, cn, sans))
                 token = sudo('cat /tmp/step_token')
-                sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt 
/home/{2}/keys/dlab.key '
-                     '--token "{1}" --kty=RSA --size 2048 --provisioner {3} 
'.format(cn, token, args.os_user,
+                sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt 
/etc/ssl/certs/dlab.key '
+                     '--token "{1}" --kty=RSA --size 2048 --provisioner {2} 
'.format(cn, token,
                                                                                
      os.environ['conf_stepcerts_kid']))
-                sudo('cp /home/{0}/keys/dlab.crt 
/etc/ssl/certs/'.format(args.os_user))
-                sudo('cp /home/{0}/keys/dlab.key 
/etc/ssl/certs/'.format(args.os_user))
                 sudo('touch /var/log/renew_certificates.log')
-                sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew 
/etc/ssl/certs/dlab.crt '
-                     '/etc/ssl/certs/dlab.key --exec "nginx -s reload" 
--ca-url "{1}" '
-                     '--root /home/{0}/keys/root_ca.crt --force --expires-in 
8h >> /var/log/renew_certificates.log '
-                     '2>&1" >> /etc/crontab \''.format(args.os_user, 
os.environ['conf_stepcerts_ca_url']))
+                put('./renew_certificates.sh', '/tmp/renew_certificates.sh')
+                sudo('mv /tmp/renew_certificates.sh /usr/local/bin/')
+                sudo('chmod +x /usr/local/bin/renew_certificates.sh')
+                sudo('sed -i "s/OS_USER/{0}/g" 
/usr/local/bin/renew_certificates.sh'.format(args.os_user))
+                sudo('sed -i "s|JAVA_HOME|{0}|g" 
/usr/local/bin/renew_certificates.sh'.format(find_java_path_remote()))
+
+                put('/root/templates/manage_step_certs.sh', 
'/usr/local/bin/manage_step_certs.sh', use_sudo=True)
+                sudo('chmod +x /usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i 
"s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" '
+                     '/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|STEP_CA_URL|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_ca_url']))
+                sudo('sed -i "s|RESOURCE_TYPE|ssn|g" 
/usr/local/bin/manage_step_certs.sh')
+                sudo('sed -i "s|SANS|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(sans))
+                sudo('sed -i "s|CN|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(cn))
+                sudo('sed -i "s|KID|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(
+                    os.environ['conf_stepcerts_kid']))
+                sudo('sed -i 
"s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" '
+                     
'/usr/local/bin/manage_step_certs.sh'.format(args.os_user))
+                sudo('bash -c \'echo "0 */3 * * * root 
/usr/local/bin/manage_step_certs.sh >> '
+                     '/var/log/renew_certificates.log 2>&1" >> /etc/crontab 
\'')
+                put('/root/templates/step-cert-manager.service', 
'/etc/systemd/system/step-cert-manager.service',
+                    use_sudo=True)
+                sudo('systemctl daemon-reload')
+                sudo('systemctl enable step-cert-manager.service')
 
             else:
                 sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 
-keyout /etc/ssl/certs/dlab.key \
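Review bot: manage_step_certs.sh is parameterised with `RESOURCE_TYPE` = `ssn` here, but the copy of that script visible in this commit (terraform/bin/deploy/manage_step_certs.sh) only handles `edge` and `endpoint` in renew_cert/recreate_cert and otherwise logs "Wrong resource type" and exits 1, so if the templates/os copy is the same the SSN cron job and systemd unit would never renew or recreate anything; an `ssn` branch (presumably `nginx -s reload`, which the removed crontab line used) is needed. The renew_certificates.sh copied just above only gets OS_USER and JAVA_HOME substituted, while that script references /etc/ssl/certs/RESOURCE_TYPE.crt; unless that placeholder is filled elsewhere it stays literal, and even as `ssn`/`endpoint` it would not match the /etc/ssl/certs/dlab.crt issued here — the endpoint_fab.py and renew_certificates.sh hunks below have the same mismatch. The template source paths are also mixed: `put('./renew_certificates.sh', ...)` is relative to the caller's working directory while the two other templates are taken from /root/templates/. configure_ssl_certs begins before this hunk.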
diff --git a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py 
b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
index 5179397..9d4426df 100644
--- a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
+++ b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
@@ -104,10 +104,8 @@ def ensure_step_certs():
             conn.sudo('wget 
https://github.com/smallstep/cli/releases/download/v0.13.3/step-cli_0.13.3_amd64.deb
 '
                       '-O /tmp/step-cli_0.13.3_amd64.deb')
             conn.sudo('dpkg -i /tmp/step-cli_0.13.3_amd64.deb')
-            conn.sudo('echo "{0}" | base64 --decode > 
/home/{1}/keys/root_ca.crt'.format(args.step_root_ca,
-                                                                               
          args.os_user))
-            fingerprint = conn.sudo('step certificate fingerprint 
/home/{0}/keys/root_ca.crt'.format(
-                args.os_user)).stdout.replace('\n', '')
+            conn.sudo('echo "{0}" | base64 --decode > 
/etc/ssl/certs/root_ca.crt'.format(args.step_root_ca))
+            fingerprint = conn.sudo('step certificate fingerprint 
/etc/ssl/certs/root_ca.crt').stdout.replace('\n', '')
             conn.sudo('step ca bootstrap --fingerprint {0} --ca-url 
"{1}"'.format(fingerprint,
                                                                                
   args.step_ca_url))
             conn.sudo('echo "{0}" > 
/home/{1}/keys/provisioner_password'.format(args.step_kid_password, 
args.os_user))
@@ -128,7 +126,7 @@ def ensure_step_certs():
                                                   
'http://metadata/computeMetadata/v1/instance/network-interfaces/0/'
                                                   'ip').stdout.replace('\n', 
'')
                 except:
-                    public_ip_address = None
+                    public_ip_address = None 
             else:
                 local_ip_address = None
                 public_ip_address = None
@@ -137,23 +135,38 @@ def ensure_step_certs():
             if public_ip_address:
                 sans += "--san {0}".format(public_ip_address)
                 cn = public_ip_address
-            conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/home/{2}/keys/root_ca.crt '
+            conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root 
/etc/ssl/certs/root_ca.crt '
                       '--password-file /home/{2}/keys/provisioner_password {4} 
--output-file /tmp/step_token'.format(
                                args.step_kid, args.step_ca_url, args.os_user, 
cn, sans))
             token = conn.sudo('cat /tmp/step_token').stdout.replace('\n', '')
-            conn.sudo('step ca certificate "{0}" /home/{2}/keys/endpoint.crt 
/home/{2}/keys/endpoint.key '
-                      '--token "{1}" --kty=RSA --size 2048 --provisioner {3} 
'.format(cn, token, args.os_user,
-                                                                               
       args.step_kid))
-            conn.put('./renew_certificates.sh', '/tmp/renew_certificates.sh')
+            conn.sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt 
/etc/ssl/certs/dlab.key '
+                      '--token "{1}" --kty=RSA --size 2048 --provisioner {2} 
'.format(cn, token, args.step_kid))
+            conn.put('/root/templates/renew_certificates.sh', 
'/tmp/renew_certificates.sh')
             conn.sudo('mv /tmp/renew_certificates.sh /usr/local/bin/')
             conn.sudo('chmod +x /usr/local/bin/renew_certificates.sh')
             conn.sudo('sed -i "s/OS_USER/{0}/g" 
/usr/local/bin/renew_certificates.sh'.format(args.os_user))
             conn.sudo('sed -i "s|JAVA_HOME|{0}|g" 
/usr/local/bin/renew_certificates.sh'.format(java_home))
             conn.sudo('touch /var/log/renew_certificates.log')
-            conn.sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew 
/home/{0}/keys/endpoint.crt '
-                      '/home/{0}/keys/endpoint.key --exec 
"/usr/local/bin/renew_certificates.sh" --ca-url "{1}" '
-                      '--root /home/{0}/keys/root_ca.crt --force --expires-in 
8h >> /var/log/renew_certificates.log '
-                      '2>&1" >> /etc/crontab \''.format(args.os_user, 
args.step_ca_url))
+            conn.put('./manage_step_certs.sh', '/tmp/manage_step_certs.sh')
+            conn.sudo('mv /tmp/manage_step_certs.sh 
/usr/local/bin/manage_step_certs.sh')
+            conn.sudo('chmod +x /usr/local/bin/manage_step_certs.sh')
+            conn.sudo('sed -i 
"s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" '
+                      '/usr/local/bin/manage_step_certs.sh')
+            conn.sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" 
/usr/local/bin/manage_step_certs.sh')
+            conn.sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" 
/usr/local/bin/manage_step_certs.sh')
+            conn.sudo('sed -i "s|STEP_CA_URL|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(args.step_ca_url))
+            conn.sudo('sed -i "s|RESOURCE_TYPE|endpoint|g" 
/usr/local/bin/manage_step_certs.sh')
+            conn.sudo('sed -i "s|SANS|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(sans))
+            conn.sudo('sed -i "s|CN|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(cn))
+            conn.sudo('sed -i "s|KID|{0}|g" 
/usr/local/bin/manage_step_certs.sh'.format(args.step_kid))
+            conn.sudo('sed -i 
"s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" '
+                      
'/usr/local/bin/manage_step_certs.sh'.format(args.os_user))
+            conn.sudo('bash -c \'echo "0 */3 * * * root 
/usr/local/bin/manage_step_certs.sh >> '
+                      '/var/log/renew_certificates.log 2>&1" >> /etc/crontab 
\'')
+            conn.put('./step-cert-manager.service', 
'/tmp/step-cert-manager.service')
+            conn.sudo('mv /tmp/step-cert-manager.service 
/etc/systemd/system/step-cert-manager.service')
+            conn.sudo('systemctl daemon-reload')
+            conn.sudo('systemctl enable step-cert-manager.service')
             conn.sudo('touch /home/{}/.ensure_dir/step_ensured'
                       .format(args.os_user))
     except Exception as err:
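Review bot: `conn.put('/root/templates/renew_certificates.sh', ...)` changes the source path from the previous `./renew_certificates.sh`, while the two new puts in the same hunk (manage_step_certs.sh, step-cert-manager.service) still use `./` and the diffstat places renew_certificates.sh next to this script in terraform/bin/deploy; unless /root/templates exists where this deploy script runs, the put will fail, so `conn.put('./renew_certificates.sh', '/tmp/renew_certificates.sh')` looks like the intended line. Separately, the `sed -i "s|CN|{0}|g"` and `s|SANS|{0}|g` substitutions interpolate hostnames and the CA URL unescaped, so a value containing `|`, `&` or a backslash would corrupt the script, and because CN and KID are replaced after SANS and STEP_CA_URL, any `CN`/`KID` substring inside those earlier values would be rewritten as well. ensure_step_certs starts before this hunk and its except branch continues after it.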
diff --git 
a/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh 
b/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh
new file mode 100644
index 0000000..a0487e0
--- /dev/null
+++ b/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+
+root_crt_path=STEP_ROOT_CERT_PATH
+crt_path=STEP_CERT_PATH
+key_path=STEP_KEY_PATH
+ca_url=STEP_CA_URL
+resource_type=RESOURCE_TYPE
+renew_status=0
+sans='SANS'
+cn=CN
+kid=KID
+provisioner_password_path=STEP_PROVISIONER_PASSWORD_PATH
+
+function log() {
+    dt=$(date '+%d/%m/%Y %H:%M:%S');
+    echo "[${dt} | ${1}]"
+}
+
+function renew_cert() {
+  log "Trying to renew certificate ${crt_path}"
+  if [ $resource_type = 'edge' ]; then
+    step ca renew ${crt_path} ${key_path} --exec 'nginx -s reload' --ca-url 
${ca_url} --root ${root_crt_path} --force --expires-in 8h
+  elif [ $resource_type = 'endpoint' ]; then
+    step ca renew ${crt_path} ${key_path} --exec 
"/usr/local/bin/renew_certificates.sh" --ca-url ${ca_url} --root 
${root_crt_path} --force --expires-in 8h
+  else
+    log "Wrong resource type. Aborting..."
+    exit 1
+  fi
+}
+
+function recreate_cert() {
+  log "Trying to recreate certificate ${crt_path}"
+  step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root 
${root_crt_path} --password-file ${provisioner_password_path} ${sans} 
--output-file /tmp/step_token --force
+  token=$(cat /tmp/step_token)
+  step ca certificate ${cn} ${crt_path} ${key_path} --token "${token}" 
--kty=RSA --size 2048 --provisioner ${kid} --force
+  if [ $resource_type = 'edge' ]; then
+    nginx -s reload
+  elif [ $resource_type = 'endpoint' ]; then
+    /usr/local/bin/renew_certificates.sh
+  else
+    log "Wrong resource type. Aborting..."
+    exit 1
+  fi
+}
+renew_cert
+if [ $? -eq 0 ]; then
+  log "Certificate ${crt_path} has been renewed or hasn't been expired"
+else
+  renew_status=1
+fi
+
+if [ $renew_status -ne 0 ]; then
+  recreate_cert
+  if [ $? -eq 0 ]; then
+    log "Certificate ${crt_path} has been recreated"
+  else
+    log "Failed to recreate the certificate ${crt_path}"
+  fi
+fi
\ No newline at end of file
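Review bot: recreate_cert writes the one-time enrolment token to the fixed path /tmp/step_token with `--force`, reads it back and leaves it behind; a per-run `mktemp` file removed via `trap` would avoid the predictable path in a world-writable directory and the leftover token. The `[ $resource_type = 'edge' ]` tests use unquoted expansions, so an empty or unsubstituted value turns into a syntax error rather than the intended "Wrong resource type" branch; `[ "${resource_type}" = 'edge' ]` is safer, and `cn=CN`/`kid=KID` would benefit from the same quoting as `sans='SANS'`. The script also has no `set -u`/`set -o pipefail`, so a failed `cat /tmp/step_token` yields an empty token and the error only surfaces from step. The diffstat lists the same 80-line script under src/general/templates/os, which is not shown here but presumably needs the same changes.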
diff --git 
a/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh 
b/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
index c48e51b..d3b4093 100644
--- a/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
+++ b/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
@@ -1,21 +1,43 @@
 #!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+
 KEYSTORE_PASS=$(cat /opt/dlab/conf/provisioning.yml  | grep '<#assign 
KEY_STORE_PASSWORD' | awk -F  '\"' '{print $2}')
 
 # Removing old certificates
-keytool -delete -alias endpoint -keystore 
/home/OS_USER/keys/endpoint.keystore.jks -storepass "${KEYSTORE_PASS}"
-keytool -delete -alias CARoot -keystore 
/home/OS_USER/keys/endpoint.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias RESOURCE_TYPE -keystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias CARoot -keystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
 keytool -delete -alias mykey -keystore JAVA_HOME/lib/security/cacerts 
-storepass changeit
-keytool -delete -alias endpoint -keystore JAVA_HOME/lib/security/cacerts 
-storepass changeit
+keytool -delete -alias RESOURCE_TYPE -keystore JAVA_HOME/lib/security/cacerts 
-storepass changeit
 
 # Importing new certificates to keystore
-openssl pkcs12 -export -in /home/OS_USER/keys/endpoint.crt -inkey 
/home/OS_USER/keys/endpoint.key -name endpoint -out 
/home/OS_USER/keys/endpoint.p12 -password pass:${KEYSTORE_PASS}
-keytool -importkeystore -srckeystore /home/OS_USER/keys/endpoint.p12 
-srcstoretype PKCS12 -alias endpoint -destkeystore 
/home/OS_USER/keys/endpoint.keystore.jks -deststorepass "${KEYSTORE_PASS}" 
-srcstorepass "${KEYSTORE_PASS}"
-keytool -keystore /home/OS_USER/keys/endpoint.keystore.jks -alias CARoot 
-import -file  /home/OS_USER/keys/root_ca.crt  -deststorepass 
"${KEYSTORE_PASS}" -noprompt
+openssl pkcs12 -export -in /etc/ssl/certs/RESOURCE_TYPE.crt -inkey 
/etc/ssl/certs/RESOURCE_TYPE.key -name RESOURCE_TYPE -out 
/home/OS_USER/keys/RESOURCE_TYPE.p12 -password pass:${KEYSTORE_PASS}
+keytool -importkeystore -srckeystore /home/OS_USER/keys/RESOURCE_TYPE.p12 
-srcstoretype PKCS12 -alias RESOURCE_TYPE -destkeystore 
/home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -deststorepass "${KEYSTORE_PASS}" 
-srcstorepass "${KEYSTORE_PASS}"
+keytool -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -alias CARoot 
-import -file  /etc/ssl/certs/root_ca.crt  -deststorepass "${KEYSTORE_PASS}" 
-noprompt
 
 
 # Adding new certificates
-keytool -importcert -trustcacerts -alias endpoint -file 
/home/OS_USER/keys/endpoint.crt -noprompt -storepass changeit -keystore 
JAVA_HOME/lib/security/cacerts
-keytool -importcert -trustcacerts -file /home/OS_USER/keys/root_ca.crt 
-noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts
+keytool -importcert -trustcacerts -alias RESOURCE_TYPE -file 
/etc/ssl/certs/RESOURCE_TYPE.crt -noprompt -storepass changeit -keystore 
JAVA_HOME/lib/security/cacerts
+keytool -importcert -trustcacerts -file /etc/ssl/certs/root_ca.crt -noprompt 
-storepass changeit -keystore JAVA_HOME/lib/security/cacerts
 
 # Restarting service
 supervisorctl restart provserv
\ No newline at end of file
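Review bot: The new `openssl pkcs12 -export ... -password pass:${KEYSTORE_PASS}` line, like the `-storepass`/`-deststorepass` keytool arguments around it, puts the keystore password on the command line where any local user can read it from the process list while the command runs; openssl accepts `-password env:KEYSTORE_PASS` (with the variable exported) or `-password file:PATH`, and keytool has the `-storepass:env`/`-storepass:file` forms. The script still has no `set -e`, so when manage_step_certs.sh runs it via `--exec` and checks the exit status, only the final `supervisorctl restart provserv` decides the result and a failed keytool import goes unnoticed; `set -euo pipefail` after the shebang would surface those failures. The `keytool -delete` lines are expected to fail on the first run when the alias does not exist yet, so with `set -e` they would need an explicit `|| true`.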
diff --git 
a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile 
b/infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
similarity index 76%
copy from infrastructure-provisioning/src/general/files/azure/project_Dockerfile
copy to 
infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
index 29c80ec..994eea7 100644
--- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
+++ b/infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
@@ -19,15 +19,14 @@
 #
 # 
******************************************************************************
 
+[Unit]
+Description=Check Step certificates
+After=network.target
 
-FROM docker.dlab-base:latest
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/manage_step_certs.sh
+TimeoutStartSec=0
 
-ARG OS
-
-COPY project/ /root/
-COPY general/scripts/azure/project_* /root/scripts/
-COPY general/scripts/azure/edge_* /root/scripts/
-COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
-
-RUN chmod a+x /root/fabfile.py; \
-    chmod a+x /root/scripts/*
\ No newline at end of file
+[Install]
+WantedBy=default.target
\ No newline at end of file

