This is an automated email from the ASF dual-hosted git repository. omartushevskyi pushed a commit to branch DLAB-1158 in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-1158 by this push: new 111d716 fixed issue with SSL certs expiration 111d716 is described below commit 111d7162cd767e8b7bd7c498776d32cb85aa1c13 Author: Oleh Martushevskyi <oleh_martushevs...@epam.com> AuthorDate: Thu Jan 16 16:25:17 2020 +0200 fixed issue with SSL certs expiration --- .../src/general/files/aws/project_Dockerfile | 2 + .../src/general/files/aws/ssn_Dockerfile | 3 + .../src/general/files/azure/project_Dockerfile | 2 + .../src/general/files/azure/ssn_Dockerfile | 3 + .../src/general/files/gcp/project_Dockerfile | 2 + .../src/general/files/gcp/ssn_Dockerfile | 4 ++ .../src/general/lib/os/debian/edge_lib.py | 40 +++++++---- .../src/general/lib/os/debian/ssn_lib.py | 6 +- .../src/general/lib/os/redhat/edge_lib.py | 40 +++++++---- .../src/general/lib/os/redhat/ssn_lib.py | 6 +- .../src/general/templates/os/manage_step_certs.sh | 80 ++++++++++++++++++++++ .../src/general/templates/os/renew_certificates.sh | 43 ++++++++++++ .../os/step-cert-manager.service} | 19 +++-- .../src/ssn/scripts/configure_ssn_node.py | 46 +++++++++---- .../terraform/bin/deploy/endpoint_fab.py | 41 +++++++---- .../terraform/bin/deploy/manage_step_certs.sh | 80 ++++++++++++++++++++++ .../terraform/bin/deploy/renew_certificates.sh | 38 +++++++--- .../bin/deploy/step-cert-manager.service} | 19 +++-- 18 files changed, 387 insertions(+), 87 deletions(-) diff --git a/infrastructure-provisioning/src/general/files/aws/project_Dockerfile b/infrastructure-provisioning/src/general/files/aws/project_Dockerfile index 4fa38da..0c23ae0 100644 --- a/infrastructure-provisioning/src/general/files/aws/project_Dockerfile +++ b/infrastructure-provisioning/src/general/files/aws/project_Dockerfile 
@@ -29,6 +29,8 @@ COPY general/scripts/aws/project_* /root/scripts/ COPY general/scripts/aws/edge_* /root/scripts/ COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py COPY general/templates/aws/edge_s3_policy.json /root/templates/edge_s3_policy.json +COPY general/templates/os/manage_step_certs.sh /root/templates/ +COPY general/templates/os/step-cert-manager.service /root/templates/ RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* diff --git a/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile b/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile index 7283925..aeef12b 100644 --- a/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile +++ b/infrastructure-provisioning/src/general/files/aws/ssn_Dockerfile @@ -28,6 +28,9 @@ COPY infrastructure-provisioning/src/general/scripts/aws/ssn_* /root/scripts/ COPY infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py /usr/lib/python2.7/dlab/ssn_lib.py COPY infrastructure-provisioning/src/general/files/aws/ssn_policy.json /root/files/ COPY infrastructure-provisioning/src/general/templates/aws/jenkins_jobs /root/templates/jenkins_jobs +COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/step-cert-manager.service /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/renew_certificates.sh /root/templates/ RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* diff --git a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile b/infrastructure-provisioning/src/general/files/azure/project_Dockerfile index 29c80ec..823becc 100644 --- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile +++ b/infrastructure-provisioning/src/general/files/azure/project_Dockerfile 
@@ -28,6 +28,8 @@ COPY project/ /root/ COPY general/scripts/azure/project_* /root/scripts/ COPY general/scripts/azure/edge_* /root/scripts/ COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py +COPY general/templates/os/manage_step_certs.sh /root/templates/ +COPY general/templates/os/step-cert-manager.service /root/templates/ RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* \ No newline at end of file diff --git a/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile b/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile index b1e87aa..ee9be75 100644 --- a/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile +++ b/infrastructure-provisioning/src/general/files/azure/ssn_Dockerfile @@ -27,6 +27,9 @@ COPY infrastructure-provisioning/src/ssn/ /root/ COPY infrastructure-provisioning/src/general/scripts/azure/ssn_* /root/scripts/ COPY infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py /usr/lib/python2.7/dlab/ssn_lib.py COPY infrastructure-provisioning/src/general/templates/azure/jenkins_jobs /root/templates/jenkins_jobs +COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/step-cert-manager.service /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/renew_certificates.sh /root/templates/ RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* diff --git a/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile b/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile index fb9ecde..7fc44e5 100644 --- a/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile +++ b/infrastructure-provisioning/src/general/files/gcp/project_Dockerfile 
@@ -30,6 +30,8 @@ COPY general/scripts/gcp/edge_* /root/scripts/ COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py COPY general/files/gcp/ps_policy.json /root/files/ps_policy.json COPY general/files/gcp/ps_roles.json /root/files/ps_roles.json +COPY general/templates/os/manage_step_certs.sh /root/templates/ +COPY general/templates/os/step-cert-manager.service /root/templates/ RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* \ No newline at end of file diff --git a/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile b/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile index 152e35d..c0c3916 100644 --- a/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile +++ b/infrastructure-provisioning/src/general/files/gcp/ssn_Dockerfile @@ -29,6 +29,10 @@ COPY infrastructure-provisioning/src/general/lib/os/${OS}/ssn_lib.py /usr/lib/py COPY infrastructure-provisioning/src/general/files/gcp/ssn_policy.json /root/files/ COPY infrastructure-provisioning/src/general/files/gcp/ssn_roles.json /root/files/ COPY infrastructure-provisioning/src/general/templates/gcp/jenkins_jobs /root/templates/jenkins_jobs +COPY infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/step-cert-manager.service /root/templates/ +COPY infrastructure-provisioning/src/general/templates/os/renew_certificates.sh /root/templates/ +renew_certificates.sh RUN chmod a+x /root/fabfile.py; \ chmod a+x /root/scripts/* diff --git a/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py b/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py index 64bd2e7..753ab1b 100644 --- a/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py +++ b/infrastructure-provisioning/src/general/lib/os/debian/edge_lib.py 
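Review bot: The added line `+renew_certificates.sh` in gcp/ssn_Dockerfile is a bare word with no instruction keyword, so `docker build` will reject the file with an unknown-instruction error; it reads like a leftover from editing the preceding COPY line and should be deleted. The aws and azure ssn_Dockerfiles in this commit add the same three COPY lines without it, so removing it brings the gcp image back in line with the other two.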
@@ -67,30 +67,44 @@ def install_nginx_lua(edge_ip, nginx_version, keycloak_auth_server_url, keycloak sudo('apt-get -y install gcc build-essential make automake zlib1g-dev libpcre++-dev libssl-dev git libldap2-dev libc6-dev libgd-dev libgeoip-dev libpcre3-dev apt-utils autoconf liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf liblua5.1-0 liblua5.1-0-dev libreadline-dev libreadline6-dev libtinfo-dev libtool-bin lua5.1 zip readline-doc') if os.environ['conf_stepcerts_enabled'] == 'true': sudo('mkdir -p /home/{0}/keys'.format(user)) - sudo('echo "{0}" | base64 --decode > /home/{1}/keys/root_ca.crt'.format( - os.environ['conf_stepcerts_root_ca'], user)) - fingerprint = sudo('step certificate fingerprint /home/{0}/keys/root_ca.crt'.format( - user)) + sudo('echo "{0}" | base64 --decode > /etc/ssl/certs/root_ca.crt'.format( + os.environ['conf_stepcerts_root_ca'])) + fingerprint = sudo('step certificate fingerprint /etc/ssl/certs/root_ca.crt') sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerprint, os.environ['conf_stepcerts_ca_url'])) sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format( os.environ['conf_stepcerts_kid_password'], user)) sans = "--san localhost --san 127.0.0.1 {0}".format(step_cert_sans) cn = edge_ip - sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /home/{2}/keys/root_ca.crt ' + sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /etc/ssl/certs/root_ca.crt ' '--password-file /home/{2}/keys/provisioner_password {4} --output-file /tmp/step_token'.format( os.environ['conf_stepcerts_kid'], os.environ['conf_stepcerts_ca_url'], user, cn, sans)) token = sudo('cat /tmp/step_token') - sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt /home/{2}/keys/dlab.key ' - '--token "{1}" --kty=RSA --size 2048 --not-after=10m --provisioner {3} '.format(cn, token, user, + sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt /etc/ssl/certs/dlab.key ' + '--token "{1}" --kty=RSA --size 2048 --provisioner {2} '.format(cn, 
token, os.environ['conf_stepcerts_kid'])) - sudo('cp /home/{0}/keys/dlab.crt /etc/ssl/certs/'.format(user)) - sudo('cp /home/{0}/keys/dlab.key /etc/ssl/certs/'.format(user)) sudo('touch /var/log/renew_certificates.log') - sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew /etc/ssl/certs/dlab.crt ' - '/etc/ssl/certs/dlab.key --exec "nginx -s reload" --ca-url "{1}" ' - '--root /home/{0}/keys/root_ca.crt --force --expires-in 8h >> /var/log/renew_certificates.log ' - '2>&1" >> /etc/crontab \''.format(user, os.environ['conf_stepcerts_ca_url'])) + put('/root/templates/manage_step_certs.sh', '/usr/local/bin/manage_step_certs.sh', use_sudo=True) + sudo('chmod +x /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" ' + '/usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CA_URL|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_ca_url'])) + sudo('sed -i "s|RESOURCE_TYPE|edge|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|SANS|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(sans)) + sudo('sed -i "s|CN|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(cn)) + sudo('sed -i "s|KID|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_kid'])) + sudo('sed -i "s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" ' + '/usr/local/bin/manage_step_certs.sh'.format(user)) + sudo('bash -c \'echo "0 */3 * * * root /usr/local/bin/manage_step_certs.sh >> ' + '/var/log/renew_certificates.log 2>&1" >> /etc/crontab \'') + put('/root/templates/step-cert-manager.service', '/etc/systemd/system/step-cert-manager.service', + use_sudo=True) + sudo('systemctl daemon-reload') + sudo('systemctl enable step-cert-manager.service') else: sudo('openssl 
req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/dlab.key \ -out /etc/ssl/certs/dlab.crt -subj "/C=US/ST=US/L=US/O=dlab/CN={}"'.format(hostname)) diff --git a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py index 4d97449..10bb844 100644 --- a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py +++ b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py @@ -321,12 +321,12 @@ def start_ss(keyfile, host_string, dlab_conf_dir, web_path, sudo('keytool -importcert -trustcacerts -alias step-crt -file /etc/ssl/certs/dlab.crt -noprompt ' '-storepass changeit -keystore {0}/lib/security/cacerts'.format(java_path)) else: - sudo('keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass {1} -keypass {1} \ + sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 730 -storepass {1} -keypass {1} \ -keystore /home/{0}/keys/ssn.keystore.jks -keysize 2048 -dname "CN=localhost"'.format( os_user, keystore_passwd)) - sudo('keytool -exportcert -alias dlab -storepass {1} -file /home/{0}/keys/dlab.crt \ + sudo('keytool -exportcert -alias ssn -storepass {1} -file /home/{0}/keys/dlab.crt \ -keystore /home/{0}/keys/ssn.keystore.jks'.format(os_user, keystore_passwd)) - sudo('keytool -importcert -trustcacerts -alias dlab -file /home/{0}/keys/dlab.crt -noprompt \ + sudo('keytool -importcert -trustcacerts -alias ssn -file /home/{0}/keys/dlab.crt -noprompt \ -storepass changeit -keystore {1}/lib/security/cacerts'.format(os_user, java_path)) except: append_result("Unable to generate cert and copy to java keystore") diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py index 122d0e1..25a28cc 100644 --- a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py +++ b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py 
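Review bot: The new sed-based templating in install_nginx_lua drops every value (`sans`, `cn`, the CA URL, the kid) into the script with `s|PLACEHOLDER|value|g`, so a value containing `|` or `&` would corrupt /usr/local/bin/manage_step_certs.sh (sed treats `&` in the replacement as the matched text); the same applies to the redhat edge_lib.py hunk, configure_ssn_node.py and endpoint_fab.py. Since the values come from operator configuration this is unlikely to be hostile, but an unescaped `&` in a SAN list silently produces a broken renewal script that is only discovered when the certificate expires, so escaping those two characters before substitution (or writing the values with a small Python template instead of sed) is worth doing. The script now also reads the long-lived provisioner password from /home/{user}/keys/provisioner_password on every cron run to re-issue certificates unattended; that file is written with a plain `echo ... >` under sudo, so its mode should be pinned right after it is written, e.g. `sudo('chmod 600 /home/{0}/keys/provisioner_password'.format(user))`. install_nginx_lua continues outside the hunk.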
@@ -72,30 +72,44 @@ def install_nginx_ldap(edge_ip, nginx_version, ldap_ip, ldap_dn, ldap_ou, ldap_s 'yum -y install gcc gcc-c++ make zlib-devel pcre-devel openssl-devel git openldap-devel') if os.environ['conf_stepcerts_enabled'] == 'true': sudo('mkdir -p /home/{0}/keys'.format(user)) - sudo('echo "{0}" | base64 --decode > /home/{1}/keys/root_ca.crt'.format( - os.environ['conf_stepcerts_root_ca'], user)) - fingerprint = sudo('step certificate fingerprint /home/{0}/keys/root_ca.crt'.format( - user)) + sudo('echo "{0}" | base64 --decode > /etc/ssl/certs/root_ca.crt'.format( + os.environ['conf_stepcerts_root_ca'])) + fingerprint = sudo('step certificate fingerprint /etc/ssl/certs/root_ca.crt') sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerprint, os.environ['conf_stepcerts_ca_url'])) sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format( os.environ['conf_stepcerts_kid_password'], user)) sans = "--san localhost --san 127.0.0.1 {0}".format(step_cert_sans) cn = edge_ip - sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /home/{2}/keys/root_ca.crt ' + sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /etc/ssl/certs/root_ca.crt ' '--password-file /home/{2}/keys/provisioner_password {4} --output-file /tmp/step_token'.format( os.environ['conf_stepcerts_kid'], os.environ['conf_stepcerts_ca_url'], user, cn, sans)) token = sudo('cat /tmp/step_token') - sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt /home/{2}/keys/dlab.key ' - '--token "{1}" --kty=RSA --size 2048 --provisioner {3} '.format(cn, token, user, + sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt /etc/ssl/certs/dlab.key ' + '--token "{1}" --kty=RSA --size 2048 --provisioner {2} '.format(cn, token, os.environ['conf_stepcerts_kid'])) - sudo('cp /home/{0}/keys/dlab.crt /etc/ssl/certs/'.format(user)) - sudo('cp /home/{0}/keys/dlab.key /etc/ssl/certs/'.format(user)) sudo('touch /var/log/renew_certificates.log') - sudo('bash -c \'echo "0 */3 * * * root 
/usr/bin/step ca renew /etc/ssl/certs/dlab.crt ' - '/etc/ssl/certs/dlab.key --exec "nginx -s reload" --ca-url "{1}" ' - '--root /home/{0}/keys/root_ca.crt --force --expires-in 8h >> /var/log/renew_certificates.log ' - '2>&1" >> /etc/crontab \''.format(user, os.environ['conf_stepcerts_ca_url'])) + put('/root/templates/manage_step_certs.sh', '/usr/local/bin/manage_step_certs.sh', use_sudo=True) + sudo('chmod +x /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" ' + '/usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CA_URL|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_ca_url'])) + sudo('sed -i "s|RESOURCE_TYPE|edge|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|SANS|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(sans)) + sudo('sed -i "s|CN|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(cn)) + sudo('sed -i "s|KID|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_kid'])) + sudo('sed -i "s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" ' + '/usr/local/bin/manage_step_certs.sh'.format(user)) + sudo('bash -c \'echo "0 */3 * * * root /usr/local/bin/manage_step_certs.sh >> ' + '/var/log/renew_certificates.log 2>&1" >> /etc/crontab \'') + put('/root/templates/step-cert-manager.service', '/etc/systemd/system/step-cert-manager.service', + use_sudo=True) + sudo('systemctl daemon-reload') + sudo('systemctl enable step-cert-manager.service') else: sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/dlab.key \ -out /etc/ssl/certs/dlab.crt -subj "/C=US/ST=US/L=US/O=dlab/CN={}"'.format(hostname)) 
diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py index 18ac0bf..4d8d1e1 100644 --- a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py +++ b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py @@ -348,12 +348,12 @@ def start_ss(keyfile, host_string, dlab_conf_dir, web_path, '-storepass changeit -keystore {0}/lib/security/cacerts'.format(java_path)) else: - sudo('keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass {1} -keypass {1} \ + sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 730 -storepass {1} -keypass {1} \ -keystore /home/{0}/keys/ssn.keystore.jks -keysize 2048 -dname "CN=localhost"'.format( os_user, keystore_passwd)) - sudo('keytool -exportcert -alias dlab -storepass {1} -file /home/{0}/keys/dlab.crt \ + sudo('keytool -exportcert -alias ssn -storepass {1} -file /home/{0}/keys/dlab.crt \ -keystore /home/{0}/keys/ssn.keystore.jks'.format(os_user, keystore_passwd)) - sudo('keytool -importcert -trustcacerts -alias dlab -file /home/{0}/keys/dlab.crt -noprompt \ + sudo('keytool -importcert -trustcacerts -alias ssn -file /home/{0}/keys/dlab.crt -noprompt \ -storepass changeit -keystore {1}/lib/security/cacerts'.format(os_user, java_path)) except: append_result("Unable to generate cert and copy to java keystore") diff --git a/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh b/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh new file mode 100644 index 0000000..a0487e0 --- /dev/null +++ b/infrastructure-provisioning/src/general/templates/os/manage_step_certs.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# ***************************************************************************** +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# ****************************************************************************** + +root_crt_path=STEP_ROOT_CERT_PATH +crt_path=STEP_CERT_PATH +key_path=STEP_KEY_PATH +ca_url=STEP_CA_URL +resource_type=RESOURCE_TYPE +renew_status=0 +sans='SANS' +cn=CN +kid=KID +provisioner_password_path=STEP_PROVISIONER_PASSWORD_PATH + +function log() { + dt=$(date '+%d/%m/%Y %H:%M:%S'); + echo "[${dt} | ${1}]" +} + +function renew_cert() { + log "Trying to renew certificate ${crt_path}" + if [ $resource_type = 'edge' ]; then + step ca renew ${crt_path} ${key_path} --exec 'nginx -s reload' --ca-url ${ca_url} --root ${root_crt_path} --force --expires-in 8h + elif [ $resource_type = 'endpoint' ]; then + step ca renew ${crt_path} ${key_path} --exec "/usr/local/bin/renew_certificates.sh" --ca-url ${ca_url} --root ${root_crt_path} --force --expires-in 8h + else + log "Wrong resource type. Aborting..." 
+ exit 1 + fi +} + +function recreate_cert() { + log "Trying to recreate certificate ${crt_path}" + step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root ${root_crt_path} --password-file ${provisioner_password_path} ${sans} --output-file /tmp/step_token --force + token=$(cat /tmp/step_token) + step ca certificate ${cn} ${crt_path} ${key_path} --token "${token}" --kty=RSA --size 2048 --provisioner ${kid} --force + if [ $resource_type = 'edge' ]; then + nginx -s reload + elif [ $resource_type = 'endpoint' ]; then + /usr/local/bin/renew_certificates.sh + else + log "Wrong resource type. Aborting..." + exit 1 + fi +} +renew_cert +if [ $? -eq 0 ]; then + log "Certificate ${crt_path} has been renewed or hasn't been expired" +else + renew_status=1 +fi + +if [ $renew_status -ne 0 ]; then + recreate_cert + if [ $? -eq 0 ]; then + log "Certificate ${crt_path} has been recreated" + else + log "Failed to recreate the certificate ${crt_path}" + fi +fi \ No newline at end of file diff --git a/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh b/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh new file mode 100644 index 0000000..d3b4093 --- /dev/null +++ b/infrastructure-provisioning/src/general/templates/os/renew_certificates.sh 
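Review bot: `renew_cert` and `recreate_cert` only know the resource types `edge` and `endpoint`, but configure_ssn_node.py in this commit substitutes `RESOURCE_TYPE` with `ssn`, so on the SSN both functions fall into the `else` branch, log "Wrong resource type" and exit 1 on every cron run and at boot via step-cert-manager.service. Either add an `ssn` branch with the reload action the SSN needs, or have configure_ssn_node.py pass `endpoint` if the same keystore refresh is intended; which one is meant is not visible from the hunk. Separately, the one-time token is written with `--force` to the fixed path `/tmp/step_token` by a root cron job and never removed; capturing it directly avoids the shared directory entirely: `token=$(step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root ${root_crt_path} --password-file ${provisioner_password_path} ${sans})`. Finally, `recreate_cert`'s exit status is that of its last command (`nginx -s reload` or renew_certificates.sh), not of `step ca certificate`, so a failed issuance followed by a successful reload is logged as "has been recreated"; `step ca certificate ... --force || return 1` closes that gap.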
@@ -0,0 +1,43 @@ +#!/bin/bash + +# ***************************************************************************** +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# ****************************************************************************** + +KEYSTORE_PASS=$(cat /opt/dlab/conf/provisioning.yml | grep '<#assign KEY_STORE_PASSWORD' | awk -F '\"' '{print $2}') + +# Removing old certificates +keytool -delete -alias RESOURCE_TYPE -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}" +keytool -delete -alias CARoot -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}" +keytool -delete -alias mykey -keystore JAVA_HOME/lib/security/cacerts -storepass changeit +keytool -delete -alias RESOURCE_TYPE -keystore JAVA_HOME/lib/security/cacerts -storepass changeit + +# Importing new certificates to keystore +openssl pkcs12 -export -in /etc/ssl/certs/RESOURCE_TYPE.crt -inkey /etc/ssl/certs/RESOURCE_TYPE.key -name RESOURCE_TYPE -out /home/OS_USER/keys/RESOURCE_TYPE.p12 -password pass:${KEYSTORE_PASS} +keytool -importkeystore -srckeystore /home/OS_USER/keys/RESOURCE_TYPE.p12 -srcstoretype PKCS12 -alias RESOURCE_TYPE -destkeystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks 
-deststorepass "${KEYSTORE_PASS}" -srcstorepass "${KEYSTORE_PASS}" +keytool -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -alias CARoot -import -file /etc/ssl/certs/root_ca.crt -deststorepass "${KEYSTORE_PASS}" -noprompt + + +# Adding new certificates +keytool -importcert -trustcacerts -alias RESOURCE_TYPE -file /etc/ssl/certs/RESOURCE_TYPE.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts +keytool -importcert -trustcacerts -file /etc/ssl/certs/root_ca.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts + +# Restarting service +supervisorctl restart provserv \ No newline at end of file diff --git a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile b/infrastructure-provisioning/src/general/templates/os/step-cert-manager.service similarity index 76% copy from infrastructure-provisioning/src/general/files/azure/project_Dockerfile copy to infrastructure-provisioning/src/general/templates/os/step-cert-manager.service index 29c80ec..994eea7 100644 --- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile +++ b/infrastructure-provisioning/src/general/templates/os/step-cert-manager.service @@ -19,15 +19,14 @@ # # ****************************************************************************** +[Unit] +Description=Check Step certificates +After=network.target -FROM docker.dlab-base:latest +[Service] +Type=simple +ExecStart=/usr/local/bin/manage_step_certs.sh +TimeoutStartSec=0 -ARG OS - -COPY project/ /root/ -COPY general/scripts/azure/project_* /root/scripts/ -COPY general/scripts/azure/edge_* /root/scripts/ -COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py - -RUN chmod a+x /root/fabfile.py; \ - chmod a+x /root/scripts/* \ No newline at end of file +[Install] +WantedBy=default.target \ No newline at end of file 
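Review bot: The keystore password is passed on the command line to every keytool and openssl invocation (`-storepass "${KEYSTORE_PASS}"`, `-password pass:${KEYSTORE_PASS}`), where it is visible to any local user through the process list for as long as each command runs; openssl accepts `-password env:KEYSTORE_PASS` after an `export KEYSTORE_PASS`, and keytool documents `-storepass:env KEYSTORE_PASS` for recent JDKs, so the literal can stay out of argv. The old aliases are deleted before the new ones are imported and nothing checks the result, so if `openssl pkcs12` or `keytool -importkeystore` fails the script still reaches `supervisorctl restart provserv` with the aliases already gone; exiting non-zero when either of those two steps fails would keep the previous certificate in place. `RESOURCE_TYPE`, `OS_USER` and `JAVA_HOME` are placeholders, but only the last two are substituted by the callers visible in this commit (configure_ssn_node.py and endpoint_fab.py), so a header comment listing the required substitutions, e.g. `# Placeholders replaced at install time: OS_USER, JAVA_HOME, RESOURCE_TYPE`, would make the contract explicit.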
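Review bot: `Type=simple` with `After=network.target` means systemd treats the unit as started as soon as the script is forked and before the network is guaranteed up, while manage_step_certs.sh immediately contacts the CA at `ca_url`; for a run-to-completion script use `Type=oneshot` so the unit's result reflects the script's exit status, and order it on the online target with `After=network-online.target` plus `Wants=network-online.target`. `WantedBy=default.target` works, but `multi-user.target` is the conventional target for a system service. The new file also lacks a trailing newline.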
diff --git a/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py b/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py index 9960ee0..0cf8e4d 100644 --- a/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py +++ b/infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py 
@@ -133,31 +133,51 @@ def configure_ssl_certs(hostname, custom_ssl_cert): if os.environ['conf_stepcerts_enabled'] == 'true': ensure_step(args.os_user) sudo('mkdir -p /home/{0}/keys'.format(args.os_user)) - sudo('echo "{0}" | base64 --decode > /home/{1}/keys/root_ca.crt'.format( - os.environ['conf_stepcerts_root_ca'], args.os_user)) - fingerprint = sudo('step certificate fingerprint /home/{0}/keys/root_ca.crt'.format( - args.os_user)) + sudo('echo "{0}" | base64 --decode > /etc/ssl/certs/root_ca.crt'.format( + os.environ['conf_stepcerts_root_ca'])) + fingerprint = sudo('step certificate fingerprint /etc/ssl/certs/root_ca.crt') sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerprint, os.environ['conf_stepcerts_ca_url'])) sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format( os.environ['conf_stepcerts_kid_password'], args.os_user)) sans = "--san localhost --san 127.0.0.1 {0}".format(args.step_cert_sans) cn = hostname - sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /home/{2}/keys/root_ca.crt ' + sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /etc/ssl/certs/root_ca.crt ' '--password-file /home/{2}/keys/provisioner_password {4} --output-file /tmp/step_token'.format( os.environ['conf_stepcerts_kid'], os.environ['conf_stepcerts_ca_url'], args.os_user, cn, sans)) token = sudo('cat /tmp/step_token') - sudo('step ca certificate "{0}" /home/{2}/keys/dlab.crt /home/{2}/keys/dlab.key ' - '--token "{1}" --kty=RSA --size 2048 --provisioner {3} '.format(cn, token, args.os_user, + sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt /etc/ssl/certs/dlab.key ' + '--token "{1}" --kty=RSA --size 2048 --provisioner {2} '.format(cn, token, os.environ['conf_stepcerts_kid'])) - sudo('cp /home/{0}/keys/dlab.crt /etc/ssl/certs/'.format(args.os_user)) - sudo('cp /home/{0}/keys/dlab.key /etc/ssl/certs/'.format(args.os_user)) sudo('touch /var/log/renew_certificates.log') - sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew 
/etc/ssl/certs/dlab.crt ' - '/etc/ssl/certs/dlab.key --exec "nginx -s reload" --ca-url "{1}" ' - '--root /home/{0}/keys/root_ca.crt --force --expires-in 8h >> /var/log/renew_certificates.log ' - '2>&1" >> /etc/crontab \''.format(args.os_user, os.environ['conf_stepcerts_ca_url'])) + put('./renew_certificates.sh', '/tmp/renew_certificates.sh') + sudo('mv /tmp/renew_certificates.sh /usr/local/bin/') + sudo('chmod +x /usr/local/bin/renew_certificates.sh') + sudo('sed -i "s/OS_USER/{0}/g" /usr/local/bin/renew_certificates.sh'.format(args.os_user)) + sudo('sed -i "s|JAVA_HOME|{0}|g" /usr/local/bin/renew_certificates.sh'.format(find_java_path_remote())) + + put('/root/templates/manage_step_certs.sh', '/usr/local/bin/manage_step_certs.sh', use_sudo=True) + sudo('chmod +x /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" ' + '/usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|STEP_CA_URL|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_ca_url'])) + sudo('sed -i "s|RESOURCE_TYPE|ssn|g" /usr/local/bin/manage_step_certs.sh') + sudo('sed -i "s|SANS|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(sans)) + sudo('sed -i "s|CN|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(cn)) + sudo('sed -i "s|KID|{0}|g" /usr/local/bin/manage_step_certs.sh'.format( + os.environ['conf_stepcerts_kid'])) + sudo('sed -i "s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" ' + '/usr/local/bin/manage_step_certs.sh'.format(args.os_user)) + sudo('bash -c \'echo "0 */3 * * * root /usr/local/bin/manage_step_certs.sh >> ' + '/var/log/renew_certificates.log 2>&1" >> /etc/crontab \'') + put('/root/templates/step-cert-manager.service', '/etc/systemd/system/step-cert-manager.service', + use_sudo=True) 
+ sudo('systemctl daemon-reload') + sudo('systemctl enable step-cert-manager.service') else: sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/dlab.key \ diff --git a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py index 5179397..9d4426df 100644 --- a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py +++ b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py @@ -104,10 +104,8 @@ def ensure_step_certs(): conn.sudo('wget https://github.com/smallstep/cli/releases/download/v0.13.3/step-cli_0.13.3_amd64.deb ' '-O /tmp/step-cli_0.13.3_amd64.deb') conn.sudo('dpkg -i /tmp/step-cli_0.13.3_amd64.deb') - conn.sudo('echo "{0}" | base64 --decode > /home/{1}/keys/root_ca.crt'.format(args.step_root_ca, - args.os_user)) - fingerprint = conn.sudo('step certificate fingerprint /home/{0}/keys/root_ca.crt'.format( - args.os_user)).stdout.replace('\n', '') + conn.sudo('echo "{0}" | base64 --decode > /etc/ssl/certs/root_ca.crt'.format(args.step_root_ca)) + fingerprint = conn.sudo('step certificate fingerprint /etc/ssl/certs/root_ca.crt').stdout.replace('\n', '') conn.sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerprint, args.step_ca_url)) conn.sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format(args.step_kid_password, args.os_user)) @@ -128,7 +126,7 @@ def ensure_step_certs(): 'http://metadata/computeMetadata/v1/instance/network-interfaces/0/' 'ip').stdout.replace('\n', '') except: - public_ip_address = None + public_ip_address = None else: local_ip_address = None public_ip_address = None 
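Review bot: On the SSN the renewal wiring does not match the templates it uploads: `RESOURCE_TYPE` is substituted with `ssn` in manage_step_certs.sh, whose `renew_cert`/`recreate_cert` functions (added in this commit) only handle `edge` and `endpoint` and exit 1 otherwise, and renew_certificates.sh is uploaded with only `OS_USER` and `JAVA_HOME` replaced, leaving its `RESOURCE_TYPE` placeholders (keystore alias, `/etc/ssl/certs/RESOURCE_TYPE.crt`) unresolved. The ssn_lib.py hunks rename the keystore alias to `ssn`, which suggests `sudo('sed -i "s|RESOURCE_TYPE|ssn|g" /usr/local/bin/renew_certificates.sh')` was intended here too, but that template would then look for `/etc/ssl/certs/ssn.crt` while the issued file is `/etc/ssl/certs/dlab.crt`. Also `put('./renew_certificates.sh', ...)` uses a relative path whereas the two other templates are taken from `/root/templates/`, which is where the ssn_Dockerfiles copy renew_certificates.sh; unless the working directory is known to be /root/templates this put will fail. configure_ssl_certs continues outside the hunk.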
@@ -137,23 +135,38 @@ def ensure_step_certs(): if public_ip_address: sans += "--san {0}".format(public_ip_address) cn = public_ip_address - conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /home/{2}/keys/root_ca.crt ' + conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /etc/ssl/certs/root_ca.crt ' '--password-file /home/{2}/keys/provisioner_password {4} --output-file /tmp/step_token'.format( args.step_kid, args.step_ca_url, args.os_user, cn, sans)) token = conn.sudo('cat /tmp/step_token').stdout.replace('\n', '') - conn.sudo('step ca certificate "{0}" /home/{2}/keys/endpoint.crt /home/{2}/keys/endpoint.key ' - '--token "{1}" --kty=RSA --size 2048 --provisioner {3} '.format(cn, token, args.os_user, - args.step_kid)) - conn.put('./renew_certificates.sh', '/tmp/renew_certificates.sh') + conn.sudo('step ca certificate "{0}" /etc/ssl/certs/dlab.crt /etc/ssl/certs/dlab.key ' + '--token "{1}" --kty=RSA --size 2048 --provisioner {2} '.format(cn, token, args.step_kid)) + conn.put('/root/templates/renew_certificates.sh', '/tmp/renew_certificates.sh') conn.sudo('mv /tmp/renew_certificates.sh /usr/local/bin/') conn.sudo('chmod +x /usr/local/bin/renew_certificates.sh') conn.sudo('sed -i "s/OS_USER/{0}/g" /usr/local/bin/renew_certificates.sh'.format(args.os_user)) conn.sudo('sed -i "s|JAVA_HOME|{0}|g" /usr/local/bin/renew_certificates.sh'.format(java_home)) conn.sudo('touch /var/log/renew_certificates.log') - conn.sudo('bash -c \'echo "0 */3 * * * root /usr/bin/step ca renew /home/{0}/keys/endpoint.crt ' - '/home/{0}/keys/endpoint.key --exec "/usr/local/bin/renew_certificates.sh" --ca-url "{1}" ' - '--root /home/{0}/keys/root_ca.crt --force --expires-in 8h >> /var/log/renew_certificates.log ' - '2>&1" >> /etc/crontab \''.format(args.os_user, args.step_ca_url)) + conn.put('./manage_step_certs.sh', '/tmp/manage_step_certs.sh') + conn.sudo('mv /tmp/manage_step_certs.sh /usr/local/bin/manage_step_certs.sh') + conn.sudo('chmod +x 
/usr/local/bin/manage_step_certs.sh') + conn.sudo('sed -i "s|STEP_ROOT_CERT_PATH|/etc/ssl/certs/root_ca.crt|g" ' + '/usr/local/bin/manage_step_certs.sh') + conn.sudo('sed -i "s|STEP_CERT_PATH|/etc/ssl/certs/dlab.crt|g" /usr/local/bin/manage_step_certs.sh') + conn.sudo('sed -i "s|STEP_KEY_PATH|/etc/ssl/certs/dlab.key|g" /usr/local/bin/manage_step_certs.sh') + conn.sudo('sed -i "s|STEP_CA_URL|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(args.step_ca_url)) + conn.sudo('sed -i "s|RESOURCE_TYPE|endpoint|g" /usr/local/bin/manage_step_certs.sh') + conn.sudo('sed -i "s|SANS|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(sans)) + conn.sudo('sed -i "s|CN|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(cn)) + conn.sudo('sed -i "s|KID|{0}|g" /usr/local/bin/manage_step_certs.sh'.format(args.step_kid)) + conn.sudo('sed -i "s|STEP_PROVISIONER_PASSWORD_PATH|/home/{0}/keys/provisioner_password|g" ' + '/usr/local/bin/manage_step_certs.sh'.format(args.os_user)) + conn.sudo('bash -c \'echo "0 */3 * * * root /usr/local/bin/manage_step_certs.sh >> ' + '/var/log/renew_certificates.log 2>&1" >> /etc/crontab \'') + conn.put('./step-cert-manager.service', '/tmp/step-cert-manager.service') + conn.sudo('mv /tmp/step-cert-manager.service /etc/systemd/system/step-cert-manager.service') + conn.sudo('systemctl daemon-reload') + conn.sudo('systemctl enable step-cert-manager.service') conn.sudo('touch /home/{}/.ensure_dir/step_ensured' .format(args.os_user)) except Exception as err: diff --git a/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh b/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh new file mode 100644 index 0000000..a0487e0 --- /dev/null +++ b/infrastructure-provisioning/terraform/bin/deploy/manage_step_certs.sh 
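Review bot: `renew_certificates.sh` is substituted only for `OS_USER` and `JAVA_HOME` here, while the terraform copy of that script (hunk further below) now reads `/etc/ssl/certs/RESOURCE_TYPE.crt`/`.key` and keystore alias `RESOURCE_TYPE`, so on the endpoint the placeholder stays literal and the keystore refresh run by `step ca renew --exec` cannot find the certificate this hunk issues to `/etc/ssl/certs/dlab.crt`. A `conn.sudo('sed -i "s|RESOURCE_TYPE|endpoint|g" /usr/local/bin/renew_certificates.sh')` next to the two existing sed calls, plus pointing that script at the dlab.crt/dlab.key names, would make the paths agree. The same hunk takes renew_certificates.sh from `/root/templates/` but manage_step_certs.sh and step-cert-manager.service from `./`; the diffstat lists all three next to endpoint_fab.py in terraform/bin/deploy, so the first `conn.put` looks like it will not find its source. The private key is now created under `/etc/ssl/certs/`, conventionally a public-certificate directory; an explicit `chmod 600` and owner after `step ca certificate` would make the intended access visible instead of relying on the tool's default. `ensure_step_certs` starts before this hunk and its `except` clause continues after it.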
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+root_crt_path=STEP_ROOT_CERT_PATH
+crt_path=STEP_CERT_PATH
+key_path=STEP_KEY_PATH
+ca_url=STEP_CA_URL
+resource_type=RESOURCE_TYPE
+renew_status=0
+sans='SANS'
+cn=CN
+kid=KID
+provisioner_password_path=STEP_PROVISIONER_PASSWORD_PATH
+
+function log() {
+ dt=$(date '+%d/%m/%Y %H:%M:%S');
+ echo "[${dt} | ${1}]"
+}
+
+function renew_cert() {
+ log "Trying to renew certificate ${crt_path}"
+ if [ $resource_type = 'edge' ]; then
+ step ca renew ${crt_path} ${key_path} --exec 'nginx -s reload' --ca-url ${ca_url} --root ${root_crt_path} --force --expires-in 8h
+ elif [ $resource_type = 'endpoint' ]; then
+ step ca renew ${crt_path} ${key_path} --exec "/usr/local/bin/renew_certificates.sh" --ca-url ${ca_url} --root ${root_crt_path} --force --expires-in 8h
+ else
+ log "Wrong resource type. Aborting..."
+ exit 1
+ fi
+}
+
+function recreate_cert() {
+ log "Trying to recreate certificate ${crt_path}"
+ step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root ${root_crt_path} --password-file ${provisioner_password_path} ${sans} --output-file /tmp/step_token --force
+ token=$(cat /tmp/step_token)
+ step ca certificate ${cn} ${crt_path} ${key_path} --token "${token}" --kty=RSA --size 2048 --provisioner ${kid} --force
+ if [ $resource_type = 'edge' ]; then
+ nginx -s reload
+ elif [ $resource_type = 'endpoint' ]; then
+ /usr/local/bin/renew_certificates.sh
+ else
+ log "Wrong resource type. Aborting..."
+ exit 1
+ fi
+}
+renew_cert
+if [ $? -eq 0 ]; then
+ log "Certificate ${crt_path} has been renewed or hasn't been expired"
+else
+ renew_status=1
+fi
+
+if [ $renew_status -ne 0 ]; then
+ recreate_cert
+ if [ $? -eq 0 ]; then
+ log "Certificate ${crt_path} has been recreated"
+ else
+ log "Failed to recreate the certificate ${crt_path}"
+ fi
+fi
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh b/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
index c48e51b..d3b4093 100644
--- a/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
+++ b/infrastructure-provisioning/terraform/bin/deploy/renew_certificates.sh
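Review bot: `renew_cert` and `recreate_cert` only recognise `edge` and `endpoint`, but configure_ssn_node.py substitutes `RESOURCE_TYPE` with `ssn` (see `sed -i "s|RESOURCE_TYPE|ssn|g"` in the hunk above), so on the SSN both functions fall into the `else` branch and `exit 1` on every cron and boot run and the certificate is never renewed or recreated — assuming the templates/os copy of this script matches this one (both are 80 lines in the diffstat). Extending the nginx branch in both functions to `if [ "$resource_type" = 'edge' ] || [ "$resource_type" = 'ssn' ]; then` would restore what the old SSN cron entry did with `--exec "nginx -s reload"`. Separately, the one-time CA token is written to the fixed path `/tmp/step_token` with `--force` and never removed, so it stays readable at a well-known location in a shared `/tmp` until the next run and an existing file or symlink at that path is followed; a `mktemp` file removed right after it is read avoids both, as sketched below.
```bash
function recreate_cert() {
    log "Trying to recreate certificate ${crt_path}"
    # one-time token: private temp file, removed as soon as it has been read
    token_file=$(mktemp) || { log "Failed to create a temporary token file"; exit 1; }
    step ca token ${cn} --kid ${kid} --ca-url "${ca_url}" --root ${root_crt_path} --password-file ${provisioner_password_path} ${sans} --output-file "${token_file}" --force
    token=$(cat "${token_file}")
    rm -f "${token_file}"
    # … unchanged: step ca certificate and the per-resource reload …
}
```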
@@ -1,21 +1,43 @@
 #!/bin/bash
+
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
 KEYSTORE_PASS=$(cat /opt/dlab/conf/provisioning.yml | grep '<#assign KEY_STORE_PASSWORD' | awk -F '\"' '{print $2}')
 # Removing old certificates
-keytool -delete -alias endpoint -keystore /home/OS_USER/keys/endpoint.keystore.jks -storepass "${KEYSTORE_PASS}"
-keytool -delete -alias CARoot -keystore /home/OS_USER/keys/endpoint.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias RESOURCE_TYPE -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
+keytool -delete -alias CARoot -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -storepass "${KEYSTORE_PASS}"
 keytool -delete -alias mykey -keystore JAVA_HOME/lib/security/cacerts -storepass changeit
-keytool -delete -alias endpoint -keystore JAVA_HOME/lib/security/cacerts -storepass changeit
+keytool -delete -alias RESOURCE_TYPE -keystore JAVA_HOME/lib/security/cacerts -storepass changeit
 # Importing new certificates to keystore
-openssl pkcs12 -export -in /home/OS_USER/keys/endpoint.crt -inkey /home/OS_USER/keys/endpoint.key -name endpoint -out /home/OS_USER/keys/endpoint.p12 -password pass:${KEYSTORE_PASS}
-keytool -importkeystore -srckeystore /home/OS_USER/keys/endpoint.p12 -srcstoretype PKCS12 -alias endpoint -destkeystore /home/OS_USER/keys/endpoint.keystore.jks -deststorepass "${KEYSTORE_PASS}" -srcstorepass "${KEYSTORE_PASS}"
-keytool -keystore /home/OS_USER/keys/endpoint.keystore.jks -alias CARoot -import -file /home/OS_USER/keys/root_ca.crt -deststorepass "${KEYSTORE_PASS}" -noprompt
+openssl pkcs12 -export -in /etc/ssl/certs/RESOURCE_TYPE.crt -inkey /etc/ssl/certs/RESOURCE_TYPE.key -name RESOURCE_TYPE -out /home/OS_USER/keys/RESOURCE_TYPE.p12 -password pass:${KEYSTORE_PASS}
+keytool -importkeystore -srckeystore /home/OS_USER/keys/RESOURCE_TYPE.p12 -srcstoretype PKCS12 -alias RESOURCE_TYPE -destkeystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -deststorepass "${KEYSTORE_PASS}" -srcstorepass "${KEYSTORE_PASS}"
+keytool -keystore /home/OS_USER/keys/RESOURCE_TYPE.keystore.jks -alias CARoot -import -file /etc/ssl/certs/root_ca.crt -deststorepass "${KEYSTORE_PASS}" -noprompt
 # Adding new certificates
-keytool -importcert -trustcacerts -alias endpoint -file /home/OS_USER/keys/endpoint.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts
-keytool -importcert -trustcacerts -file /home/OS_USER/keys/root_ca.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts
+keytool -importcert -trustcacerts -alias RESOURCE_TYPE -file /etc/ssl/certs/RESOURCE_TYPE.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts
+keytool -importcert -trustcacerts -file /etc/ssl/certs/root_ca.crt -noprompt -storepass changeit -keystore JAVA_HOME/lib/security/cacerts
 # Restarting service
 supervisorctl restart provserv
\ No newline at end of file
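Review bot: The new `openssl pkcs12 -export ... -password pass:${KEYSTORE_PASS}` line passes the keystore password as a command-line argument, visible to any local user through the process list for the duration of the export; `-password env:KEYSTORE_PASS` after `export KEYSTORE_PASS` keeps it out of argv, and the `-storepass`/`-deststorepass`/`-srcstorepass` arguments on the keytool lines carry the same exposure. The script also deletes the old aliases before the new import without checking the result, so if `openssl pkcs12` or `keytool -importkeystore` fails the keystore is left without a key entry and `supervisorctl restart provserv` restarts the service in that state; checking the exit codes of the import commands (a plain `set -e` would also abort on the harmless first-run `keytool -delete` failures) and skipping the restart on failure would keep the previous entries usable.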
diff --git a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile b/infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
similarity index 76%
copy from infrastructure-provisioning/src/general/files/azure/project_Dockerfile
copy to infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
index 29c80ec..994eea7 100644
--- a/infrastructure-provisioning/src/general/files/azure/project_Dockerfile
+++ b/infrastructure-provisioning/terraform/bin/deploy/step-cert-manager.service
@@ -19,15 +19,14 @@
 #
 # ******************************************************************************
+[Unit]
+Description=Check Step certificates
+After=network.target
-FROM docker.dlab-base:latest
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/manage_step_certs.sh
+TimeoutStartSec=0
-ARG OS
-
-COPY project/ /root/
-COPY general/scripts/azure/project_* /root/scripts/
-COPY general/scripts/azure/edge_* /root/scripts/
-COPY general/lib/os/${OS}/edge_lib.py /usr/lib/python2.7/dlab/edge_lib.py
-
-RUN chmod a+x /root/fabfile.py; \
- chmod a+x /root/scripts/*
\ No newline at end of file
+[Install]
+WantedBy=default.target
\ No newline at end of file
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@dlab.apache.org For additional commands, e-mail: commits-h...@dlab.apache.org
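Review bot: `Type=simple` does not fit `manage_step_certs.sh`, which runs once and exits: systemd marks the unit inactive as soon as the script returns and a non-zero exit shows only as a transient failure, so `Type=oneshot` states the intent and makes `systemctl status step-cert-manager` report the outcome of the last check. `After=network.target` orders the unit after network setup, not after the network is usable, so at boot `step ca renew`/`step ca token` can run before a route to the CA exists; the usual pairing is `Wants=network-online.target` with `After=network-online.target`. Boot-time output goes only to the journal while the cron entry appends to `/var/log/renew_certificates.log`; on systemd 240 or newer `StandardOutput=append:/var/log/renew_certificates.log` and the same for `StandardError=` would put both runs in one place.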