This fixes bug 853, which was rather subtle: When adding nodes with a different openssl library than the master node, the SSL server certificate could be encoded differently from the master node. This caused 'gnt-cluster verify' to complain about differing 'server.pem' files although all certificates would work and private keys could be matched successfully to the public part of the certificate.
This patch does two things: - It checks if the encoded versions of the certificate differ and if yes, an error is logged. - It writes exactly the file to disk that it receives from the master node so that file inconsistency is prevented.
Signed-off-by: Helga Velroyen <[email protected]>
---
 lib/tools/node_daemon_setup.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/tools/node_daemon_setup.py b/lib/tools/node_daemon_setup.py
index 9048ace..7dc8de5 100644
--- a/lib/tools/node_daemon_setup.py
+++ b/lib/tools/node_daemon_setup.py
@@ -117,10 +117,18 @@ def _VerifyCertificate(cert_pem, _check_fn=utils.CheckNodeCertificate):
 # (no-op if that doesn't exist)
 _check_fn(cert)
+ key_encoded = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
+ cert_encoded = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
+ cert)
+ complete_cert_encoded = key_encoded + cert_encoded
+ if not cert_pem == complete_cert_encoded:
+ logging.error("The certificate differs after being reencoded. Please"
+ " renew the certificates cluster-wide to prevent future"
+ " inconsistencies.")
+ # Format for storing on disk
 buf = StringIO()
- buf.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
- buf.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
+ buf.write(cert_pem)
 return buf.getvalue()
-- 2.0.0.526.g5318336
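Review bot: Writing `cert_pem` to disk verbatim in the new `buf.write(cert_pem)` means _VerifyCertificate no longer normalizes what it persists: the two removed `buf.write` calls emitted only the key and certificate that were parsed and checked above, whereas now any additional PEM blocks or stray text in the blob received from the master are written to the node unchanged. If that is acceptable because the blob comes from the master, say so at the write, e.g. `# Persist the master's bytes unchanged so server.pem is byte-identical cluster-wide; content beyond the parsed key/cert is kept as received`; otherwise refuse input that contains more than the one key and one certificate that were loaded. The comparison feeding the error log is byte-exact, so a trailing newline or a different block order in `cert_pem` would presumably also trigger it even though the parsed key and certificate match, which is worth stating in the message or normalizing before comparing. Style: `if not cert_pem == complete_cert_encoded:` reads better as `if cert_pem != complete_cert_encoded:`. The function's signature and the lines that produce `key` and `cert` lie above the hunk.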
