Updates:
        Status: Fixed

Comment #3 on issue 1094 by [email protected]: mismatch in encodings between server.pem and client.pem breaks RPC communication
https://code.google.com/p/ganeti/issues/detail?id=1094

Fixed in 2.12 with:
commit 1e80aa9d75a5b55ab5413d79b1d5da82d78b7e7a
Author: Helga Velroyen <[email protected]>
Date:   Wed Jul 1 10:45:02 2015 +0200

    Handle SSL setup when downgrading

    This patch will handle the downgrade of the SSL setup
    from 2.12 to 2.11. Essentially, all client.pem and
    ssconf_master_candidates_certs files will be deleted.
    This will kick the cluster into a pre-2.11 mode wrt
    SSL and result in a nagging message to re-run
    'gnt-cluster renew-crypto' as output of 'gnt-cluster
    verify'.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 10f3a95e74d0b5cef3b52c5dd2abf316055d98cc
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 30 10:48:11 2015 +0200

    Write SSH ports to ssconf files

    For the downgrading of the SSL setup from 2.12 to 2.11, we
    need to be able to SSH into machines while no daemons are
    running. Unfortunately currently the only way to obtain
    custom-configured SSH ports is by queries. In order to
    access this information with daemons being shutdown, this
    patch adds the SSH port information to an ssconf file.

    This will also be used to simplify some backend calls for
    the *SSH* handling in 2.13.

    Signed-off-by: Helga Velroyen <[email protected]>

commit b1fcc16b91304c8c9570ea69e74ccd7d8c54d5b4
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 14:19:17 2015 +0200

    Noded: Consider certificate chain in callback

    This patch significantly changes the callback that is
    called upon receiving an incoming SSL connection, since
    this callback is called not only with the certificate
    that the client sends, but also (in some implementations)
    with the entire certificate chain of the client
    certificate.

    In our case, the certificate chain contains
    the client certificate and the server certificate as
    the one that signed the client certificate. This means
    that we have to accept the server certificate, but only
    if we receive it with the 'depth' greater than 0, meaning
    that this is part of the chain and not the actual
    certificate. If the depth value is 0, we can be sure
    to have received the actual certificate and match it
    against the list of master candidate certificates as
    before.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 6ce588212dc8826e5be4b76d965a28ffefe3283d
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 14:03:03 2015 +0200

    Cluster-keys-replacement: update documentation

    This patch updates the cluster-keys-replacement document
    which assists users in replacing the crypto keys
    for their cluster. This now reflects the changes wrt
    server/client certificates.

    Signed-off-by: Helga Velroyen <[email protected]>

commit ac4cf07abf9bb7ee8426b02eb1c826a11a565a19
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 13:27:30 2015 +0200

    Backend: Use timestamp as serial no for server cert

    So far, all of Ganeti's server certificates had the serial
    number '1'. While this works, it makes it hard to
    distinguish situations where the certificate is
    renewed from those where it wasn't. This patch uses
    a timestamp as serial number.

    While this is still not strictly according to the SSL RFC,
    it is at least a number that is strictly growing and we
    can be sure that no two different server certificates
    will have the same serial number.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 2821c917b2c32a4276bbfeb556ca7f636eadd611
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 13:22:02 2015 +0200

    UPGRADE: add note about 2.12.5

    This patch adds comments to the upgrade documentation
    to advise users to rerun renew-crypto if they update
    to 2.12.5.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 8906d0b9709a489f0bdac4b202992439c0633fe9
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 13:19:46 2015 +0200

    NEWS: Mention issue 1094

    This patch updates the NEWS file to advise users to rerun
    renew-crypto after an update to 2.12.5.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 8fbfc79d4bcd59729739a04a5fafe971913c39e2
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 13:17:19 2015 +0200

    man: mention changes in renew-crypto

    This updates the gnt-cluster man page wrt the changes
    about server and client certificates and how they affect
    the operation 'gnt-cluster renew-crypto'.

    Signed-off-by: Helga Velroyen <[email protected]>

commit f28676a8885e967ecf4d5cfe8a952c4ff37c0e72
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 24 11:56:23 2015 +0200

    Verify: warn about self-signed client certs

    Since from this patch series on, there should be no
    self-signed certificates in a cluster anymore, add
    a warning to cluster-verify to nag people to renew
    their certificates.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 3adb2240db46b904153e6c35a7ca2bf11359c3a1
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 22 15:01:04 2015 +0200

    Bootstrap: validate SSL setup before starting noded

    This patch adds a few checks which ensure that all
    files necessary for proper SSL communication are
    in place before noded is started on the master node.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 29e607e535c19dfea085b04c6cde451261ceaf21
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 22 14:43:12 2015 +0200

    Clean up configuration of curl request

    This is a small patch cleaning up some things in the
    composition of the pycurl object for RPC calls.
    For example, it removes some superfluous 'str' and
    increases the logging level to warning when the
    server cert is used.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 34abb6e992aa6c452530cde8cfd7a8cfcc03182d
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 22 10:59:09 2015 +0200

    Renew-crypto: remove superfluous copying of node certs

    Since now the server certificates are copied in their
    own dedicated function, remove adding their file name
    in the general function for renewing crypto tokens.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 7891b30503d8fbbd03f271ca3c9d6d181619169e
Author: Helga Velroyen <[email protected]>
Date:   Fri Jun 19 13:36:06 2015 +0200

    Renew-crypto: propagate verbose and debug option

    This patch enables the user to add --debug and/or --verbose
    to the call of 'renew-crypto'. This way, more output is
    shown to debug SSL problems more easily.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 37f270a70d180eac0b2a9f2dcc0634af8b19cd9b
Author: Helga Velroyen <[email protected]>
Date:   Fri Jun 19 11:52:36 2015 +0200

    Noded: log the certificate and digest on noded startup

    This patch adds logging of the filename and the digest of the
    certificate which is loaded by noded on startup. This will
    help debugging SSL problems as it will make clear whether or
    not the noded is still using a stale/replaced/old server
    certificate after a renewal.

    Signed-off-by: Helga Velroyen <[email protected]>

commit d704c940bb53461827a541d78070b2bccb469ec0
Author: Helga Velroyen <[email protected]>
Date:   Thu Jun 18 15:52:30 2015 +0200

    QA: reload rapi cert after renew crypto

    When running the QA, we copy the rapi certificate to the
    machine which steers the QA to use it later in the QA
    for testing RAPI calls. However, before we get to that
    part of the QA, the rapi certificate is replaced when
    'gnt-renew crypto' is called.

    This patch makes sure that the new rapi certificate is
    copied to the steering machine so that later RAPI calls
    do not fail. It remains mysterious how this worked before.

    Signed-off-by: Helga Velroyen <[email protected]>

commit e8d6aaca13a339ce6fb419c01beef51f9ce3f1ce
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 16 17:46:04 2015 +0200

    Prepare-node-join: use common functions

    This patch makes prepare_node_join use some of the functions
    that were moved to tools/common.py. The respective unittests
    are removed, because they are already tested in
    common_unittest.py.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 50f9f554d34689b89aefc6c879d8efbdf4cd848f
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 16 17:35:46 2015 +0200

    Renew-crypto: remove dead code

    This patch removes the code for renewing the master
    nodes' client certificate using SSL. This is no longer
    needed, as the master nodes' certificate is created
    in gnt_cluster.py already.

    Signed-off-by: Helga Velroyen <[email protected]>

commit e9ba23b70a7f4cbff11f19e6c33ddb913adf07dd
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 16 16:17:27 2015 +0200

    Init: add master client certificate to configuration

    This patch adds a few steps to bootstrap.py. After the
    creation of the server (cluster) certificate and the
    master node's client certificate, the digest of that
    client certificate is added to the configuration and
    by an update of the configuration written to the
    ssconf_master_candidates_certs file.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 192b0ae2e60f18a97b11e57c6bde76841f34f0b9
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 16 14:40:12 2015 +0200

    Renew-crypto: rebuild digest map of all nodes

    During a renew-crypto operation, all nodes will create
    new client certificates. Afterwards, the fingerprints
    (digests) of the master candidate nodes need to be
    collected and added to the configuration. This is done
    by an RPC call, which will succeed as the master
    node's certificate digest was propagated to the nodes
    before.

    This also removes two unittests which are no longer
    necessary, because there will be no RPC call from
    the master to itself anymore.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 0d670a11ab9865a81459c8740001e2617bef1438
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 16 14:24:11 2015 +0200

    Noded: make "bootstrap" a constant

    Noded uses the constant "bootstrap" when starting
    without client certificates. This patch moves the
    constant to Constants.hs.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 6bd7a53876d25cd07a5a655fac106b7f86b8994a
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 15 16:43:24 2015 +0200

    node-daemon-setup: generate client certificate

    So far, the client certificate of a node that is added
    to the cluster was created in LUNodeAdd using an RPC
    call. This is now simplified by creating the certificate
    already in tools/node_daemon_setup.py and only retrieving
    its fingerprint by RPC to add it to the configuration.

    This simplifies the backend function to only reading
    the fingerprint instead of creating the certificate.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 65ab0b3b54ec3adc226e9819032912ad6dd7105d
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 15 16:36:24 2015 +0200

    tools: Move (Re)GenerateClientCert to common

    So far the generation of client certificates was only
    called from ssl_update.py, used when calling 'gnt-cluster
    renew-crypto'. This patch moves the function from
    ssl_update.py to tools/common.py, because it will also
    be needed by prepare_node_join.py when adding nodes
    (see next patch in the series).

    Signed-off-by: Helga Velroyen <[email protected]>

commit 186880dff05835c06f039cee916bbd0ac53d6d3f
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 10 12:56:15 2015 +0200

    Renew cluster and client certificates together

    So far, the cluster certificate and the individual node
    certificate could be renewed independently of each other.
    This is no longer possible, because when renewing the
    server certificate, all node certificates need to be
    renewed as well, because they are signed by the server
    certificate. This patch couples the two operations
    together.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 5d409d9651b8904ffaa41690c13ced288dd4a873
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 9 17:56:09 2015 +0200

    Init: create the master's client cert in bootstrap

    This patch extends bootstrap.py to not only create
    the cluster certificate but also the master node's
    client certificate.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 4eec7e90277e9787aff0295ebc27eced20ec6f22
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 9 14:19:15 2015 +0200

    Renew client certs using ssl_update tool

    This patch integrates renewing the client certificate
    of non-master nodes using the new ssl_update tool.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 598af7bc7668640b5704493e30426bc45222b33a
Author: Helga Velroyen <[email protected]>
Date:   Tue Jun 9 11:10:04 2015 +0200

    Run functions while (some) daemons are stopped

    For the new renew-crypto operation, we need to run
    functions while most of the daemons are stopped,
    except for WConfd. This refactors our code a bit
    and generalizes the method that runs functions
    while *all* daemons are stopped to one that
    accepts a list of daemons to not be stopped.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 927de93b068e6c1bd6692812ce3c262729903b62
Author: Helga Velroyen <[email protected]>
Date:   Mon Jun 8 11:43:00 2015 +0200

    Back up old client.pem files

    For post-mortems, let's make a backup of the client
    certificate before renewing them.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 844b1da179b32e5099925172bdfb76400739731a
Author: Helga Velroyen <[email protected]>
Date:   Fri Jun 5 15:45:00 2015 +0200

    Introduce ssl_update tool

    In order to renew client certificates via SSH (rather than
    on the fly via SSL as it was before), we need a new tool
    which can be called on remote nodes via SSH.

    Signed-off-by: Helga Velroyen <[email protected]>

commit 2be1f39cfc0b6cabf7ea0aa543c204ea02dd10b7
Author: Helga Velroyen <[email protected]>
Date:   Fri Jun 5 15:35:00 2015 +0200

    x509 function for creating signed certs

    So far, all our SSL certificates were self-signed. As from
    this patch series on, client certificates will be signed by
    the cluster certificate, we need a utility function for
    creation of not self-signed certificates.

    Signed-off-by: Helga Velroyen <[email protected]>

commit e2980e8fecb305ee2af04e756b1e29e3e740887e
Author: Helga Velroyen <[email protected]>
Date:   Wed Jun 3 13:53:15 2015 +0200

    Add tools/common.py from 2.13

    We will need some functions from tools/common.py, which
    are only present from 2.13 on. Unfortunately there were
    no clear commits for that, so cherry-picking is not
    an option. This patch simply copies the file and one
    has to be careful with the next merge.

    Signed-off-by: Helga Velroyen <[email protected]>


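
The depth rule from the "Noded: Consider certificate chain in callback" commit above, as an added sketch that is not Ganeti's own code. Assumptions: SHA-256 fingerprints, constructed byte strings standing in for DER certificates, all function names, and rejecting any non-server certificate at depth > 0.

```python
import hashlib

def digest(cert_der):
    """Fingerprint of a certificate's encoded bytes (SHA-256 is an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()

def verify_callback(cert_der, depth, server_digest, candidate_digests):
    """Per-certificate decision, mirroring the rule in the commit message.

    The TLS library is assumed to have checked signatures already; this only
    decides whether a certificate is acceptable at its position in the chain.
    """
    fp = digest(cert_der)
    if depth == 0:
        # The actual peer certificate: must be a known master candidate.
        return fp in candidate_digests
    # Chain member: only the cluster's server certificate (the signer) is
    # accepted here. Rejecting anything else is an assumption of this sketch.
    return fp == server_digest

def handshake_accepted(chain, server_digest, candidate_digests):
    """chain[0] is the peer certificate, chain[1:] its issuers.

    Some implementations call the callback for the whole chain, others only
    for the leaf, so a one-element chain must work as well.
    """
    if not chain:
        return False
    # Walk from the top of the chain down to the leaf, as TLS libraries do.
    for depth in range(len(chain) - 1, -1, -1):
        if not verify_callback(chain[depth], depth,
                               server_digest, candidate_digests):
            return False
    return True

# Constructed sample data: opaque bytes standing in for DER certificates.
SERVER_CERT = b"constructed server.pem bytes"
MASTER_CLIENT = b"constructed client.pem of a master candidate"
UNKNOWN_CLIENT = b"constructed client.pem of an unlisted node"

SERVER_DIGEST = digest(SERVER_CERT)
CANDIDATES = {digest(MASTER_CLIENT)}
```

The server certificate passes only as a chain member: presented on its own at depth 0 it is treated like any other peer certificate and must appear in the master candidate list.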