Commit
41231b96
authored
Apr 21, 2017
by
Alain Takoudjou
stack ca: apply some fixes
parent
9e128673
Changes
5
Showing
5 changed files
with
37 additions
and
28 deletions
+37
-28
stack/certificate-authority/buildout.cfg
stack/certificate-authority/buildout.cfg
+4
-5
stack/certificate-authority/buildout.hash.cfg
stack/certificate-authority/buildout.hash.cfg
+3
-3
stack/certificate-authority/instance-auth-server.cfg.jinja2.in
.../certificate-authority/instance-auth-server.cfg.jinja2.in
+1
-2
stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
...te-authority/instance-certificate-authority.cfg.jinja2.in
+28
-17
stack/certificate-authority/template/ca-nginx.conf.in
stack/certificate-authority/template/ca-nginx.conf.in
+1
-1
stack/certificate-authority/buildout.cfg
@@ -20,11 +20,12 @@ parts =
[extra-eggs]
recipe = zc.recipe.egg
interpreter = python
.
ca
interpreter = python
_
ca
eggs =
gunicorn # for WSGI HTTP Server
futures
certificate.authority
# are also required
plone.recipe.command
collective.recipe.template
@@ -52,11 +53,10 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw curl_executable_location ${curl:location}/bin/curl
raw dash_executable_location ${dash:location}/bin/dash
raw dcron_executable_location ${dcron:location}/sbin/crond
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_
executable
${buildout:directory}/bin/${extra-eggs:interpreter}
raw python_
bin
${buildout:directory}/bin/${extra-eggs:interpreter}
[template-certificate-authority]
recipe = slapos.recipe.template:jinja2
@@ -70,8 +70,7 @@ context =
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw dash_executable_location ${dash:location}/bin/dash
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw gunicorn_bin ${buildout:directory}/bin/gunicorn
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
raw eggs_directory ${buildout:eggs-directory}
raw develop_eggs_directory ${buildout:develop-eggs-directory}
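Review bot: The new `gunicorn # for WSGI HTTP Server` entry in `eggs` carries an inline comment, while the other explanatory comment in the same list (`# are also required`) sits on its own line; whether buildout strips a trailing `#` comment from a value line is not shown by this hunk, so keep the style uniform and put it on its own line: `# gunicorn provides the WSGI HTTP server` above `gunicorn`. The `python_bin` context key replaces `python_executable` in `[template-certificate-authority]`; the templates that consume these keys are outside this hunk, so confirm no rendered template still references `python_executable`.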
stack/certificate-authority/buildout.hash.cfg
@@ -19,13 +19,13 @@ md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
md5sum =
608b221009981fddfd9bb6cc6c5d465c
md5sum =
d8bebf1629aacffd619541f363687b4a
filename = ca-nginx.conf.in
[template-authenticated-server]
filename = template-authenticated-server.cfg
md5sum =
39c1494b45dcbd5388b0d1c1d9b27ffb
md5sum =
444ada31a9a453fc0550df3ccccac6a7
[template-certificate-authority]
filename = template-certificate-authority.cfg
md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
md5sum = e097dab69a38e428600b171ce2f6d68c
\ No newline at end of file
stack/certificate-authority/instance-auth-server.cfg.jinja2.in
@@ -39,7 +39,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--ca-url ${authenticated-server-parameters:ca-url}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[server-certificate-request]
recipe = slapos.cookbook:wrapper
@@ -121,7 +120,7 @@ mode = 700
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = certificate-auto-renew
frequency =
0 */2 * * *
frequency =
5 6 * * 6
command = ${certificate-renew:output}
[logrotate-authenticated-httpd]
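Review bot: The `certificate-auto-renew` cron entry now runs once a week (`5 6 * * 6`) instead of every two hours, but unlike the matching entry in instance-certificate-authority.cfg.jinja2.in it gets no comment explaining the schedule; add `# check renew every week` above the `frequency` line. With a weekly check, the renewal threshold applied by `${certificate-renew:output}` (outside this hunk) must be comfortably larger than seven days, otherwise a certificate can expire between two runs — worth confirming against that script. Dropping `--no-check-certificate` in the first hunk is the right direction; it only gives real verification if `--ca-crt-file ${:ca-cert}` is the CA certificate actually presented at `${authenticated-server-parameters:ca-url}`.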
stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
@@ -10,9 +10,9 @@ parts =
[certificate-authority-parameters]
server-port = 8009
server-https-port = 8010
# Overrite this to set frontend URL (URL is used as CRL distribution point)
# Overrite this to set frontend
or DNS
URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
crl-
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory]
recipe = slapos.cookbook:mkdirectory
@@ -66,7 +66,6 @@ command-line = {{ certificate_request_bin }}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
@@ -77,12 +76,15 @@ command-line =
--request
[ca-nginx-ssl-config]
# if ssl certificate is signed write to file so that zero-knowledge can read
recipe = plone.recipe.command
command =
if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
else:
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
cat << EOF > ${:output}
[ca-nginx-ssl]
key=${:key}
cert=${:cert}
EOF
fi
key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt
@@ -93,6 +95,9 @@ stop-on-error = true
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
# initials values are empty, the section https (ssl) in nginx config will be skipped
cert =
key =
[ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random}
@@ -122,6 +127,7 @@ context =
[certificate-authority-conf]
recipe = collective.recipe.template
# Values here are intended to be changed in your instance. override this section
input = inline:
ca-dir ${directory:ca-dir}
# enable debug
@@ -129,7 +135,7 @@ input = inline:
# log-file ${directory:log}/ca-server.log
subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
max-request-amount 10
external-url ${certificate-authority-parameters:external-url}
external-url ${certificate-authority-parameters:
crl-
external-url}
# one year (in seconds)
crt-life-time 31536000
# crl-life-period correspond to about one week
@@ -165,17 +171,15 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server
#wait-for-files =
# ${ca-nginx-ssl:cert}
# ${ca-nginx-ssl:key}
url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
insecure-url = ${certificate-authority-parameters:crl-external-url}
depends =
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
${ca-certificate-renew-cron-entry:name}
${logrotate-ca-nginx:name}
[ca-server-certificate-renew]
recipe = collective.recipe.template
@@ -190,18 +194,27 @@ input = inline:
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
# run nginx grancefull restart to reload renewed certificates
excec ${ca-nginx-graceful:output}
fi
output = ${directory:bin}/server-certificate-renew
mode = 700
[certificate-renew-cron-entry]
[c
a-c
ertificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
# check renew every-week
frequency = 5 4 * * 6
command = ${ca-server-certificate-renew:output}
[logrotate-ca-nginx]
< = logrotate-entry-base
name = certificate-authority-nginx-server
log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
[certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
@@ -226,5 +239,3 @@ partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
[slap-parameter]
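Review bot: In the `ca-server-certificate-renew` script (hunk `@@ -190,18 +194,27 @@`), `exec ${nginx-certificate-request-base:wrapper-path} --renew` replaces the shell, so the next line that is meant to reload nginx can never run — and it is misspelled `excec` anyway, so it would fail even if reached; a renewed certificate therefore stays unused until the next nginx restart, which the weekly cron entry added here does nothing to help. Replace the two lines with `${nginx-certificate-request-base:wrapper-path} --renew && ${ca-nginx-graceful:output}` and fix the comment to `# run nginx graceful restart to reload renewed certificates`; the enclosing `if` starts before the hunk. In the same hunk, `[logrotate-ca-nginx]` lists `${ca-nginx-conf-parameter:access-log}` twice; if the second entry was meant to be the error log, it should reference the corresponding error-log key. In the `[ca-nginx-ssl-config]` hunk, `else:` is not an sh keyword; if it survives on the new side it should be a plain `else` or be dropped together with the removed echo branch.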
stack/certificate-authority/template/ca-nginx.conf.in
@@ -62,7 +62,7 @@ http {
{% endif -%}
server {
listen [{{ parameter_dict['ip'] }}]:
parameter_dict['port'] ssl
;
listen [{{ parameter_dict['ip'] }}]:
{{ parameter_dict['port'] }}
;
server_name _;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};