ca stack: uses new certificate implemenatation

stack/certificate-authority/buildout.cfg

@@ -2,6 +2,7 @@
 
 extends =
   ../../component/apache/buildout.cfg
+  ../../component/nginx/buildout.cfg
   ../../component/curl/buildout.cfg
   ../../component/dash/buildout.cfg
   ../../component/dcron/buildout.cfg
@@ -18,8 +19,11 @@ parts =
 
 [extra-eggs]
 recipe = zc.recipe.egg
+interpreter = python.ca
 eggs =
-  slapos.toolbox
+  gunicorn # for WSGI HTTP Server
+  futures
+  certificate.authority
   plone.recipe.command
   collective.recipe.template
 
@@ -35,44 +39,45 @@ mode = 0644
 md5sum = ea445b0a9b143d12b5700a71ac06293c
 filename = template-httpd-auth.conf.in
 
-[template-openssl-cnf]
+[template-nginx-ca-conf]
 <= template-ca-download-base
-md5sum = ddbff3b56db7e0f9e88c8905e9c3678b
-filename = openssl.cnf.in
+md5sum = 97d8dbcdfcca92a3c2b70634f0dee8d9
+filename = ca-nginx.conf.in
 
 [template-authenticated-server]
 recipe = slapos.recipe.template:jinja2
 filename = template-authenticated-server.cfg
 template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
 rendered = ${buildout:directory}/template-authenticated-server.cfg
-md5sum = 7677333023b89dc345c18eace252e34a
+md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
 context =
   key apache_location apache:location
   key gzip_location gzip:location
   key template_logrotate_base template-logrotate-base:rendered
-  raw certificate_request_bin ${buildout:directory}/bin/ca-web-request 
+  raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
   raw curl_executable_location ${curl:location}/bin/curl
   raw dash_executable_location ${dash:location}/bin/dash
   raw dcron_executable_location ${dcron:location}/sbin/crond
   raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
-  raw template_httpd_auth_template ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
+  raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
   raw openssl_executable_location ${openssl:location}/bin/openssl
-  raw python_executable ${buildout:executable}
-depends = 
-  ${extra-eggs:eggs}
+  raw python_executable ${buildout:directory}/bin/${extra-eggs:interpreter}
 
 [template-certificate-authority]
 recipe = slapos.recipe.template:jinja2
 filename = template-certificate-authority.cfg
 template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
 rendered = ${buildout:directory}/template-certificate-authority.cfg
-md5sum = 6403eec50f70a1a989480052df42d025
+md5sum = d5139f650388256776f43b9026617564
 context =
+  key ngix_location nginx:location
   key template_logrotate_base template-logrotate-base:rendered
   raw curl_executable_location ${curl:location}/bin/curl
-  raw certificate_authority_bin ${buildout:directory}/bin/certificate_authority
+  raw certificate_authority_bin ${buildout:directory}/bin/ca-bin
+  raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
   raw dash_executable_location ${dash:location}/bin/dash
+  raw gunicorn_bin ${buildout:directory}/bin/gunicorn
   raw openssl_executable_location ${openssl:location}/bin/openssl
-  raw template_openssl_conf ${template-openssl-cnf:location}/${template-openssl-cnf:filename}
-depends = 
-  ${extra-eggs:eggs}
+  raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
+  raw eggs_directory  ${buildout:eggs-directory}
+  raw develop_eggs_directory ${buildout:develop-eggs-directory}

stack/certificate-authority/instance-auth-server.cfg.jinja2.in

@@ -27,18 +27,27 @@ services = ${:etc}/service
 promises = ${:etc}/promise
 document-root = ${:srv}/private
 
-[server-certificate-request]
+[certificate-request-base]
 recipe = slapos.cookbook:wrapper
-wrapper-path = ${directory:scripts}/request-instance-certificate
+wrapper-path = ${directory:bin}/request-instance-certificate
 cert-file = ${directory:ssl}/instance.cert.pem
 key-file = ${directory:ssl}/instance.key.pem
 ca-cert = ${directory:ssl}/cacert.pem
+parameters-extra = true
 command-line = {{ certificate_request_bin }}
-  --cert_file ${:cert-file}
-  --key_file ${:key-file}
+  --crt-file ${:cert-file}
+  --key-file ${:key-file}
+  --ca-url ${authenticated-server-parameters:ca-url}
+  --ca-crt-file ${:ca-cert}
+  --no-check-certificate
+
+[server-certificate-request]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:scripts}/request-instance-certificate
+command-line =
+  ${certificate-request-base:wrapper-path}
   --cn ${authenticated-server-parameters:common-name}
-  --ca_url ${authenticated-server-parameters:ca-url}
-  --ca_cert_file ${:ca-cert}
+  --request
 
 [authenticated-httpd-conf-parameter]
 ip = ${slap-configuration:ipv6-random}
@@ -47,9 +56,9 @@ pid-file = ${directory:run}/httpd-auth.pid
 dav-lock = ${directory:var}/DavLockdb
 access-log = ${directory:log}/httpd-auth-access.log
 error-log = ${directory:log}/httpd-auth-error.log
-cert-file = ${server-certificate-request:cert-file}
-key-file = ${server-certificate-request:key-file}
-ca-cert = ${server-certificate-request:ca-cert}
+cert-file = ${certificate-request-base:cert-file}
+key-file = ${certificate-request-base:key-file}
+ca-cert = ${certificate-request-base:ca-cert}
 url = https://[${:ip}]:${:port}
 private = ${authenticated-server-parameters:web-directory}
 httpd-include-file = ${authenticated-server-parameters:custom-httpd-file}
@@ -57,7 +66,7 @@ crl =
 
 [authenticated-httpd-conf]
 recipe = slapos.recipe.template:jinja2
-template = {{ template_httpd_auth_template }}
+template = {{ template_httpd_auth_conf }}
 rendered = ${directory:etc}/httpd-auth.conf
 mode = 0744
 context =
@@ -77,16 +86,43 @@ recipe = slapos.cookbook:wrapper
 command-line = {{ apache_location }}/bin/httpd -f ${authenticated-httpd-conf:rendered} -DFOREGROUND
 wrapper-path = ${directory:services}/authenticated-httpd-server
 wait-for-files =
-  ${server-certificate-request:cert-file}
-  ${server-certificate-request:key-file}
-  ${server-certificate-request:ca-cert}
+  ${certificate-request-base:cert-file}
+  ${certificate-request-base:key-file}
+  ${certificate-request-base:ca-cert}
 
 url = ${authenticated-httpd-conf-parameter:url}
 
 depends = 
   ${authenticated-httpd-promise:filename}
   ${authenticated-httpd-graceful:output}
+  ${server-certificate-request:wrapper-path}
   ${logrotate-authenticated-httpd:name}
+  ${certificate-renew-cron-entry:name}
+
+[certificate-renew]
+recipe = collective.recipe.template
+input = inline:
+  #!{{ dash_executable_location }}
+
+  d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${certificate-request-base:cert-file} | cut -d'=' -f 2)
+  cert_time=$(date -d "$d" +"%s")
+  now=$(date +"%s")
+  thresold=2592000  # 30*24*60*60  equivalent to one month in seconds
+  remind=$(($cert_time - $now))
+
+  if [ $remind -lt $thresold ]; then
+    exec ${certificate-request-base:wrapper-path} --renew
+  fi
+
+output = ${directory:bin}/certificate-renew
+mode = 700
+
+[certificate-renew-cron-entry]
+recipe = slapos.cookbook:cron.d
+cron-entries = ${cron:cron-entries}
+name = certificate-auto-renew
+frequency = 0 */2 * * *
+command = ${certificate-renew:output}
 
 [logrotate-authenticated-httpd]
 < = logrotate-entry-base
@@ -102,9 +138,9 @@ url = ${authenticated-httpd-conf-parameter:url}
 check-secure = 1
 dash_path = {{ dash_executable_location }}
 curl_path = {{ curl_executable_location }}
-cert-file = ${server-certificate-request:cert-file}
-key-file = ${server-certificate-request:key-file}
-ca-cert-file = ${server-certificate-request:ca-cert}
+cert-file = ${certificate-request-base:cert-file}
+key-file = ${certificate-request-base:key-file}
+ca-cert-file = ${certificate-request-base:ca-cert}
 
 [slap-configuration]
 recipe = slapos.cookbook:slapconfiguration.serialised

stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in

@@ -5,11 +5,12 @@ extends =
 
 parts = 
   certificate-authority
-  certificate-authority-web
+  certificate-authority-server
 
 [certificate-authority-parameters]
 server-port = 8009
-crl-url = http://[${slap-configuration:ipv6-random}]:${:server-port}/cacrl.pem
+# Overrite this to set frontend URL
+external-url = https://[${slap-configuration:ipv6-random}]:${:server-port}
 
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -22,11 +23,18 @@ log = ${:var}/log
 scripts = ${:etc}/run
 services = ${:etc}/service
 promises = ${:etc}/promise
+ssl=${:etc}/ssl
+ca-dir = ${directory:srv}/ca
+ca-temp = ${:ca-dir}/tmp
+client-body-temp-path = ${:ca-temp}/client_body_temp_path
+proxy-temp-path = ${:ca-temp}/proxy_temp_path
+fastcgi-temp-path = ${:ca-temp}/fastcgi_temp_path
+uwsgi-temp-path = ${:ca-temp}/uwsgi_temp_path
+scgi-temp-path = ${:ca-temp}/scgi_temp_path
 
 [ca-directory]
 recipe = slapos.cookbook:mkdirectory
 root = ${directory:srv}/ssl
-ca-web = ${directory:srv}/ca
 requests = ${:root}/requests
 private = ${:root}/private
 certs = ${:root}/certs
@@ -44,47 +52,97 @@ ca-certs = ${ca-directory:certs}
 ca-newcerts = ${ca-directory:newcerts}
 ca-crl = ${ca-directory:crl}
 
-[openssl-parameter-dict]
-ca-dir = ${ca-directory:ca-web}
-cert-days = 3650
-country-code = XX
-state = ('State',)
-city = City
-compagny = Company
-# common-name = XXX
-email = xx@example.com
-crl-url = ${certificate-authority-parameters:crl-url}
-
-[openssl-conf]
+[ca-nginx-ssl]
+recipe = plone.recipe.command
+# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files
+command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${directory:ssl}/ca-cert.key
+cert = ${directory:ssl}/ca-cert.crt
+update-command = 
+stop-on-error = true
+
+[ca-nginx-conf-parameter]
+ip = ${slap-configuration:ipv6-random}
+port = ${certificate-authority-parameters:server-port}
+pid-file = ${directory:run}/nginx-ca.pid
+access-log = ${directory:log}/nginx-ca-access.log
+error-log = ${directory:log}/nginx-ca-error.log
+cert-file = ${ca-nginx-ssl:cert}
+key-file = ${ca-nginx-ssl:key}
+ca-conf = ${certificate-authority-conf:output}
+workers-processes = 1
+client-body-temp-path = ${directory:client-body-temp-path}
+proxy-temp-path = ${directory:proxy-temp-path}
+fastcgi-temp-path = ${directory:fastcgi-temp-path}
+uwsgi-temp-path = ${directory:uwsgi-temp-path}
+scgi-temp-path = ${directory:scgi-temp-path}
+socket = ${certificate-authority-gunicorn:socket}
+
+[ca-nginx-conf]
 recipe = slapos.recipe.template:jinja2
-template = {{ template_openssl_conf }}
-rendered = ${ca-directory:ca-web}/openssl.cnf
+template = {{ template_nginx_ca_conf }}
+rendered = ${directory:etc}/nginx-ca.conf
+mode = 0700
+context =
+  section parameter_dict ca-nginx-conf-parameter
+
+[certificate-authority-conf]
+recipe = collective.recipe.template
+input = inline:
+  ca-dir ${directory:ca-dir}
+  # enable debug
+  # debug
+  # log-file ${directory:log}/ca-server.log
+  subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
+  max-request-amount 10
+  external-url ${certificate-authority-parameters:external-url}
+  # one year (in seconds)
+  crt-life-time 31536000
+  # crl-life-period correspond to about one week
+  crl-life-period 0.02
+  # ca-life-time = ca-life-period * crt-life-time
+  ca-life-period 10
+
+output = ${directory:etc}/ca.conf
+mode = 700
+
+[ca-nginx-graceful]
+recipe = collective.recipe.template
+input = inline:#!{{ dash_executable_location }}
+  kill -HUP $(cat ${ca-nginx-conf-parameter:pid-file})
+
+output = ${directory:scripts}/ca-server-graceful
 mode = 700
-context = 
-  section parameter_dict openssl-parameter-dict
 
-[certificate-authority-web]
+[certificate-authority-gunicorn]
 recipe = slapos.cookbook:wrapper
-host = ${slap-configuration:ipv6-random}
-port = ${certificate-authority-parameters:server-port}
-wrapper-path = ${directory:services}/certificate-authority-web
-command-line = {{ certificate_authority_bin }}
-  --ca_dir ${ca-directory:ca-web}
-  --openssl_bin "{{ openssl_executable_location }}"
-  --config_file "${openssl-conf:rendered}"
-  --host "${:host}"
-  --port "${:port}"
-  --log_file "${directory:log}/ca-web.log"
-  --trusted_host ${:host}
-
-url = http://[${:host}]:${:port}
+socket = ${directory:ca-dir}/ca.flaskserver.sock
+command-line =  {{ gunicorn_bin }} caucase.wsgi:app -b unix:${:socket} -e CA_CONFIGURATION_FILE=${certificate-authority-conf:output} --error-logfile ${:log-file} --pid ${:pid-file} --capture-output --timeout 60 --threads 2 --log-level error --preload
+log-file = ${directory:log}/ca-gunicorn-error.log
+pid-file = ${directory:run}/ca-gunicorn.pid
+wrapper-path = ${directory:services}/ca-gunicorn
+#environment = #PATH=$${environ:PATH}:${git:location}/bin/
+#  CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
+#  LANG=en_GB.UTF-8
+
+[certificate-authority-server]
+recipe = slapos.cookbook:wrapper
+command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
+wrapper-path = ${directory:services}/ca-server
+wait-for-files =
+  ${ca-nginx-ssl:cert}
+  ${ca-nginx-ssl:key}
+#environment = 
+#  CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
+url = ${certificate-authority-parameters:external-url}
 depends = 
-  ${certificate-authority-web-promise:filename}
+  ${certificate-authority-server-promise:filename}
+  ${ca-nginx-graceful:output}
 
-[certificate-authority-web-promise]
+[certificate-authority-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
-filename = certificate-authority-web-listening-on-tcp
+filename = certificate-authority-server-listening-on-tcp
 url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
 check-secure = 1
 dash_path = {{ dash_executable_location }}
@@ -97,3 +155,5 @@ partition = ${slap-connection:partition-id}
 url = ${slap-connection:server-url}
 key = ${slap-connection:key-file}
 cert = ${slap-connection:cert-file}
+
+[slap-parameter]

stack/certificate-authority/template/ca-nginx.conf.in

+worker_processes {{ parameter_dict['workers-processes'] }};
+
+pid {{ parameter_dict['pid-file'] }};
+error_log {{ parameter_dict['error-log'] }};
+
+daemon off;
+
+events {
+  worker_connections 1024;
+  accept_mutex off;
+}
+
+http {
+    # include mime.types;
+    default_type application/octet-stream;
+    access_log {{ parameter_dict['access-log'] }} combined;
+    client_max_body_size 10M;
+    map $http_upgrade $connection_upgrade {
+      default upgrade;
+      ''      close;
+    }
+    sendfile on;
+
+    upstream app_server {
+      # for UNIX domain socket setups
+      server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
+    }
+
+     server {
+        listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl;
+        server_name _;
+        ssl_certificate     {{ parameter_dict['cert-file'] }};
+        ssl_certificate_key {{ parameter_dict['key-file'] }};
+        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        keepalive_timeout 90s;
+        client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
+        proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
+        fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
+        uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+        scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
+
+        location / {
+            proxy_redirect off;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Host  $http_host;
+            proxy_set_header   Host $http_host;
+            proxy_set_header   Authorization $http_authorization;
+            proxy_pass_header  Authorization;
+            proxy_connect_timeout 90;
+            proxy_send_timeout    90;
+            proxy_read_timeout    90;
+            send_timeout          90;
+
+            proxy_pass http://app_server;
+        }
+    }
+}

stack/certificate-authority/template/template-httpd-ca.conf.in

+Listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}
+
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule proxy_module      modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule env_module modules/mod_env.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule wsgi_module modules/mod_wsgi.so
+
+ServerAdmin admin@
+TypesConfig conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+PidFile "{{ parameter_dict['pid-file'] }}"
+ErrorLog "{{ parameter_dict['error-log'] }}"
+# Default apache log format with request time in microsecond at the end
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+CustomLog "{{ parameter_dict['access-log'] }}" combined
+
+# SSL Configuration
+Define SSLConfigured
+SSLCertificateFile {{ parameter_dict['cert-file'] }}
+SSLCertificateKeyFile {{ parameter_dict['key-file'] }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLRandomSeed startup /dev/urandom 256
+SSLRandomSeed connect builtin
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
+
+SSLEngine   On
+
+ServerName example.com
+
+WSGIDaemonProcess certificate_authority processes=2 threads=5 home={{ parameter_dict['base-dir'] }}
+WSGIProcessGroup certificate_authority
+SetEnv CA_CONFIGURATION_FILE {{ parameter_dict['ca-conf'] }}
+
+WSGIScriptAlias / {{ parameter_dict['wsgi-wrapper'] }}
+WSGIRestrictStdout Off
+
+<Directory {{ parameter_dict['base-dir'] }}>
+    WSGIPassAuthorization On
+    WSGIScriptReloading Off
+    WSGIApplicationGroup %{GLOBAL}
+    Require all granted
+</Directory>