Commit ee49dbe7 authored by Alain Takoudjou's avatar Alain Takoudjou

ca stack: request nginx certificate from the CA over http; ca-nginx supports http and https URLs

parent da803a17
...@@ -9,8 +9,10 @@ parts = ...@@ -9,8 +9,10 @@ parts =
[certificate-authority-parameters] [certificate-authority-parameters]
server-port = 8009 server-port = 8009
# Overrite this to set frontend URL server-https-port = 8010
external-url = https://[${slap-configuration:ipv6-random}]:${:server-port} # Overrite this to set frontend URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory] [directory]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
...@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs} ...@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs}
ca-newcerts = ${ca-directory:newcerts} ca-newcerts = ${ca-directory:newcerts}
ca-crl = ${ca-directory:crl} ca-crl = ${ca-directory:crl}
[ca-nginx-ssl] [nginx-certificate-request-base]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:bin}/request-base-certificate
cert-file = ${ca-nginx-ssl-config:cert}
key-file = ${ca-nginx-ssl-config:key}
ca-cert = ${directory:ssl}/cacert.pem
parameters-extra = true
command-line = {{ certificate_request_bin }}
--crt-file ${:cert-file}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:scripts}/request-server-certificate
command-line =
${nginx-certificate-request-base:wrapper-path}
--cn nginx@certificate.authority
--request
[ca-nginx-ssl-config]
recipe = plone.recipe.command recipe = plone.recipe.command
# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files command =
command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
else:
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
fi
key = ${directory:ssl}/ca-cert.key key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt cert = ${directory:ssl}/ca-cert.crt
update-command = update-command = ${:command}
output = ${directory:etc}/ca-nginx-ssl.cfg
stop-on-error = true stop-on-error = true
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
[ca-nginx-conf-parameter] [ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random} ip = ${slap-configuration:ipv6-random}
port = ${certificate-authority-parameters:server-port} port = ${certificate-authority-parameters:server-port}
https-port = ${certificate-authority-parameters:server-https-port}
pid-file = ${directory:run}/nginx-ca.pid pid-file = ${directory:run}/nginx-ca.pid
access-log = ${directory:log}/nginx-ca-access.log access-log = ${directory:log}/nginx-ca-access.log
error-log = ${directory:log}/nginx-ca-error.log error-log = ${directory:log}/nginx-ca-error.log
...@@ -102,6 +136,8 @@ input = inline: ...@@ -102,6 +136,8 @@ input = inline:
crl-life-period 0.02 crl-life-period 0.02
# ca-life-time = ca-life-period * crt-life-time # ca-life-time = ca-life-period * crt-life-time
ca-life-period 10 ca-life-period 10
# time before clean certificate on CA: 60*24*60*60
crt-keep-time 5184000
output = ${directory:etc}/ca.conf output = ${directory:etc}/ca.conf
mode = 700 mode = 700
...@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn ...@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered} command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server wrapper-path = ${directory:services}/ca-server
wait-for-files = #wait-for-files =
${ca-nginx-ssl:cert} # ${ca-nginx-ssl:cert}
${ca-nginx-ssl:key} # ${ca-nginx-ssl:key}
#environment =
# CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
url = ${certificate-authority-parameters:external-url} url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
depends = depends =
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename} ${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output} ${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
[ca-server-certificate-renew]
recipe = collective.recipe.template
input = inline:
#!{{ dash_executable_location }}
d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
cert_time=$(date -d "$d" +"%s")
now=$(date +"%s")
thresold=2592000 # 30*24*60*60 equivalent to one month in seconds
remind=$(($cert_time - $now))
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
fi
output = ${directory:bin}/server-certificate-renew
mode = 700
[certificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
command = ${ca-server-certificate-renew:output}
[certificate-authority-server-promise] [certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename} path = ${directory:promises}/${:filename}
filename = certificate-authority-server-listening-on-tcp filename = certificate-authority-server-listening-on-tcp
url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port} url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
[certificate-authority-https-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
check-secure = 1 check-secure = 1
dash_path = {{ dash_executable_location }} dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }} curl_path = {{ curl_executable_location }}
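Review bot: The shell snippet in `[ca-nginx-ssl-config]`'s `command` writes `else:` where `else` is intended; because `else:` is not the reserved word, sh runs it as a command name, the `if` closes at `fi` with no else branch, and the second `echo` runs unconditionally, so `ca-nginx-ssl.cfg` always ends up with empty `key=`/`cert=` even when both files exist (the `command not found` status is masked by the trailing echo, so `stop-on-error` never fires). Since `[ca-nginx-ssl]` reads that file back via `zero-knowledge.read`, the empty values presumably propagate to the nginx template's `cert-file`/`key-file` and silently disable the https server block. Change `else:` to `else`. The `echo -e "...\n..."` form is also interpreter-dependent (dash's builtin echo emits `-e` literally); `printf '[ca-nginx-ssl]\nkey=%s\ncert=%s\n' "${:key}" "${:cert}" > ${:output}` behaves the same under any POSIX sh.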
...@@ -26,36 +26,70 @@ http { ...@@ -26,36 +26,70 @@ http {
server unix:{{ parameter_dict['socket'] }} fail_timeout=0; server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
} }
server { {% if parameter_dict['cert-file'] and parameter_dict['key-file'] -%}
listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl; server {
server_name _; listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }} ssl;
ssl_certificate {{ parameter_dict['cert-file'] }}; server_name _;
ssl_certificate_key {{ parameter_dict['key-file'] }}; ssl_certificate {{ parameter_dict['cert-file'] }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate_key {{ parameter_dict['key-file'] }};
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
keepalive_timeout 90s; ssl_prefer_server_ciphers on;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }}; keepalive_timeout 90s;
proxy_temp_path {{ parameter_dict['proxy-temp-path'] }}; client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }}; proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }}; fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }}; uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location / {
proxy_redirect off; location / {
proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Authorization $http_authorization; proxy_set_header Host $http_host;
proxy_pass_header Authorization; proxy_set_header Authorization $http_authorization;
proxy_connect_timeout 90; proxy_pass_header Authorization;
proxy_send_timeout 90; proxy_connect_timeout 90;
proxy_read_timeout 90; proxy_send_timeout 90;
send_timeout 90; proxy_read_timeout 90;
send_timeout 90;
proxy_pass http://app_server;
} proxy_pass http://app_server;
}
}
{% endif -%}
server {
listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
server_name _;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location ~ ^(/admin|/user) {
# http is not used for /admin and /user
}
location / {
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
send_timeout 90;
proxy_pass http://app_server;
}
} }
} }
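Review bot: The plain-http `server` block's `listen` line is broken: `parameter_dict['port']` is not wrapped in `{{ }}`, so nginx receives the literal text, and the `ssl` flag is kept although this block defines no `ssl_certificate`, which nginx also rejects at startup; it should read `listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }};`. The `location ~ ^(/admin|/user) {` block holds only a comment, so those paths fall through to nginx's default static handling for the server rather than being explicitly refused; an explicit `return 403;` inside the block (or a redirect to the https listener when it is rendered) makes the "http is not used" intent enforceable instead of implied.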