Update cert generation process

With the latest urllib3 the CN match is no longer used for hostname
verification; instead the use of subjectAltName is required. With
openssl 3.3.1 this has to be handled with both an additional
parameter when generating the cert/request and some new
configuration in ssl.cnf. It is also necessary to have extensions
copied so the SAN information is preserved down the cert chain.

Signed-off-by: William Douglas <william.douglas@intel.com>
This commit is contained in:
William Douglas
2024-07-11 03:02:07 -07:00
parent ba5f172421
commit 7b752b5ff3
3 changed files with 17 additions and 8 deletions


@@ -44,6 +44,7 @@ default_crl_days = 30
default_md = sha512
preserve = no
policy = policy_match
copy_extensions = copy
[policy_match]
countryName = match
@@ -90,14 +91,19 @@ authorityKeyIdentifier = keyid,issuer:always
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
basicConstraints = CA:TRUE
subjectAltName = @alternate_names
[alternate_names]
DNS.1 = $KOJI_MASTER_FQDN
IP.1 = $KOJI_MASTER_IP
EOF
# Generate and trust CA
touch "$KOJI_PKI_DIR"/index.txt
echo 01 > "$KOJI_PKI_DIR"/serial
openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048
openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_MASTER_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_MASTER_FQDN" -addext "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
mkdir -p /etc/ca-certs/trusted
cp -a "$KOJI_PKI_DIR"/koji_ca_cert.crt /etc/ca-certs/trusted
while true; do
@@ -109,10 +115,10 @@ done
# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)
cp "$SCRIPT_DIR"/gencert.sh "$KOJI_PKI_DIR"
pushd "$KOJI_PKI_DIR"
./gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_MASTER_FQDN"
./gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_MASTER_FQDN"
./gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin"
./gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira"
./gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_MASTER_FQDN" "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP"
./gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_MASTER_FQDN" "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP"
./gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" "subjectAltName=DNS:kojiadmin,IP:$KOJI_MASTER_IP"
./gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" "subjectAltName=DNS:kojira,IP:$KOJI_MASTER_IP"
popd
# Copy certificates into ~/.koji for kojiadmin
@@ -326,7 +332,7 @@ sudo -u kojiadmin koji edit-host --capacity="$KOJID_CAPACITY" "$KOJI_SLAVE_FQDN"
# Generate certificates
pushd "$KOJI_PKI_DIR"
./gencert.sh "$KOJI_SLAVE_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_SLAVE_FQDN"
./gencert.sh "$KOJI_SLAVE_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_SLAVE_FQDN" "subjectAltName=DNS:$KOJI_SLAVE_FQDN,IP:$KOJI_SLAVE_IP"
popd
if [[ "$KOJI_SLAVE_FQDN" = "$KOJI_MASTER_FQDN" ]]; then
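Review bot: In the third hunk the kojiadmin and kojira certificates now carry `IP:$KOJI_MASTER_IP` in their subjectAltName, so two client/service identities also name the hub's own address; unless the leaf extension section of ssl.cnf (not visible here) pins `extendedKeyUsage = clientAuth`, either of those keys would be accepted as the master by a client that connects by IP. The `DNS:kojiadmin` and `DNS:kojira` entries are not resolvable host names and add nothing for verification. I would drop the IP entry from those two calls and keep at most `"subjectAltName=DNS:kojiadmin"` / `"subjectAltName=DNS:kojira"`, or confirm the signing section restricts key usage for them. Relatedly, `copy_extensions = copy` in the first hunk makes the CA honor whatever extensions a CSR requests; that is acceptable while CSRs are produced locally by gencert.sh, but it deserves a comment such as `# copy CSR extensions (SAN) into the issued cert; CSRs are generated locally by gencert.sh`.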


@@ -4,12 +4,13 @@
KOJI_USER="$1"
CERT_SUBJECT="$2"
CERT_EXT="$3"
openssl genrsa -out private/"$KOJI_USER".key 2048
if [ -z "$CERT_SUBJECT" ]; then
openssl req -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
else
openssl req -subj "$CERT_SUBJECT" -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
openssl req -subj "$CERT_SUBJECT" -addext "$CERT_EXT" -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
fi
openssl ca -batch -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out certs/"$KOJI_USER".crt -outdir certs -infiles certs/"$KOJI_USER".csr
cat certs/"$KOJI_USER".crt private/"$KOJI_USER".key > "$KOJI_USER".pem
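Review bot: The else branch now passes `-addext "$CERT_EXT"` unconditionally, so any call that supplies a subject but no third argument (or an extension that expands to an empty or partial value such as `IP:` when `KOJI_MASTER_IP` is unset) hands openssl an invalid extension string and the CSR step fails; nothing validates `CERT_EXT` before use. Since the first branch never adds the extension at all, the two paths also diverge for no stated reason. Building the argument list incrementally keeps one `openssl req` invocation and only adds `-subj`/`-addext` when the corresponding parameter is non-empty. The script's first lines are outside the hunk.
```shell
CERT_EXT="$3"
req_args=(-config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key)
if [ -n "$CERT_SUBJECT" ]; then
  req_args+=(-subj "$CERT_SUBJECT")
fi
if [ -n "$CERT_EXT" ]; then
  req_args+=(-addext "$CERT_EXT")
fi
openssl req "${req_args[@]}"
# … unchanged: openssl ca signing step and pem concatenation …
```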


@@ -6,7 +6,9 @@
export KOJI_DIR=/srv/koji
export KOJI_MOUNT_DIR=/mnt/koji
export KOJI_MASTER_FQDN="$(hostname -f)"
export KOJI_MASTER_IP="$(hostname -i)"
export KOJI_SLAVE_FQDN="$KOJI_MASTER_FQDN"
export KOJI_SLAVE_IP="$KOJI_MASTER_IP"
export KOJI_URL=https://"$KOJI_MASTER_FQDN"
export KOJID_CAPACITY=16
export TAG_NAME=clear
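Review bot: `KOJI_MASTER_IP="$(hostname -i)"` is fed straight into a `subjectAltName=...,IP:` string, but `hostname -i` can print several addresses separated by spaces, or a loopback address, depending on how the host's FQDN resolves; in that case the SAN is malformed or names the wrong address and cert generation fails or produces a certificate that does not match the hub. Add a guard right after the export, e.g. `[[ "$KOJI_MASTER_IP" == *" "* ]] && echo "warning: hostname -i returned several addresses: $KOJI_MASTER_IP" >&2`, or document that the variable must be overridden with a single routable address. A comment such as `# single IPv4/IPv6 address used for the IP SAN in generated certs` would also make the expectation explicit.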