mgr-ssl-cert-setup: Store ca in db #7267

Merged
merged 4 commits into from
Jul 18, 2023
6 changes: 4 additions & 2 deletions python/spacewalk/satellite_tools/rhn_ssl_dbstore.py
Expand Up @@ -29,7 +29,7 @@ def processCommandline():

options = [
Option('--ca-cert', action='store', default=DEFAULT_TRUSTED_CERT, type="string",
help='public CA certificate, default is %s' % DEFAULT_TRUSTED_CERT),
help='public CA certificate, default is %s. If the value is \'-\' the CA is read from STDIN' % DEFAULT_TRUSTED_CERT),
Option('--label', action='store', default='RHN-ORG-TRUSTED-SSL-CERT', type="string",
help='FOR TESTING ONLY - alternative database label for this CA certificate, '
+ 'default is "RHN-ORG-TRUSTED-SSL-CERT"'),
Expand All @@ -45,7 +45,9 @@ def processCommandline():
"--help): %s\n" % repr(args))
raise ValueError(msg)

if not os.path.exists(values.ca_cert):
if values.ca_cert == '-':
values.ca_cert = sys.stdin.read().strip()
elif not os.path.exists(values.ca_cert):
sys.stderr.write("ERROR: can't find CA certificate at this location: "
"%s\n" % values.ca_cert)
sys.exit(10)
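Review bot: The `if values.ca_cert == '-':` branch accepts an empty or non-PEM STDIN silently, so a caller that pipes nothing ends up with `values.ca_cert == ''` and the failure only surfaces later, far from the option that caused it. A check right after the read keeps the failure next to the existing missing-file case: `if not values.ca_cert:` followed by `sys.stderr.write("ERROR: no CA certificate read from STDIN\n")` and `sys.exit(10)`. After this branch `values.ca_cert` holds certificate data rather than a path, which the `--ca-cert` help text in the first hunk could state explicitly, since every later consumer must cope with both meanings. processCommandline starts and ends outside the hunk.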
15 changes: 9 additions & 6 deletions python/spacewalk/satellite_tools/satCerts.py
Expand Up @@ -160,12 +160,15 @@ def _lobUpdate_rhnCryptoKey(rhn_cryptokey_id, cert):
def store_CaCert(description, caCert, verbosity=0):
org_ids = get_all_orgs()
org_ids.append({'id': None})
f = open(caCert, 'rb')
try:
cert = f.read().strip()
finally:
if f is not None:
f.close()
if " CERTIFICATE-----" in caCert:
cert = caCert
else:
f = open(caCert, 'rb')
try:
cert = f.read().strip()
finally:
if f is not None:
f.close()
for org_id in org_ids:
org_id = org_id['id']
store_rhnCryptoKey(description, cert, org_id, verbosity)
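Review bot: The `if " CERTIFICATE-----" in caCert:` branch passes the caller's value through unchanged, while the file branch still produces bytes via `open(caCert, 'rb')`, so under Python 3 `store_rhnCryptoKey` receives str in one case and bytes in the other; whether that matters depends on `store_rhnCryptoKey`, which is outside the hunk, but normalising here (for example `cert = caCert.encode() if isinstance(caCert, str) else caCert`) would remove the dependency. The substring test is a heuristic for "content, not path", so a one-line comment such as `# caCert is either PEM text (read from STDIN by the caller) or a path to a PEM file` would save the next reader from guessing. In the file branch the `if f is not None` guard is dead, because `f` is always bound once the `try` is entered; `with open(caCert, 'rb') as f:` and `cert = f.read().strip()` express the same thing in two lines. store_CaCert continues past the end of the hunk.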
@@ -0,0 +1 @@
- rhn-ssl-dbstore read ca from STDIN (bsc#1212856)
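--- a/spacewalk/certs-tools/mgr_ssl_cert_setup.py
+++ b/spacewalk/certs-tools/mgr_ssl_cert_setup.py
@@ -483,6 +483,25 @@ def deployPg(server_key_content):
 
 log("""$> systemctl restart postgresql.service """)
 
+def deployCAInDB(certData):
+if not os.path.exists("/usr/bin/rhn-ssl-dbstore"):
+# not a Uyuni Server - skip deploying into DB
+return
+
+for h, ca in certData.items():
+if ca["root"]:
+out = subprocess.run(
+["/usr/bin/rhn-ssl-dbstore", "--ca-cert", "-"],
+stdout=subprocess.PIPE,
+stderr=subprocess.PIPE,
+input=ca["content"],
+)
+if out.returncode:
+log_error("Failed to upload CA Certificate to DB: {}".format(out.stderr.decode("utf-8")))
+raise OSError("Failed to upload CA Certificate to DB")
+break
+
+
 def deployCAUyuni(certData):
 for h, ca in certData.items():
 if ca["root"]:
@@ -536,6 +555,7 @@ def getContainersSetup(root_ca_content, intermediate_ca_content, server_cert_con
 apache_cert_content = generateApacheCert(server_cert_content, certData)
 if not apache_cert_content:
 raise CertCheckError("Failed to generate certificates")
+deployCAInDB(certData)
 return apache_cert_content
 
 
@@ -568,6 +588,7 @@ def _main():
 deployApache(apache_cert_content, files_content.server_key)
 deployPg(files_content.server_key)
 deployCAUyuni(certData)
+deployCAInDB(certData)
 
 
 def main():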
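Review bot: In deployCAInDB the failure path calls `out.stderr.decode("utf-8")`, which raises UnicodeDecodeError if rhn-ssl-dbstore writes any non-UTF-8 byte, so the intended log_error and OSError are replaced by a different exception and the original message is lost; `out.stderr.decode("utf-8", errors="replace")` keeps the log line in every case. `stdout` is captured with `subprocess.PIPE` but never read, so `stdout=subprocess.DEVNULL` states the intent more directly. `input=ca["content"]` must be bytes unless `text=True` is passed, and this hunk does not show what type `content` holds, so that is worth confirming against where certData is built. The `break` after the first root CA means only that one certificate reaches the DB, mirroring deployCAUyuni; if certData can hold several roots, a comment such as `# only the first root CA is stored in the DB` would make that limit explicit.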
@@ -0,0 +1 @@
- mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)
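--- a/spacewalk/setup/bin/spacewalk-setup
+++ b/spacewalk/setup/bin/spacewalk-setup
@@ -696,8 +696,6 @@ sub setup_ssl_certs {
 
 Spacewalk::Setup::system_or_exit(['/usr/bin/mgr-ssl-cert-setup', @opts], 37,
 "Could not deploy the certificates.");
-
-store_ssl_cert(-ssl_dir => $answers->{'ssl-dir'});
 }
 
 sub print_country_list {
@@ -781,21 +779,6 @@ sub generate_server_cert {
 return;
 }
 
-sub store_ssl_cert {
-my %params = validate(@_, { ssl_dir => 1,
-ca_cert => { default => DEFAULT_CA_CERT_NAME },
-});
-
-
-my $cert_path = File::Spec->catfile($params{ssl_dir}, $params{ca_cert});
-my @opts = ("--ca-cert=${cert_path}");
-
-Spacewalk::Setup::system_or_exit(['/usr/bin/rhn-ssl-dbstore', @opts], 39,
-"There was a problem storing the SSL certificate.");
-
-return;
-}
-
 sub populate_initial_configs {
 my $opts = shift;
 my $answers = shift;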
@@ -0,0 +1 @@
- remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup (bsc#1212856)