ci: generate koji certs with SAN in make-certs.sh

Generate the certificate to be used for koji in make-certs.sh by the same CA that also generates the composer and client certs. Create a single certificate that uses the SubjectAltName (SAN) extension to cover two domains: localhost, org.osbuild.koji.koji, which previously was done via two separate certificates; this is the legacy usage which stopped working with go 1.15 (see previous commit). As a consequence the apache config is modified to use only one virtual host with a ServerAlias directive.
2020-11-11 16:52:02 +01:00 · 2020-11-11 16:52:02 +01:00 · 630d09f6c4
commit 630d09f6c4
parent 6f439dc34f
6 changed files with 43 additions and 63 deletions
--- a/test/container/builder/kojid.conf
+++ b/test/container/builder/kojid.conf
@ -10,6 +10,6 @@ keytab = /share/kojid.keytab

 ; cert = /share/ssl/kojid/client.pem
 ; ca = /share/ssl/kojid/serverca.crt
-serverca = /share/ca-crt.pem
+serverca = /share/koji-ca.pem

 plugins = osbuild
--- a/test/container/hub/ssl.conf
+++ b/test/container/hub/ssl.conf
@ -13,6 +13,7 @@ SSLCryptoDevice builtin
 # localhost
 <VirtualHost _default_:443>
 ServerName localhost
+ServerAlias org.osbuild.koji.koji

 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
@ -23,44 +24,10 @@ SSLEngine on
 SSLHonorCipherOrder on
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM
-SSLCertificateFile /share/crt.pem
-SSLCertificateKeyFile /share/key.pem
-SSLCertificateChainFile /share/ca-crt.pem
-SSLCACertificateFile /share/ca-crt.pem
-SSLVerifyDepth 1
-
-<FilesMatch "\.(cgi|shtml|phtml|php)$">
-    SSLOptions +StdEnvVars
-</FilesMatch>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-BrowserMatch "MSIE [2-5]" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>
-
-# Full Qualified Domain Name, org.osbuild.koji.koji
-<VirtualHost _default_:443>
-ServerName org.osbuild.koji.koji
-
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel debug
-
-SSLEngine on
-SSLHonorCipherOrder on
-SSLCipherSuite PROFILE=SYSTEM
-SSLProxyCipherSuite PROFILE=SYSTEM
-SSLCertificateFile /share/crt-fqdn.pem
-SSLCertificateKeyFile /share/key.pem
-SSLCertificateChainFile /share/ca-crt.pem
-SSLCACertificateFile /share/ca-crt.pem
+SSLCertificateFile /share/koji-crt.pem
+SSLCertificateKeyFile /share/koji-key.pem
+SSLCertificateChainFile /share/koji-ca.pem
+SSLCACertificateFile /share/koji-ca.pem
 SSLVerifyDepth 1

 <FilesMatch "\.(cgi|shtml|phtml|php)$">
--- a/test/copy-creds.sh
+++ b/test/copy-creds.sh
@ -10,13 +10,7 @@ fi
 TEST_DATA=${TEST_DATA:-test/data}
 SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test}

-if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
-  echo "Copying client certificates"
-
-  cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
-  cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
-  cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
-fi
+mkdir -p "${SHARE_DIR}"

 mkdir -p /etc/osbuild-composer
 mkdir -p /etc/osbuild-worker
@ -39,9 +33,3 @@ cp ${TEST_DATA}/osbuild-worker.toml \
 echo "Copying system kerberos configuration"
 cp ${TEST_DATA}/krb5.local.conf \
   /etc/krb5.conf.d/local
-
-echo "Updating system trust chain"
-cp ${SHARE_DIR}/ca-crt.pem \
-   /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
-
-update-ca-trust
--- a/test/integration.sh
+++ b/test/integration.sh
@ -75,6 +75,5 @@ greenprint "Stopping containers"
 sudo test/run-koji-container.sh stop

 greenprint "Removing generated CA cert"
-sudo rm \
-    /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+sudo rm /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
 sudo update-ca-trust
--- a/test/make-certs.sh
+++ b/test/make-certs.sh
@ -40,6 +40,21 @@ openssl ca -config "$CONFIG" -batch \
        -in "${CA_DIR}/composer-csr.pem" \
        -out "${CA_DIR}/composer-crt.pem"

+# koji
+echo "-=[ koji"
+openssl genrsa -out ${CA_DIR}/koji-key.pem 2048
+openssl req -new -sha256 \
+        -config "${CONFIG}" \
+        -key ${CA_DIR}/koji-key.pem	\
+        -out ${CA_DIR}/koji-csr.pem \
+        -subj "/CN=localhost" \
+        -addext "subjectAltName=DNS.1:localhost,DNS.2:org.osbuild.koji.koji"
+
+openssl ca -config "$CONFIG" -batch \
+        -extensions osbuild_server_ext \
+        -in "${CA_DIR}/koji-csr.pem" \
+        -out "${CA_DIR}/koji-crt.pem"
+
 # client
 echo "-=[ client"
 openssl genrsa -out ${CA_DIR}/client-key.pem 2048
@ -57,3 +72,9 @@ openssl ca -config "$CONFIG" -batch \

 # fix permissions for composer
 chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*
+
+echo "-=[ Updating system trust chain"
+cp ${CA_DIR}/ca-crt.pem \
+   /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
+
+update-ca-trust
--- a/test/run-koji-container.sh
+++ b/test/run-koji-container.sh
@ -50,17 +50,22 @@ koji_start() {
  # create a share directory which is used to share files between the host and containers
  mkdir -p "${SHARE_DIR}"

-  # generate self-signed certificates in the share directory
-  openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org"
-  openssl genrsa -out "${SHARE_DIR}/key.pem" 2048
+  # copy the koji certificates to the shared dir
+  if [[ -f "/etc/osbuild-composer/koji-key.pem" ]]; then
+    echo "Copying koji certificates"

-  # certificate for "localhost" hostname
-  openssl req -new -sha256 -key "${SHARE_DIR}/key.pem"	-out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost"
-  openssl x509 -req -in "${SHARE_DIR}/csr.pem"  -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem"
+    cp /etc/osbuild-composer/koji-key.pem ${SHARE_DIR}
+    cp /etc/osbuild-composer/koji-crt.pem ${SHARE_DIR}
+    cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/koji-ca.pem
+  fi

-  # certificate for "org.osbuild.koji.koji" hostname
-  openssl req -new -sha256 -key "${SHARE_DIR}/key.pem"	-out "${SHARE_DIR}/csr-fqdn.pem" -subj "/CN=org.osbuild.koji.koji"
-  openssl x509 -req -in "${SHARE_DIR}/csr-fqdn.pem"  -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt-fqdn.pem"
+  if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
+    echo "Copying client certificates"
+
+    cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
+    cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
+    cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
+  fi

  ${CONTAINER_RUNTIME} network create org.osbuild.koji