particle-os/debian-koji-osbuild
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ci: generate koji certs with SAN in make-certs.sh

Browse source 
Generate the certificate to be used for koji in make-certs.sh by
the same CA that also generates the composer and client certs.
Create a single certificate that uses the SubjectAltName (SAN)
extension to cover two domains: localhost, org.osbuild.koji.koji,
which previously was done via two separate certificates; this is
the legacy usage which stopped working with go 1.15 (see previous
commit). As a consequence the apache config is modified to use
only one virtual host with a ServerAlias directive.
This commit is contained in:
Christian Kellner 2020-11-11 16:52:02 +01:00
parent 6f439dc34f
commit 630d09f6c4
6 changed files with 43 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

2
test/container/builder/kojid.conf
View file

@ -10,6 +10,6 @@ keytab = /share/kojid.keytab
; cert = /share/ssl/kojid/client.pem ; cert = /share/ssl/kojid/client.pem
; ca = /share/ssl/kojid/serverca.crt ; ca = /share/ssl/kojid/serverca.crt
serverca = /share/ca-crt.pem serverca = /share/koji-ca.pem
plugins = osbuild plugins = osbuild

43
test/container/hub/ssl.conf
View file

@ -13,6 +13,7 @@ SSLCryptoDevice builtin
# localhost # localhost
<VirtualHost _default_:443> <VirtualHost _default_:443>
ServerName localhost ServerName localhost
ServerAlias org.osbuild.koji.koji
ErrorLog logs/ssl_error_log ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log TransferLog logs/ssl_access_log
@ -23,44 +24,10 @@ SSLEngine on
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /share/crt.pem SSLCertificateFile /share/koji-crt.pem
SSLCertificateKeyFile /share/key.pem SSLCertificateKeyFile /share/koji-key.pem
SSLCertificateChainFile /share/ca-crt.pem SSLCertificateChainFile /share/koji-ca.pem
SSLCACertificateFile /share/ca-crt.pem SSLCACertificateFile /share/koji-ca.pem
SSLVerifyDepth 1
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# Full Qualified Domain Name, org.osbuild.koji.koji
<VirtualHost _default_:443>
ServerName org.osbuild.koji.koji
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /share/crt-fqdn.pem
SSLCertificateKeyFile /share/key.pem
SSLCertificateChainFile /share/ca-crt.pem
SSLCACertificateFile /share/ca-crt.pem
SSLVerifyDepth 1 SSLVerifyDepth 1
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">

14
test/copy-creds.sh
View file

@ -10,13 +10,7 @@ fi
TEST_DATA=${TEST_DATA:-test/data} TEST_DATA=${TEST_DATA:-test/data}
SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test} SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test}
if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then mkdir -p "${SHARE_DIR}"
echo "Copying client certificates"
cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
fi
mkdir -p /etc/osbuild-composer mkdir -p /etc/osbuild-composer
mkdir -p /etc/osbuild-worker mkdir -p /etc/osbuild-worker
@ -39,9 +33,3 @@ cp ${TEST_DATA}/osbuild-worker.toml \
echo "Copying system kerberos configuration" echo "Copying system kerberos configuration"
cp ${TEST_DATA}/krb5.local.conf \ cp ${TEST_DATA}/krb5.local.conf \
/etc/krb5.conf.d/local /etc/krb5.conf.d/local
echo "Updating system trust chain"
cp ${SHARE_DIR}/ca-crt.pem \
/etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
update-ca-trust

3
test/integration.sh
View file

@ -75,6 +75,5 @@ greenprint "Stopping containers"
sudo test/run-koji-container.sh stop sudo test/run-koji-container.sh stop
greenprint "Removing generated CA cert" greenprint "Removing generated CA cert"
sudo rm \ sudo rm /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
/etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
sudo update-ca-trust sudo update-ca-trust

21
test/make-certs.sh
View file

@ -40,6 +40,21 @@ openssl ca -config "$CONFIG" -batch \
-in "${CA_DIR}/composer-csr.pem" \ -in "${CA_DIR}/composer-csr.pem" \
-out "${CA_DIR}/composer-crt.pem" -out "${CA_DIR}/composer-crt.pem"
# koji
echo "-=[ koji"
openssl genrsa -out ${CA_DIR}/koji-key.pem 2048
openssl req -new -sha256 \
-config "${CONFIG}" \
-key ${CA_DIR}/koji-key.pem \
-out ${CA_DIR}/koji-csr.pem \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS.1:localhost,DNS.2:org.osbuild.koji.koji"
openssl ca -config "$CONFIG" -batch \
-extensions osbuild_server_ext \
-in "${CA_DIR}/koji-csr.pem" \
-out "${CA_DIR}/koji-crt.pem"
# client # client
echo "-=[ client" echo "-=[ client"
openssl genrsa -out ${CA_DIR}/client-key.pem 2048 openssl genrsa -out ${CA_DIR}/client-key.pem 2048
@ -57,3 +72,9 @@ openssl ca -config "$CONFIG" -batch \
# fix permissions for composer # fix permissions for composer
chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-* chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*
echo "-=[ Updating system trust chain"
cp ${CA_DIR}/ca-crt.pem \
/etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
update-ca-trust

23
test/run-koji-container.sh
View file

@ -50,17 +50,22 @@ koji_start() {
# create a share directory which is used to share files between the host and containers # create a share directory which is used to share files between the host and containers
mkdir -p "${SHARE_DIR}" mkdir -p "${SHARE_DIR}"
# generate self-signed certificates in the share directory # copy the koji certificates to the shared dir
openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org" if [[ -f "/etc/osbuild-composer/koji-key.pem" ]]; then
openssl genrsa -out "${SHARE_DIR}/key.pem" 2048 echo "Copying koji certificates"
# certificate for "localhost" hostname cp /etc/osbuild-composer/koji-key.pem ${SHARE_DIR}
openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost" cp /etc/osbuild-composer/koji-crt.pem ${SHARE_DIR}
openssl x509 -req -in "${SHARE_DIR}/csr.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem" cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/koji-ca.pem
fi
# certificate for "org.osbuild.koji.koji" hostname if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr-fqdn.pem" -subj "/CN=org.osbuild.koji.koji" echo "Copying client certificates"
openssl x509 -req -in "${SHARE_DIR}/csr-fqdn.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt-fqdn.pem"
cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
fi
${CONTAINER_RUNTIME} network create org.osbuild.koji ${CONTAINER_RUNTIME} network create org.osbuild.koji