summaryrefslogtreecommitdiff
path: root/lib/leap_cli
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2012-12-15 23:35:35 -0800
committerelijah <elijah@riseup.net>2012-12-15 23:35:35 -0800
commit1e6e6b94e80bf085b139c6706754f66ab1356a55 (patch)
tree72bb4563dd9bf526c275e76b6247020e294777f2 /lib/leap_cli
parent19d41877d1ad2c0b0090ec303e171113f6ddeaf9 (diff)
fixed bug with certificate dates
Diffstat (limited to 'lib/leap_cli')
-rw-r--r--lib/leap_cli/commands/ca.rb66
1 files changed, 38 insertions, 28 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 779fa30..bf55674 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -6,7 +6,6 @@ require 'digest/md5'
module LeapCli; module Commands
desc "Manage X.509 certificates"
- #long_desc ""
command :cert do |cert|
cert.desc 'Creates a Certificate Authority (private key and CA certificate)'
@@ -30,8 +29,8 @@ module LeapCli; module Commands
end
# set expiration
- root.not_before = today
- root.not_after = years_from_today(provider.ca.life_span.to_i)
+ root.not_before = yesterday
+ root.not_after = years_from_yesterday(provider.ca.life_span.to_i)
# generate private key
root.serial_number.number = 1
@@ -48,9 +47,15 @@ module LeapCli; module Commands
end
end
- cert.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes'
- cert.arg_name 'node-name', :optional => false
+ cert.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed'
+ cert.long_desc 'This command will a generate new certificate for a node if some value in the node has changed ' +
+ 'that is included in the certificate (like hostname or IP address), or if the old certificate will be expiring soon. ' +
+ 'Sometimes, you might want to force the generation of a new certificate, ' +
+ 'such as in the cases where you have changed a CA parameter for server certificates, like bit size or digest hash. ' +
+ 'In this case, use --force. If <node-filter> is empty, this command will apply to all nodes.'
+ cert.arg_name '<node-filter>'
cert.command :update do |update|
+ update.switch 'force', :desc => 'Always generate new certificates', :negatable => false
update.action do |global_options,options,args|
assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them'
assert_config! 'provider.ca.server_certificates.bit_size'
@@ -59,13 +64,12 @@ module LeapCli; module Commands
assert_config! 'common.x509.use'
nodes = manager.filter!(args)
- if nodes.size == 1
- generate_cert_for_node(nodes.values.first)
- else
- nodes.each_node do |node|
- if cert_needs_updating?(node)
- generate_cert_for_node(node)
- end
+ nodes.each_node do |node|
+ if options[:force] || cert_needs_updating?(node)
+ generate_cert_for_node(node)
+ elsif !node.x509.use
+ remove_file!([:node_x509_key, node.name])
+ remove_file!([:node_x509_cert, node.name])
end
end
end
@@ -146,8 +150,8 @@ module LeapCli; module Commands
log :generating, "self-signed x509 server certificate for testing purposes" do
cert = csr.to_cert
cert.serial_number.number = cert_serial_number(manager.provider.domain)
- cert.not_before = today
- cert.not_after = years_from_today(1)
+ cert.not_before = yesterday
+ cert.not_after = years_from_yesterday(1)
cert.parent = ca_root
cert.sign! domain_test_signing_profile
write_file! [:commercial_cert, manager.provider.domain], cert.to_pem
@@ -165,7 +169,7 @@ module LeapCli; module Commands
return true
else
cert = load_certificate_file([:node_x509_cert, node.name])
- if cert.not_after < months_from_today(1)
+ if cert.not_after < months_from_yesterday(1)
log :updating, "cert for node '#{node.name}' because it will expire soon"
return true
end
@@ -174,9 +178,6 @@ module LeapCli; module Commands
return true
end
cert.openssl_body.extensions.each do |ext|
- #
- # TODO: currently this only works with a single IP or DNS.
- #
if ext.oid == "subjectAltName"
ips = []
dns_names = []
@@ -208,8 +209,8 @@ module LeapCli; module Commands
cert.serial_number.number = cert_serial_number(node.domain.full)
# set expiration
- cert.not_before = today
- cert.not_after = years_from_today(manager.provider.ca.server_certificates.life_span.to_i)
+ cert.not_before = yesterday
+ cert.not_after = years_from_yesterday(manager.provider.ca.server_certificates.life_span.to_i)
# generate key
cert.key_material.generate_key(manager.provider.ca.server_certificates.bit_size)
@@ -227,8 +228,8 @@ module LeapCli; module Commands
cert = CertificateAuthority::Certificate.new
cert.serial_number.number = cert_serial_number(manager.provider.domain)
cert.subject.common_name = random_common_name(manager.provider.domain)
- cert.not_before = today
- cert.not_after = years_from_today(1)
+ cert.not_before = yesterday
+ cert.not_after = years_from_yesterday(1)
cert.key_material.generate_key(1024) # just for testing, remember!
cert.parent = ca_root
cert.sign! client_test_signing_profile
@@ -373,18 +374,27 @@ module LeapCli; module Commands
cert_serial_number(domain_name).to_s(36)
end
- def today
- t = Time.now
+ ##
+ ## TIME HELPERS
+ ##
+ ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
+ ## are behind UTC.
+ ##
+
+ def yesterday
+ t = Time.now - 24*24*60
Time.utc t.year, t.month, t.day
end
- def years_from_today(num)
- t = Time.now
+ def years_from_yesterday(num)
+ t = yesterday
Time.utc t.year + num, t.month, t.day
end
- def months_from_today(num)
- date = Date.today >> num # >> is months in the future operator
+ def months_from_yesterday(num)
+ t = yesterday
+ date = Date.new t.year, t.month, t.day
+ date = date >> num # >> is months in the future operator
Time.utc date.year, date.month, date.day
end