From e01bf415d80883c369dfd4247aae401fde421b80 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 28 Jan 2015 22:19:25 -0800 Subject: cert generation: (1) auto generate certs (2) actually support configuring expiration times. REQUIRES platform >= 0.6.1. closes #6387 --- lib/leap_cli/commands/ca.rb | 71 +++++++++++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 32 deletions(-) (limited to 'lib/leap_cli/commands/ca.rb') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 357792f..785e043 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -28,22 +28,7 @@ module LeapCli; module Commands cert.command :update do |update| update.switch 'force', :desc => 'Always generate new certificates', :negatable => false update.action do |global_options,options,args| - assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them' - assert_config! 'provider.ca.server_certificates.bit_size' - assert_config! 'provider.ca.server_certificates.digest' - assert_config! 'provider.ca.server_certificates.life_span' - assert_config! 'common.x509.use' - - nodes = manager.filter!(args) - nodes.each_node do |node| - warn_if_commercial_cert_will_soon_expire(node) - if !node.x509.use - remove_file!([:node_x509_key, node.name]) - remove_file!([:node_x509_cert, node.name]) - elsif options[:force] || cert_needs_updating?(node) - generate_cert_for_node(node) - end - end + update_certificates(manager.filter!(args), options) end end @@ -139,7 +124,7 @@ module LeapCli; module Commands cert = csr.to_cert cert.serial_number.number = cert_serial_number(domain) cert.not_before = yesterday - cert.not_after = years_from_yesterday(1) + cert.not_after = yesterday.advance(:years => 1) cert.parent = ca_root cert.sign! domain_test_signing_profile write_file! [:commercial_cert, domain], cert.to_pem @@ -158,6 +143,29 @@ module LeapCli; module Commands end end + protected + + # + # will generate new certificates for the specified nodes, if needed. + # + def update_certificates(nodes, options={}) + assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them' + assert_config! 'provider.ca.server_certificates.bit_size' + assert_config! 'provider.ca.server_certificates.digest' + assert_config! 'provider.ca.server_certificates.life_span' + assert_config! 'common.x509.use' + + nodes.each_node do |node| + warn_if_commercial_cert_will_soon_expire(node) + if !node.x509.use + remove_file!([:node_x509_key, node.name]) + remove_file!([:node_x509_cert, node.name]) + elsif options[:force] || cert_needs_updating?(node) + generate_cert_for_node(node) + end + end + end + private def generate_new_certificate_authority(key_file, cert_file, common_name) @@ -179,7 +187,7 @@ module LeapCli; module Commands # set expiration root.not_before = yesterday - root.not_after = years_from_yesterday(provider.ca.life_span.to_i) + root.not_after = yesterday_advance(provider.ca.life_span) # generate private key root.serial_number.number = 1 @@ -203,7 +211,7 @@ module LeapCli; module Commands return true else cert = load_certificate_file([:node_x509_cert, node.name]) - if cert.not_after < months_from_yesterday(2) + if cert.not_after < Time.now.advance(:months => 2) log :updating, "cert for node '#{node.name}' because it will expire soon" return true end @@ -242,7 +250,7 @@ module LeapCli; module Commands if cert.not_after < Time.now.utc log :error, "the commercial certificate '#{path}' has EXPIRED! " + "You should renew it with `leap cert csr --domain #{domain}`." - elsif cert.not_after < months_from_yesterday(2) + elsif cert.not_after < Time.now.advance(:months => 2) log :warning, "the commercial certificate '#{path}' will expire soon. "+ "You should renew it with `leap cert csr --domain #{domain}`." end @@ -261,7 +269,7 @@ module LeapCli; module Commands # set expiration cert.not_before = yesterday - cert.not_after = years_from_yesterday(provider.ca.server_certificates.life_span.to_i) + cert.not_after = yesterday_advance(provider.ca.server_certificates.life_span) # generate key cert.key_material.generate_key(provider.ca.server_certificates.bit_size) @@ -283,7 +291,7 @@ module LeapCli; module Commands cert.serial_number.number = cert_serial_number(provider.domain) cert.subject.common_name = [prefix, random_common_name(provider.domain)].join cert.not_before = yesterday - cert.not_after = years_from_yesterday(1) + cert.not_after = yesterday.advance(:years => 1) cert.key_material.generate_key(1024) # just for testing, remember! cert.parent = client_ca_root cert.sign! client_test_signing_profile @@ -492,16 +500,15 @@ module LeapCli; module Commands Time.utc t.year, t.month, t.day end - def years_from_yesterday(num) - t = yesterday - Time.utc t.year + num, t.month, t.day - end - - def months_from_yesterday(num) - t = yesterday - date = Date.new t.year, t.month, t.day - date = date >> num # >> is months in the future operator - Time.utc date.year, date.month, date.day + def yesterday_advance(string) + number, unit = string.split(' ') + unless ['years', 'months', 'days', 'hours', 'minutes'].include? unit + bail("The time property '#{string}' is missing a unit (one of: years, months, days, hours, minutes).") + end + unless number.to_i.to_s == number + bail("The time property '#{string}' is missing a number.") + end + yesterday.advance(unit.to_sym => number.to_i) end end; end -- cgit v1.2.3 From 406a5bc18a5e5733d081c785984f06ad730a8dba Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 2 Feb 2015 14:54:35 -0800 Subject: fix bail! typo --- lib/leap_cli/commands/ca.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/leap_cli/commands/ca.rb') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 785e043..9b3409a 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -503,10 +503,10 @@ module LeapCli; module Commands def yesterday_advance(string) number, unit = string.split(' ') unless ['years', 'months', 'days', 'hours', 'minutes'].include? unit - bail("The time property '#{string}' is missing a unit (one of: years, months, days, hours, minutes).") + bail!("The time property '#{string}' is missing a unit (one of: years, months, days, hours, minutes).") end unless number.to_i.to_s == number - bail("The time property '#{string}' is missing a number.") + bail!("The time property '#{string}' is missing a number.") end yesterday.advance(unit.to_sym => number.to_i) end -- cgit v1.2.3 From 39c8a357ec10b9cb4ecf75324561ed82241e27d6 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 9 Feb 2015 22:44:49 -0800 Subject: more verbose `leap cert update` --- lib/leap_cli/commands/ca.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/leap_cli/commands/ca.rb') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 9b3409a..356e616 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -216,7 +216,7 @@ module LeapCli; module Commands return true end if cert.subject.common_name != node.domain.full - log :updating, "cert for node '#{node.name}' because domain.full has changed" + log :updating, "cert for node '#{node.name}' because domain.full has changed (was #{cert.subject.common_name}, now #{node.domain.full})" return true end cert.openssl_body.extensions.each do |ext| -- cgit v1.2.3 From 26842662815d1409400d85275b32789156d50db5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Apr 2015 11:14:46 +0200 Subject: make clear that dh file is only needed for VPN --- lib/leap_cli/commands/ca.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/leap_cli/commands/ca.rb') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 356e616..cfa18f5 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -32,7 +32,7 @@ module LeapCli; module Commands end end - cert.desc 'Creates a Diffie-Hellman parameter file.' # (needed for server-side of some TLS connections) + cert.desc 'Creates a Diffie-Hellman parameter file, needed for forward secret OpenVPN ciphers.' # (needed for server-side of some TLS connections) cert.command :dh do |dh| dh.action do |global_options,options,args| long_running do -- cgit v1.2.3 From ab3184ff6dea960e347da299deaabeb23e2cf86e Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 5 May 2015 14:58:03 -0700 Subject: add --force to 'leap cert csr' --- lib/leap_cli/commands/ca.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib/leap_cli/commands/ca.rb') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index cfa18f5..d5c6240 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -87,7 +87,11 @@ module LeapCli; module Commands assert_config! 'provider.ca.server_certificates.bit_size' assert_config! 'provider.ca.server_certificates.digest' domain = options[:domain] || provider.domain - assert_files_missing! [:commercial_key, domain], [:commercial_csr, domain], :msg => 'If you really want to create a new key and CSR, remove these files first.' + + unless global_options[:force] + assert_files_missing! [:commercial_key, domain], [:commercial_csr, domain], + :msg => 'If you really want to create a new key and CSR, remove these files first or run with --force.' + end server_certificates = provider.ca.server_certificates -- cgit v1.2.3