diff --git a/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.crt b/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.crt
index c23be12d2..0337bc3a5 100644
--- a/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.crt
+++ b/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.crt
@@ -1,16 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMRAwDgYDVQQDDAdSb290
+MIID3jCCAsagAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMRAwDgYDVQQDDAdSb290
 IENBMRowGAYDVQQLDBFTZXJ2ZXIgT3BlcmF0aW9uczEZMBcGA1UECgwQRXhhbXBs
-ZSBPcmcsIExMQzAeFw0xMzAzMzAwNTUwNDhaFw0zMzAzMjUwNTUwNDhaMH0xIzAh
+ZSBPcmcsIExMQzAeFw0xNDA0MDgwMTI1MzZaFw0zNDA0MDMwMTI1MzZaMH0xIzAh
 BgNVBAMTGkludGVybWVkaWF0ZSBDQSAoYWdlbnQtY2EpMR8wHQYJKoZIhvcNAQkB
 FhB0ZXN0QGV4YW1wbGUub3JnMRkwFwYDVQQKExBFeGFtcGxlIE9yZywgTExDMRow
-GAYDVQQLExFTZXJ2ZXIgT3BlcmF0aW9uczBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
-QQDkEj/Msmi4hJImxP5+ocixMTHuYC1M1E2p4QcuzOkZYrfHf+5hJMcahfYhLiXU
-jHBredOXhgSisHh6CLSb/rKzAgMBAAGjgZwwgZkweQYDVR0jBHIwcIAUME3Wao41
-ziBStoTjNG3Dq54UMNqhTaRLMEkxEDAOBgNVBAMMB1Jvb3QgQ0ExGjAYBgNVBAsM
-EVNlcnZlciBPcGVyYXRpb25zMRkwFwYDVQQKDBBFeGFtcGxlIE9yZywgTExDggkA
-t/Y+TYe+0HMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
-AQEFBQADgYEAujSj9rxIxJHEuuYXb15L30yxs9Tdvy4OCLiKdjvs9Z7gG8Pbutls
-ooCwyYAkmzKVs/8cYjZJnvJrPEW1gFwqX7Xknp85Cfrl+/pQEPYq5sZVa5BIm9tI
-0EvlDax/Hd28jI6Bgq5fsTECNl9GDGknCy7vwRZem0h+hI56lzR3pYE=
+GAYDVQQLExFTZXJ2ZXIgT3BlcmF0aW9uczCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANAjnBQPul4VZp8/PgnQxZtJQHhgWCRtLw5KDoZHFfQQxGW6utHb
+MPIoX4qgJDb8msojb7ZO63C2BAjO5FHwhAwk3SciZX7VEt5YUYg0X1J7GyWHKWEt
+yXEiIlXZ0xfXdzZ0kPskITQTLmKav7d08cN8SSqhAMeWhbiZ9xaCFWnYneqGdHc/
+Ps8EPszuJTiwrJsQtoxXFEdZfnJctlleGyZZFk/zg4M3P3RWr/ATBnMqL1Q4VfTd
+9C23p+6kYhrYMxfWrawWAqyzn/G17X1TzQY4qW9Imn+RYLEQeBkO+KTl0Y+eaIOD
+1PLfGaUu+XUumcMcbqyYgM5heqPEKHMs3g0CAwEAAaOBnDCBmTB5BgNVHSMEcjBw
+gBQWr4Al4/rqSL+RM2YB/VHvJGdMY6FNpEswSTEQMA4GA1UEAwwHUm9vdCBDQTEa
+MBgGA1UECwwRU2VydmVyIE9wZXJhdGlvbnMxGTAXBgNVBAoMEEV4YW1wbGUgT3Jn
+LCBMTEOCCQCxuQRy+xEn4zAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAN
+BgkqhkiG9w0BAQUFAAOCAQEAqyvoi3vDeE0Do7k2QiVF4WBhfGEW6921+UMVgMqB
+SSV4mJ98ep4lrJA4VZPEW7jZWbox8fpH2WmA4DSK6lBMf7MoLSuDxaTmVDCvauGU
+jtOD4ejIKWcJN8tkyFjz7DCca8x7EryZpr5sZMU78jZ/jOVwIK85FX/5ptQdoyo+
+j7TxWz464bUrlCOyzZEKIDViFeahY6Krfsfn60lmaWjXD5WSc9g5V/RA59cECpiT
+Dl9Li9Weu0aXoF8nmWVhhBI1drmqvKbffAvQ42K4x2OTFG3r5wbCRSZTCGT2BWZW
+M2HXCE5pMoTvM6H4PbMJsJw/x4qonM9HG81EcjHtKDUFGA==
 -----END CERTIFICATE-----
diff --git a/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.key b/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.key
index 7f23a5cfd..c83dca3b5 100644
--- a/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.key
+++ b/acceptance/tests/external_ca_support/fixtures/agent-ca/ca-agent-ca.key
@@ -1,9 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAOQSP8yyaLiEkibE/n6hyLExMe5gLUzUTanhBy7M6Rlit8d/7mEk
-xxqF9iEuJdSMcGt505eGBKKweHoItJv+srMCAwEAAQJBAImrmmdtqlj3bWGJuDWo
-YwTStVk3JSEjZl4NP9C4UFzJXmJdQJOq9JY39TtJxegD1NDddMdF9pWKCv+W5GCD
-RUECIQD4YthjsrMlOMniY0JzquSHoImJSC6bJ/0Tz7RV9N6WLQIhAOsP/OP6UKdP
-Wl2lzXRxI2ZoJdXMS5IYfXIqp2Hdy9hfAiEA0rDNyqvfZ/hmz0DRMlpIZX9YivmO
-hxABjVeHKc5/LLUCIFbYWFGOSMAXxEY3HLo5lp+eOORNj1oRrD9C3QZ+YHK3AiEA
-kOzde+VQkTzxZSAvQV9m9O16tQZtRivsV3+O58QJxKY=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQI5wUD7peFWaf
+Pz4J0MWbSUB4YFgkbS8OSg6GRxX0EMRlurrR2zDyKF+KoCQ2/JrKI2+2TutwtgQI
+zuRR8IQMJN0nImV+1RLeWFGINF9SexslhylhLclxIiJV2dMX13c2dJD7JCE0Ey5i
+mr+3dPHDfEkqoQDHloW4mfcWghVp2J3qhnR3Pz7PBD7M7iU4sKybELaMVxRHWX5y
+XLZZXhsmWRZP84ODNz90Vq/wEwZzKi9UOFX03fQtt6fupGIa2DMX1q2sFgKss5/x
+te19U80GOKlvSJp/kWCxEHgZDvik5dGPnmiDg9Ty3xmlLvl1LpnDHG6smIDOYXqj
+xChzLN4NAgMBAAECggEARD2Ym584fEZJ+iYzAebYEvymTZFQ9MhzaBzxvCasVPP2
+YGAjhlB2ML757CprFTgmy+VoZ/5iBPc4RWcHxrGzqYOgmocVfcsAP7P3L0/0fMdt
+9BTnhTwM0rHdTgZ3xlZXeJwpOJ304Oz1BVE1UEHgTjZ+iqJ07fs05nxcXZ3SxXuu
+yte/CtOxfiu12qw0Pa3en/wvkqeHPMrPYLD4PJznPIFmcfzVH6qO4DWtblW4HHLW
+OqoqgjpuDLe1hjN5RZY0dLnvuKAr1d+ZKhvvuPPKGUR9J2/h/vV1ZMJDW45zJIu3
+XfoFUxxnrSBynBtyfFwkC2Btriryuu9HdfnMxCHpYQKBgQD/r0f36Zj7M571E+5Q
+owCAE0qHRd/++p+KA3x/mVnECQ4c42QVwAwW99wd062k/9IbzVS6okbz1tKNsSvS
+7TgWc1qAWeoxV8y2Fo3ovs8mOuRxnKMjWwlf9vOVEr49r1h/CP9iEzcjW147hw0m
+EyWdBFBLQVLi/XdbguJW9e0bxQKBgQDQZVGM88r60yzo50kFLx4gVPx7nH8LDLkM
+HM6Lxk5UQxbHZEzpGpxM+GEypHdRb5d5uITTzZSmosRuUc73mvTJE8hc5kcSZPsh
+pEpSS4El7gcp/cmDNrHpqJdW4VwftJ8WYwFNOCCgLcmSNLJovc11j5NtGeP+Leqh
+EsjWXOr1qQKBgAxuBv+kWY2MuuOLLoC5C+MuDOd6nCMXJ/5boQfK+rQvBIKfA1ST
+W4MaVZcVnVFyJlK3rrDMBsr/3IiK3miIo7tjrDilJl9ztz365rcz33oqTsS/Kqcj
+W9dQeBL9MEZrac/zLgcki/+qB3C5Zgg90gxKE2U1LcRfMhg+yqYTmo1JAoGBALWf
+J+TdcJELzP8q26Pt/aaWCvo8WSirLPdWf9inuwqK8eZTDwi1jXUzn5qAZhEOXYjS
+/MiPSje0cdfn6qY3YZGBcUUt2NE6OviF89QnQ+ZnvcymB6MY3xPSQBuTCzQCugfL
+v42qFh0j6qJG1RqeGNuVhxo1z1NudydsdKcGkiwJAoGAYNbfuY3ccWmvX3K9ufL9
+M8m9ADXVE0o9LUQzZZwdv9IsQoeyufR7q0NUxrLqsracbJVhIoRzWZ7AUsWZ2qiX
+eME8gioXoJVShTw9TpZY/nuH72iP/SbpZ9s+/43wNP0PTCS2ZQKwxmszz8Eg3qxN
+D6ThCdnUCDA4JNQou0GozRQ=
+-----END PRIVATE KEY-----
diff --git a/acceptance/tests/external_ca_support/fixtures/agent-ca/openssl.conf b/acceptance/tests/external_ca_support/fixtures/agent-ca/openssl.conf
index e4b64b8ce..4259157e1 100644
--- a/acceptance/tests/external_ca_support/fixtures/agent-ca/openssl.conf
+++ b/acceptance/tests/external_ca_support/fixtures/agent-ca/openssl.conf
@@ -1,96 +1,96 @@ SAN = DNS:puppet [ca] default_ca = master_ca_config # Root CA [root_ca_config] -certificate = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.crt -private_key = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.key -database = /tmp/certchain.KfrH8RDv/agent-ca/inventory.txt -new_certs_dir = /tmp/certchain.KfrH8RDv/agent-ca/certs -serial = /tmp/certchain.KfrH8RDv/agent-ca/serial +certificate = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.crt +private_key = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.key +database = /tmp/certchain.KDOYxTc2/agent-ca/inventory.txt +new_certs_dir = /tmp/certchain.KDOYxTc2/agent-ca/certs +serial = /tmp/certchain.KDOYxTc2/agent-ca/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 policy = root_ca_policy x509_extensions = root_ca_exts [root_ca_policy] commonName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = supplied [root_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:true keyUsage = keyCertSign, cRLSign # Master CA [master_ca_config] -certificate = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.crt -private_key = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.key -database = /tmp/certchain.KfrH8RDv/agent-ca/inventory.txt -new_certs_dir = /tmp/certchain.KfrH8RDv/agent-ca/certs -serial = /tmp/certchain.KfrH8RDv/agent-ca/serial +certificate = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.crt +private_key = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.key +database = /tmp/certchain.KDOYxTc2/agent-ca/inventory.txt +new_certs_dir = /tmp/certchain.KDOYxTc2/agent-ca/certs +serial = /tmp/certchain.KDOYxTc2/agent-ca/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 policy = master_ca_policy x509_extensions = master_ca_exts # Master CA (Email) [master_ca_email_config] -certificate = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.crt -private_key = /tmp/certchain.KfrH8RDv/agent-ca/ca-agent-ca.key -database = 
/tmp/certchain.KfrH8RDv/agent-ca/inventory.txt -new_certs_dir = /tmp/certchain.KfrH8RDv/agent-ca/certs -serial = /tmp/certchain.KfrH8RDv/agent-ca/serial +certificate = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.crt +private_key = /tmp/certchain.KDOYxTc2/agent-ca/ca-agent-ca.key +database = /tmp/certchain.KDOYxTc2/agent-ca/inventory.txt +new_certs_dir = /tmp/certchain.KDOYxTc2/agent-ca/certs +serial = /tmp/certchain.KDOYxTc2/agent-ca/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 email_in_dn = yes policy = master_ca_email_policy x509_extensions = master_ca_exts [master_ca_policy] commonName = supplied [master_ca_email_policy] commonName = supplied emailAddress = supplied # default extensions for clients [master_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth [master_ssl_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth subjectAltName = $ENV::SAN # extensions for the master certificate (specifically adding subjectAltName) [master_self_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth # include the master's fqdn here, as well as in the CN, to work # around https://bugs.ruby-lang.org/issues/6493 # NOTE: Alt Names should be set in the request, so they know # their FQDN # subjectAltName = DNS:puppet,DNS:agent-ca.example.org
diff --git a/acceptance/tests/external_ca_support/fixtures/certchain.sh b/acceptance/tests/external_ca_support/fixtures/certchain.sh
index 3ada98795..b104db175 100755
--- a/acceptance/tests/external_ca_support/fixtures/certchain.sh
+++ b/acceptance/tests/external_ca_support/fixtures/certchain.sh
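Review bot: The regenerated fixture still carries `default_md = sha1` in all three CA sections (root_ca_config, master_ca_config, master_ca_email_config), so the new 2048-bit keys this commit introduces are signed with a SHA-1 digest; the signature-algorithm OID at the top of the regenerated ca-agent-ca.crt in this same diff decodes to sha1WithRSAEncryption, which confirms it. A key-size bump alone does not keep these fixtures usable against TLS stacks that reject SHA-1 signatures, so the digest should be raised in the same pass. This file is produced by the heredoc in certchain.sh (which sets the same `default_md = sha1`), so the change belongs there — `default_md = sha256` — followed by a re-run of the script to refresh the committed .crt/.key/.conf fixtures. The absolute `/tmp/certchain.KDOYxTc2/...` paths are pre-existing and presumably rewritten when the script runs at test time, so I would not block on them.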
@@ -1,553 +1,553 @@ #! /bin/bash ## NOTE: ## This script requires the following in /etc/hosts: ## 127.0.0.2 puppet master1.example.org # This will fail with a stock puppet 3.1.1, but will succeed if all of the # certificate subjects contain only the "CN" portion, and no O, OU, or # emailAddress. # basic config to describe the environment # B="/tmp/certchain" B="$(mktemp -d -t certchain.XXXXXXXX)" HTTPS_PORT=8443 OPENSSL=$(which openssl) # utility method to dedent a heredoc dedent() { python -c 'import sys, textwrap; print textwrap.dedent(sys.stdin.read())' } # invoke openssl openssl() { echo "----" echo "running" ${OPENSSL} ${@} echo " in $PWD" ${OPENSSL} "${@}" } show_cert() { local cert="$1" # openssl x509 -in "${cert}" -noout -text -nameopt RFC2253 openssl x509 -in "${cert}" -noout -text } hash_cert() { local cert="$1" local certdir="${B}/certdir" local h=$(${OPENSSL} x509 -hash -noout -in ${cert}) mkdir -p "${certdir}" ln -s "$cert" "${certdir}/${h}.0" } show_crl() { local crl="$1" openssl crl -in "${crl}" -noout -text } hash_crl() { local crl="$1" local certdir="${B}/certdir" local h=$(${OPENSSL} crl -hash -noout -in ${crl}) mkdir -p "${certdir}" ln -s "$crl" "${certdir}/${h}.r0" } # clean out any messes this script has made clean_up() { stop_apache rm -rf "$B" } stop_apache() { local pid pidfile="${B}/apache/httpd.pid" while true; do pid=$(cat "${pidfile}" 2>/dev/null || true) [ -z "$pid" ] && break # break if the pid is gone kill "$pid" || break # break if the kill fails (process is gone) sleep 0.1 done } # perform basic setup: make directories, etc. 
set_up() { mkdir -p "$B" } # create CA certificates: # # * $B/root_ca # * $B/master{1..2}_ca # # with each containing: # # * openssl.conf -- suitable for signing certificates # * ca-$name.key -- PEM format certificate key, with no password # * ca-$name.crt -- PEM format certificate create_ca_certs() { local name cn dir subj ca_config for name in root agent-ca master-ca; do dir="${B}/${name}" mkdir -p "${dir}" ( cd "${dir}" # if this is the root cert, make a self-signed cert if [ "$name" = "root" ]; then subj="/CN=Root CA/OU=Server Operations/O=Example Org, LLC" - openssl req -new -newkey rsa -days 7300 -nodes -x509 \ + openssl req -new -newkey rsa:2048 -days 7300 -nodes -x509 \ -subj "${subj}" -keyout "ca-${name}.key" -out "ca-${name}.crt" else # make a new key for the CA - openssl genrsa -out "ca-${name}.key" + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "ca-${name}.key" # build a CSR out of it dedent > openssl.tmp << OPENSSL_TMP [req] prompt = no distinguished_name = dn_config [dn_config] commonName = Intermediate CA (${name}) emailAddress = test@example.org organizationalUnitName = Server Operations organizationName = Example Org, LLC OPENSSL_TMP openssl req -config openssl.tmp -new -key "ca-${name}.key" -out "ca-${name}.csr" rm openssl.tmp # sign it with the root CA openssl ca -config ../root/openssl.conf -in "ca-${name}.csr" -notext -out "ca-${name}.crt" -batch # clean up the now-redundant csr rm "ca-${name}.csr" fi # set up the CA config; this uses the same file for all, but with different options # for the root and master CAs [ "$name" = "root" ] && ca_config=root_ca_config || ca_config=master_ca_config dedent > openssl.conf << OPENSSL_CONF SAN = DNS:puppet [ca] default_ca = ${ca_config} # Root CA [root_ca_config] certificate = ${dir}/ca-${name}.crt private_key = ${dir}/ca-${name}.key database = ${dir}/inventory.txt new_certs_dir = ${dir}/certs serial = ${dir}/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 policy = 
root_ca_policy x509_extensions = root_ca_exts [root_ca_policy] commonName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = supplied [root_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:true keyUsage = keyCertSign, cRLSign # Master CA [master_ca_config] certificate = ${dir}/ca-${name}.crt private_key = ${dir}/ca-${name}.key database = ${dir}/inventory.txt new_certs_dir = ${dir}/certs serial = ${dir}/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 policy = master_ca_policy x509_extensions = master_ca_exts # Master CA (Email) [master_ca_email_config] certificate = ${dir}/ca-${name}.crt private_key = ${dir}/ca-${name}.key database = ${dir}/inventory.txt new_certs_dir = ${dir}/certs serial = ${dir}/serial default_crl_days = 7300 default_days = 7300 default_md = sha1 email_in_dn = yes policy = master_ca_email_policy x509_extensions = master_ca_exts [master_ca_policy] commonName = supplied [master_ca_email_policy] commonName = supplied emailAddress = supplied # default extensions for clients [master_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth [master_ssl_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth subjectAltName = \$ENV::SAN # extensions for the master certificate (specifically adding subjectAltName) [master_self_ca_exts] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:false keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth # include the master's fqdn here, as well as in the CN, to work # around https://bugs.ruby-lang.org/issues/6493 # NOTE: Alt Names should be set in the request, so they know # their FQDN # subjectAltName = 
DNS:puppet,DNS:${name}.example.org OPENSSL_CONF touch inventory.txt mkdir certs echo 01 > serial show_cert "${dir}/ca-${name}.crt" hash_cert "${dir}/ca-${name}.crt" # generate an empty CRL for this CA openssl ca -config "${dir}/openssl.conf" -gencrl -out "${dir}/ca-${name}.crl" show_crl "${dir}/ca-${name}.crl" hash_crl "${dir}/ca-${name}.crl" ) done } # revoke leaf cert for $1 issued by master CA $2 revoke_leaf_cert() { local fqdn="$1" local ca="${2:-agent-ca}" local dir="${B}/${ca}" # revoke the cert and regenerate the crl openssl ca -config "${dir}/openssl.conf" -revoke "${B}/leaves/${fqdn}.issued_by.${ca}.crt" openssl ca -config "${dir}/openssl.conf" -gencrl -out "${dir}/ca-${ca}.crl" show_crl "${dir}/ca-${ca}.crl" # kill -HUP $(< "${B}/apache/httpd.pid") } # revoke CA cert for $1 revoke_ca_cert() { local master="$1" local dir="${B}/root" # revoke the cert and regenerate the crl openssl ca -config "${dir}/openssl.conf" -revoke "${B}/${master}/ca-${master}.crt" openssl ca -config "${dir}/openssl.conf" -gencrl -out "${dir}/ca-root.crl" show_crl "${dir}/ca-root.crl" kill -HUP $(< "${B}/apache/httpd.pid") } # create a "leaf" certificate for the given fqdn, signed by the given ca name. # $fqdn.issued_by.${ca}.{key,crt} will be placed in "${B}/leaves" create_leaf_cert() { local fqdn="$1" ca="$2" exts="$3" local masterdir="${B}/${ca}" local dir="${B}/leaves" local fname="${fqdn}.issued_by.${ca}" [ -n "$exts" ] && exts="-extensions $exts" mkdir -p "${dir}" ( cd "${dir}" - openssl genrsa -out "${fname}.key" + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${fname}.key" openssl req -subj "/CN=${fqdn}" -new -key "${fname}.key" -out "${fname}.csr" CN="${fqdn}" SAN="DNS:${fqdn}, DNS:${fqdn%%.*}, DNS:puppet, DNS:puppetmaster" \ openssl ca -config "${B}/${ca}/openssl.conf" -in "${fname}.csr" -notext \ -out "${fname}.crt" -batch $exts ) show_cert "${dir}/${fname}.crt" } # Note, we can parameterize SubjectAltNames using environment variables. 
create_leaf_certs() { create_leaf_cert master1.example.org master-ca master_ssl_exts create_leaf_cert master2.example.org master-ca master_ssl_exts create_leaf_cert agent1.example.org agent-ca create_leaf_cert agent2.example.org agent-ca create_leaf_cert agent3.example.org agent-ca create_leaf_cert master1.example.org agent-ca master_ssl_exts # rogue # create_leaf_cert master1.example.org root master_ssl_exts # rogue create_leaf_cert agent1.example.org master-ca # rogue # create_leaf_cert agent1.example.org root # rogue } # create a "leaf" certificate for the given fqdn, signed by the given ca name, # with an email address in the subject. # $fqdn.issued_by.${ca}.{key,crt} will be placed in "${B}/leaves" create_leaf_email_cert() { local fqdn="$1" ca="$2" exts="$3" local masterdir="${B}/${ca}" local dir="${B}/leaves" local fname="${fqdn}.issued_by.${ca}" mkdir -p "${dir}" ( cd "${dir}" - openssl genrsa -out "${fname}.key" + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${fname}.key" openssl req -subj "/CN=${fqdn}/emailAddress=test@example.com" -new -key "${fname}.key" -out "${fname}.csr" openssl ca -config "${B}/${ca}/openssl.conf" -name master_ca_email_config \ -in "${fname}.csr" -notext -out "${fname}.crt" -batch $exts_arg ) show_cert "${dir}/${fname}.crt" } create_leaf_email_certs() { create_leaf_email_cert master-email1.example.org master-ca master_self_ca_exts create_leaf_email_cert master-email2.example.org master-ca master_self_ca_exts create_leaf_email_cert agent-email1.example.org agent-ca create_leaf_email_cert agent-email2.example.org agent-ca create_leaf_email_cert agent-email3.example.org agent-ca } set_up_apache() { local apachedir="${B}/apache" mkdir -p "${apachedir}/puppetmaster/public" echo 'passed'> "${apachedir}/puppetmaster/public/test.txt" dedent > "${apachedir}/httpd.conf" < Require all granted RackAutoDetect On RackBaseURI / HTTPD_CONF } set_up_puppetmaster() { local apachedir="${B}/apache" local 
masterdir="${B}/puppetmaster" mkdir -p "${masterdir}/conf" "${masterdir}/var" "${masterdir}/manifests" dedent > "${apachedir}/puppetmaster/config.ru" < "${masterdir}/conf/puppet.conf" < "${masterdir}/manifests/site.pp" < "yes I was" } } SITE_PP } start_apache() { local apachedir="${B}/apache" if ! httpd -f "${apachedir}/httpd.conf"; then [ -f "${apachedir}/error_log" ] && tail "${apachedir}/error_log" false fi } check_apache() { # verify the SSL config with openssl. Note that s_client exits with 0 # no matter what, so this greps the output for an OK status. Also note # that this only checks that the validation of the server certs is OK, since # client validation is optional in the httpd config. echo $'GET /test.txt HTTP/1.0\n' | \ openssl s_client -connect "127.0.0.1:${HTTPS_PORT}" -verify 2 \ -cert "${B}/leaves/client2a.example.org.crt" \ -key "${B}/leaves/client2a.example.org.key" \ -CAfile "${B}/root/ca-root.crt" \ | tee "${B}/verify.out" cat "${B}/apache/error_log" grep -q "Verify return code: 0 (ok)" "${B}/verify.out" } check_puppetmaster() { # this is insecure, because otherwise curl will check that 127.0.0.1 == # master1.example.org and fail; validation of the server certs is done # above in check_apache, so this is fine. curl -vks --fail \ --header 'Accept: yaml' \ --cert "${B}/leaves/client2a.example.org.crt" \ --key "${B}/leaves/client2a.example.org.key" \ "https://127.0.0.1:${HTTPS_PORT}/production/catalog/client2a.example.org" >/dev/null echo } # set up the agent with the given fqdn set_up_agent() { local fqdn="$1" local agentdir="${B}/agent" mkdir -p "${agentdir}/conf" "${agentdir}/var" mkdir -p "${agentdir}/conf/ssl/private_keys" "${agentdir}/conf/ssl/certs" dedent > "${agentdir}/conf/puppet.conf" <