stack ca: apply some fixes

stack/certificate-authority/buildout.cfg

@@ -20,11 +20,12 @@ parts =
 
 [extra-eggs]
 recipe = zc.recipe.egg
-interpreter = python.ca
+interpreter = python_ca
 eggs =
   gunicorn # for WSGI HTTP Server
   futures
   certificate.authority
+# are also required
   plone.recipe.command
   collective.recipe.template
 
@@ -52,11 +53,10 @@ context =
   raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
   raw curl_executable_location ${curl:location}/bin/curl
   raw dash_executable_location ${dash:location}/bin/dash
-  raw dcron_executable_location ${dcron:location}/sbin/crond
   raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
   raw template_httpd_auth_conf ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
   raw openssl_executable_location ${openssl:location}/bin/openssl
-  raw python_executable ${buildout:directory}/bin/${extra-eggs:interpreter}
+  raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
 
 [template-certificate-authority]
 recipe = slapos.recipe.template:jinja2
@@ -70,8 +70,7 @@ context =
   raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
   raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
   raw dash_executable_location ${dash:location}/bin/dash
+  raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
   raw gunicorn_bin ${buildout:directory}/bin/gunicorn
   raw openssl_executable_location ${openssl:location}/bin/openssl
   raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
-  raw eggs_directory  ${buildout:eggs-directory}
-  raw develop_eggs_directory ${buildout:develop-eggs-directory}

stack/certificate-authority/buildout.hash.cfg

@@ -19,13 +19,13 @@ md5sum = ea445b0a9b143d12b5700a71ac06293c
 filename = template-httpd-auth.conf.in
 
 [template-nginx-ca-conf]
-md5sum = 608b221009981fddfd9bb6cc6c5d465c
+md5sum = d8bebf1629aacffd619541f363687b4a
 filename = ca-nginx.conf.in
 
 [template-authenticated-server]
 filename = template-authenticated-server.cfg
-md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
+md5sum = 444ada31a9a453fc0550df3ccccac6a7
 
 [template-certificate-authority]
 filename = template-certificate-authority.cfg
-md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
+md5sum = e097dab69a38e428600b171ce2f6d68c
\ No newline at end of file

stack/certificate-authority/instance-auth-server.cfg.jinja2.in

@@ -39,7 +39,6 @@ command-line = {{ certificate_request_bin }}
   --key-file ${:key-file}
   --ca-url ${authenticated-server-parameters:ca-url}
   --ca-crt-file ${:ca-cert}
-  --no-check-certificate
 
 [server-certificate-request]
 recipe = slapos.cookbook:wrapper
@@ -121,7 +120,7 @@ mode = 700
 recipe = slapos.cookbook:cron.d
 cron-entries = ${cron:cron-entries}
 name = certificate-auto-renew
-frequency = 0 */2 * * *
+frequency = 5 6 * * 6
 command = ${certificate-renew:output}
 
 [logrotate-authenticated-httpd]

stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in

@@ -10,9 +10,9 @@ parts =
 [certificate-authority-parameters]
 server-port = 8009
 server-https-port = 8010
-# Overrite this to set frontend URL (URL is used as CRL distribution point)
+# Overrite this to set frontend or DNS URL (URL is used as CRL distribution point)
 # Please set http not HTTPS scheme
-external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
+crl-external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
 
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -66,7 +66,6 @@ command-line = {{ certificate_request_bin }}
   --key-file ${:key-file}
   --ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
   --ca-crt-file ${:ca-cert}
-  --no-check-certificate
 
 [nginx-certificate-request]
 recipe = slapos.cookbook:wrapper
@@ -77,12 +76,15 @@ command-line =
   --request
 
 [ca-nginx-ssl-config]
+# if ssl certificate is signed write to file so that zero-knowledge can read
 recipe = plone.recipe.command
 command = 
   if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
-    echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
-  else:
-    echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
+    cat << EOF > ${:output}
+    [ca-nginx-ssl]
+    key=${:key}
+    cert=${:cert}
+    EOF
   fi
 key = ${directory:ssl}/ca-cert.key
 cert = ${directory:ssl}/ca-cert.crt
@@ -93,6 +95,9 @@ stop-on-error = true
 [ca-nginx-ssl]
 recipe = slapos.cookbook:zero-knowledge.read
 file-path = ${ca-nginx-ssl-config:output}
+# initials values are empty, the section https (ssl) in nginx config will be skipped
+cert = 
+key = 
 
 [ca-nginx-conf-parameter]
 ip = ${slap-configuration:ipv6-random}
@@ -122,6 +127,7 @@ context =
 
 [certificate-authority-conf]
 recipe = collective.recipe.template
+# Values here are intended to be changed in your instance. override this section
 input = inline:
   ca-dir ${directory:ca-dir}
   # enable debug
@@ -129,7 +135,7 @@ input = inline:
   # log-file ${directory:log}/ca-server.log
   subject /C=XX/ST=State/L=City/OU=OUnit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
   max-request-amount 10
-  external-url ${certificate-authority-parameters:external-url}
+  external-url ${certificate-authority-parameters:crl-external-url}
   # one year (in seconds)
   crt-life-time 31536000
   # crl-life-period correspond to about one week
@@ -165,17 +171,15 @@ wrapper-path = ${directory:services}/ca-gunicorn
 recipe = slapos.cookbook:wrapper
 command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
 wrapper-path = ${directory:services}/ca-server
-#wait-for-files =
-#  ${ca-nginx-ssl:cert}
-#  ${ca-nginx-ssl:key}
-url = ${certificate-authority-parameters:external-url}
-secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
+url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
+insecure-url = ${certificate-authority-parameters:crl-external-url}
 depends = 
   ${nginx-certificate-request:wrapper-path}
   ${certificate-authority-server-promise:filename}
   ${certificate-authority-https-server-promise:filename}
   ${ca-nginx-graceful:output}
-  ${certificate-renew-cron-entry:name}
+  ${ca-certificate-renew-cron-entry:name}
+  ${logrotate-ca-nginx:name}
 
 [ca-server-certificate-renew]
 recipe = collective.recipe.template
@@ -190,18 +194,27 @@ input = inline:
 
   if [ $remind -lt $thresold ]; then
     exec ${nginx-certificate-request-base:wrapper-path} --renew
+    # run nginx grancefull restart to reload renewed certificates
+    excec ${ca-nginx-graceful:output}
   fi
 
 output = ${directory:bin}/server-certificate-renew
 mode = 700
 
-[certificate-renew-cron-entry]
+[ca-certificate-renew-cron-entry]
 recipe = slapos.cookbook:cron.d
 cron-entries = ${cron:cron-entries}
 name = ca-server-certificate-auto-renew
-frequency = 0 */2 * * *
+# check renew every-week
+frequency = 5 4 * * 6
 command = ${ca-server-certificate-renew:output}
 
+[logrotate-ca-nginx]
+< = logrotate-entry-base
+name = certificate-authority-nginx-server
+log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
+post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
+
 [certificate-authority-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
@@ -226,5 +239,3 @@ partition = ${slap-connection:partition-id}
 url = ${slap-connection:server-url}
 key = ${slap-connection:key-file}
 cert = ${slap-connection:cert-file}
-
-[slap-parameter]

stack/certificate-authority/template/ca-nginx.conf.in

@@ -62,7 +62,7 @@ http {
     {% endif -%}
 
     server {
-      listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
+      listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }};
       server_name _;
       keepalive_timeout 90s;
       client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};