ca stack: request nginx certificate on CA through http, ca-nginx support http and https URL

stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in

@@ -9,8 +9,10 @@ parts =
 
 [certificate-authority-parameters]
 server-port = 8009
-# Overrite this to set frontend URL
-external-url = https://[${slap-configuration:ipv6-random}]:${:server-port}
+server-https-port = 8010
+# Overrite this to set frontend URL (URL is used as CRL distribution point)
+# Please set http not HTTPS scheme
+external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
 
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs}
 ca-newcerts = ${ca-directory:newcerts}
 ca-crl = ${ca-directory:crl}
 
-[ca-nginx-ssl]
+[nginx-certificate-request-base]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:bin}/request-base-certificate
+cert-file = ${ca-nginx-ssl-config:cert}
+key-file = ${ca-nginx-ssl-config:key}
+ca-cert = ${directory:ssl}/cacert.pem
+parameters-extra = true
+command-line = {{ certificate_request_bin }}
+  --crt-file ${:cert-file}
+  --key-file ${:key-file}
+  --ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+  --ca-crt-file ${:ca-cert}
+  --no-check-certificate
+
+[nginx-certificate-request]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:scripts}/request-server-certificate
+command-line =
+  ${nginx-certificate-request-base:wrapper-path}
+  --cn nginx@certificate.authority
+  --request
+
+[ca-nginx-ssl-config]
 recipe = plone.recipe.command
-# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files
-command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+command = 
+  if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
+    echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
+  else:
+    echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
+  fi
 key = ${directory:ssl}/ca-cert.key
 cert = ${directory:ssl}/ca-cert.crt
-update-command = 
+update-command = ${:command}
+output = ${directory:etc}/ca-nginx-ssl.cfg
 stop-on-error = true
 
+[ca-nginx-ssl]
+recipe = slapos.cookbook:zero-knowledge.read
+file-path = ${ca-nginx-ssl-config:output}
+
 [ca-nginx-conf-parameter]
 ip = ${slap-configuration:ipv6-random}
 port = ${certificate-authority-parameters:server-port}
+https-port = ${certificate-authority-parameters:server-https-port}
 pid-file = ${directory:run}/nginx-ca.pid
 access-log = ${directory:log}/nginx-ca-access.log
 error-log = ${directory:log}/nginx-ca-error.log
@@ -102,6 +136,8 @@ input = inline:
   crl-life-period 0.02
   # ca-life-time = ca-life-period * crt-life-time
   ca-life-period 10
+  # time before clean certificate on CA: 60*24*60*60
+  crt-keep-time 5184000
 
 output = ${directory:etc}/ca.conf
 mode = 700
@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn
 recipe = slapos.cookbook:wrapper
 command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
 wrapper-path = ${directory:services}/ca-server
-wait-for-files =
-  ${ca-nginx-ssl:cert}
-  ${ca-nginx-ssl:key}
-#environment = 
-#  CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
+#wait-for-files =
+#  ${ca-nginx-ssl:cert}
+#  ${ca-nginx-ssl:key}
 url = ${certificate-authority-parameters:external-url}
+secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
 depends = 
+  ${nginx-certificate-request:wrapper-path}
   ${certificate-authority-server-promise:filename}
+  ${certificate-authority-https-server-promise:filename}
   ${ca-nginx-graceful:output}
+  ${certificate-renew-cron-entry:name}
+
+[ca-server-certificate-renew]
+recipe = collective.recipe.template
+input = inline:
+  #!{{ dash_executable_location }}
+
+  d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
+  cert_time=$(date -d "$d" +"%s")
+  now=$(date +"%s")
+  thresold=2592000  # 30*24*60*60  equivalent to one month in seconds
+  remind=$(($cert_time - $now))
+
+  if [ $remind -lt $thresold ]; then
+    exec ${nginx-certificate-request-base:wrapper-path} --renew
+  fi
+
+output = ${directory:bin}/server-certificate-renew
+mode = 700
+
+[certificate-renew-cron-entry]
+recipe = slapos.cookbook:cron.d
+cron-entries = ${cron:cron-entries}
+name = ca-server-certificate-auto-renew
+frequency = 0 */2 * * *
+command = ${ca-server-certificate-renew:output}
 
 [certificate-authority-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
 filename = certificate-authority-server-listening-on-tcp
 url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+dash_path = {{ dash_executable_location }}
+curl_path = {{ curl_executable_location }}
+
+[certificate-authority-https-server-promise]
+recipe = slapos.cookbook:check_url_available
+path = ${directory:promises}/${:filename}
+filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
+url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
 check-secure = 1
 dash_path = {{ dash_executable_location }}
 curl_path = {{ curl_executable_location }}

stack/certificate-authority/template/ca-nginx.conf.in

@@ -26,36 +26,70 @@ http {
       server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
     }
 
-     server {
-        listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl;
-        server_name _;
-        ssl_certificate     {{ parameter_dict['cert-file'] }};
-        ssl_certificate_key {{ parameter_dict['key-file'] }};
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
-        ssl_prefer_server_ciphers on;
-        keepalive_timeout 90s;
-        client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
-        proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
-        fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
-        uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
-        scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
-
-        location / {
-            proxy_redirect off;
-            proxy_set_header   X-Forwarded-Proto $scheme;
-            proxy_set_header   X-Real-IP $remote_addr;
-            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-            proxy_set_header   X-Forwarded-Host  $http_host;
-            proxy_set_header   Host $http_host;
-            proxy_set_header   Authorization $http_authorization;
-            proxy_pass_header  Authorization;
-            proxy_connect_timeout 90;
-            proxy_send_timeout    90;
-            proxy_read_timeout    90;
-            send_timeout          90;
-
-            proxy_pass http://app_server;
-        }
+    {% if parameter_dict['cert-file'] and parameter_dict['key-file'] -%}
+    server {
+      listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }} ssl;
+      server_name _;
+      ssl_certificate     {{ parameter_dict['cert-file'] }};
+      ssl_certificate_key {{ parameter_dict['key-file'] }};
+      ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+      ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
+      ssl_prefer_server_ciphers on;
+      keepalive_timeout 90s;
+      client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
+      proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
+      fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
+      uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+      scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
+
+      location / {
+          proxy_redirect off;
+          proxy_set_header   X-Forwarded-Proto $scheme;
+          proxy_set_header   X-Real-IP $remote_addr;
+          proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header   X-Forwarded-Host  $http_host;
+          proxy_set_header   Host $http_host;
+          proxy_set_header   Authorization $http_authorization;
+          proxy_pass_header  Authorization;
+          proxy_connect_timeout 90;
+          proxy_send_timeout    90;
+          proxy_read_timeout    90;
+          send_timeout          90;
+
+          proxy_pass http://app_server;
+      }
+    }
+    {% endif -%}
+
+    server {
+      listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
+      server_name _;
+      keepalive_timeout 90s;
+      client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
+      proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
+      fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
+      uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
+      scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
+
+      location ~ ^(/admin|/user) {
+        # http is not used for /admin and /user
+      }
+
+      location / {
+          proxy_redirect off;
+          proxy_set_header   X-Forwarded-Proto $scheme;
+          proxy_set_header   X-Real-IP $remote_addr;
+          proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header   X-Forwarded-Host  $http_host;
+          proxy_set_header   Host $http_host;
+          proxy_set_header   Authorization $http_authorization;
+          proxy_pass_header  Authorization;
+          proxy_connect_timeout 90;
+          proxy_send_timeout    90;
+          proxy_read_timeout    90;
+          send_timeout          90;
+
+          proxy_pass http://app_server;
+      }
     }
 }