Commit d90a7620 authored by Kazuhiko Shiozaki

*: stronger SSL keys and certificates.

* use the default RSA key length instead of hardcoding it to 1024 (too weak) or 2048 (the same as the current default).
* use SHA256 in certificates.
parent d905d7c1
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
[instance-jupyter-notebook] [instance-jupyter-notebook]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 9f412363ce2c2ac99e3328f7d87d456d md5sum = fd7ed44da8d8723983b8666df2971a36
[jupyter-notebook-config] [jupyter-notebook-config]
filename = jupyter_notebook_config.py.jinja filename = jupyter_notebook_config.py.jinja
......
...@@ -43,9 +43,9 @@ recipe = plone.recipe.command ...@@ -43,9 +43,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e ${instance-parameter:key_file} ] if [ ! -e ${instance-parameter:key_file} ]
then then
{{ openssl_output }} req -x509 -nodes -days 3650 \ {{ openssl_output }} req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \
-newkey rsa:1024 -keyout ${instance-parameter:key_file} \ -newkey rsa -keyout ${instance-parameter:key_file} \
-out ${instance-parameter:cert_file} -out ${instance-parameter:cert_file}
fi fi
update-command = ${:command} update-command = ${:command}
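Review bot: With the size dropped on the `-newkey rsa -keyout ${instance-parameter:key_file}` line, the key length is no longer stated anywhere in this profile; it now comes from `default_bits` in the `[req]` section of whichever openssl.cnf the bundled OpenSSL loads and, when that is unset, from the binary's compiled-in default, which in OpenSSL 1.0.x was well below 2048. That is fine as long as the software release pins a current OpenSSL, but it is an implicit dependency that the description's "same as the current default" does not record, and it applies to every `-newkey rsa` hunk in this commit. The hunks that pass their own `-config` (`'${dufs-certificate-csr-config:output}'`, `'${rest-server-certificate-csr-config:output}'`, and `self.openssl_configuration` in CertificateAuthority) take `default_bits` from that file rather than the stock config, so those files should be checked to set it to 2048 or more. A comment next to the command, `# key size comes from default_bits of the bundled OpenSSL's openssl.cnf (2048+); not safe with an old OpenSSL`, plus a test asserting the generated key is at least 2048 bits would make the assumption visible.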
......
...@@ -46,7 +46,7 @@ class CertificateAuthority: ...@@ -46,7 +46,7 @@ class CertificateAuthority:
try: try:
# no CA, let us create new one # no CA, let us create new one
popenCommunicate([self.openssl_binary, 'req', '-utf8', '-nodes', popenCommunicate([self.openssl_binary, 'req', '-utf8', '-nodes',
'-config', self.openssl_configuration, '-new', '-x509', '-config', self.openssl_configuration, '-new', '-sha256', '-x509',
'-extensions', 'v3_ca', '-keyout', self.key, '-out', '-extensions', 'v3_ca', '-keyout', self.key, '-out',
self.certificate, '-days', '10950'], self.certificate, '-days', '10950'],
'Certificate Authority %s\n' % uuid.uuid1()) 'Certificate Authority %s\n' % uuid.uuid1())
...@@ -75,7 +75,7 @@ class CertificateAuthority: ...@@ -75,7 +75,7 @@ class CertificateAuthority:
csr = certificate + '.csr' csr = certificate + '.csr'
try: try:
popenCommunicate([self.openssl_binary, 'req', '-config', popenCommunicate([self.openssl_binary, 'req', '-config',
self.openssl_configuration, '-nodes', '-new', '-keyout', self.openssl_configuration, '-nodes', '-new', '-sha256', '-keyout',
key, '-out', csr, '-days', '3650'], key, '-out', csr, '-days', '3650'],
common_name + '\n') common_name + '\n')
try: try:
......
...@@ -78,7 +78,7 @@ class Recipe(GenericBaseRecipe): ...@@ -78,7 +78,7 @@ class Recipe(GenericBaseRecipe):
'%s' % key_file, self.options['key-size']] '%s' % key_file, self.options['key-size']]
#'-config', openssl_configuration #'-config', openssl_configuration
cert_command = [self.options['openssl-bin'], 'req', '-nodes', '-new', cert_command = [self.options['openssl-bin'], 'req', '-nodes', '-new', '-sha256',
'-x509', '-batch', '-key', '%s' % key_file, '-set_serial', '-x509', '-batch', '-key', '%s' % key_file, '-set_serial',
'%s' % serial, '-days', '3650', '-out', '%s' % cert_file] '%s' % serial, '-days', '3650', '-out', '%s' % cert_file]
......
...@@ -19,7 +19,7 @@ md5sum = ed2bd38b78f2a66f474205249f6e6f2c ...@@ -19,7 +19,7 @@ md5sum = ed2bd38b78f2a66f474205249f6e6f2c
[template-instance-beremiz] [template-instance-beremiz]
filename = instance-beremiz.cfg.jinja2.in filename = instance-beremiz.cfg.jinja2.in
md5sum = bca63fc8943e7c5fa7dd43841e49bf95 md5sum = 29c65611d51975e5bb2a1e2002a0a6c8
[template-instance-beremiz-test] [template-instance-beremiz-test]
filename = instance-beremiz-test.cfg.jinja2.in filename = instance-beremiz-test.cfg.jinja2.in
......
...@@ -25,7 +25,7 @@ fluxbox = ${buildout:directory}/.fluxbox ...@@ -25,7 +25,7 @@ fluxbox = ${buildout:directory}/.fluxbox
[gen-certificate] [gen-certificate]
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ openssl_bin }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key-file}" -out "${:cert-file}" command = "{{ openssl_bin }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key-file}" -out "${:cert-file}"
stop-on-error = true stop-on-error = true
cert-file = ${directory:ssl}/beremiz.crt cert-file = ${directory:ssl}/beremiz.crt
key-file = ${directory:ssl}/beremiz.key key-file = ${directory:ssl}/beremiz.key
......
...@@ -18,7 +18,7 @@ md5sum = d1e4d7306c39f2ebc64d0407860d4301 ...@@ -18,7 +18,7 @@ md5sum = d1e4d7306c39f2ebc64d0407860d4301
[template-cloudooo-instance] [template-cloudooo-instance]
filename = instance-cloudooo.cfg.in filename = instance-cloudooo.cfg.in
md5sum = 13759bf9720f0e7109fc35a8ad8a50a9 md5sum = 06dc19acd28ab412beffa61890be2095
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
......
...@@ -116,7 +116,7 @@ crl = ${directory:apache-conf}/crl.pem ...@@ -116,7 +116,7 @@ crl = ${directory:apache-conf}/crl.pem
[apache-ssl] [apache-ssl]
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${apache-conf-ssl:key} key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert} cert = ${apache-conf-ssl:cert}
......
...@@ -15,4 +15,4 @@ ...@@ -15,4 +15,4 @@
[instance.cfg.in] [instance.cfg.in]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = f7a283e3288d3a9ddfd5de7e9b309273 md5sum = 1e9012cb8476e00497b3fe9881158440
...@@ -115,6 +115,7 @@ command = ...@@ -115,6 +115,7 @@ command =
-newkey rsa \ -newkey rsa \
-batch \ -batch \
-new \ -new \
-sha256 \
-nodes \ -nodes \
-keyout /dev/null \ -keyout /dev/null \
-config '${dufs-certificate-csr-config:output}' \ -config '${dufs-certificate-csr-config:output}' \
......
...@@ -18,4 +18,4 @@ md5sum = 06b0acece285ecbc0e746fa267a374b6 ...@@ -18,4 +18,4 @@ md5sum = 06b0acece285ecbc0e746fa267a374b6
[template-default] [template-default]
filename = instance-default.cfg.jinja.in filename = instance-default.cfg.jinja.in
md5sum = 164c4610ab20a081b3db26f23566bb7c md5sum = bf95d5f4ac107ad27a0c980633ad20be
...@@ -118,9 +118,9 @@ recipe = plone.recipe.command ...@@ -118,9 +118,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e $${:cert-file} ] if [ ! -e $${:cert-file} ]
then then
${openssl-output:openssl} req -x509 -nodes -days 3650 \ ${openssl-output:openssl} req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-newkey rsa:2048 -keyout $${:cert-file} \ -newkey rsa -keyout $${:cert-file} \
-out $${:cert-file} -out $${:cert-file}
fi fi
update-command = $${:command} update-command = $${:command}
......
...@@ -19,4 +19,4 @@ md5sum = 1747b8cda8d815055453420de4ed677f ...@@ -19,4 +19,4 @@ md5sum = 1747b8cda8d815055453420de4ed677f
[template-default] [template-default]
filename = instance-default.cfg.in filename = instance-default.cfg.in
md5sum = fa9bd07d6a5fcf55e9548f63a943f022 md5sum = 452599c3067904a9decb8c5dba55eb46
...@@ -58,7 +58,7 @@ recordings = $${:srv}/recordings ...@@ -58,7 +58,7 @@ recordings = $${:srv}/recordings
recipe = plone.recipe.command recipe = plone.recipe.command
cert-file = $${directory:data}/cert.pem cert-file = $${directory:data}/cert.pem
key-file = $${directory:data}/key.pem key-file = $${directory:data}/key.pem
command = ${openssl:location}/bin/openssl req -newkey rsa:2048 -batch -new -x509 -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}" command = ${openssl:location}/bin/openssl req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}"
update-command = update-command =
stop-on-error = true stop-on-error = true
......
...@@ -54,7 +54,7 @@ md5sum = 58e3d5bbda32583d00cd8f44ec0525b0 ...@@ -54,7 +54,7 @@ md5sum = 58e3d5bbda32583d00cd8f44ec0525b0
[instance-gitlab.cfg.in] [instance-gitlab.cfg.in]
_update_hash_filename_ = instance-gitlab.cfg.in _update_hash_filename_ = instance-gitlab.cfg.in
md5sum = 9303fa3912e6eaea04add760b55521f3 md5sum = b913c4a1f199a87ad71da6d102adffa4
[instance-gitlab-export.cfg.in] [instance-gitlab-export.cfg.in]
_update_hash_filename_ = instance-gitlab-export.cfg.in _update_hash_filename_ = instance-gitlab-export.cfg.in
......
...@@ -766,7 +766,7 @@ key_file = ${nginx-ssl-dir:ssl}/gitlab_backend.key ...@@ -766,7 +766,7 @@ key_file = ${nginx-ssl-dir:ssl}/gitlab_backend.key
command = command =
test -e ${:key_file} || \ test -e ${:key_file} || \
{{ openssl_bin }} req -newkey rsa -batch -new -x509 -days 3650 -nodes \ {{ openssl_bin }} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes \
-keyout ${:key_file} -out ${:cert_file} -keyout ${:key_file} -out ${:cert_file}
update-command = ${:command} update-command = ${:command}
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
[instance-profile] [instance-profile]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 94674d597e3ea7e9eca3637a737765ff md5sum = 8c9dc41c176ba01116de5b71aaa704de
[influxdb-config-file] [influxdb-config-file]
filename = influxdb-config-file.cfg.in filename = influxdb-config-file.cfg.in
......
...@@ -55,9 +55,9 @@ recipe = plone.recipe.command ...@@ -55,9 +55,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e ${:key-file} ] if [ ! -e ${:key-file} ]
then then
{{ openssl_bin }} req -x509 -nodes -days 3650 \ {{ openssl_bin }} req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \
-newkey rsa:1024 -keyout ${:key-file} \ -newkey rsa -keyout ${:key-file} \
-out ${:cert-file} -out ${:cert-file}
fi fi
update-command = ${:command} update-command = ${:command}
......
...@@ -4,7 +4,7 @@ md5sum = c6cdcee1e16dd4bd3bc462d286dcb999 ...@@ -4,7 +4,7 @@ md5sum = c6cdcee1e16dd4bd3bc462d286dcb999
[instance-headless-chromium] [instance-headless-chromium]
_update_hash_filename_ = instance-headless-chromium.cfg.in _update_hash_filename_ = instance-headless-chromium.cfg.in
md5sum = 8a7e024569d92b0992f40ddac232cff5 md5sum = df3ae1220c58cde5555ee596ef4a8b1d
[template-nginx-conf] [template-nginx-conf]
_update_hash_filename_ = templates/nginx.conf.in _update_hash_filename_ = templates/nginx.conf.in
......
...@@ -50,7 +50,7 @@ command-line = ...@@ -50,7 +50,7 @@ command-line =
--user-data-dir=${directory:tmp} --user-data-dir=${directory:tmp}
--window-size="${headless-chromium:window-size}" --window-size="${headless-chromium:window-size}"
{% if parameter_dict['incognito'] %} --incognito{% endif -%} {% if parameter_dict['incognito'] %} --incognito{% endif -%}
{% if parameter_dict['block-new-web-contents'] %} --block-new-web-contents{% endif -%} {% if parameter_dict['block-new -sha256-web-contents'] %} --block-new-web-contents{% endif -%}
{{ '\n "${headless-chromium:target-url}"' }} {{ '\n "${headless-chromium:target-url}"' }}
environment = environment =
FONTCONFIG_FILE=${font-config:output} FONTCONFIG_FILE=${font-config:output}
...@@ -114,7 +114,7 @@ command = ...@@ -114,7 +114,7 @@ command =
then then
openssl req -x509 -nodes -days 3650 \ openssl req -x509 -nodes -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=${:common-name}" \
-newkey rsa:1024 -keyout ${:key-file} \ -newkey rsa -keyout ${:key-file} \
-out ${:cert-file} -out ${:cert-file}
openssl x509 -addtrust serverAuth \ openssl x509 -addtrust serverAuth \
-in ${:cert-file} \ -in ${:cert-file} \
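Review bot: The `-sha256` in the `@@ -50,7 +50,7 @@` hunk landed inside a Jinja dictionary key, turning `parameter_dict['block-new-web-contents']` into `parameter_dict['block-new -sha256-web-contents']`, which looks up a key that does not exist and will either fail the template render or silently drop `--block-new-web-contents`, depending on how `parameter_dict` is built; it looks like a text replacement of `-new` that matched the option name. Meanwhile the openssl invocation in the `@@ -114,7 +114,7 @@` hunk, `openssl req -x509 -nodes -days 3650 \`, is the one line in this file that should have gained the flag and did not. The fix is to restore `{% if parameter_dict['block-new-web-contents'] %} --block-new-web-contents{% endif -%}` and change the openssl line to `openssl req -x509 -nodes -sha256 -days 3650 \`, after which the md5sum for instance-headless-chromium.cfg.in has to be regenerated. The same missing `-sha256` on a `req -x509 -nodes -days 3650` line also occurs in the `@@ -137,7 +137,7 @@` (selenium) and `@@ -237,7 +237,7 @@` (theia) hunks, where the `-newkey` line was changed but the digest was not. In all three places the enclosing `command =` block starts before the hunk.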
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
[template-cfg] [template-cfg]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = edddaa4f6145f3eab4463063dacacfaa md5sum = 6799fbb8d8e485725a046ba6361d20fa
[template_nginx_conf] [template_nginx_conf]
_update_hash_filename_ = templates/nginx_conf.in _update_hash_filename_ = templates/nginx_conf.in
......
...@@ -174,9 +174,9 @@ recipe = plone.recipe.command ...@@ -174,9 +174,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e ${:key-file} ] if [ ! -e ${:key-file} ]
then then
{{ parameter_list['openssl_location'] }}/bin/openssl req -x509 -nodes -days 3650 \ {{ parameter_list['openssl_location'] }}/bin/openssl req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=${hugo:ip}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=${hugo:ip}" \
-newkey rsa:1024 -keyout ${:key-file} \ -newkey rsa -keyout ${:key-file} \
-out ${:cert-file} -out ${:cert-file}
fi fi
update-command = ${:command} update-command = ${:command}
......
...@@ -19,7 +19,7 @@ md5sum = 7333d1dfd4e8e4c375f7f1748292f554 ...@@ -19,7 +19,7 @@ md5sum = 7333d1dfd4e8e4c375f7f1748292f554
[template-jscrawler] [template-jscrawler]
filename = instance-jscrawler.cfg.jinja2.in filename = instance-jscrawler.cfg.jinja2.in
md5sum = 2ba9d6a30b420c9bf67d4a135b48212b md5sum = 2d8da11d54464422110f92dc62c55c78
[template-jscrawler-builder] [template-jscrawler-builder]
filename = template-jscrawler.builder.sh.in filename = template-jscrawler.builder.sh.in
......
...@@ -19,7 +19,7 @@ tmp = ${:srv}/tmp ...@@ -19,7 +19,7 @@ tmp = ${:srv}/tmp
################################# #################################
[gen-certificate] [gen-certificate]
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:ssl_key}" -out "${:ssl_crt}" command = "{{ parameter_dict['openssl'] }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:ssl_key}" -out "${:ssl_crt}"
stop-on-error = true stop-on-error = true
ssl_crt = ${directory:ssl}/httpd.crt ssl_crt = ${directory:ssl}/httpd.crt
ssl_key = ${directory:ssl}/httpd.key ssl_key = ${directory:ssl}/httpd.key
......
...@@ -19,7 +19,7 @@ md5sum = 5f39952f94095b1f12f41db76867e71e ...@@ -19,7 +19,7 @@ md5sum = 5f39952f94095b1f12f41db76867e71e
[instance-jupyter] [instance-jupyter]
filename = instance-jupyter.cfg.in filename = instance-jupyter.cfg.in
md5sum = 1ac942c544d2a2aa3d1e16a61a1f8bc8 md5sum = f9a0e5a134456d74ca8b4d87862f903d
[jupyter-notebook-config] [jupyter-notebook-config]
filename = jupyter_notebook_config.py.jinja filename = jupyter_notebook_config.py.jinja
......
...@@ -61,9 +61,9 @@ recipe = plone.recipe.command ...@@ -61,9 +61,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e ${instance-parameter:key_file} ] if [ ! -e ${instance-parameter:key_file} ]
then then
{{ openssl_output }} req -x509 -nodes -days 3650 \ {{ openssl_output }} req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=${instance-parameter:host}" \
-newkey rsa:1024 -keyout ${instance-parameter:key_file} \ -newkey rsa -keyout ${instance-parameter:key_file} \
-out ${instance-parameter:cert_file} -out ${instance-parameter:cert_file}
fi fi
update-command = ${:command} update-command = ${:command}
......
...@@ -79,7 +79,7 @@ md5sum = a97ba5a5afcfd6f6bb9f4e77f37555dd ...@@ -79,7 +79,7 @@ md5sum = a97ba5a5afcfd6f6bb9f4e77f37555dd
[template-httpd] [template-httpd]
filename = instance-kvm-http.cfg.in filename = instance-kvm-http.cfg.in
md5sum = 438192aab9f11e40dc521b46a4854dcf md5sum = 12779e690aa8341da660d833e102e552
[image-download-controller] [image-download-controller]
filename = template/image-download-controller.py.in filename = template/image-download-controller.py.in
......
...@@ -57,7 +57,7 @@ mode = 700 ...@@ -57,7 +57,7 @@ mode = 700
[httpd-ssl] [httpd-ssl]
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${directory:ssl}/key key = ${directory:ssl}/key
cert = ${directory:ssl}/cert cert = ${directory:ssl}/cert
update-command = update-command =
......
[instance-profile] [instance-profile]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = f753802ad631a57c559d868e525cf81b md5sum = 798485b3dd08749ff8ec92d65c6a180f
...@@ -78,7 +78,7 @@ recipe = plone.recipe.command ...@@ -78,7 +78,7 @@ recipe = plone.recipe.command
command = command =
if [ ! -e $${:cert-file} ] if [ ! -e $${:cert-file} ]
then then
${openssl-output:openssl} req -x509 -nodes -days 3650 \ ${openssl-output:openssl} req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-newkey rsa -keyout $${:cert-file} \ -newkey rsa -keyout $${:cert-file} \
-out $${:cert-file} -out $${:cert-file}
......
[template] [template]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 6482b6aea742357350f0d7e350f9baa6 md5sum = 52e599b14817e28e7ee48706360ad3cc
[template-nginx-configuration] [template-nginx-configuration]
filename = template-nginx.cfg.in filename = template-nginx.cfg.in
......
...@@ -60,9 +60,9 @@ recipe = plone.recipe.command ...@@ -60,9 +60,9 @@ recipe = plone.recipe.command
command = command =
if [ ! -e $${:key-file} ] if [ ! -e $${:key-file} ]
then then
${openssl:location}/bin/openssl req -x509 -nodes -days 3650 \ ${openssl:location}/bin/openssl req -x509 -nodes -sha256 -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${nginx-configuration:ip}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${nginx-configuration:ip}" \
-newkey rsa:1024 -keyout $${:key-file} \ -newkey rsa -keyout $${:key-file} \
-out $${:cert-file} -out $${:cert-file}
fi fi
update-command = $${:command} update-command = $${:command}
......
...@@ -22,15 +22,15 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68 ...@@ -22,15 +22,15 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
[profile-frontend] [profile-frontend]
filename = instance-frontend.cfg.in filename = instance-frontend.cfg.in
md5sum = bb8129cdd89632c3c3ce86556496cb0f md5sum = b3c5694042035f13832479dca3481597
[profile-master] [profile-master]
filename = instance-master.cfg.in filename = instance-master.cfg.in
md5sum = 3006197ddce87bd92866b76b5ce8ce08 md5sum = 934b7f5e8d470e18bc980942bf467ada
[profile-slave-list] [profile-slave-list]
filename = instance-slave-list.cfg.in filename = instance-slave-list.cfg.in
md5sum = b75e42233c1b7bdd5f21971ed8907efc md5sum = 96bd66e98c7b4492ab4aba46e0e14e13
[profile-master-publish-slave-information] [profile-master-publish-slave-information]
filename = instance-master-publish-slave-information.cfg.in filename = instance-master-publish-slave-information.cfg.in
...@@ -102,7 +102,7 @@ md5sum = e82ccdb0b26552a1c88ff523d8fae24a ...@@ -102,7 +102,7 @@ md5sum = e82ccdb0b26552a1c88ff523d8fae24a
[profile-kedifa] [profile-kedifa]
filename = instance-kedifa.cfg.in filename = instance-kedifa.cfg.in
md5sum = 669da915003122e48646dc75fec239a5 md5sum = 107dc147d94d02d2084b97b8ec591831
[template-frontend-haproxy-rsyslogd-conf] [template-frontend-haproxy-rsyslogd-conf]
_update_hash_filename_ = templates/frontend-haproxy-rsyslogd.conf.in _update_hash_filename_ = templates/frontend-haproxy-rsyslogd.conf.in
......
...@@ -209,7 +209,7 @@ command = ...@@ -209,7 +209,7 @@ command =
rm -f ${:certificate} rm -f ${:certificate}
/bin/bash -c ' \ /bin/bash -c ' \
{{ software_parameter_dict['openssl'] }} req \ {{ software_parameter_dict['openssl'] }} req \
-new -newkey rsa:2048 -sha256 \ -new -newkey rsa -sha256 \
-nodes -x509 -days 36500 \ -nodes -x509 -days 36500 \
-keyout ${:certificate} \ -keyout ${:certificate} \
-subj "/CN=Self Signed IP Access" \ -subj "/CN=Self Signed IP Access" \
...@@ -233,7 +233,7 @@ command = ...@@ -233,7 +233,7 @@ command =
rm -f ${:certificate} rm -f ${:certificate}
/bin/bash -c ' \ /bin/bash -c ' \
{{ software_parameter_dict['openssl'] }} req \ {{ software_parameter_dict['openssl'] }} req \
-new -newkey rsa:2048 -sha256 \ -new -newkey rsa -sha256 \
-nodes -x509 -days 36500 \ -nodes -x509 -days 36500 \
-keyout ${:certificate} \ -keyout ${:certificate} \
-subj "/CN=Fallback certificate/OU={{ instance_parameter_dict['configuration.frontend-name'] }}" \ -subj "/CN=Fallback certificate/OU={{ instance_parameter_dict['configuration.frontend-name'] }}" \
...@@ -282,7 +282,7 @@ command = ...@@ -282,7 +282,7 @@ command =
{% if slapparameter_dict['kedifa-caucase-url'] %} {% if slapparameter_dict['kedifa-caucase-url'] %}
if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then
{{ software_parameter_dict['openssl'] }} req -new -sha256 \ {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-newkey rsa:2048 -nodes -keyout ${:key} \ -newkey rsa -nodes -keyout ${:key} \
-subj "/O=${:organization}/OU=${:organizational_unit}" \ -subj "/O=${:organization}/OU=${:organizational_unit}" \
-out ${:template-csr} -out ${:template-csr}
fi fi
...@@ -335,7 +335,7 @@ command = ...@@ -335,7 +335,7 @@ command =
{% if slapparameter_dict['backend-client-caucase-url'] %} {% if slapparameter_dict['backend-client-caucase-url'] %}
if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then
{{ software_parameter_dict['openssl'] }} req -new -sha256 \ {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-newkey rsa:2048 -nodes -keyout ${:key} \ -newkey rsa -nodes -keyout ${:key} \
-subj "/O=${:organization}/OU=${:organizational_unit}" \ -subj "/O=${:organization}/OU=${:organizational_unit}" \
-out ${:template-csr} -out ${:template-csr}
fi fi
......
...@@ -89,7 +89,7 @@ organizational_unit = Kedifa Partition ...@@ -89,7 +89,7 @@ organizational_unit = Kedifa Partition
command = command =
if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ] ; then
/bin/bash -c '{{ software_parameter_dict['openssl'] }} req -new -sha256 \ /bin/bash -c '{{ software_parameter_dict['openssl'] }} req -new -sha256 \
-newkey rsa:2048 -nodes -keyout ${:key} \ -newkey rsa -nodes -keyout ${:key} \
-subj "/O=${:organization}/OU=${:organizational_unit}" \ -subj "/O=${:organization}/OU=${:organizational_unit}" \
-reqexts SAN \ -reqexts SAN \
-config <(cat {{ software_parameter_dict['openssl_cnf'] }} \ -config <(cat {{ software_parameter_dict['openssl_cnf'] }} \
...@@ -135,7 +135,7 @@ stop-on-error = True ...@@ -135,7 +135,7 @@ stop-on-error = True
update-command = ${:command} update-command = ${:command}
command = command =
if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
{{ software_parameter_dict['openssl'] }} req -new -newkey rsa:2048 -sha256 -subj \ {{ software_parameter_dict['openssl'] }} req -new -newkey rsa -sha256 -subj \
"/O=${kedifa-csr:organization}/OU=${kedifa-csr:organizational_unit}/CN={{ instance_parameter_dict['ipv6-random'] }}" \ "/O=${kedifa-csr:organization}/OU=${kedifa-csr:organizational_unit}/CN={{ instance_parameter_dict['ipv6-random'] }}" \
-days 5 -nodes -x509 -keyout ${:key} -out ${:certificate} -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
fi fi
......
...@@ -631,7 +631,7 @@ organizational_unit = Automatic Internal Kedifa Caucase CSR ...@@ -631,7 +631,7 @@ organizational_unit = Automatic Internal Kedifa Caucase CSR
command = command =
if [ ! -f ${:csr} ] && [ ! -f ${:key} ] ; then if [ ! -f ${:csr} ] && [ ! -f ${:key} ] ; then
{{ software_parameter_dict['openssl'] }} req -new -sha256 \ {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-newkey rsa:2048 -nodes -keyout ${:key} \ -newkey rsa -nodes -keyout ${:key} \
-subj "/O=${:organization}/OU=${:organizational_unit}" \ -subj "/O=${:organization}/OU=${:organizational_unit}" \
-out ${:csr} -out ${:csr}
fi fi
...@@ -752,7 +752,7 @@ organizational_unit = Automatic Sign Backend Client Caucase CSR ...@@ -752,7 +752,7 @@ organizational_unit = Automatic Sign Backend Client Caucase CSR
command = command =
if [ ! -f ${:csr} ] && [ ! -f ${:key} ] ; then if [ ! -f ${:csr} ] && [ ! -f ${:key} ] ; then
{{ software_parameter_dict['openssl'] }} req -new -sha256 \ {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-newkey rsa:2048 -nodes -keyout ${:key} \ -newkey rsa -nodes -keyout ${:key} \
-subj "/O=${:organization}/OU=${:organizational_unit}" \ -subj "/O=${:organization}/OU=${:organizational_unit}" \
-out ${:csr} -out ${:csr}
fi fi
...@@ -927,7 +927,7 @@ update-command = ${:command} ...@@ -927,7 +927,7 @@ update-command = ${:command}
command = command =
[ -f ${:certificate} ] && {{ software_parameter_dict['findutils'] }}/bin/find ${:certificate} -type f -mtime +3 -delete [ -f ${:certificate} ] && {{ software_parameter_dict['findutils'] }}/bin/find ${:certificate} -type f -mtime +3 -delete
if ! [ -f ${:certificate} ] ; then if ! [ -f ${:certificate} ] ; then
openssl req -new -newkey rsa:2048 -sha256 -subj \ openssl req -new -newkey rsa -sha256 -subj \
"/CN=${master-introspection-server-configuration:ip}" \ "/CN=${master-introspection-server-configuration:ip}" \
-days 5 -nodes -x509 -keyout ${:certificate} -out ${:certificate} -days 5 -nodes -x509 -keyout ${:certificate} -out ${:certificate}
fi fi
......
...@@ -611,7 +611,7 @@ stop-on-error = True ...@@ -611,7 +611,7 @@ stop-on-error = True
update-command = ${:command} update-command = ${:command}
command = command =
if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
openssl req -new -newkey rsa:2048 -sha256 -subj \ openssl req -new -newkey rsa -sha256 -subj \
"/O={{ expose_csr_organization }}/OU={{ expose_csr_organizational_unit }}/CN=${slap-configuration:ipv6-random}" \ "/O={{ expose_csr_organization }}/OU={{ expose_csr_organizational_unit }}/CN=${slap-configuration:ipv6-random}" \
-days 5 -nodes -x509 -keyout ${:key} -out ${:certificate} -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
fi fi
......
...@@ -15,4 +15,4 @@ ...@@ -15,4 +15,4 @@
[instance.cfg.in] [instance.cfg.in]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = b5c479ebb4cf2fd2f63623af88b95078 md5sum = 1d9513c44185ad47bd3bb50f748c372a
...@@ -111,9 +111,10 @@ recipe = plone.recipe.command ...@@ -111,9 +111,10 @@ recipe = plone.recipe.command
command = command =
if [ ! -f '${:csr}' ] ; then if [ ! -f '${:csr}' ] ; then
{{ openssl_bin }} req \ {{ openssl_bin }} req \
-newkey rsa:2048 \ -newkey rsa \
-batch \ -batch \
-new \ -new \
-sha256 \
-nodes \ -nodes \
-keyout /dev/null \ -keyout /dev/null \
-config '${rest-server-certificate-csr-config:output}' \ -config '${rest-server-certificate-csr-config:output}' \
......
...@@ -19,4 +19,4 @@ md5sum = 10e19df182c692b71ea552da183a0bcf ...@@ -19,4 +19,4 @@ md5sum = 10e19df182c692b71ea552da183a0bcf
[template-selenium] [template-selenium]
filename = instance-selenium.cfg.in filename = instance-selenium.cfg.in
md5sum = 7239845e758b2d10299699e061b0fc75 md5sum = 9bef75759623a660cfaf4b6f5a48a923
\ No newline at end of file \ No newline at end of file
...@@ -137,7 +137,7 @@ command = ...@@ -137,7 +137,7 @@ command =
then then
${openssl-output:openssl} req -x509 -nodes -days 3650 \ ${openssl-output:openssl} req -x509 -nodes -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-newkey rsa:2048 -keyout $${:cert-file} \ -newkey rsa -keyout $${:cert-file} \
-out $${:cert-file} -out $${:cert-file}
fi fi
update-command = $${:command} update-command = $${:command}
......
...@@ -18,7 +18,7 @@ md5sum = 38eab3283d175230231c998fa4a3416e ...@@ -18,7 +18,7 @@ md5sum = 38eab3283d175230231c998fa4a3416e
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = 88e15a803df4aa35285e59ae9186438a md5sum = 8af2ed33ef2a57cf5c5df4dd5d834d69
[template-apache-backend-conf] [template-apache-backend-conf]
filename = apache-backend.conf.in filename = apache-backend.conf.in
......
...@@ -148,7 +148,7 @@ cert = ${apache-ssl-cert:output} ...@@ -148,7 +148,7 @@ cert = ${apache-ssl-cert:output}
{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }} {{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
{% else %} {% else %}
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${apache-conf-ssl:key} key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert} cert = ${apache-conf-ssl:cert}
{%- endif %} {%- endif %}
......
...@@ -446,7 +446,7 @@ class TestDeploymentScriptInstantiation(ERP5InstanceTestCase): ...@@ -446,7 +446,7 @@ class TestDeploymentScriptInstantiation(ERP5InstanceTestCase):
cert = os.path.join(self.ca_path, 'certs', 'test.crt') cert = os.path.join(self.ca_path, 'certs', 'test.crt')
common_name = 'TEST-SSL-AUTH' common_name = 'TEST-SSL-AUTH'
popenCommunicate([ popenCommunicate([
'openssl', 'req', '-utf8', '-nodes', '-config', openssl_config, '-new', 'openssl', 'req', '-utf8', '-nodes', '-config', openssl_config, '-new', '-sha256',
'-keyout', key, '-out', csr, '-days', '3650'], f'{common_name}\n'.encode(), '-keyout', key, '-out', csr, '-days', '3650'], f'{common_name}\n'.encode(),
stdin=subprocess.PIPE) stdin=subprocess.PIPE)
popenCommunicate([ popenCommunicate([
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
[instance-theia] [instance-theia]
_update_hash_filename_ = instance-theia.cfg.jinja.in _update_hash_filename_ = instance-theia.cfg.jinja.in
md5sum = 07b222d8c29d446fc0957e4e37706585 md5sum = 23b498618bce83a6eb8df0470417f59e
[instance] [instance]
_update_hash_filename_ = instance.cfg.in _update_hash_filename_ = instance.cfg.in
......
...@@ -237,7 +237,7 @@ command = ...@@ -237,7 +237,7 @@ command =
then then
${openssl-output:openssl} req -x509 -nodes -days 3650 \ ${openssl-output:openssl} req -x509 -nodes -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \ -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-newkey rsa:2048 -keyout $${:cert-file} \ -newkey rsa -keyout $${:cert-file} \
-out $${:cert-file} -out $${:cert-file}
fi fi
update-command = $${:command} update-command = $${:command}
......
...@@ -19,7 +19,7 @@ md5sum = f47adc5131a3096e916dbf9ef0061f50 ...@@ -19,7 +19,7 @@ md5sum = f47adc5131a3096e916dbf9ef0061f50
[template-turnserver] [template-turnserver]
filename = instance-turnserver.cfg.jinja2.in filename = instance-turnserver.cfg.jinja2.in
md5sum = f7ae944a28366c8888946af440d513ed md5sum = 016dd3bbebac4b223c11d17512a36296
[template-insecure-turnserver] [template-insecure-turnserver]
filename = instance-insecure-turnserver.cfg.jinja2.in filename = instance-insecure-turnserver.cfg.jinja2.in
......
...@@ -39,7 +39,7 @@ mode = {{ mode }} ...@@ -39,7 +39,7 @@ mode = {{ mode }}
{% do part_list.append('gen-certificate') -%} {% do part_list.append('gen-certificate') -%}
[gen-certificate] [gen-certificate]
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${turnserver-ssl:key}" -out "${turnserver-ssl:certificate}" command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${turnserver-ssl:key}" -out "${turnserver-ssl:certificate}"
{% endif -%} {% endif -%}
[turnserver-ssl] [turnserver-ssl]
......
...@@ -15,4 +15,4 @@ ...@@ -15,4 +15,4 @@
[caucase-jinja2-library] [caucase-jinja2-library]
filename = caucase.jinja2.library filename = caucase.jinja2.library
md5sum = 962ee4f16cef2b4b44ce0f5a87f7549c md5sum = a16311ab9a8965ea9020929c7100209b
...@@ -96,7 +96,7 @@ output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem ...@@ -96,7 +96,7 @@ output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
recipe = plone.recipe.command recipe = plone.recipe.command
command = command =
if [ ! -f '{{ key_path or crt_path }}' ] && [ ! -f '${:csr}' ] ; then if [ ! -f '{{ key_path or crt_path }}' ] && [ ! -f '${:csr}' ] ; then
'{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}' '{{ openssl }}' req -newkey rsa -batch -new -sha256 -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
fi fi
{%- endif %} {%- endif %}
csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
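Review bot: Replacing `-newkey rsa:2048` with `-newkey rsa` on the test CSR command makes the generated key length depend on `default_bits` in whichever openssl.cnf the bundled openssl resolves at run time, and on the compiled-in fallback when that key is absent, so the effective strength is no longer visible in this file. Since the commit's intent is to follow the library default, that expectation is worth recording next to the command, e.g. `# key size intentionally left to openssl's default_bits; 2048 or more expected`, and where the caucase tests inspect the produced key it would be cheap to assert its modulus size so a regression in the openssl component's configuration is caught. The turnserver, balancer and both postfix hunks in this commit already relied on the unsized `-newkey rsa` form and only gain `-sha256` here, so the same remark applies to them and one shared note in the openssl component would cover all of them.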
......
...@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34 ...@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34
[template-postfix] [template-postfix]
filename = instance-postfix.cfg.in filename = instance-postfix.cfg.in
md5sum = 8f7bfca893a01c390df7a3dc9c2410e1 md5sum = 36e2563b306cf7de6297eee415929078
[template-postfix-master-cf] [template-postfix-master-cf]
filename = postfix_master.cf.in filename = postfix_master.cf.in
...@@ -90,7 +90,7 @@ md5sum = 0451190711157fc204418662126d5cf8 ...@@ -90,7 +90,7 @@ md5sum = 0451190711157fc204418662126d5cf8
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = b0751d3d12cfcc8934cb1027190f5e5e md5sum = d570ef33e67ca223eac790f2729c04da
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
......
...@@ -295,7 +295,7 @@ certificate-and-key = ${tls-certificate-and-key-from-parameters:output} ...@@ -295,7 +295,7 @@ certificate-and-key = ${tls-certificate-and-key-from-parameters:output}
ssl_parameter_dict['cert'] ~ "\n" ~ ssl_parameter_dict['key']) }} ssl_parameter_dict['cert'] ~ "\n" ~ ssl_parameter_dict['key']) }}
{% else %} {% else %}
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:certificate-and-key}" -out "${:certificate-and-key}" command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout "${:certificate-and-key}" -out "${:certificate-and-key}"
certificate-and-key = ${directory:etc}/certificate-and-key-generated.pem certificate-and-key = ${directory:etc}/certificate-and-key-generated.pem
{%- endif %} {%- endif %}
......
...@@ -141,7 +141,7 @@ command = ...@@ -141,7 +141,7 @@ command =
${:openssl} dhparam -out '${:dh-2048}' 2048 && ${:openssl} dhparam -out '${:dh-2048}' 2048 &&
${:update} ${:update}
update = update =
${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}' ${:openssl} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'
[{{ section('postfix-logrotate') }}] [{{ section('postfix-logrotate') }}]
recipe = slapos.cookbook:cron.d recipe = slapos.cookbook:cron.d
......
...@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34 ...@@ -50,7 +50,7 @@ md5sum = f928b9dc99f7f970caadfe7dd6f95d34
[template-postfix] [template-postfix]
filename = instance-postfix.cfg.in filename = instance-postfix.cfg.in
md5sum = b1cdeb8fe02d47c093658b50afa7d6b9 md5sum = eacbaeecb0c7a311eb9663d411201d6b
[template-postfix-master-cf] [template-postfix-master-cf]
filename = postfix_master.cf.in filename = postfix_master.cf.in
...@@ -90,7 +90,7 @@ md5sum = 8725a6b42de735b64b51d9bac598f94b ...@@ -90,7 +90,7 @@ md5sum = 8725a6b42de735b64b51d9bac598f94b
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = 0fad9497da12ed0186dca5236c23f3a7 md5sum = 727c6f045da382fe50916e6ea5ae6405
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
......
...@@ -93,6 +93,7 @@ command = ...@@ -93,6 +93,7 @@ command =
-newkey rsa \ -newkey rsa \
-batch \ -batch \
-new \ -new \
-sha256 \
-nodes \ -nodes \
-keyout /dev/null \ -keyout /dev/null \
-config '${haproxy-certificate-csr-config:output}' \ -config '${haproxy-certificate-csr-config:output}' \
......
...@@ -141,7 +141,7 @@ command = ...@@ -141,7 +141,7 @@ command =
${:openssl} dhparam -out '${:dh-2048}' 2048 && ${:openssl} dhparam -out '${:dh-2048}' 2048 &&
${:update} ${:update}
update = update =
${:openssl} req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}' ${:openssl} req -newkey rsa -batch -new -sha256 -x509 -days 3650 -nodes -keyout '${:key}' -out '${:cert}'
[{{ section('postfix-logrotate') }}] [{{ section('postfix-logrotate') }}]
recipe = slapos.cookbook:cron.d recipe = slapos.cookbook:cron.d
......