Fix issues when switch between HTTP and HTTPS
Issues: 1- wrs-ssl.rpm installs a key file that is expected to be modified by the user. Updating, patching or removing this RPM can potentially change the user's file. 2- Going back to HTTP after going to HTTPS fails. 3- Going back to HTTPS again after going back to HTTP: access fails until a new key is installed. 4- Key files under /etc/ssl/private are required to be removed when going back to HTTP. 5- sysinv creates backup copies of key (.pem) files. Fixes: 1- renaming the self-signed certificate installed by wrs-ssl.rpm so that: - the key file is not installed in place - the self-signed certificate remains available to reinstall when going back and forth between HTTP and HTTPS 2- updating the lighttpd.conf manifest so that the daemon does not look for pem files in HTTP mode 3- modifying sysinv so that the pem files are removed from both controllers when going back to HTTP 4- modifying sysinv so that the tool does not create a backup copy of the pem file. Story: 2002894 Task: 22857 Change-Id: Ibd0958e910a8914a3c65d3504ff82ebbef24c6c5 Signed-off-by: Jack Ding <jack.ding@windriver.com>
parent
5f6ba4f658
commit
885a23ef09
|
@ -245,6 +245,7 @@ $HTTP["url"] !~ "^/(rel-[^/]*|feed|updates|static)/" {
|
||||||
# ".cgi" => "/usr/bin/perl" )
|
# ".cgi" => "/usr/bin/perl" )
|
||||||
#
|
#
|
||||||
|
|
||||||
|
<% if @enable_https %>
|
||||||
#### SSL engine
|
#### SSL engine
|
||||||
$SERVER["socket"] == ":443" {
|
$SERVER["socket"] == ":443" {
|
||||||
ssl.engine = "enable"
|
ssl.engine = "enable"
|
||||||
|
@ -263,6 +264,11 @@ $SERVER["socket"] == "[::]:443" {
|
||||||
ssl.use-sslv3 = "disable"
|
ssl.use-sslv3 = "disable"
|
||||||
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
|
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
|
||||||
}
|
}
|
||||||
|
<% else %>
|
||||||
|
###
|
||||||
|
# HTTPS not enabled
|
||||||
|
###
|
||||||
|
<% end %>
|
||||||
|
|
||||||
#### status module
|
#### status module
|
||||||
#status.status-url = "/server-status"
|
#status.status-url = "/server-status"
|
||||||
|
|
|
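Review bot: `<% if @enable_https %>` in the first hunk degrades silently to the HTTP-only branch if the manifest ever fails to pass `enable_https` to the template, because an unset instance variable evaluates as nil in ERB and no :443 socket is configured without any error. The manifest side is not visible here, so it is worth confirming that the variable is always set, or making the expectation explicit so a missing value fails loudly rather than quietly disabling TLS. The `<% else %>` branch carries only a banner; I would make it say why the branch exists, e.g. `# HTTPS not enabled: no :443 sockets are defined, so lighttpd never references the server key/cert pem and starts without it`.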
@ -1290,6 +1290,7 @@ class AgentManager(service.PeriodicService):
|
||||||
self._ihost_personality))
|
self._ihost_personality))
|
||||||
|
|
||||||
permissions = iconfig_dict.get('permissions')
|
permissions = iconfig_dict.get('permissions')
|
||||||
|
nobackup = iconfig_dict.get('nobackup')
|
||||||
if not permissions:
|
if not permissions:
|
||||||
permissions = constants.CONFIG_FILE_PERMISSION_DEFAULT
|
permissions = constants.CONFIG_FILE_PERMISSION_DEFAULT
|
||||||
|
|
||||||
|
@ -1311,8 +1312,9 @@ class AgentManager(service.PeriodicService):
|
||||||
iconfig_dict['file_content']))
|
iconfig_dict['file_content']))
|
||||||
|
|
||||||
if os.path.isfile(file_name):
|
if os.path.isfile(file_name):
|
||||||
if not os.path.isfile(file_name_sysinv):
|
if not nobackup:
|
||||||
shutil.copy2(file_name, file_name_sysinv)
|
if not os.path.isfile(file_name_sysinv):
|
||||||
|
shutil.copy2(file_name, file_name_sysinv)
|
||||||
|
|
||||||
# Remove resolv.conf file. It may have been created as a
|
# Remove resolv.conf file. It may have been created as a
|
||||||
# symlink by the volatile configuration scripts.
|
# symlink by the volatile configuration scripts.
|
||||||
|
@ -1324,9 +1326,10 @@ class AgentManager(service.PeriodicService):
|
||||||
f_content = file_content
|
f_content = file_content
|
||||||
|
|
||||||
os.umask(0)
|
os.umask(0)
|
||||||
with os.fdopen(os.open(file_name, os.O_CREAT | os.O_WRONLY,
|
if f_content is not None:
|
||||||
|
with os.fdopen(os.open(file_name, os.O_CREAT | os.O_WRONLY,
|
||||||
permissions), 'wb') as f:
|
permissions), 'wb') as f:
|
||||||
f.write(f_content)
|
f.write(f_content)
|
||||||
|
|
||||||
self._update_config_applied(iconfig_uuid)
|
self._update_config_applied(iconfig_uuid)
|
||||||
self._report_config_applied(context)
|
self._report_config_applied(context)
|
||||||
|
|
|
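Review bot: `if f_content is not None:` at the end of the third hunk only turns `file_content: None` into a deletion because of whatever removal precedes the write (the resolv.conf comment suggests the existing file is unlinked before the rewrite), and that contract is not written down anywhere in the hunk; I would add above the check `# file_content None means: delete the file (already unlinked above) and do not recreate it`, adjusted if the unlink is not unconditional, since the enclosing method starts and ends outside these hunks. The `nobackup` key is read with `.get()`, so callers that omit it keep the old backup behaviour, which is the behaviour that copied private-key material into `file_name_sysinv`; a comment next to `nobackup = iconfig_dict.get('nobackup')` stating that key-bearing files must pass `nobackup` would make that expectation visible to the next caller. The mode passed to `os.open` applies only when the file is created, so the `O_CREAT` write does not tighten permissions on a pre-existing file; if the unlink above is not unconditional that is worth a check.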
@ -1142,11 +1142,14 @@ SYSINV_GRPNAME = "sysinv"
|
||||||
CERT_TYPE_SSL = 'ssl'
|
CERT_TYPE_SSL = 'ssl'
|
||||||
SSL_CERT_DIR = "/etc/ssl/private/"
|
SSL_CERT_DIR = "/etc/ssl/private/"
|
||||||
SSL_CERT_FILE = "server-cert.pem" # pem with PK and cert
|
SSL_CERT_FILE = "server-cert.pem" # pem with PK and cert
|
||||||
|
# self signed pem to get started
|
||||||
|
SSL_CERT_SS_FILE = "self-signed-server-cert.pem"
|
||||||
CERT_MURANO_DIR = "/etc/ssl/private/murano-rabbit"
|
CERT_MURANO_DIR = "/etc/ssl/private/murano-rabbit"
|
||||||
CERT_FILE = "cert.pem"
|
CERT_FILE = "cert.pem"
|
||||||
CERT_KEY_FILE = "key.pem"
|
CERT_KEY_FILE = "key.pem"
|
||||||
CERT_CA_FILE = "ca-cert.pem"
|
CERT_CA_FILE = "ca-cert.pem"
|
||||||
SSL_PEM_FILE = os.path.join(SSL_CERT_DIR, SSL_CERT_FILE)
|
SSL_PEM_FILE = os.path.join(SSL_CERT_DIR, SSL_CERT_FILE)
|
||||||
|
SSL_PEM_SS_FILE = os.path.join(SSL_CERT_DIR, SSL_CERT_SS_FILE)
|
||||||
SSL_PEM_FILE_SHARED = os.path.join(tsc.CONFIG_PATH, SSL_CERT_FILE)
|
SSL_PEM_FILE_SHARED = os.path.join(tsc.CONFIG_PATH, SSL_CERT_FILE)
|
||||||
|
|
||||||
MURANO_CERT_KEY_FILE = os.path.join(CERT_MURANO_DIR, CERT_KEY_FILE)
|
MURANO_CERT_KEY_FILE = os.path.join(CERT_MURANO_DIR, CERT_KEY_FILE)
|
||||||
|
|
|
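Review bot: The comment on `SSL_CERT_SS_FILE` says only `# self signed pem to get started`; since the conductor later splits this file into private and public bytes, the constant names a file that carries a private key shipped by the package, and the comment should say so, e.g. `# bootstrap self-signed cert+key installed by wrs-ssl.rpm; never modified in place, copied to SSL_PEM_FILE when HTTPS is enabled`. Whether the packaged key is unique per installation is not visible here; if it is not, a note that operators are expected to replace it with their own certificate belongs next to the constant.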
@ -5199,7 +5199,10 @@ class ConductorManager(service.PeriodicService):
|
||||||
:param context: an admin context.
|
:param context: an admin context.
|
||||||
"""
|
"""
|
||||||
personalities = [constants.CONTROLLER]
|
personalities = [constants.CONTROLLER]
|
||||||
config_uuid = self._config_update_hosts(context, personalities)
|
system = self.dbapi.isystem_get_one()
|
||||||
|
|
||||||
|
if system.capabilities.get('https_enabled', False):
|
||||||
|
self._config_selfsigned_certificate(context)
|
||||||
|
|
||||||
config_dict = {
|
config_dict = {
|
||||||
"personalities": personalities,
|
"personalities": personalities,
|
||||||
|
@ -5209,12 +5212,13 @@ class ConductorManager(service.PeriodicService):
|
||||||
'openstack::nova::api::runtime',
|
'openstack::nova::api::runtime',
|
||||||
'openstack::heat::engine::runtime']
|
'openstack::heat::engine::runtime']
|
||||||
}
|
}
|
||||||
|
|
||||||
|
config_uuid = self._config_update_hosts(context, personalities)
|
||||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||||
|
|
||||||
system = self.dbapi.isystem_get_one()
|
|
||||||
if not system.capabilities.get('https_enabled', False):
|
if not system.capabilities.get('https_enabled', False):
|
||||||
self._destroy_tpm_config(context)
|
self._destroy_tpm_config(context)
|
||||||
self._destroy_certificates()
|
self._destroy_certificates(context)
|
||||||
|
|
||||||
def update_oam_config(self, context):
|
def update_oam_config(self, context):
|
||||||
"""Update the OAM network configuration"""
|
"""Update the OAM network configuration"""
|
||||||
|
@ -9573,7 +9577,7 @@ class ConductorManager(service.PeriodicService):
|
||||||
|
|
||||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
|
||||||
|
|
||||||
def _destroy_certificates(self):
|
def _destroy_certificates(self, context):
|
||||||
"""Delete certificates."""
|
"""Delete certificates."""
|
||||||
LOG.info("_destroy_certificates clear ssl/tpm certificates")
|
LOG.info("_destroy_certificates clear ssl/tpm certificates")
|
||||||
|
|
||||||
|
@ -9583,6 +9587,18 @@ class ConductorManager(service.PeriodicService):
|
||||||
constants.CERT_MODE_SSL, constants.CERT_MODE_TPM]:
|
constants.CERT_MODE_SSL, constants.CERT_MODE_TPM]:
|
||||||
self.dbapi.certificate_destroy(certificate.uuid)
|
self.dbapi.certificate_destroy(certificate.uuid)
|
||||||
|
|
||||||
|
personalities = [constants.CONTROLLER]
|
||||||
|
|
||||||
|
config_uuid = self._config_update_hosts(context, personalities)
|
||||||
|
config_dict = {
|
||||||
|
'personalities': personalities,
|
||||||
|
'file_names': [constants.SSL_PEM_FILE],
|
||||||
|
'file_content': None,
|
||||||
|
'permissions': constants.CONFIG_FILE_PERMISSION_ROOT_READ_ONLY,
|
||||||
|
'nobackup': True,
|
||||||
|
}
|
||||||
|
self._config_update_file(context, config_uuid, config_dict)
|
||||||
|
|
||||||
def _destroy_tpm_config(self, context, tpm_obj=None):
|
def _destroy_tpm_config(self, context, tpm_obj=None):
|
||||||
"""Delete a tpmconfig."""
|
"""Delete a tpmconfig."""
|
||||||
|
|
||||||
|
@ -9771,6 +9787,7 @@ class ConductorManager(service.PeriodicService):
|
||||||
'personalities': personalities,
|
'personalities': personalities,
|
||||||
'file_names': [constants.SSL_PEM_FILE],
|
'file_names': [constants.SSL_PEM_FILE],
|
||||||
'file_content': file_content,
|
'file_content': file_content,
|
||||||
|
'nobackup': True,
|
||||||
'permissions': constants.CONFIG_FILE_PERMISSION_ROOT_READ_ONLY,
|
'permissions': constants.CONFIG_FILE_PERMISSION_ROOT_READ_ONLY,
|
||||||
}
|
}
|
||||||
self._config_update_file(context, config_uuid, config_dict)
|
self._config_update_file(context, config_uuid, config_dict)
|
||||||
|
@ -9857,3 +9874,46 @@ class ConductorManager(service.PeriodicService):
|
||||||
raise exception.SysinvException(_(msg))
|
raise exception.SysinvException(_(msg))
|
||||||
|
|
||||||
return signature
|
return signature
|
||||||
|
|
||||||
|
def _config_selfsigned_certificate(self, context):
|
||||||
|
"""
|
||||||
|
This code is invoked when https is enabled
|
||||||
|
to install a self signed certificate to get started
|
||||||
|
|
||||||
|
:param context: an admin context.
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
mode = constants.CERT_MODE_SSL
|
||||||
|
passphrase = None
|
||||||
|
certificate_file = constants.SSL_PEM_SS_FILE
|
||||||
|
|
||||||
|
with open(certificate_file) as pemfile:
|
||||||
|
pem_contents = pemfile.read()
|
||||||
|
|
||||||
|
LOG.info("_config_selfsigned_certificate mode=%s file=%s" % (mode, certificate_file))
|
||||||
|
|
||||||
|
private_bytes, public_bytes, signature = \
|
||||||
|
self._extract_keys_from_pem(mode, pem_contents, passphrase)
|
||||||
|
|
||||||
|
personalities = [constants.CONTROLLER]
|
||||||
|
|
||||||
|
config_uuid = self._config_update_hosts(context, personalities)
|
||||||
|
file_content = private_bytes + public_bytes
|
||||||
|
config_dict = {
|
||||||
|
'personalities': personalities,
|
||||||
|
'file_names': [constants.SSL_PEM_FILE],
|
||||||
|
'file_content': file_content,
|
||||||
|
'permissions': constants.CONFIG_FILE_PERMISSION_ROOT_READ_ONLY,
|
||||||
|
'nobackup': True,
|
||||||
|
}
|
||||||
|
self._config_update_file(context, config_uuid, config_dict)
|
||||||
|
|
||||||
|
# copy the certificate to shared directory
|
||||||
|
with os.fdopen(os.open(constants.SSL_PEM_FILE_SHARED,
|
||||||
|
os.O_CREAT | os.O_WRONLY,
|
||||||
|
constants.CONFIG_FILE_PERMISSION_ROOT_READ_ONLY),
|
||||||
|
'wb') as f:
|
||||||
|
f.write(file_content)
|
||||||
|
|
||||||
|
return signature
|
||||||
|
|
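Review bot: The shared copy written in `_config_selfsigned_certificate` (sixth hunk) is opened with `os.O_CREAT | os.O_WRONLY` and no `os.O_TRUNC`, so if `constants.SSL_PEM_FILE_SHARED` already exists and is longer than the new self-signed bundle, the tail of the old file survives and the PEM is corrupted; the fix is `os.O_CREAT | os.O_WRONLY | os.O_TRUNC` in that `os.open` call. The same call leaves an existing file's mode untouched, because the mode argument only applies on creation. Separately, `_destroy_certificates` (third and fourth hunks) removes only `constants.SSL_PEM_FILE` from the controllers, while the write to `constants.SSL_PEM_FILE_SHARED` has no matching removal that I can see; unless that is handled outside these hunks, the private key stays in the shared config path after going back to HTTP. The function changed at line 5199 starts outside the hunk, so I cannot tell whether it runs only on an HTTPS toggle; if it also runs on other updates, the unconditional `self._config_selfsigned_certificate(context)` would overwrite an operator-installed certificate.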