Merge "Update swanctl.conf cacerts w/ system-local-ca files"
commit
de9d380dc9
@ -98,7 +98,7 @@ class Client(object):
|
|||
message = {}
|
||||
|
||||
puk1_data = utils.load_data(constants.TMP_PUK1_FILE)
|
||||
puc_data = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
|
||||
puc_data = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
|
||||
|
||||
LOG.info("Generate RSA Private Key (PRK2).")
|
||||
prk2 = self._generate_prk2()
|
||||
|
@ -154,14 +154,16 @@ class Client(object):
|
|||
return False
|
||||
|
||||
utils.save_data(constants.TMP_PUK1_FILE, key)
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_PATH, ca_cert)
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
|
||||
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)
|
||||
|
||||
if self.state == State.STAGE_4:
|
||||
LOG.info("Received IPSec Auth CSR Response")
|
||||
cert = base64.b64decode(msg['cert'])
|
||||
digest = base64.b64decode(msg['hash'])
|
||||
|
||||
ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
|
||||
ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
|
||||
|
||||
data = msg['cert'].encode('utf-8')
|
||||
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
|
||||
|
|
|
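Review bot: The `-0` file is only ever written inside the `if self.op_code == constants.OP_CODE_INITIAL_AUTH:` branch, so after the first CA rotation it still holds the original bootstrap CA rather than the previously trusted one that the constants comment describes as "the last" certificate; every later auth overwrites only `-1`. Because StrongswanPuppet now lists both files in `cacerts` (next hunk), that original CA remains a valid trust anchor for peer authentication indefinitely instead of aging out one rotation later. If the intended semantics are previous/current, the current `-1` content should be moved into `-0` before the new certificate is written, keeping the identical-content write only as the initial-auth bootstrap; whether a re-auth that delivers an unchanged CA should skip the shift depends on what `utils.load_data` returns and is not visible here. The enclosing method starts and ends outside the hunk, and nothing in view shows `ca_cert` being validated before it is saved as a trust anchor.
```python
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
    # bootstrap: there is no previous CA yet, so both slots hold the same cert
    utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)
else:
    # retire the CA trusted until now into the "-0" slot, so swanctl keeps
    # accepting exactly one rotation back and the bootstrap CA ages out
    previous_ca = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
    utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, previous_ca)
utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
# … unchanged: STAGE_4 handling …
```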
@ -172,7 +172,7 @@ class StrongswanPuppet(object):
|
|||
# swanctl.add_remote('id', 'CN=ipsec-*')
|
||||
swanctl.add_remote('id', 'CN=*')
|
||||
swanctl.add_remote('auth', 'pubkey')
|
||||
swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILE)
|
||||
swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILES)
|
||||
|
||||
swanctl.add_node('mode', 'transport')
|
||||
swanctl.add_node('start_action', 'trap')
|
||||
|
|
|
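Review bot: The `cacerts` value now names two trust anchors, but nothing at the call site says why, so a reader of the puppet resource cannot tell that the `-0`/`-1` split is meant as a rotation window rather than two independent roots. Suggest a comment above the changed line: `# accept both the previous (-0) and current (-1) system-local-ca so peers keep authenticating across a CA rotation`. strongSwan trusts every file in this list equally, so the window is only bounded if the client actually overwrites `-0` on the next rotation (see the `Client` hunk above); otherwise the first CA stays a permanent second root.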
@ -24,9 +24,17 @@ NAMESPACE_DEPLOYMENT = 'deployment'
|
|||
CLUSTER_ISSUER_SYSTEM_LOCAL_CA = 'system-local-ca'
|
||||
SECRET_SYSTEM_LOCAL_CA = 'system-local-ca'
|
||||
|
||||
TRUSTED_CA_CERT_FILE = 'system-local-ca.crt'
|
||||
# The system-local-ca certificates are stored by IPsec client
|
||||
# named w/ 0 or 1 in their names. The system-local-ca-0.crt file represents
|
||||
# the last tls certificate associated with system-local-ca,
|
||||
# while system-local-ca-1.crt file is the current certificate
|
||||
# associated with system-local-ca.
|
||||
TRUSTED_CA_CERT_FILE_0 = 'system-local-ca-0.crt'
|
||||
TRUSTED_CA_CERT_FILE_1 = 'system-local-ca-1.crt'
|
||||
TRUSTED_CA_CERT_FILES = TRUSTED_CA_CERT_FILE_0 + ',' + TRUSTED_CA_CERT_FILE_1
|
||||
TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'
|
||||
TRUSTED_CA_CERT_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE
|
||||
TRUSTED_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_0
|
||||
TRUSTED_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_1
|
||||
|
||||
CERT_SYSTEM_LOCAL_DIR = '/etc/swanctl/x509/'
|
||||
CERT_SYSTEM_LOCAL_PRIVATE_DIR = '/etc/swanctl/private/'
|
||||
|
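Review bot: `TRUSTED_CA_CERT_FILES` hard-codes swanctl's comma-separated list syntax via string concatenation, and the comment above it calls `-0.crt` "the last tls certificate" although these files live under `x509ca/` and are consumed as `cacerts`, i.e. they hold the CA certificate, not a TLS leaf. Suggest `TRUSTED_CA_CERT_FILES = ','.join((TRUSTED_CA_CERT_FILE_0, TRUSTED_CA_CERT_FILE_1))  # swanctl.conf cacerts list syntax` and rewording the comment to `# -0.crt holds the previously trusted system-local-ca CA certificate, -1.crt the current one`. `TRUSTED_CA_CERT_FILE` and `TRUSTED_CA_CERT_PATH` are kept even though the two client hunks above stop using them; if no other caller remains they are dead constants naming a third, possibly stale, CA path and should be dropped or marked deprecated.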
|