Reimplement cert handling, strip useless cli params
This commit is contained in:
parent
6fb1e12ca6
commit
afe8df823f
GPG Key ID:
524BD33A0EE29499
9
basic.sh
9
basic.sh
@ -53,11 +53,9 @@ rc-update -u
|
||||
cp -r srv/vm /srv/vm
|
||||
ln -s /srv/vm/cli.py /usr/bin/vmmgr
|
||||
|
||||
# Create a self-signed certificate
|
||||
vmmgr create-selfsigned
|
||||
|
||||
# Configure nginx
|
||||
# Configure nginx and create a self-signed certificate
|
||||
cp etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
vmmgr install
|
||||
|
||||
# Configure postfix
|
||||
cp etc/postfix/main.cf /etc/postfix/main.cf
|
||||
@ -74,6 +72,3 @@ if [ ${DEBUG:-0} -eq 1 ]; then
|
||||
rc-update add sshd boot
|
||||
service sshd start
|
||||
fi
|
||||
|
||||
# Generate nginx default.conf
|
||||
vmmgr update-host spotter.vm 443
|
||||
|
||||
@ -11,122 +11,62 @@ from mgr import VMMgr
|
||||
parser = argparse.ArgumentParser(description='VM application manager')
|
||||
subparsers = parser.add_subparsers()
|
||||
|
||||
parser_update_login = subparsers.add_parser('update-login', help='Updates application login')
|
||||
parser_install = subparsers.add_parser('install')
|
||||
parser_install.set_defaults(action='install')
|
||||
|
||||
parser_update_login = subparsers.add_parser('update-login')
|
||||
parser_update_login.set_defaults(action='update-login')
|
||||
parser_update_login.add_argument('app', help='Application name')
|
||||
parser_update_login.add_argument('login', help='Administrative login')
|
||||
parser_update_login.add_argument('password', help='Administrative password')
|
||||
|
||||
parser_show_tiles = subparsers.add_parser('show-tiles', help='Shows application tiles in Portal')
|
||||
parser_show_tiles.set_defaults(action='show-tiles')
|
||||
parser_show_tiles.add_argument('app', help='Application name')
|
||||
|
||||
parser_hide_tiles = subparsers.add_parser('hide-tiles', help='Hides application tiles in Portal')
|
||||
parser_hide_tiles.set_defaults(action='hide-tiles')
|
||||
parser_hide_tiles.add_argument('app', help='Application name')
|
||||
|
||||
parser_start_app = subparsers.add_parser('start-app', help='Start application including it\'s dependencies')
|
||||
parser_start_app.set_defaults(action='start-app')
|
||||
parser_start_app.add_argument('app', help='Application name')
|
||||
|
||||
parser_stop_app = subparsers.add_parser('stop-app', help='Stops application including it\'s dependencies if they are not used by another running application')
|
||||
parser_stop_app.set_defaults(action='stop-app')
|
||||
parser_stop_app.add_argument('app', help='Application name')
|
||||
|
||||
parser_enable_autostart = subparsers.add_parser('enable-autostart', help='Enables application autostart')
|
||||
parser_enable_autostart.set_defaults(action='enable-autostart')
|
||||
parser_enable_autostart.add_argument('app', help='Application name')
|
||||
|
||||
parser_disable_autostart = subparsers.add_parser('disable-autostart', help='Disables application autostart')
|
||||
parser_disable_autostart.set_defaults(action='disable-autostart')
|
||||
parser_disable_autostart.add_argument('app', help='Application name')
|
||||
|
||||
parser_rebuild_issue = subparsers.add_parser('rebuild-issue', help='Rebuilds /etc/issue using current settings - used on VM startup')
|
||||
parser_rebuild_issue = subparsers.add_parser('rebuild-issue')
|
||||
parser_rebuild_issue.set_defaults(action='rebuild-issue')
|
||||
|
||||
parser_prepare_container = subparsers.add_parser('prepare-container', help='Cleans container ephemeral layer and sets common config for the app. Intended to be used with LXC hooks')
|
||||
parser_prepare_container = subparsers.add_parser('prepare-container')
|
||||
parser_prepare_container.add_argument('lxc', nargs=argparse.REMAINDER)
|
||||
parser_prepare_container.set_defaults(action='prepare-container')
|
||||
|
||||
parser_register_container = subparsers.add_parser('register-container', help='Register and assigns IP to an application container. Intended to be used with LXC hooks')
|
||||
parser_register_container = subparsers.add_parser('register-container')
|
||||
parser_register_container.add_argument('lxc', nargs=argparse.REMAINDER)
|
||||
parser_register_container.set_defaults(action='register-container')
|
||||
|
||||
parser_unregister_container = subparsers.add_parser('unregister-container', help='Removes IP assignment for an application container. Intended to be used with LXC hooks')
|
||||
parser_unregister_container = subparsers.add_parser('unregister-container')
|
||||
parser_unregister_container.add_argument('lxc', nargs=argparse.REMAINDER)
|
||||
parser_unregister_container.set_defaults(action='unregister-container')
|
||||
|
||||
parser_register_proxy = subparsers.add_parser('register-proxy', help='Rebuilds nginx proxy target for an application container')
|
||||
parser_register_proxy = subparsers.add_parser('register-proxy')
|
||||
parser_register_proxy.set_defaults(action='register-proxy')
|
||||
parser_register_proxy.add_argument('app', help='Application name')
|
||||
|
||||
parser_unregister_proxy = subparsers.add_parser('unregister-proxy', help='Removes nginx proxy target for an application container')
|
||||
parser_unregister_proxy = subparsers.add_parser('unregister-proxy')
|
||||
parser_unregister_proxy.set_defaults(action='unregister-proxy')
|
||||
parser_unregister_proxy.add_argument('app', help='Application name')
|
||||
|
||||
parser_update_host = subparsers.add_parser('update-host', help='Rebuilds domain structure of VM with new host name and new HTTPS port')
|
||||
parser_update_host.set_defaults(action='update-host')
|
||||
parser_update_host.add_argument('domain', help='Domain name')
|
||||
parser_update_host.add_argument('port', help='HTTPS port')
|
||||
|
||||
parser_update_common = subparsers.add_parser('update-common', help='Updates common configuration properties used by multiple applications')
|
||||
parser_update_common.set_defaults(action='update-common')
|
||||
parser_update_common.add_argument('--email', help='Administrative e-mail address')
|
||||
parser_update_common.add_argument('--gmaps-api-key', help='Google Maps API key')
|
||||
|
||||
parser_update_password = subparsers.add_parser('update-password', help='Updates password for HDD encryption and WSGI administration interface')
|
||||
parser_update_password.set_defaults(action='update-password')
|
||||
|
||||
parser_create_selfsigned = subparsers.add_parser('create-selfsigned', help='Creates and installs selfsigned certificate for currently set domain')
|
||||
parser_create_selfsigned.set_defaults(action='create-selfsigned')
|
||||
|
||||
parser_request_cert = subparsers.add_parser('request-cert', help='Requests and installs Let\'s Encrypt certificate for currently set domain')
|
||||
parser_request_cert.set_defaults(action='request-cert')
|
||||
|
||||
parser_install_cert = subparsers.add_parser('install-cert', help='Installs user supplied certificate')
|
||||
parser_install_cert.set_defaults(action='install-cert')
|
||||
parser_install_cert.add_argument('certificate', help='Certificate file')
|
||||
parser_install_cert.add_argument('key', help='Key file')
|
||||
|
||||
args = parser.parse_args()
|
||||
mgr = VMMgr()
|
||||
if args.action == 'update-login':
|
||||
if args.action == 'install':
|
||||
# Used during VM installation
|
||||
mgr.rebuild_nginx(False)
|
||||
mgr.create_selfsigned_cert()
|
||||
elif args.action == 'update-login':
|
||||
# Used by app install scripts
|
||||
mgr.update_login(args.app, args.login, args.password)
|
||||
elif args.action == 'show-tiles':
|
||||
mgr.show_tiles(args.app)
|
||||
elif args.action == 'hide-tiles':
|
||||
mgr.hide_tiles(args.app)
|
||||
elif args.action == 'start-app':
|
||||
mgr.start_app(args.app)
|
||||
elif args.action == 'stop-app':
|
||||
mgr.stop_app(args.app)
|
||||
elif args.action == 'enable-autostart':
|
||||
mgr.enable_autostart(args.app)
|
||||
elif args.action == 'disable-autostart':
|
||||
mgr.disable_autostart(args.app)
|
||||
elif args.action == 'rebuild-issue':
|
||||
# Used on VM startup
|
||||
mgr.rebuild_issue()
|
||||
elif args.action == 'prepare-container':
|
||||
# Used with LXC hooks
|
||||
mgr.prepare_container()
|
||||
elif args.action == 'register-container':
|
||||
# Used with LXC hooks
|
||||
mgr.register_container()
|
||||
elif args.action == 'unregister-container':
|
||||
# Used with LXC hooks
|
||||
mgr.unregister_container()
|
||||
elif args.action == 'register-proxy':
|
||||
# Used in init scripts
|
||||
mgr.register_proxy(args.app)
|
||||
elif args.action == 'unregister-proxy':
|
||||
# Used in init scripts
|
||||
mgr.unregister_proxy(args.app)
|
||||
elif args.action == 'update-host':
|
||||
mgr.update_host(args.domain, args.port)
|
||||
elif args.action == 'update-common':
|
||||
mgr.update_common(args.email, args.gmaps_api_key)
|
||||
elif args.action == 'update-password':
|
||||
oldpassword = getpass.getpass('Old password: ')
|
||||
newpassword = getpass.getpass('New password: ')
|
||||
mgr.update_password(oldpassword, newpassword)
|
||||
elif args.action == 'create-selfsigned':
|
||||
mgr.create_selfsigned()
|
||||
elif args.action == 'request-cert':
|
||||
mgr.request_cert()
|
||||
elif args.action == 'install-cert':
|
||||
mgr.install_cert(args.certificate, args.key)
|
||||
|
||||
@ -253,8 +253,8 @@ class VMMgr:
|
||||
os.unlink(os.path.join(NGINX_DIR, '{}.conf'.format(app)))
|
||||
tools.reload_nginx()
|
||||
|
||||
def update_host(self, domain, port, restart_nginx=True):
|
||||
# Update domain and port and rebuild all configurtion. Defer nginx restart when updating from web interface
|
||||
def update_host(self, domain, port):
|
||||
# Update domain and port and rebuild all configuration. Web interface calls tools.restart_nginx() in WSGI close handler
|
||||
if not validator.is_valid_domain(domain):
|
||||
raise validator.InvalidValueException('domain', domain)
|
||||
if not validator.is_valid_port(port):
|
||||
@ -266,16 +266,13 @@ class VMMgr:
|
||||
for app in self.conf['apps']:
|
||||
if tools.is_service_started(app):
|
||||
tools.restart_service(app)
|
||||
# Rebuild and restart nginx if it was requested. Web interface calls tools.restart_nginx() in WSGI close handler
|
||||
self.rebuild_nginx(restart_nginx)
|
||||
# Rebuild and restart nginx if it was requested.
|
||||
self.rebuild_nginx()
|
||||
|
||||
def rebuild_nginx(self, restart_nginx):
|
||||
# Rebuild nginx config for the portal app
|
||||
def rebuild_nginx(self):
|
||||
# Rebuild nginx config for the portal app. Web interface calls tools.restart_nginx() in WSGI close handler
|
||||
with open(os.path.join(NGINX_DIR, 'default.conf'), 'w') as f:
|
||||
f.write(NGINX_DEFAULT_TEMPLATE.format(port=self.port))
|
||||
# Restart nginx to properly bind the new listen port
|
||||
if restart_nginx:
|
||||
tools.restart_nginx()
|
||||
|
||||
def rebuild_issue(self):
|
||||
# Compile the HTTPS host displayed in terminal banner
|
||||
@ -317,14 +314,17 @@ class VMMgr:
|
||||
# Save config to file
|
||||
self.conf.save()
|
||||
|
||||
def create_selfsigned(self):
|
||||
def create_selfsigned_cert(self):
|
||||
# Remove acme.sh cronjob
|
||||
if os.path.exists(ACME_CRON):
|
||||
os.unlink(ACME_CRON)
|
||||
# Create selfsigned certificate with wildcard alternative subject name
|
||||
with open(os.path.join(CERT_SAN_FILE), 'w') as f:
|
||||
f.write(CERT_SAN.format(domain=self.domain))
|
||||
subprocess.run(['openssl', 'req', '-config', CERT_SAN_FILE, '-x509', '-new', '-out', CERT_PUB_FILE, '-keyout', CERT_KEY_FILE, '-nodes', '-days', '7305', '-subj', '/CN={}'.format(self.domain)], check=True)
|
||||
os.chmod(CERT_KEY_FILE, 0o640)
|
||||
|
||||
def request_cert(self):
|
||||
def request_acme_cert(self):
|
||||
# Remove all possible conflicting certificates requested in the past
|
||||
certs = [i for i in os.listdir('/etc/acme.sh.d') if i not in ('account.conf', 'ca', 'http.header')]
|
||||
for cert in certs:
|
||||
@ -352,7 +352,7 @@ class VMMgr:
|
||||
with open(ACME_CRON, 'w') as f:
|
||||
f.write(ACME_CRON_TEMPLATE)
|
||||
|
||||
def install_cert(self, public_file, private_file):
|
||||
def install_manual_cert(self, public_file, private_file):
|
||||
# Remove acme.sh cronjob
|
||||
if os.path.exists(ACME_CRON):
|
||||
os.unlink(ACME_CRON)
|
||||
|
||||
@ -7,9 +7,12 @@ import os
|
||||
import requests
|
||||
import shutil
|
||||
import socket
|
||||
import ssl
|
||||
import subprocess
|
||||
|
||||
from cryptography import x509
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.x509.oid import NameOID
|
||||
|
||||
def compile_url(domain, port, proto='https'):
|
||||
port = '' if (proto == 'https' and port == '443') or (proto == 'http' and port == '80') else ':{}'.format(port)
|
||||
host = '{}{}'.format(domain, port)
|
||||
@ -94,9 +97,18 @@ def restart_nginx():
|
||||
restart_service('nginx')
|
||||
|
||||
def get_cert_info(cert):
|
||||
data = ssl._ssl._test_decode_cert(cert)
|
||||
data['subject'] = dict(data['subject'][i][0] for i in range(len(data['subject'])))
|
||||
data['issuer'] = dict(data['issuer'][i][0] for i in range(len(data['issuer'])))
|
||||
# Gather certificate data important for setup-host
|
||||
with open(cert, 'rb') as f:
|
||||
cert = x509.load_pem_x509_certificate(f.read(), default_backend())
|
||||
data = {'subject': cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
|
||||
'issuer': cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
|
||||
'expires': '{} UTC'.format(cert.not_valid_after),
|
||||
'method': 'manual'}
|
||||
if os.path.exists('/etc/periodic/daily/acme-sh'):
|
||||
data['method'] = 'letsencrypt'
|
||||
# This is really naive method of inferring if the cert is selfsigned and should never be used in production :)
|
||||
elif data['subject'] == data['issuer']:
|
||||
data['method'] = 'selfsigned'
|
||||
return data
|
||||
|
||||
def adminpwd_hash(password):
|
||||
|
||||
@ -136,9 +136,8 @@ class WSGIApp(object):
|
||||
ex_ipv6 = tools.get_external_ipv6()
|
||||
in_ipv4 = tools.get_local_ipv4()
|
||||
in_ipv6 = tools.get_local_ipv6()
|
||||
is_letsencrypt = os.path.exists('/etc/periodic/daily/acme-sh')
|
||||
cert_info = tools.get_cert_info(CERT_PUB_FILE)
|
||||
return self.render_template('setup-host.html', request, ex_ipv4=ex_ipv4, ex_ipv6=ex_ipv6, in_ipv4=in_ipv4, in_ipv6=in_ipv6, is_letsencrypt=is_letsencrypt, cert_info=cert_info)
|
||||
return self.render_template('setup-host.html', request, ex_ipv4=ex_ipv4, ex_ipv6=ex_ipv6, in_ipv4=in_ipv4, in_ipv6=in_ipv6, cert_info=cert_info)
|
||||
|
||||
def setup_apps_view(self, request):
|
||||
# Application manager view.
|
||||
@ -208,20 +207,22 @@ class WSGIApp(object):
|
||||
def update_cert_action(self, request):
|
||||
# Update certificate - either request via Let's Encrypt or manually upload files
|
||||
try:
|
||||
if request.form['method'] not in ['auto', 'manual']:
|
||||
if request.form['method'] not in ['selfsigned', 'automatic', 'manual']:
|
||||
raise BadRequest()
|
||||
if request.form['method'] == 'manual':
|
||||
if request.form['method'] == 'selfsigned':
|
||||
self.vmmgr.create_selfsigned_cert()
|
||||
elif request.form['method'] == 'automatic':
|
||||
self.vmmgr.request_acme_cert()
|
||||
else:
|
||||
if not request.files['public']:
|
||||
return self.render_json({'error': request.session.lang.cert_file_missing()})
|
||||
if not request.files['private']:
|
||||
return self.render_json({'error': request.session.lang.key_file_missing()})
|
||||
request.files['public'].save('/tmp/public.pem')
|
||||
request.files['private'].save('/tmp/private.pem')
|
||||
self.vmmgr.install_cert('/tmp/public.pem', '/tmp/private.pem')
|
||||
self.vmmgr.install_manual_cert('/tmp/public.pem', '/tmp/private.pem')
|
||||
os.unlink('/tmp/public.pem')
|
||||
os.unlink('/tmp/private.pem')
|
||||
else:
|
||||
self.vmmgr.request_cert()
|
||||
except BadRequest:
|
||||
return self.render_json({'error': request.session.lang.malformed_request()})
|
||||
except:
|
||||
|
||||
@ -75,25 +75,28 @@
|
||||
|
||||
<div class="setup-box">
|
||||
<h2>HTTPS certifikát</h2>
|
||||
<p>Stávající certifikát je vystaven na jméno <strong>{{ cert_info['subject']['commonName'] }}</strong> vystavitelem <strong>{{ cert_info['issuer']['commonName'] }}</strong> a jeho platnost vyprší <strong>{{ cert_info['notAfter'] }}</strong>.</p>
|
||||
<p>Stávající certifikát je vystaven na jméno <strong>{{ cert_info['subject'] }}</strong> vystavitelem <strong>{{ cert_info['issuer'] }}</strong> a jeho platnost vyprší <strong>{{ cert_info['expires'] }}</strong>.</p>
|
||||
<form id="update-cert" action="/update-cert" method="post">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Způsob správy</td>
|
||||
<td>
|
||||
<select name="method" id="cert-method">
|
||||
<option value="auto"{% if is_letsencrypt %} selected{% endif %}>Automaticky</option>
|
||||
<option value="manual"{% if not is_letsencrypt %} selected{% endif %}>Ručně</option>
|
||||
<option value="selfsigned"{% if cert_info['method'] == 'selfsigned' %} selected{% endif %}>Self-signed</option>
|
||||
<option value="automatic"{% if cert_info['method'] == 'automatic' %} selected{% endif %}>Automaticky</option>
|
||||
<option value="manual"{% if cert_info['method'] == 'manual' %} selected{% endif %}>Ručně</option>
|
||||
</select>
|
||||
</td>
|
||||
<td class="remark">Volba "Automaticky" způsobí, že systém automaticky zažádá o certifikát certifikační autority Let's Encrypt pro všechny plně kvalifikované doménové názvy (tj. nikoliv wildcard) zmíněné v sekci <em>DNS záznamy</em> a nainstaluje úlohu pro jeho automatickou obnovu. Tato akce může trvat několik minut.<br>Volba "Ručně" znamená, že soubory certifikátu a jeho soukromého klíče je nutno nahrát a následně obnovovat ručně skrze formulář na této stránce.</td>
|
||||
<td class="remark">Volba "Self-signed" vygeneruje certifikát s vlastním podpisem a platnostÍ 20 let. Tento certifikát je použitelný pro testovací účely, ale většina mobilních aplikací s ním odmítne fungovat.
|
||||
<br>Volba "Automaticky" způsobí, že systém automaticky zažádá o certifikát certifikační autority Let's Encrypt pro všechny plně kvalifikované doménové názvy (tj. nikoliv wildcard) zmíněné v sekci <em>DNS záznamy</em>. Počet žádostí o certifikát se stejným doménovým jménem je omezený na 5 týdně, proto je vhodné tento typ certifikátu nastavovat až po instalaci aplikací. Zároveň bude nainstalována úloha pro automatickou obnovu. Proces vyžádání tohoto typu certifikátu může trvat několik minut.
|
||||
<br>Volba "Ručně" znamená, že soubory certifikátu a jeho soukromého klíče je nutno nahrát a následně obnovovat ručně skrze formulář na této stránce.</td>
|
||||
</tr>
|
||||
<tr class="cert-upload"{% if is_letsencrypt %} style="display:none"{% endif %}>
|
||||
<tr class="cert-upload"{% if cert_info['method'] != 'manual' %} style="display:none"{% endif %}>
|
||||
<td>Soubor certifikátu</td>
|
||||
<td><input type="file" name="public" accept=".cer, .crt, .der, .pem"></td>
|
||||
<td><input type="file" name="public" accept=".cer, .crt, .pem"></td>
|
||||
<td class="remark">Soubor s certifikátem ve formátu PEM.<br>Pokud je podepsán certifikační autoritou třetí strany, pak by tento soubor měl mimo koncového certifikátu obsahovat i podpisový certifikát.</td>
|
||||
</tr>
|
||||
<tr class="cert-upload"{% if is_letsencrypt %} style="display:none"{% endif %}>
|
||||
<tr class="cert-upload"{% if cert_info['method'] != 'manual' %} style="display:none"{% endif %}>
|
||||
<td>Soubor klíče</td>
|
||||
<td><input type="file" name="private" accept=".key, .pem"></td>
|
||||
<td class="remark">Soubor se soukromým klíčem ve formátu PEM pro výše vybraný certifikát.</td>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user