From 74ed1718f9c35244119e0285ea14efd13ec6de3e Mon Sep 17 00:00:00 2001 From: Cameron MacLeod Date: Sun, 23 Feb 2020 16:07:14 +0000 Subject: [PATCH 1/3] Fix parameter substitution in clean script --- hack/clean_oai_on_k8s | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/clean_oai_on_k8s b/hack/clean_oai_on_k8s index 36217db..d48546b 100755 --- a/hack/clean_oai_on_k8s +++ b/hack/clean_oai_on_k8s @@ -1,6 +1,6 @@ #!/bin/bash -NAMESPACE={$NAMESPACE:-oai} +NAMESPACE=${NAMESPACE:-oai} info() { local MESSAGE=$1 From 71bdf34478c3588a008d6bf7b8dce9ae0b7ca766 Mon Sep 17 00:00:00 2001 From: Cameron MacLeod Date: Thu, 27 Feb 2020 13:28:17 +0000 Subject: [PATCH 2/3] Generate_certs fixes /etc/pki/tls doesn't exist in my env so add default file --- hack/generate_certs | 8 ++++- openssl.cnf.default | 87 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 openssl.cnf.default diff --git a/hack/generate_certs b/hack/generate_certs index c86a9b3..cfb8222 100755 --- a/hack/generate_certs +++ b/hack/generate_certs @@ -19,6 +19,7 @@ generate_certs() { local FQDN=$1 local PREFIX=$2 local DIR=$3 + local REPO_DIR=$(pwd) TMP=$(mktemp -d) function cleanup { @@ -29,7 +30,12 @@ generate_certs() { echo "01" > serial touch index.txt index.txt.attr - cat /etc/pki/tls/openssl.cnf | sed "s|/etc/pki/CA|${TMP}|" > openssl.cnf + if [ -f "/etc/pki/tls/openssl.cnf" ]; then + cat /etc/pki/tls/openssl.cnf | sed "s|/etc/pki/CA|${TMP}|" > openssl.cnf + else + dd if=/dev/urandom of=".rnd" bs=256 count=1 + cp "${REPO_DIR}/openssl.cnf.default" openssl.cnf + fi info "Creating Root CA certificate for '${FQDN}'" openssl req -new -batch -x509 -days 3650 -nodes -newkey rsa:1024 \ diff --git a/openssl.cnf.default b/openssl.cnf.default new file mode 100644 index 0000000..067066f --- /dev/null +++ b/openssl.cnf.default 
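Review bot: `local REPO_DIR=$(pwd)` in the `@@ -19,6 +19,7 @@` hunk records the caller's working directory, not the repository, so the fallback `cp "${REPO_DIR}/openssl.cnf.default" openssl.cnf` in the following hunk only works when the script is invoked from the repo root; from any other directory the copy fails after serial and index.txt have already been written into the temp directory. Combining `local` with the command substitution also hides a failing `pwd` behind the always-zero status of `local` (ShellCheck SC2155). Since the script lives in hack/, resolve the path from its own location instead: `local REPO_DIR` / `REPO_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd) || return 1`. generate_certs begins before this hunk and continues after it.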
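Review bot: The new `if [ -f "/etc/pki/tls/openssl.cnf" ]` branch in the `@@ -29,7 +30,12 @@` hunk makes the CA's signing parameters host-dependent: on a machine with the system file the CA section, digest and policy come from that distribution's config, while elsewhere they come from the bundled openssl.cnf.default (which sets its own `[ default_ca_opts ]` and `[ my_policy ]`), so certificates generated on two hosts can differ in ways the script never sees. Consider always using the repository file, which needs no `/etc/pki/CA` rewrite because it only uses relative paths, so that output is reproducible and reviewable in git; if the branch stays, the useless `cat` can go: `sed "s|/etc/pki/CA|${TMP}|" /etc/pki/tls/openssl.cnf > openssl.cnf`. generate_certs continues outside the hunk.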
@@ -0,0 +1,87 @@
+#
+# Example OpenSSL configuration file for use with Let's Encrypt.
+# This is only being used for generation of certificate requests.
+# Modified from a standard example by Parliament Hill Computers Ltd.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = ./.rnd
+
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+
+# Stop confirmation prompts. All information is contained below.
+prompt = no
+
+# The extensions to add to a certificate request - see [ v3_req ]
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+# Describe the Subject (ie the origanisation).
+# The first 6 below could be shortened to: C ST L O OU CN
+# The short names are what are shown when the certificate is displayed.
+# Eg the details below would be shown as:
+# Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/emailAddress=bofh@example.com
+
+# Leave as long names as it helps documentation
+
+countryName= UK
+stateOrProvinceName= Midlothian
+localityName= Edinburgh
+organizationName= University of Edinburgh
+organizationalUnitName= Informatics
+
+[ req_attributes ]
+# None. Could put Challenge Passwords, don't want them, leave empty
+
+[ v3_req ]
+
+# X509v3 extensions to add to a certificate request
+# See x509v3_config
+
+# What the key can/cannot be used for:
+#basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth,serverAuth
+
+# The subjectAltName is where you give the names of extra web sites.
+# You may have more than one of these, so put in the section [ alt_names ]
+# If you do not have any extra names, comment the next line out.
+#subjectAltName = @alt_names
+
+# List of all the other DNS names that the certificate should work for.
+# alt_names is a name of my own invention
+#[ alt_names ]
+#DNS.1 = devel.example.com
+#DNS.2 = ipv6.example.com
+#DNS.3 = ipv4.example.com
+#DNS.4 = test.example.com
+#DNS.5 = party.example.com
+
+[ ca ]
+default_ca = default_ca_opts
+
+[ default_ca_opts ]
+serial = ./serial
+database = ./index.txt
+new_certs_dir = .
+default_md = sha1
+default_days = 365
+# a section with a set of variables corresponding to DN fields
+policy = my_policy
+
+[ my_policy ]
+# if the value is "match" then the field value must match the same field in the
+# CA certificate. If the value is "supplied" then it must be present.
+# Optional means it may be present. Any fields not mentioned are silently
+# deleted.
+countryName = match
+stateOrProvinceName = supplied
+organizationName = supplied
+commonName = supplied
+organizationalUnitName = optional
+commonName = supplied
From ef96812a95909e85efca47e28808b3b8a5e37ad5 Mon Sep 17 00:00:00 2001
From: Cameron MacLeod
Date: Thu, 27 Feb 2020 14:44:39 +0000
Subject: [PATCH 3/3] Eurecom defaults

---
 openssl.cnf.default | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/openssl.cnf.default b/openssl.cnf.default
index 067066f..6b1eaab 100644
--- a/openssl.cnf.default
+++ b/openssl.cnf.default
@@ -1,12 +1,5 @@
-#
-# Example OpenSSL configuration file for use with Let's Encrypt.
-# This is only being used for generation of certificate requests.
-# Modified from a standard example by Parliament Hill Computers Ltd.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
+# File based on example available here: https://www.phcomp.co.uk/Tutorials/Web-Technologies/Understanding-and-generating-OpenSSL.cnf-files.html
+
 RANDFILE = ./.rnd
 
 [ req ]
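Review bot: `default_md = sha1` in `[ default_ca_opts ]` makes every certificate issued through the `[ ca ]` section SHA-1-signed, and current TLS stacks (browsers, OpenSSL 3.x at its default security level) reject SHA-1 certificate signatures, so a chain produced with this file would be unusable for them; change it to `default_md = sha256`. `[ my_policy ]` also lists `commonName = supplied` twice, and the second copy should be dropped. Note that `default_bits = 2048` here is overridden by the `-newkey rsa:1024` in hack/generate_certs visible earlier in this series; the two should agree, and 1024-bit RSA is likewise rejected by modern clients.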
@@ -22,18 +15,15 @@ req_extensions = v3_req [ req_distinguished_name ] # Describe the Subject (ie the origanisation). -# The first 6 below could be shortened to: C ST L O OU CN # The short names are what are shown when the certificate is displayed. -# Eg the details below would be shown as: -# Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/emailAddress=bofh@example.com # Leave as long names as it helps documentation -countryName= UK -stateOrProvinceName= Midlothian -localityName= Edinburgh -organizationName= University of Edinburgh -organizationalUnitName= Informatics +countryName= FR +stateOrProvinceName= PACA +localityName= Aix +organizationName= Eurecom +organizationalUnitName= CM [ req_attributes ] # None. Could put Challenge Passwords, don't want them, leave empty