Updated create cert script to handle empty password files

jjcollinge · Nov 2, 2017 · 3c29b27 · 3c29b27
1 parent fd1f253
commit 3c29b27
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 92 deletions.
diff --git a/Traefik/ApplicationPackageRoot/ApplicationManifest.xml b/Traefik/ApplicationPackageRoot/ApplicationManifest.xml
@@ -2,7 +2,6 @@
 <ApplicationManifest ApplicationTypeName="TraefikType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <Parameters>
     <Parameter Name="Traefik_InstanceCount" DefaultValue="-1" />
-    <Parameter Name="TraefikPublish" DefaultValue="" />
   </Parameters>
   <!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion 
        should match the Name and Version attributes of the ServiceManifest element defined in the 

diff --git a/Traefik/ApplicationPackageRoot/TraefikPkg/Code/traefik.toml b/Traefik/ApplicationPackageRoot/TraefikPkg/Code/traefik.toml
@@ -73,7 +73,7 @@ address = ":80"
 #
 # Required
 #
-address = ":8080"
+address = ":9000"
 
 ################################################################
 # Service Fabric provider
@@ -89,10 +89,10 @@ clustermanagementurl = "https://localhost:19080"
 apiversion = "3.0"
 
 # Client certifcate file path
-clientcertfilepath = "certs/clientcert.crt"
+clientcertfilepath = "certs/client.crt"
 
 # Client certifcate key file path
-clientcertkeyfilepath = "certs/clientcert.key"
+clientcertkeyfilepath = "certs/client.key"
 
-# CA certifcate file path
-cacertfilepath = "certs/cacert.cer"
+# Skip TLS verify
+InsecureSkipVerify=true
diff --git a/Traefik/ApplicationPackageRoot/TraefikPkg/ServiceManifest.xml b/Traefik/ApplicationPackageRoot/TraefikPkg/ServiceManifest.xml
@@ -32,7 +32,7 @@
            listen. Please note that if your service is partitioned, this port is shared with 
            replicas of different partitions that are placed in your code. -->
       <Endpoint Name="TraefikTypeEndpoint" UriScheme="http" Port="80" />
-      <Endpoint Name="TraefikTypeDashboardEndpoint" UriScheme="http" Port="8080" />
+      <Endpoint Name="TraefikTypeDashboardEndpoint" UriScheme="http" Port="9000" />
     </Endpoints>
   </Resources>
 </ServiceManifest>
diff --git a/Traefik/PublishProfiles/example.Cloud.xml b/Traefik/PublishProfiles/example.Cloud.xml
diff --git a/Traefik/Scripts/Create-Certs.ps1 b/Traefik/Scripts/Create-Certs.ps1
@@ -11,17 +11,14 @@ Path to existing .Pfx certificate file
 .PARAMETER PfxPassphraseFilePath
 Path to permissioned ANSI passphrase file
 
-.PARAMETER CASubject
-CA Subject string i.e. "/C=GB/ST=England/L=London/O=Joni/CN=www.example.com"
-
 .EXAMPLE
-PS> Create-Certs.ps1 -PfxCertFilePath mycert.pfx -PfxPassphraseFilePath mypass.txt -CASubject  "/C=GB/ST=England/L=London/O=Joni/CN=www.example.com"
+PS> Create-Certs.ps1 -PfxCertFilePath mycert.pfx -PfxPassphraseFilePath mypass.txt
 
 .NOTES
 This script is meant as a tool for testing a Traefik Service Fabric deployment.
 For a production cluster - you will likely generate a READ-ONLY client certificate,
 upload it to your cluster, extract the certificate and keys from it and then pass those
-to Traefik. You will also require a more secure strategy to hanlding root CA signers.
+to Traefik.
 
 This script requires execution policy to be set to unrestricted:
 `Set-ExectuionPolicy -ExecutionPolicy unrestricted -Scope CurrentUser`
@@ -33,21 +30,15 @@ param (
     [Parameter(Mandatory=$true)]
     [string]
     $PfxCertFilePath,
-    [Parameter(Mandatory=$true)]
+    [Parameter(Mandatory=$false)]
     [string]
     $PfxPassphraseFilePath,
-    [Parameter(Mandatory=$true)]
-    [string]
-    $CASubject,
     [Parameter(Mandatory=$false)]
     [string]
     $OutputCertDir="certs",
     [Parameter(Mandatory=$false)]
     [string]
-    $CACertOutputName="cacert",
-    [Parameter(Mandatory=$false)]
-    [string]
-    $ClientCertOutputName="clientcert",
+    $ClientCertOutputName="client",
     [Parameter(Mandatory=$false)]
     [int16]
     $Duration=365
@@ -62,6 +53,7 @@ function BuildOutputPath ([String]$fileName, [String]$fileExtension) {
     return $OutputPath
 }
 
+
 ############################
 # Test Prerequisites
 ############################
@@ -80,13 +72,6 @@ if ( -Not(Test-Path -Path $PfxCertFilePath -ErrorAction SilentlyContinue))
     exit
 }
 
-# Existing .PFX passphrase file
-if ( -Not(Test-Path -Path $PfxPassphraseFilePath))
-{
-    Write-Error "PfxCertPasswordFilePath " + $PfxCertPasswordFilePath + " does not exist"
-    exit
-}
-
 # Output directory
 if ( -Not(Test-Path -Path $OutputCertDir))
 {
@@ -97,45 +82,33 @@ if ( -Not(Test-Path -Path $OutputCertDir))
 # Main
 ############################
 
-# A bug/feature in OpenSSL requires unique passphrase
-# files for passin and passout n if the same
-# See: https://rt.openssl.org/Ticket/Display.html?id=3168&user=guest&pass=guest
-
-# Create copy of existing passphrase file to use to secure PEM files
-$PemPassphraseFilePath="pempass.txt"
-if (Test-Path -Path $PemPassphraseFilePath)
+if ($PfxPassphraseFilePath) 
 {
-    Remove-Item -Path $PemPassphraseFilePath
+    # Passphrase file provided but empty
+    $UsePassphraseFile = (Get-Item $PfxPassphraseFilePath).length -gt 0kb
 }
-New-Item -Path $PemPassphraseFilePath -Type File > $null
-.\Copy-Acl.ps1 -FromPath $PfxPassphraseFilePath -Destination $PemPassphraseFilePath
-Get-Content $PfxPassphraseFilePath | Out-File $PemPassphraseFilePath
-
-# Extract client private key
-# Creates a passphrase encrypted .key file
-$EncryptedClientKeyOutputPath = BuildOutputPath -fileName $ClientCertOutputName -fileExtension "_encrypted.key"
-openssl pkcs12 -in $PfxCertFilePath -nocerts -out $EncryptedClientKeyOutputPath -passin file:$PfxPassphraseFilePath -passout file:$PemPassphraseFilePath > $null 2>&1
 
-# Extract client certificate
-# Creates a .crt certificate file
-$ClientCertOutputPath = BuildOutputPath -fileName $ClientCertOutputName -fileExtension ".crt"
-openssl pkcs12 -in $PfxCertFilePath -clcerts -nokeys -out $ClientCertOutputPath -passin file:$PfxPassphraseFilePath > $null 2>&1
-
-# CAUTION: Unencrypts private key file (store file with care)
-# Creates an unencrypted .key file
 $ClientKeyOutputPath = BuildOutputPath -fileName $ClientCertOutputName -fileExtension ".key"
-openssl rsa -in $EncryptedClientKeyOutputPath -out $ClientKeyOutputPath -passin file:$PemPassphraseFilePath > $null 2>&1
-
-# Generates a Root CA certificate using our private key file
-$CACertOutputPath = BuildOutputPath -fileName $CACertOutputName -fileExtension ".cer"
-openssl req -x509 -new -nodes -key $ClientKeyOutputPath -days $Duration -out $CACertOutputPath -subj $CASubject > $null 2>&1
+$ClientCertOutputPath = BuildOutputPath -fileName $ClientCertOutputName -fileExtension ".crt"
+if ($UsePassphraseFile)
+{
+    # Extract private key
+    openssl pkcs12 -in $PfxCertFilePath -nocerts -nodes -out $ClientKeyOutputPath -passin file:$PfxPassphraseFilePath > $null 2>&1
+    # Extract certificate
+    openssl pkcs12 -in $PfxCertFilePath -clcerts -nokeys -nodes -out $ClientCertOutputPath -passin file:$PfxPassphraseFilePath > $null 2>&1
+}
+else
+{
+    # No passphrase
 
-# Clean-up temporary files
-Remove-Item $PemPassphraseFilePath
+    # Extract private key
+    openssl pkcs12 -in $PfxCertFilePath -nocerts -nodes -out $ClientKeyOutputPath -passin pass:'' > $null 2>&1
+    # Extract certificate
+    openssl pkcs12 -in $PfxCertFilePath -clcerts -nokeys -out $ClientCertOutputPath -passin pass:'' > $null 2>&1
+}
 
 Write-Host "All generated files have been placed within the directory: $OutputCertDir"
-Write-Host "To use these files with traefik, move them to ..\ApplicationPackageRoot\TraefikPkg\Code\certs"
+Write-Host "To use these files with Traefik, move them to ..\ApplicationPackageRoot\TraefikPkg\Code\certs"
 Write-Host "Ensure your traefik.toml has the correct paths for the parameters"
 Write-Host " - clientcertfilepath"
-Write-Host " - clientcertkeyfilepath"
-Write-Host " - cacertfilepath"
+Write-Host " - clientcertkeyfilepath"
diff --git a/Traefik/Traefik.sfproj b/Traefik/Traefik.sfproj
@@ -29,18 +29,14 @@
     <None Include="Scripts\Update-Config.ps1" />
   </ItemGroup>
   <ItemGroup>
-    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\cacert.cer" />
-    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\clientcert.crt" />
-    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\clientcert.key" />
-    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\clientcert_encrypted.key" />
+    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\client.crt" />
+    <Content Include="ApplicationPackageRoot\TraefikPkg\Code\certs\client.key" />
     <Content Include="ApplicationPackageRoot\TraefikPkg\Code\traefik.exe" />
     <Content Include="ApplicationPackageRoot\TraefikPkg\Config\Settings.xml" />
     <Content Include="ApplicationPackageRoot\TraefikPkg\Code\traefik.toml" />
     <Content Include="ApplicationPackageRoot\TraefikPkg\ServiceManifest.xml" />
     <Content Include="packages.config" />
-  </ItemGroup>
-  <ItemGroup>
-    <Folder Include="ApplicationPackageRoot\TraefikPkg\Code\certs\" />
+    <Content Include="PublishProfiles\example.Cloud.xml" />
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.Common.targets" />
   <PropertyGroup>