16267: switch to `arvados-server install -type test` for installing

[arvados.git] / tools / arvbox / lib / arvbox / docker / service / certificate / run

#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

/usr/local/lib/arvbox/runsu.sh flock $ARVADOS_CONTAINER_PATH/cluster_config.yml.lock /usr/local/lib/arvbox/cluster-config.sh

uuid_prefix=$(cat $ARVADOS_CONTAINER_PATH/api_uuid_prefix)

if ! openssl verify -CAfile $root_cert $root_cert ; then
    # req           signing request sub-command
    # -new          new certificate request
    # -nodes        "no des" don't encrypt key
    # -sha256       include sha256 fingerprint
    # -x509         generate self-signed certificate
    # -subj         certificate subject
    # -reqexts      certificate request extension for subjectAltName
    # -extensions   certificate request extension for subjectAltName
    # -config       certificate generation configuration plus subjectAltName
    # -out          certificate output
    # -keyout       private key output
    # -days         certificate lifetime
    openssl req \
            -new \
            -nodes \
            -sha256 \
            -x509 \
            -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test root CA for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
            -extensions x509_ext \
            -config <(cat /etc/ssl/openssl.cnf \
                          <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
            -out $root_cert \
            -keyout $root_cert_key \
            -days 365
    chown arvbox:arvbox $root_cert $root_cert_key
    rm -f $server_cert $server_cert_key
fi

cp $root_cert /usr/local/share/ca-certificates/arvados-testing-cert.crt
update-ca-certificates

if ! openssl verify -CAfile $root_cert $server_cert ; then

    rm -f $server_cert $server_cert_key

    if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        san=IP:$localip
    else
        san=DNS:$localip
    fi

    # req           signing request sub-command
    # -new          new certificate request
    # -nodes        "no des" don't encrypt key
    # -sha256       include sha256 fingerprint
    # -subj         certificate subject
    # -reqexts      certificate request extension for subjectAltName
    # -extensions   certificate request extension for subjectAltName
    # -config       certificate generation configuration plus subjectAltName
    # -out          certificate output
    # -keyout       private key output
    # -days         certificate lifetime
    openssl req \
            -new \
            -nodes \
            -sha256 \
            -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test server cert for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
            -reqexts x509_ext \
            -extensions x509_ext \
            -config <(cat /etc/ssl/openssl.cnf \
                          <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
            -out $ARVADOS_CONTAINER_PATH/server-cert-${localip}.csr \
            -keyout $server_cert_key \
            -days 365

    openssl x509 \
            -req \
            -in $ARVADOS_CONTAINER_PATH/server-cert-${localip}.csr \
            -CA $root_cert \
            -CAkey $root_cert_key \
            -out $server_cert \
            -set_serial $RANDOM$RANDOM \
            -extfile <(cat /etc/ssl/openssl.cnf \
                          <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
            -extensions x509_ext \
            -days 365

    chown arvbox:arvbox $server_cert $server_cert_key
fi

sv stop certificate