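#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0
#
# One-shot runit service for arvbox: create a testing root CA (if missing or
# expired), issue a server certificate for ${localip} signed by it (if
# missing, expired, or no longer chaining to the current root), install the
# root into the system trust store, then stop itself.
#
# Inputs (set by common.sh):  uuid_prefix, localip
# Outputs:
#   /var/lib/arvados/root-cert.{pem,key}
#   /var/lib/arvados/server-cert-${localip}.{csr,key,pem}
#   /usr/local/share/ca-certificates/arvados-testing-cert.crt

exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

readonly cert_dir=/var/lib/arvados
readonly root_cert="${cert_dir}/root-cert.pem"
readonly root_key="${cert_dir}/root-cert.key"
readonly server_base="${cert_dir}/server-cert-${localip}"
readonly cert_days=365

#######################################
# Emit an openssl config on stdout: the stock config followed by an
# [x509_ext] section whose body is "$1". Used via process substitution so the
# same extension text can feed both the request and the signing step.
# Arguments: $1 - extension lines (newline separated)
#######################################
ext_config() {
  cat /etc/ssl/openssl.cnf
  printf '\n[x509_ext]\n%s\n' "$1"
}

#######################################
# Decide whether certificate "$1" must be (re)generated.
# Returns: 0 when the file is missing/empty or has already expired
#          (-checkend 0 fails once notAfter has passed), 1 otherwise.
#######################################
cert_needed() {
  ! test -s "$1" || ! openssl x509 -checkend 0 -noout -in "$1" >/dev/null
}

if cert_needed "$root_cert"; then
  # basicConstraints: CA with pathlen 0, so this root can only sign
  #   end-entity certificates, never intermediates
  # keyUsage: restricted to signing certificates and CRLs
  root_ext=$'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'

  # -new/-x509  self-signed certificate straight from a fresh request
  # -nodes      unencrypted private key (no passphrase prompt in a service)
  # -sha256     signature digest
  # -days       lifetime; honoured here because -x509 is given
  openssl req \
          -new \
          -nodes \
          -sha256 \
          -x509 \
          -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
          -extensions x509_ext \
          -config <(ext_config "$root_ext") \
          -out "$root_cert" \
          -keyout "$root_key" \
          -days "$cert_days"
  chown arvbox:arvbox "${cert_dir}"/root-cert.*
fi

# Regenerate the server cert when it is missing/expired, or when it no longer
# chains to the (possibly just regenerated) root.
if cert_needed "${server_base}.pem" \
   || ! openssl verify -CAfile "$root_cert" "${server_base}.pem" >/dev/null; then

  # Dotted-quad addresses must be an IP SAN; anything else is a DNS SAN.
  if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    san="IP:${localip}"
  else
    san="DNS:${localip}"
  fi

  # $san is passed as a printf argument, never as part of the format string.
  # The same extensions are applied at signing time below: `openssl x509 -req`
  # does not copy extensions out of the request.
  printf -v server_ext \
    'keyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,%s' \
    "$san"

  # Certificate request plus a new unencrypted key. Note: -days is ignored by
  # `req` without -x509; the real lifetime is set when signing below.
  openssl req \
          -new \
          -nodes \
          -sha256 \
          -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
          -reqexts x509_ext \
          -extensions x509_ext \
          -config <(ext_config "$server_ext") \
          -out "${server_base}.csr" \
          -keyout "${server_base}.key"

  # 128-bit random serial: serials issued by one CA must be unique, and
  # $RANDOM$RANDOM (well under 32 bits, not uniform) can repeat.
  serial="0x$(openssl rand -hex 16)"

  # Sign the request with the root. -days must be given here: without it
  # `openssl x509 -req` issues a 30-day certificate.
  openssl x509 \
          -req \
          -in "${server_base}.csr" \
          -CA "$root_cert" \
          -CAkey "$root_key" \
          -out "${server_base}.pem" \
          -set_serial "$serial" \
          -days "$cert_days" \
          -extfile <(ext_config "$server_ext") \
          -extensions x509_ext

  chown arvbox:arvbox "${server_base}".*
fi

# Install the root into the system trust store (update-ca-certificates only
# picks up *.crt files from this directory).
cp "$root_cert" /usr/local/share/ca-certificates/arvados-testing-cert.crt
update-ca-certificates

# One-shot service: tell runit not to restart us.
sv stop certificate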