1 #!/bin/bash
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: AGPL-3.0
5
# Fold stderr into stdout so everything, including the `set -x` trace enabled
# below, ends up in the runit service log.
exec 2>&1
# Abort on the first failing command (or failing pipeline stage) and trace
# every command.  The trace shows argv only: private keys are written through
# -keyout files further down and never appear on a command line.
set -e -x -o pipefail

# shellcheck source=/dev/null
# Presumably supplies $root_cert, $root_cert_key, $server_cert,
# $server_cert_key and $localip, which this script uses but never defines.
. /usr/local/lib/arvbox/common.sh

# Cluster UUID prefix; only used to label the certificate subjects.
uuid_prefix=$(</var/lib/arvados/api_uuid_prefix)
12
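# (Re)create the self-signed test root whenever the existing one does not
# verify against itself: missing, unreadable, corrupt or expired.
if ! openssl verify -CAfile "$root_cert" "$root_cert"; then
    # req           certificate request sub-command
    # -new          generate a fresh key and request
    # -nodes        "no DES": leave the key unencrypted, services read it unattended
    # -sha256       sign with SHA-256 rather than the build's (possibly weaker) default digest
    # -x509         emit a self-signed certificate instead of a CSR
    # -subj         certificate subject; the timestamp keeps successive roots distinguishable
    # -extensions   section of -config holding the X.509v3 extensions (honoured because of -x509)
    # -config       stock openssl.cnf plus our extension section, spliced in via process substitution
    # -out          certificate output
    # -keyout       private key output (the file is created by openssl itself)
    # -days         certificate lifetime; once it expires the verify above fails and a new root is minted
    # The extension section restricts the root to signing end-entity certs only
    # (CA:true with pathlen:0) and to the keyCertSign/cRLSign usages.
    openssl req \
            -new \
            -nodes \
            -sha256 \
            -x509 \
            -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test root CA for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
            -extensions x509_ext \
            -config <(cat /etc/ssl/openssl.cnf \
                          <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
            -out "$root_cert" \
            -keyout "$root_cert_key" \
            -days 365
    chown arvbox:arvbox "$root_cert" "$root_cert_key"
    # NOTE(review): the key file keeps whatever mode openssl gave it (version
    # and umask dependent); consider an explicit chmod 0600 once it is confirmed
    # that only the arvbox user needs to read it.
    # A new root invalidates any server cert issued under the old one, so drop
    # it here and let the server-cert step below re-issue it.
    rm -f "$server_cert" "$server_cert_key"
fi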
41
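# Publish the (possibly new) test root into the system trust store so clients
# in the box that use it accept the server certificate.  Anything signed with
# the unencrypted CA key on this disk becomes trusted here, which is only
# acceptable because arvbox is a throwaway test environment.
cp "$root_cert" /usr/local/share/ca-certificates/arvados-testing-cert.crt
update-ca-certificates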
44
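# Subject alternative name for the address clients use to reach the box: an IPv4
# dotted quad (or an IPv6 literal, recognisable by ':') becomes an IP SAN,
# anything else is treated as a DNS name.  Computed before the check below so an
# existing certificate can be tested against the *current* address.
if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ || $localip == *:* ]]; then
    san="IP:$localip"
    san_check=(-verify_ip "$localip")
else
    san="DNS:$localip"
    san_check=(-verify_hostname "$localip")
fi

# Re-issue the server certificate unless the existing one both chains to the
# current root AND is valid for $localip.  Checking the chain alone would keep
# a cert whose SAN no longer matches if the address changes between runs
# (-verify_ip / -verify_hostname need OpenSSL 1.0.2 or newer).
if ! openssl verify -CAfile "$root_cert" "${san_check[@]}" "$server_cert"; then

    rm -f "$server_cert" "$server_cert_key"

    csr=/var/lib/arvados/server-cert-${localip}.csr

    # Configuration used for both the request and the signed certificate: the
    # stock openssl.cnf plus an extension section giving TLS-server key usage and
    # a SAN list of localhost plus the external address.  $san is passed as a
    # printf argument, never as part of the format string.
    ext_config() {
        cat /etc/ssl/openssl.cnf
        printf '\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,%s\n' "$san"
    }

    # req           certificate request sub-command
    # -new          generate a fresh key and request
    # -nodes        "no DES": leave the key unencrypted, the server reads it unattended
    # -sha256       sign the request with SHA-256
    # -subj         certificate subject; the timestamp keeps re-issued certs distinguishable
    # -reqexts      section of -config holding the extensions to embed in the CSR
    # -config       openssl.cnf plus our extension section, via process substitution
    # -out          CSR output
    # -keyout       private key output (the file is created by openssl itself)
    # (-extensions and -days only apply together with -x509, so they are not given here)
    openssl req \
            -new \
            -nodes \
            -sha256 \
            -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test server cert for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
            -reqexts x509_ext \
            -config <(ext_config) \
            -out "$csr" \
            -keyout "$server_cert_key"

    # x509 -req      sign the CSR with the test root
    # -sha256        use the same digest as the request (do not rely on the build default)
    # -set_serial    random 128-bit serial; a $RANDOM$RANDOM value (~30 bits) can repeat
    #                under the same issuer, which strict clients reject outright
    # -extfile/-extensions  x509 -req drops the CSR's extensions, so re-apply them from config
    # -days          certificate lifetime; verify above fails once it expires
    openssl x509 \
            -req \
            -sha256 \
            -in "$csr" \
            -CA "$root_cert" \
            -CAkey "$root_cert_key" \
            -out "$server_cert" \
            -set_serial "0x$(openssl rand -hex 16)" \
            -extfile <(ext_config) \
            -extensions x509_ext \
            -days 365

    chown arvbox:arvbox "$server_cert" "$server_cert_key"
fi

# One-shot service: tell runit not to restart this script now the certs exist.
sv stop certificate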