2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
# Generate (or refresh) the arvbox test PKI: a self-signed root CA that is installed
# into the container's system trust store, plus a server certificate for $localip
# signed by that root. The paths ($root_cert, $root_cert_key, $server_cert,
# $server_cert_key) and $localip/$san are expected to come from common.sh or from
# lines not shown in this excerpt - confirm.
# NOTE(review): variable expansions are unquoted throughout; that is only safe while
# common.sh keeps these paths free of whitespace and glob characters.
9 . /usr/local/lib/arvbox/common.sh
# Run cluster-config.sh under a lock file so concurrent service start-ups do not race
# on cluster_config.yml; runsu.sh presumably switches to the service user - confirm.
11 /usr/local/lib/arvbox/runsu.sh flock /var/lib/arvados/cluster_config.yml.lock /usr/local/lib/arvbox/cluster-config.sh
# Cluster UUID prefix, embedded in the certificate subjects below.
13 uuid_prefix=$(cat /var/lib/arvados/api_uuid_prefix)
# (Re)generate the root CA only when the existing one fails self-verification: file
# missing or unreadable, malformed PEM, or validity period elapsed. Verifying a CA
# against itself checks its self-signature and dates; it says nothing about the key file.
15 if ! openssl verify -CAfile $root_cert $root_cert ; then
16 # req certificate-request sub-command (with -x509 it emits a certificate directly)
17 # -new generate a new key and a new request
18 # -nodes "no DES": write the private key unencrypted; protection relies on file mode, not a passphrase
19 # -sha256 sign with SHA-256; this selects the signature digest algorithm, not a fingerprint
20 # -x509 output a self-signed certificate instead of a CSR
21 # -subj certificate subject (avoids the interactive prompts)
22 # -reqexts extensions section for a CSR; not visible in this invocation, -extensions applies because -x509 is used
23 # -extensions config section holding the X.509 v3 extensions for the self-signed cert
24 # -config system openssl.cnf with an [x509_ext] section appended via process substitution
25 # -out certificate output
26 # -keyout private key output
27 # -days certificate lifetime
# Root CA constraints: basicConstraints CA:true,pathlen:0 lets this key sign end-entity
# certificates only (no intermediates), and keyUsage restricts it to certificate and
# CRL signing. Both are marked critical so conforming clients must honour them.
# The generation timestamp in the CN keeps successive test roots distinguishable.
33 -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test root CA for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
34 -extensions x509_ext \
35 -config <(cat /etc/ssl/openssl.cnf \
36 <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
38 -keyout $root_cert_key \
40 chown arvbox:arvbox $root_cert $root_cert_key  # NOTE(review): no chmod here; confirm the unencrypted CA key ends up 0600, not group/world-readable
41 rm -f $server_cert $server_cert_key  # a new root invalidates the old server cert; force re-issue below
# Install the test root into the system trust store so every TLS client in this
# container accepts certificates chaining to it. This is a full-trust grant: whoever
# can read $root_cert_key can mint certificates this box trusts. Acceptable only
# because arvbox is a test environment; never reuse this CA outside it.
44 cp $root_cert /usr/local/share/ca-certificates/arvados-testing-cert.crt
45 update-ca-certificates
# Re-issue the server certificate when it is missing, expired, or no longer chains to
# the current root. openssl verify does not check that its SAN still matches $localip;
# presumably the per-IP file naming below covers that - confirm.
47 if ! openssl verify -CAfile $root_cert $server_cert ; then
49 rm -f $server_cert $server_cert_key  # start clean: key and cert are regenerated together
# Dotted-quad literals take this branch (presumably so $san, built in lines not shown,
# carries an IP: entry). The regex does not range-check octets, and IPv6 literals never
# match, so they fall through to the other branch.
51 if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
57 # req certificate-request sub-command (no -x509 here: this produces a CSR)
58 # -new generate a new key and a new request
59 # -nodes "no DES": write the private key unencrypted; protection relies on file mode, not a passphrase
60 # -sha256 sign the request with SHA-256 (digest algorithm, not a fingerprint)
61 # -subj certificate subject (avoids the interactive prompts)
62 # -reqexts extensions section for the request (the flag older OpenSSL releases honour for CSRs)
63 # -extensions extensions section; may be ignored for a CSR on older OpenSSL, see note below
64 # -config system openssl.cnf with an [x509_ext] section appended via process substitution
65 # -out CSR output
66 # -keyout private key output
67 # -days ignored for a CSR (only meaningful with -x509); the lifetime is set in the signing step
# Server certificate: keyUsage digitalSignature+keyEncipherment with a SAN of localhost
# plus $san. No extendedKeyUsage is set - confirm no client in the stack requires a
# serverAuth EKU.
# The CSR written to server-cert-${localip}.csr is then signed with the root key via
# `openssl x509 -req` (below). The same [x509_ext] section is supplied again through
# -extfile/-extensions because x509 -req does not copy extensions from the CSR by
# default, and `req -extensions` may not be applied to a CSR on older OpenSSL releases.
# NOTE(review): the signing step uses -set_serial $RANDOM$RANDOM. bash's $RANDOM is a
# 15-bit non-cryptographic PRNG, so the serial carries at most ~30 bits of entropy and
# can repeat across regenerations; some clients reject a re-seen (issuer, serial) pair,
# and CA/Browser Forum rules require >= 64 bits from a CSPRNG. Tolerable for a
# throwaway test CA; for anything else use `-set_serial 0x$(openssl rand -hex 16)`.
72 -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test server cert for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
74 -extensions x509_ext \
75 -config <(cat /etc/ssl/openssl.cnf \
76 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
77 -out /var/lib/arvados/server-cert-${localip}.csr \
78 -keyout $server_cert_key \
83 -in /var/lib/arvados/server-cert-${localip}.csr \
85 -CAkey $root_cert_key \
87 -set_serial $RANDOM$RANDOM \
88 -extfile <(cat /etc/ssl/openssl.cnf \
89 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
90 -extensions x509_ext \
93 chown arvbox:arvbox $server_cert $server_cert_key  # NOTE(review): as with the CA key, no chmod; confirm the server key is not group/world-readable