From ce56ff2faed817f11b86ab7410004442c87c089d Mon Sep 17 00:00:00 2001
From: Wenkai Yin
Date: Wed, 16 Nov 2016 18:49:09 +0800
Subject: [PATCH] generate self-signed certificate
---
 make/harbor.cfg | 4 +-
 tools/ova/script/config.sh | 109 +++++++++++++++++++++++++++++-----
 tools/ova/script/firstboot.sh | 3 +-
 3 files changed, 99 insertions(+), 17 deletions(-)
diff --git a/make/harbor.cfg b/make/harbor.cfg
index f2d00554e..489b21418 100644
--- a/make/harbor.cfg
+++ b/make/harbor.cfg
@@ -85,6 +85,6 @@ crt_email = example@example.com
 #The path of cert and key files for nginx, they are applied only the protocol is set to https
-ssl_cert = /data/server.crt
-ssl_cert_key = /data/server.key
+ssl_cert = /data/cert/server.crt
+ssl_cert_key = /data/cert/server.key
 #############
diff --git a/tools/ova/script/config.sh b/tools/ova/script/config.sh
index 884835a51..6cf2487e5 100755
--- a/tools/ova/script/config.sh
+++ b/tools/ova/script/config.sh
@@ -18,9 +18,21 @@ attrs=(
 verify_remote_cert
 self_registration
 )
+
+cert=/data/cert/server.crt
+key=/data/cert/server.key
+csr=/data/cert/server.csr
+ca_cert=/data/cert/ca.crt
+ca_key=/data/cert/ca.key
+ext=/data/cert/extfile.cnf
+
+hostname=""
 base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
+isFQDN=true
+flag=$base_dir/cert_gen_type
+
 #The location of harbor.cfg
 cfg=$base_dir/harbor/harbor.cfg
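Review bot: The six `/data/cert/...` paths introduced in the first config.sh hunk duplicate the `ssl_cert`/`ssl_cert_key` values this same commit changes in make/harbor.cfg, and nothing ties the two together, so a comment such as `# must match ssl_cert / ssl_cert_key in harbor.cfg (nginx reads the files from there)` above `cert=` would keep them from drifting. The marker file `flag=$base_dir/cert_gen_type` lives beside the script while the certificate it describes lives under /data/cert; if one location survives an upgrade or a /data restore and the other does not, `secure` in the next hunk sees a missing or stale flag and overwrites a customized certificate with a self-signed one. Keeping the flag next to the certificate, e.g. `flag=/data/cert/cert_gen_type`, ties its lifetime to the files it records; whether base_dir is replaced on upgrade is not visible in this diff.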
@@ -35,10 +47,82 @@ function format {
 echo $tail >> $file
 }
+function genCert {
+ if [ ! -e $ca_cert ] || [ ! -e $ca_key ]
+ then
+ openssl req -newkey rsa:4096 -nodes -sha256 -keyout $ca_key \
+ -x509 -days 365 -out $ca_cert -subj \
+ "/C=US/ST=California/L=Palo Alto/O=VMware/OU=CA/CN=CA"
+ fi
+ openssl req -newkey rsa:4096 -nodes -sha256 -keyout $key \
+ -out $csr -subj \
+ "/C=US/ST=California/L=Palo Alto/O=VMware/OU=Harbor/CN=$hostname"
+ if [ "$isFQDN" = false ]
+ then
+ echo "Add subjectAltName = IP: $hostname to certificate"
+ echo subjectAltName = IP:$hostname > $ext
+ #openssl x509 -req -days 365 -in $csr -signkey $key -extfile $ext -out $cert
+ openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
+ else
+ #openssl x509 -req -days 365 -in $csr -signkey $key -out $cert
+ openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -out $cert
+ fi
+ echo "self-signed" > $flag
+}
+
+function secure {
+ echo "Read attribute using ovfenv: [ ssl_cert ]"
+ ssl_cert=$(ovfenv -k ssl_cert)
+ echo "Read attribute using ovfenv: [ ssl_cert_key ]"
+ ssl_cert_key=$(ovfenv -k ssl_cert_key)
+ if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
+ then
+ echo "ssl_cert and ssl_cert_key are both set, using customized certificate"
+ echo $ssl_cert > $cert
+ format $cert
+ echo $ssl_cert_key > $key
+ format $key
+ echo "customized" > $flag
+ return
+ fi
+
+ if [ ! -e $cert ] || [ ! -e $key ]
+ then
+ echo "Certificate or key file does not exist, will generate a self-signed certificate"
+ genCert
+ return
+ fi
+
+ if [ ! -e $flag ]
+ then
+ echo "The file which records the way generating certificate does not exist, will generate a new self-signed certificate"
+ genCert
+ return
+ fi
+
+ if [ ! 
$(cat $flag) = "self-signed" ]
+ then
+ echo "The way generating certificate changed, will generate a new self-signed certificate"
+ genCert
+ return
+ fi
+
+ cn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') || true
+ if [ "$hostname" != "$cn" ]
+ then
+ echo "Common name changed: $cn -> $hostname , will generate a new self-signed certificate"
+ genCert
+ return
+ fi
+
+ echo "Use the existing certificate and key file"
+}
+
 #Modify hostname
 hostname=$(hostname --fqdn) || true
 if [ -z "$hostname" ]
 then
+ isFQDN=false
 hostname=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
 fi
@@ -52,22 +136,19 @@ else
 fi
 #Handle http/https
-protocol=http
-echo "Read attribute using ovfenv: [ ssl_cert ]"
-ssl_cert=$(ovfenv -k ssl_cert)
-echo "Read attribute using ovfenv: [ ssl_cert_key ]"
-ssl_cert_key=$(ovfenv -k ssl_cert_key)
-if [ -n "$ssl_cert" ] && [ -n "$ssl_cert_key" ]
+echo "Read attribute using ovfenv: [ protocol ]"
+protocol=$(ovfenv -k protocol)
+if [ -z $protocol ]
 then
- echo "ssl_cert and ssl_cert_key are set, using HTTPS protocol"
 protocol=https
- sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
- echo $ssl_cert > /data/server.crt
- format /data/server.crt
- echo $ssl_cert_key > /data/server.key
- format /data/server.key
-else
- echo "ssl_cert and ssl_cert_key are not set, using HTTP protocol"
+fi
+
+echo "Protocol: $protocol"
+sed -i -r s%"#?ui_url_protocol\s*=\s*.*"%"ui_url_protocol = $protocol"% $cfg
+
+if [ $protocol = "https" ]
+then
+ secure
 fi
 for attr in "${attrs[@]}"
diff --git a/tools/ova/script/firstboot.sh b/tools/ova/script/firstboot.sh
index a59da1d3d..5867f8a46 100755
--- a/tools/ova/script/firstboot.sh
+++ b/tools/ova/script/firstboot.sh
@@ -45,7 +45,8 @@ then
 sed -i -r s%"#?auth_mode\s*=\s*.*"%"auth_mode = $auth_mode"% $base_dir/../harbor/harbor.cfg
 fi
-#Configure other attrs
+#Configure other attrs
+mkdir -p /data/cert/
 configure
 #Start Harbor
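Review bot: Both `openssl req ... -nodes -keyout` calls in genCert write unencrypted private keys (ca.key and server.key) with whatever umask the caller has, and nothing afterwards restricts their mode, so unless the installed openssl already creates `-keyout` files owner-only the keys are readable by every local account; a `chmod 600` right after each call (below) fixes that, and the CA key is deliberately kept on disk for re-signing on hostname change, so it needs the same protection as the server key. `secure` regenerates only when the flag or the common name changes, while genCert issues `-days 365` certificates, so after a year the expired certificate is kept indefinitely; an `openssl x509 -checkend 0` test before the CN comparison (below) closes that gap. Only the non-FQDN branch sets a subjectAltName and the FQDN branch issues a CN-only certificate, which verifiers that do not fall back to CN (RFC 6125 behaviour) reject, so the else branch should write `subjectAltName = DNS:$hostname` and sign with `-extfile $ext` too. Finally `if [ ! $(cat $flag) = "self-signed" ]` is unquoted, so an empty flag file turns the test into `[ ! = "self-signed" ]` and the stale certificate is kept instead of regenerated; `if [ "$(cat $flag)" != "self-signed" ]` is the intended test. Both functions are complete within this hunk.
```shell
function genCert {
    # … unchanged: CA generation when ca.crt/ca.key are missing …
    chmod 600 $ca_key   # -nodes leaves the key unencrypted; restrict it to the owner
    # … unchanged: CSR and server key generation …
    chmod 600 $key
    if [ "$isFQDN" = false ]
    then
        echo subjectAltName = IP:$hostname > $ext
    else
        echo subjectAltName = DNS:$hostname > $ext
    fi
    openssl x509 -req -days 365 -in $csr -CA $ca_cert -CAkey $ca_key -CAcreateserial -extfile $ext -out $cert
    echo "self-signed" > $flag
}

function secure {
    # … unchanged: customized-certificate, missing-file and flag checks …
    if ! openssl x509 -checkend 0 -noout -in $cert >/dev/null 2>&1
    then
        echo "Certificate has expired, will generate a new self-signed certificate"
        genCert
        return
    fi
    # … unchanged: common-name comparison and final message …
}
```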
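Review bot: `protocol=$(ovfenv -k protocol)` is taken from the OVF environment and only tested for emptiness, so any other value — `HTTPS`, a typo, or a string containing `%` — is written into harbor.cfg by the `sed` replacement (where `%` is the delimiter) and silently skips the `secure` path; replacing `if [ -z $protocol ]` with `if [ "$protocol" != http ] && [ "$protocol" != https ]` keeps the https default for the empty case and rejects everything else, and `if [ "$protocol" = "https" ]` should be quoted for the same reason. This hunk also inverts the previous default, which was http unless a certificate pair was supplied and is now https whenever the property is unset; that is presumably intended, and a one-line comment `# unset protocol defaults to https; secure then supplies or generates the certificate` above the test would record it for the next reader.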
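Review bot: `mkdir -p /data/cert/` creates the directory with the default umask, typically 0755, and config.sh's genCert later writes unencrypted private keys into it, so any local account can at least enumerate the key files; `mkdir -p -m 700 /data/cert/` costs nothing if the nginx container reads the mounted files as root, which appears to be the setup here but is not visible in this diff. The call's status is also not checked before `configure` runs, so a failed mkdir surfaces later as an opaque openssl write error; `mkdir -p -m 700 /data/cert/ || exit 1` makes the failure visible at the point it happens.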