Revision 632362d5
Added by Benoît PECCATTE over 6 years ago
rudder-server-relay/SOURCES/openssl.cnf | ||
---|---|---|
[ req ]
|
||
distinguished_name = req_distinguished_name
|
||
|
||
[ req_distinguished_name ]
|
||
|
||
[ server_cert ]
|
||
|
||
# Self signed cert must be a CA to authenticate
|
||
basicConstraints = CA:TRUE
|
||
|
||
# Client authentication and signature (deprecated)
|
||
#nsCertType = client, objsign
|
||
|
||
# digitalSignature: to sign files (e.g. inventories)
|
||
# keyEncipherment: to cipher session keys (e.g. TLS session)
|
||
# dataEncipherment: to cipher files, mays be used some day
|
||
# keyCertSign: to sign certificate (as a CA or for self signed certs)
|
||
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
|
||
|
||
# Optional, no generic signature usage, do not use
|
||
# clientAuth: for TLS communication
|
||
#extendedKeyUsage = clientAuth
|
||
|
||
# PKIX recommendations
|
||
subjectKeyIdentifier=hash
|
||
|
||
subjectAltName = $ENV::SUBJALTNAME
|
||
|
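Review bot: `basicConstraints = CA:TRUE` combined with `keyCertSign` in `keyUsage` turns the relay's self-signed server certificate into an unconstrained CA: any peer that pins or trusts it as an anchor will also accept every certificate signed with the relay key, for any name, and nothing in the section limits that. If the CA flag really is needed for the self-signed verification path described in the comment, bounding it is cheap: `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign`, so that the flags are enforced rather than ignorable and the key can at most sign end-entity certificates. The `$ENV::SUBJALTNAME` reference makes the config unusable when that variable is absent (openssl aborts while loading the file), and both callers in this commit silence stderr, so a comment above it such as `# SUBJALTNAME must be exported by the caller, e.g. DNS:relay.example.org; openssl aborts if it is unset` would save the next maintainer a silent failure. The "PKIX recommendations" heading currently covers only `subjectKeyIdentifier`; for a self-signed certificate `authorityKeyIdentifier=keyid:always,issuer` is optional, but if it is intentionally omitted a one-line comment saying so would keep the heading honest.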
rudder-server-relay/SPECS/rudder-server-relay.spec | ||
---|---|---|
install -m 644 %{SOURCE6} %{buildroot}/etc/sysconfig/rudder-relay-apache
|
||
install -m 644 %{SOURCE9} %{buildroot}/etc/cron.d/rudder-relay
|
||
install -m 644 %{SOURCE10} %{buildroot}/etc/sudoers.d/rudder-relay
|
||
install -m 644 %{SOURCE14} %{buildroot}%{rudderdir}/etc/ssl/openssl.cnf
|
||
|
||
# Copy stub rudder-networks*.conf
|
||
cp %{SOURCE2} %{buildroot}%{rudderdir}/etc/
|
||
... | ... | |
# Generate certificates if needed
|
||
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
|
||
echo -n "INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically..."
|
||
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
|
||
SUBJALTNAME=DNS:$(hostname --fqdn) openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/ rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 -config /opt/rudder/etc/ssl/openssl.cnf -extensions server_cert >/dev/null 2>&1
|
||
chgrp %{apache_group} /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
|
||
echo " Done"
|
||
fi
|
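Review bot: The new `SUBJALTNAME=DNS:$(hostname --fqdn) openssl req …` invocation discards stderr and its exit status is never examined, so when generation fails (unset variable, unreadable config, unwritable directory) the scriptlet still prints " Done" and leaves the relay with no key or certificate, and the following `chgrp … && chmod 640` then fails on a missing file as well; the enclosing scriptlet (presumably %post) starts outside the hunk. Wrapping the call as `if ! SUBJALTNAME=DNS:$(hostname --fqdn) openssl req … -extensions server_cert >/dev/null; then echo " failed" >&2; exit 1; fi` (keeping stderr visible) makes the failure loud, and the same applies to the identical block in debian/postinst; if aborting package configuration is not acceptable, at least print a warning instead of Done. The private key is written with the scriptlet's umask and only tightened afterwards by the `chmod 640`, so a `umask 077` in front of the openssl call, followed by an explicit `chmod 644 /opt/rudder/etc/ssl/rudder.crt`, would close the brief world-readable window on rudder.key. Separately, `-keyout /opt/ rudder/etc/ssl/rudder.key` in the spec version contains a space after `/opt/` that the postinst version does not; if that is in the file rather than a rendering artefact, openssl receives an extra argument and the key is not written to the intended path.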
rudder-server-relay/debian/postinst | ||
---|---|---|
# Generate certificates if needed
|
||
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
|
||
echo -n "INFO: No usable SSL certificate detected for Rudder relay HTTP/S support, generating one automatically..."
|
||
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
|
||
SUBJALTNAME=DNS:$(hostname --fqdn) openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 -config /opt/rudder/etc/ssl/openssl.cnf -extensions server_cert >/dev/null 2>&1
|
||
chgrp www-data /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
|
||
echo " Done"
|
||
fi
|
rudder-server-relay/debian/rules | ||
---|---|---|
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-24.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server-24.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ openssl.cnf /opt/rudder/etc/ssl/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api relay_api/ /opt/rudder/share/relay-api/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api flask/ /opt/rudder/share/relay-api/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api apache/relay-api.wsgi /opt/rudder/share/relay-api/
|
Fixes #11790: Add a subjectaltname to server certificate