
Revision 632362d5

Added by Benoît PECCATTE over 6 years ago

Fixes #11790: Add a subjectaltname to server certificate


rudder-server-relay/SOURCES/openssl.cnf
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ server_cert ]
# Self signed cert must be a CA to authenticate
basicConstraints = CA:TRUE
# Client authentication and signature (deprecated)
#nsCertType = client, objsign
# digitalSignature: to sign files (e.g. inventories)
# keyEncipherment: to cipher session keys (e.g. TLS session)
# dataEncipherment: to cipher files, mays be used some day
# keyCertSign: to sign certificate (as a CA or for self signed certs)
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
# Optional, no generic signature usage, do not use
# clientAuth: for TLS communication
#extendedKeyUsage = clientAuth
# PKIX recommendations
subjectKeyIdentifier=hash
subjectAltName = $ENV::SUBJALTNAME
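Review bot: The commented `#extendedKeyUsage = clientAuth` at the end of the `[ server_cert ]` section would be wrong to enable for a certificate generated with `-extensions server_cert`: a TLS server certificate needs `serverAuth`, and any client that enforces EKU would reject a `clientAuth`-only cert, so if the option is meant to stay documented the comment should read `# serverAuth: for TLS server use (add clientAuth only if the relay also authenticates as a client)` with `#extendedKeyUsage = serverAuth`. `basicConstraints = CA:TRUE` together with `keyCertSign` makes this self-signed certificate a usable issuer for anything that trusts it; `basicConstraints = critical, CA:TRUE, pathlen:0` at least prevents it from delegating to further CAs, though whether CA:TRUE is required at all depends on how the verifying side loads it, which is not visible here. `subjectAltName = $ENV::SUBJALTNAME` makes openssl abort when the variable is unset, so a comment such as `# SUBJALTNAME must be exported by the caller, e.g. DNS:<fqdn>` would save anyone reusing this config by hand.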
rudder-server-relay/SPECS/rudder-server-relay.spec
install -m 644 %{SOURCE6} %{buildroot}/etc/sysconfig/rudder-relay-apache
install -m 644 %{SOURCE9} %{buildroot}/etc/cron.d/rudder-relay
install -m 644 %{SOURCE10} %{buildroot}/etc/sudoers.d/rudder-relay
install -m 644 %{SOURCE14} %{buildroot}%{rudderdir}/etc/ssl/openssl.cnf
# Copy stub rudder-networks*.conf
cp %{SOURCE2} %{buildroot}%{rudderdir}/etc/
......
# Generate certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
SUBJALTNAME=DNS:$(hostname --fqdn) openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/ rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 -config /opt/rudder/etc/ssl/openssl.cnf -extensions server_cert >/dev/null 2>&1
chgrp %{apache_group} /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
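Review bot: On the new `openssl req` line the unencrypted (`-nodes`) key is written before the `chgrp`/`chmod 640` on the following line restricts it, and openssl creates `-keyout` files with whatever mode the umask allows (typically 0644), so the private key is briefly world-readable on a default umask. Run the generation under a restrictive umask, e.g. `(umask 077 && SUBJALTNAME=DNS:$(hostname --fqdn) openssl req ... -extensions server_cert >/dev/null 2>&1)`, and keep the `chgrp`/`chmod` afterwards to open it to the Apache group. The added line also shows `/opt/ rudder/etc/ssl/rudder.key` with a space inside the path; this looks like a rendering artifact of the commit page, but if it is really in the spec the key lands outside `/opt/rudder/etc/ssl/` and the `chgrp` on the next line fails. The enclosing scriptlet starts before the hunk.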
rudder-server-relay/debian/postinst
# Generate certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder relay HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
SUBJALTNAME=DNS:$(hostname --fqdn) openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 -config /opt/rudder/etc/ssl/openssl.cnf -extensions server_cert >/dev/null 2>&1
chgrp www-data /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
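Review bot: `>/dev/null 2>&1` on the new `openssl req` line discards the only diagnostic when generation fails (unset `SUBJALTNAME`, missing `/opt/rudder/etc/ssl/openssl.cnf`, or an error in the `server_cert` section), and the script still prints ` Done` and continues, leaving the relay without a usable certificate until the next install. Wrap the call so the failure is visible, e.g. `if ! SUBJALTNAME=DNS:$(hostname --fqdn) openssl req ... -extensions server_cert >/dev/null 2>&1; then echo " FAILED: could not generate certificate" >&2; exit 1; fi`. If `hostname --fqdn` fails or prints nothing, the SAN becomes a bare `DNS:` entry, which is at best a certificate no client can match; the same redirection hides that case too. The enclosing script starts before the hunk.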
rudder-server-relay/debian/rules
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-24.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server-24.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ openssl.cnf /opt/rudder/etc/ssl/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api relay_api/ /opt/rudder/share/relay-api/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api flask/ /opt/rudder/share/relay-api/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api apache/relay-api.wsgi /opt/rudder/share/relay-api/
