File: oci-gen-slave-node-client-cert

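#!/bin/sh
#
# oci-gen-slave-node-client-cert HOSTNAME
#
# Generate a TLS client key and certificate for one slave node, signed by the
# OCI component CA, and leave the results under
# /var/lib/oci/ssl/slave-nodes/HOSTNAME owned by www-data so the web interface
# can read them.  The hostname ends up in file paths and in the certificate
# subject, so only a well-formed lowercase DNS name is accepted.
#
# Based on http://pki-tutorial.readthedocs.io/en/latest/expert/index.html

set -e

PKI_CONFIG_ROOT=/etc/openstack-cluster-installer/pki
CLIENT_KEYS_FOLDER=/var/lib/oci/ssl
PUPPET_MASTER_HOSTNAME=$(hostname --fqdn)

# One DNS label: optional "xn--" IDNA prefix, then 1-63 chars of [a-z0-9-]
# that neither start nor end with a hyphen.  Same length limits as before;
# a trailing hyphen is no longer accepted (it is not a valid label).
LABEL_RE='(xn--)?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
HOSTNAME_RE="^${LABEL_RE}([.]${LABEL_RE})*"'$'

# die MESSAGE: print MESSAGE on stderr and exit 1.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

# validate_hostname NAME
# Returns 0 when NAME is a well-formed lowercase hostname, 1 otherwise.
#
# The whole string is checked, quoted, inside this shell: the character class
# in the case pattern rejects whitespace, glob characters, slashes, newlines
# and anything else outside [a-z0-9.-] before the value is ever word-split or
# pasted into a path.  (The previous per-label loop expanded the value
# unquoted, so a name such as "*" or "a b" could pass as long as each word the
# shell produced looked like a label.)  Empty labels, leading/trailing dots
# and names longer than 253 characters are rejected as well.
validate_hostname() {
	case "$1" in
		"" | *[!a-z0-9.-]*)
			return 1
			;;
	esac
	[ "${#1}" -le 253 ] || return 1
	printf '%s\n' "$1" | grep -E -q "${HOSTNAME_RE}"
}

SLAVE_NODE_HOSTNAME=$1

if [ -z "${SLAVE_NODE_HOSTNAME}" ] ; then
	die "This script needs one hostname as parameter."
fi

if ! validate_hostname "${SLAVE_NODE_HOSTNAME}" ; then
	die "Not validated"
fi

TARGET_DIR="${CLIENT_KEYS_FOLDER}/slave-nodes/${SLAVE_NODE_HOSTNAME}"
CSR_FILE="${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}_client.csr"
KEY_FILE="${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}_client.key"
CRT_FILE="${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}_client.crt"
PEM_FILE="${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}_client.pem"

mkdir -p "${TARGET_DIR}"
cd "${TARGET_DIR}"

# 6. Operate Component CA
# 6.1 Create TLS client request for ${SLAVE_NODE_HOSTNAME}
#
# SAN is exported for client.conf (presumably read there as $ENV::SAN, as in
# the referenced tutorial -- the config is not visible here).
# NOTE(review): it carries the puppet master's FQDN, not the slave node's, and
# the "subjectAltName=" component of -subj becomes part of the subject DN, not
# an X.509 extension.  Whether either value reaches the issued certificate
# depends on client_ext / copy_extensions in the CA config; confirm this is
# intended before relying on the SAN of these client certificates.
SAN="DNS:${PUPPET_MASTER_HOSTNAME}" \
openssl req -new \
    -config "${PKI_CONFIG_ROOT}/client.conf" \
    -out "${CSR_FILE}" \
    -keyout "${KEY_FILE}" \
    -subj "/C=CH/ST=Geneva/L=Geneva/O=OCI/OU=Infomaniak/CN=${SLAVE_NODE_HOSTNAME}/emailAddress=noreply@infomaniak.com/subjectAltName=${SLAVE_NODE_HOSTNAME}"

# 6.2 Create TLS client certificate for ${SLAVE_NODE_HOSTNAME}
# -batch answers the "sign?" / "commit?" prompts; it replaces piping two "y"
# lines into openssl's stdin.
openssl ca -batch \
    -config "${PKI_CONFIG_ROOT}/oci-ca.conf" \
    -in "${CSR_FILE}" \
    -out "${CRT_FILE}" \
    -extensions client_ext

# Bundle certificate + private key.  A plain redirection would create the .pem
# under the caller's umask (typically 0644, i.e. a world-readable private key),
# so write it with umask 077 and pin both key-bearing files to 0600 afterwards.
# The .csr and .crt contain no secrets and keep their default mode.
(umask 077; cat "${CRT_FILE}" "${KEY_FILE}" > "${PEM_FILE}")
chmod 600 "${KEY_FILE}" "${PEM_FILE}"

# chown the files so that the web interface can read them (www-data is then
# the only non-root user able to read the private key).
chown -R www-data:www-data "${TARGET_DIR}"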