File: oci-gen-slave-node-cert

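#!/bin/sh
#
# oci-gen-slave-node-cert [--wildcard] HOSTNAME
#
# Issue a TLS server certificate for one slave node from the OCI component CA.
# Writes HOSTNAME.key, HOSTNAME.csr, HOSTNAME.crt and HOSTNAME.pem (certificate
# followed by private key) under ${CLIENT_KEYS_FOLDER}/slave-nodes/HOSTNAME and
# hands the directory to www-data. With --wildcard the certificate also carries
# a DNS:*.HOSTNAME subject alternative name.
#
# Exits 1 with a message on stdout when the hostname is missing or malformed.
#
# This script was made using http://pki-tutorial.readthedocs.io/en/latest/expert/index.html

set -e

PKI_CONFIG_ROOT=/etc/openstack-cluster-installer/pki
CLIENT_KEYS_FOLDER=/var/lib/oci/ssl
# Not referenced anywhere below; kept so that a failing `hostname --fqdn`
# still aborts the script (set -e) exactly as it always did.
PUPPET_MASTER_HOSTNAME=$(hostname --fqdn)

# A literal newline, used by validate_hostname.
NL='
'

# Print a message (stdout, the channel the script always used) and exit 1.
die() {
    printf '%s\n' "$*"
    exit 1
}

#######################################
# Validate a fully-qualified hostname before it becomes a path component, a
# certificate CN and a SAN.
# The whole string is matched at once and quoted, so that empty labels
# ("a..b", leading/trailing dots), whitespace and shell glob characters can
# no longer slip past the check: the previous per-label loop word-split and
# glob-expanded the value before testing it, then used the raw, untested
# string for the paths below.
# Each label must match the pattern the script has always enforced:
#   (xn--)?[a-z0-9][a-z0-9-]{0,61}[a-z0-9]{0,1}
# Arguments: $1 - hostname to check
# Returns:   0 if valid, 1 otherwise
#######################################
validate_hostname() {
    # grep matches line by line: an embedded newline would let a valid first
    # line vouch for an arbitrary second one, so reject it up front.
    case "$1" in
        *"${NL}"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -E -q \
        '^(xn--)?[a-z0-9][a-z0-9-]{0,61}[a-z0-9]{0,1}(\.(xn--)?[a-z0-9][a-z0-9-]{0,61}[a-z0-9]{0,1})*$'
}

if [ "${1}" = "--wildcard" ]; then
    WILDCARD=yes
    shift
else
    WILDCARD=no
fi

SLAVE_NODE_HOSTNAME=${1}

if [ -z "${SLAVE_NODE_HOSTNAME}" ]; then
    die "This script needs one hostname as parameter."
fi

validate_hostname "${SLAVE_NODE_HOSTNAME}" || die "Not validated"

TARGET_DIR=${CLIENT_KEYS_FOLDER}/slave-nodes/${SLAVE_NODE_HOSTNAME}

mkdir -p -- "${TARGET_DIR}"
# Absolute paths are used for every file below; the cd is kept in case the
# openssl configs rely on the current directory — TODO confirm against
# client.conf / oci-ca.conf.
cd "${TARGET_DIR}"

# 6. Operate Component CA
# 6.1 Create TLS server request for ${SLAVE_NODE_HOSTNAME}

if [ "${WILDCARD}" = "yes" ]; then
    SAN="DNS:${SLAVE_NODE_HOSTNAME}, DNS:*.${SLAVE_NODE_HOSTNAME}"
else
    SAN="DNS:${SLAVE_NODE_HOSTNAME}"
fi

# SAN reaches openssl through the environment; client.conf is presumably
# where it is consumed (not visible here — confirm).
# The private key is written here, so the step runs under umask 077: the
# file must never be created group- or world-readable, whatever the caller's
# umask is. The chown at the end keeps www-data able to read it.
(
    umask 077
    SAN=${SAN} openssl req -new \
        -config "${PKI_CONFIG_ROOT}/client.conf" \
        -out "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.csr" \
        -keyout "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.key" \
        -subj "/C=CH/ST=Geneva/L=Geneva/O=OCI/OU=Infomaniak/CN=${SLAVE_NODE_HOSTNAME}/emailAddress=noreply@infomaniak.com"
)

# 6.2 Create TLS server certificate for ${SLAVE_NODE_HOSTNAME}
# -batch signs and commits without the interactive "y" prompts that the
# former "(echo y; echo y) |" feeder answered.
openssl ca -batch \
    -config "${PKI_CONFIG_ROOT}/oci-ca.conf" \
    -in "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.csr" \
    -out "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.crt" \
    -extensions server_ext

# Combined bundle, certificate first then private key. It contains the key,
# so it is created under umask 077 as well (a later chmod would leave a
# window where the file is readable).
(
    umask 077
    cat "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.crt" "${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.key" \
        >"${TARGET_DIR}/${SLAVE_NODE_HOSTNAME}.pem"
)

# chown the files so that the web interface can read them
chown -R www-data:www-data "${TARGET_DIR}"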