File: oci-octavia-certs

openstack-cluster-installer 43.0.22
#!/bin/sh

# This script has been written thanks to the doc here:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
# Author: Thomas Goirand <zigo@debian.org>

# Stop at the first failing command so a half-built PKI is never installed.
set -e
#set -x

# Directory the script was started from; restored at the very end.
CWD="$(pwd)"

# Scratch tree in which both certificate authorities are built.
GENCERT_PATH="/root/certs-octavia"
# FQDN of this host, used as the CN of every certificate generated below.
CA_HOSTNAME="$(hostname --fqdn)"
# Passphrase protecting the CA and client private keys.
# NOTE(review): this is a fixed, publicly known value, so the encryption of the
# key files adds little; their protection rests on file permissions.
# Presumably it has to match the passphrase Octavia is configured with
# ([certificates] ca_private_key_passphrase) -- confirm before changing it.
OCTAVIA_CA_PASSWORD="octavia"

# Every run throws away the previous scratch tree, so both CAs and the client
# certificate are regenerated from scratch each time.
rm -rf "${GENCERT_PATH}"
mkdir -p "${GENCERT_PATH}"
cd "${GENCERT_PATH}"

echo "-> Generating Octavia SSL PKI"

# 1. Working directory for the certificate authorities, restricted to its
# owner so that others cannot reach the private keys generated inside it.
mkdir -p certs
chmod 700 certs
cd certs

# 2. Write the OpenSSL configuration file shared by the two certificate
# authorities. The here-document delimiter is quoted, so the text below is
# written literally (no shell expansion of $dir, no escaping of quotes).
# "dir = ./" makes every CA path relative to the directory openssl is run from,
# which is why 'openssl ca' is invoked from inside the CA directory later on.
cat > "${GENCERT_PATH}/certs/openssl.cnf" <<'OPENSSL_CNF'
# OpenSSL root CA configuration file.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = ./
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of man ca.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the 'req' tool ('man req').
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CH
stateOrProvinceName_default     = Geneva
localityName_default            = Geneva
0.organizationName_default      = Debian
organizationalUnitName_default  = Octavia
emailAddress_default            = debian-devel@lists.debian.org
commonName_default              = example.com

[ v3_ca ]
# Extensions for a typical CA ('man x509v3_config').
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates ('man x509v3_config').
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates ('man x509v3_config').
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs ('man x509v3_config').
authorityKeyIdentifier=keyid:always
OPENSSL_CNF

# 3. Customize the above file

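# 4. Make directories for the two certificate authorities.
mkdir -p client_ca
mkdir -p server_ca

# The key passphrase is handed to openssl through the environment
# (env:OCTAVIA_CA_PASSWORD) instead of "pass:<value>" on the command line:
# command-line arguments show up in the process list for every local user,
# while a process environment is readable only by its owner and root.
export OCTAVIA_CA_PASSWORD

# Subject used for both CA certificates and for the client certificate request.
# The C, ST and O fields must be the same in the request and in the signing CA,
# because the CA policy in openssl.cnf (policy_strict) marks them as "match".
# NOTE(review): the trailing "subjectAltName=" component is part of the subject
# DN here; it presumably does not produce an X.509 subjectAltName extension --
# confirm with 'openssl x509 -text' if a real SAN is expected.
# NOTE(review): the server CA and the client CA get the same subject DN and are
# told apart only by their keys -- confirm this is intended.
CERT_SUBJECT="/C=CH/ST=Geneva/L=Geneva/O=OCI/OU=Infomaniak/CN=${CA_HOSTNAME}/emailAddress=noreply@infomaniak.com/subjectAltName=${CA_HOSTNAME}"

# 5. Starting with the server certificate authority, prepare the CA.
cd server_ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# 6. Create the server CA key (4096-bit RSA, AES-256 encrypted).
openssl genrsa -passout env:OCTAVIA_CA_PASSWORD -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

# 7. Create the self-signed server CA certificate.
openssl req -config ../openssl.cnf -passin env:OCTAVIA_CA_PASSWORD -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem \
	-subj "${CERT_SUBJECT}"

# 8. Moving to the client certificate authority, prepare the CA.
cd ../client_ca
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# 9. Create the client CA key (4096-bit RSA, AES-256 encrypted).
openssl genrsa -aes256 -passout env:OCTAVIA_CA_PASSWORD -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

# 10. Create the self-signed client CA certificate.
openssl req -config ../openssl.cnf -passin env:OCTAVIA_CA_PASSWORD -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem \
	-subj "${CERT_SUBJECT}"

# 11. Create a key for the client certificate to use.
openssl genrsa -aes256 -passout env:OCTAVIA_CA_PASSWORD -out private/client.key.pem 2048
# Same read-only mode as the CA keys above.
chmod 400 private/client.key.pem

# 12. Create the certificate request for the client certificate used on the controllers.
openssl req -config ../openssl.cnf -passin env:OCTAVIA_CA_PASSWORD -new -sha256 -key private/client.key.pem -out csr/client.csr.pem \
	-subj "${CERT_SUBJECT}"

# 13. Sign the client certificate request with the client CA (run from inside
# client_ca, since openssl.cnf resolves all CA paths relative to "./").
openssl ca -batch -config ../openssl.cnf -passin env:OCTAVIA_CA_PASSWORD -extensions usr_cert -days 7300 -notext -md sha256 -in csr/client.csr.pem -out certs/client.cert.pem

# 14. Create a concatenated client certificate and key file.
# 'openssl rsa' is given no output passphrase, so the key is written
# unencrypted; restrict the file to its owner before the certificate is
# appended to it.
openssl rsa -passin env:OCTAVIA_CA_PASSWORD -in private/client.key.pem -out private/client.cert-and-key.pem
chmod 600 private/client.cert-and-key.pem
cat certs/client.cert.pem >> private/client.cert-and-key.pem

cd ..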

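# Install the freshly generated material into Octavia's configuration
# directory. Paths on the left are relative to the scratch "certs" directory
# the script is currently in.
OCTAVIA_CERT_DIR=/etc/octavia/certs

# The directory needs the execute bit to be traversable; 700 keeps it private
# to its owner.
mkdir -p "${OCTAVIA_CERT_DIR}"
chmod 700 "${OCTAVIA_CERT_DIR}"

# Server CA private key (passphrase protected). Key files are data, not
# programs, so they get 600 (owner read/write) rather than 700.
cp server_ca/private/ca.key.pem "${OCTAVIA_CERT_DIR}/server_ca.key.pem"
chmod 600 "${OCTAVIA_CERT_DIR}/server_ca.key.pem"

# Public CA certificates.
cp server_ca/certs/ca.cert.pem "${OCTAVIA_CERT_DIR}/server_ca.cert.pem"
cp client_ca/certs/ca.cert.pem "${OCTAVIA_CERT_DIR}/client_ca.cert.pem"

# Client certificate bundled with its unencrypted private key: the most
# sensitive file in this directory.
cp client_ca/private/client.cert-and-key.pem "${OCTAVIA_CERT_DIR}/client.cert-and-key.pem"
chmod 600 "${OCTAVIA_CERT_DIR}/client.cert-and-key.pem"

# Hand everything over to the octavia user and group.
chown -R octavia:octavia "${OCTAVIA_CERT_DIR}"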

# Restart the local Octavia daemons after the certificates have been replaced.
MY_HOSTNAME="$(hostname --fqdn)"
OCTAVIA_SERVICES="worker health-manager housekeeping"
for svc in ${OCTAVIA_SERVICES} ; do
	echo "-> Restarting octavia-${svc} on ${MY_HOSTNAME}"
	systemctl restart "octavia-${svc}.service"
done

# Push the same certificate directory to every other controller. Hosts are
# taken from the second column of each /etc/hosts line containing "controller".
# NOTE(review): the copy includes the CA private key and the unencrypted client
# key, so this step relies on root SSH trust between the controllers and on
# /etc/hosts listing only genuine controllers.
for HOST in $(awk '/controller/ {print $2}' /etc/hosts) ; do
	# Skip this machine: it already has the files and was restarted above.
	[ "${HOST}" != "${MY_HOSTNAME}" ] || continue

	echo "-> Copying Octavia certs to ${HOST}"
	scp -r /etc/octavia/certs "root@${HOST}:/etc/octavia"
	ssh "${HOST}" "chown -R octavia:octavia /etc/octavia/certs"
	for svc in ${OCTAVIA_SERVICES} ; do
		echo "-> Restarting octavia-${svc} on ${HOST}"
		ssh "${HOST}" "systemctl restart octavia-${svc}.service"
	done
done

# Return to the directory the script was started from.
cd "${CWD}"