Module: check_mk
Branch: master
Commit: 69009d27e17df21fd3f04bc26884a547c234f4e9
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=69009d27e17df2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Feb 5 16:31:41 2019 +0100
Write certifiate chain to site CA file
This makes the site CA certificate available to the SSL clients
through stunnel. This way the user will be able to add the CA
certificate to the list of trusted CAs using the GUI.
CMK-1535
Change-Id: If6ace1ded887055ea6104c8cf31e9f3980782bd9
---
omd/packages/omd/omdlib/certs.py | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/omd/packages/omd/omdlib/certs.py b/omd/packages/omd/omdlib/certs.py
index e321f2b..5d7c2b1 100644
--- a/omd/packages/omd/omdlib/certs.py
+++ b/omd/packages/omd/omdlib/certs.py
@@ -61,7 +61,8 @@ class CertificateAuthority(object):
"""Initialize the root CA key / certficate in case it does not
exist yet"""
if self.is_initialized:
return
- self._write_pem(self._root_cert_path, *self._create_root_certificate())
+ root_cert, root_key = self._create_root_certificate()
+ self._write_pem(self._root_cert_path, [root_cert], root_key)
def _create_root_certificate(self):
# type: () -> Tuple[str, str]
@@ -93,10 +94,7 @@ class CertificateAuthority(object):
def create_site_certificate(self, site_id):
# type: (str) -> str
- """Creates the key / certificate for the given Check_MK site
-
- It lazily initializes the CA in case it has not been initialized yet.
- """
+ """Creates the key / certificate for the given Check_MK
site"""
if not self.is_initialized:
raise Exception("Certificate authority is not initialized yet")
@@ -120,7 +118,8 @@ class CertificateAuthority(object):
def write_site_certificate(self, site_id, cert, key):
# type: (str, str, str) -> None
- self._write_pem(self.site_certificate_path(site_id), cert, key)
+ certificate_chain = [cert, self._get_root_certificate()[0]]
+ self._write_pem(self.site_certificate_path(site_id), certificate_chain, key)
def site_certificate_path(self, site_id):
# type: (str) -> Path
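Review bot: `write_site_certificate` now needs the root CA to be readable, but unlike `create_site_certificate` it has no `is_initialized` guard. `_get_root_certificate()` is defined outside this hunk, so its behaviour is inferred, but a caller that gets here before `initialize()` would presumably see whatever low-level error that helper raises. Repeating the guard, `if not self.is_initialized: raise Exception("Certificate authority is not initialized yet")`, would keep the failure explicit. The method also has no docstring; something like `"""Write the site key, the site certificate and the root CA certificate, in that order, to the site PEM file"""` would record that the file now carries the chain.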
@@ -145,12 +144,13 @@ class CertificateAuthority(object):
key.generate_key(crypto.TYPE_RSA, 2048)
return key
- def _write_pem(self, path, cert, key):
- # type: (Path, str, str) -> None
+ def _write_pem(self, path, certificate_chain, key):
+ # type: (Path, List[str], str) -> None
path.parent.mkdir(mode=0o770, parents=True, exist_ok=True)
with path.open(mode="wb") as f:
f.write(crypto.dump_privatekey(FILETYPE_PEM, key))
- f.write(crypto.dump_certificate(FILETYPE_PEM, cert))
+ for cert in certificate_chain:
+ f.write(crypto.dump_certificate(FILETYPE_PEM, cert))
path.chmod(mode=0o660)
def _read_pem(self, path):
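Review bot: In `_write_pem` the private key is written before `path.chmod(mode=0o660)` runs, so a newly created file holds the key with whatever mode the process umask allows until the chmod on the last line. The commit keeps that ordering and adds the chain writes to the same window. Restricting the mode before any key material is written closes it, for example `path.touch(mode=0o660)` followed by `path.chmod(mode=0o660)` ahead of `path.open(mode="wb")`. Separately, the new type comment declares `List[str]` and `str`, but the values are passed to `crypto.dump_certificate` and `crypto.dump_privatekey`, which take pyOpenSSL certificate and key objects, so the comment should name those types.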