From 65f523f2f7bf4b3fbefc18e52654744e03cef319 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 20 Nov 2015 10:57:50 +0100
Subject: Use hostname in CN when generating certs.
---
 mklog.py | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/mklog.py b/mklog.py
index 3ba95e0..8d56f10 100755
--- a/mklog.py
+++ b/mklog.py
@@ -71,7 +71,7 @@ def make_ca(logname, cakey, cacert):
 return True
-def make_certs(logname, nodenames):
+def make_certs(logname, nodenames, hostnames):
 wdir = './httpscerts'
 if not os.access(wdir, os.F_OK):
 os.mkdir(wdir)
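Review bot: make_certs gains a third parameter but still has no docstring, and what `hostnames` is only becomes clear from the call site in main(); add one stating that `hostnames` maps each name in `nodenames` to the host used as the certificate CN, and that nodes mapping to the same host share one key and certificate. The function body continues past this hunk.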
@@ -83,23 +83,35 @@ def make_certs(logname, nodenames):
 if not make_ca(logname, ca_key, ca_cert):
 return False
+ created = {}
 for nodename in nodenames:
 key = './%s-key.pem' % nodename
 csr = './%s.csr' % nodename
 cert = './%s.pem' % nodename
- subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename)
+ hostname = hostnames[nodename]
 if os.access(key, os.R_OK) and os.access(cert, os.R_OK):
+ # Cert or key already exists -- don't create new.
 continue
- print "creating cert for node %s" % nodename
- req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
+ if hostname in created.keys():
+ # There's already a cert for this hostname -- copy.
+ k, c = created[hostname]
+ print "copying %s for node %s on host %s" % \
+ (c, nodename, hostname)
+ shutil.copy(k, key)
+ shutil.copy(c, cert)
+ else:
+ print "creating cert for node %s on host %s" % (nodename, hostname)
+ subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, hostname)
+ req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
 '-out', csr, '-nodes', '-subj', subject]
- if not run_openssl(req_args):
- return False
- ca_args = ['ca', '-in', csr, '-keyfile', ca_key, '-out', cert, '-batch']
- if not run_openssl(ca_args):
- return False
+ if not run_openssl(req_args):
+ return False
+ ca_args = ['ca', '-in', csr, '-keyfile', ca_key, '-out', cert, '-batch']
+ if not run_openssl(ca_args):
+ return False
+ created[hostname] = (key, cert)
 shutil.copy(ca_cert, '../nodes/%s/cacert.pem' % nodename)
 shutil.copy(cert, '../nodes/%s/webcert-%s.pem' % (nodename, nodename))
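Review bot: The `created` cache only records certs generated in this run, so a node whose key and cert already exist takes the `continue` branch without registering its hostname, and a later node on the same host then gets a freshly generated key/cert instead of a copy; adding `created.setdefault(hostname, (key, cert))` before `continue` would keep one cert per host across reruns (assuming the existing cert was issued for that same hostname). The membership test `if hostname in created.keys():` can simply be `if hostname in created:`. Note also that the new subject puts the host in CN only; verifiers following RFC 6125 (modern browsers among them) ignore CN and require a subjectAltName dNSName, or iPAddress when the address is an IP literal, so unless the openssl request/ca configuration already adds a SAN these certs will not validate for them — cannot tell from this hunk. make_certs's body begins before this hunk.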
@@ -161,11 +173,14 @@ def main():
 config["storagenodes"] + config["signingnodes"]]
 mergenodenames = [node["name"] for node in config["mergenodes"]]
+ hostnames = {}
+ for node in config["frontendnodes"] + config["storagenodes"] + config["signingnodes"] + config["mergenodes"]:
+ hostnames[node['name']] = node['address'].split(':')[0]
 create_destdirs(logname, nodenames + mergenodenames)
 make_eckey(logname)
 copy_logkey(logname, nodenames + mergenodenames)
- make_certs(logname, nodenames)
+ make_certs(logname, nodenames, hostnames)
 make_authkeys(nodenames + mergenodenames)
 copy_cacert(mergenodenames)
-- 
cgit v1.1
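Review bot: `node['address'].split(':')[0]` gives the wrong host for an IPv6 literal (bare `::1` becomes the empty string, a bracketed `[::1]:8080` becomes `[`), which would then end up in the certificate CN; if addresses can be IPv6 this needs real host/port parsing such as `urllib.parse.urlsplit('//' + node['address']).hostname`, though presumably addresses here are `host:port` with a DNS name — confirm. The four-line loop can be a comprehension: `hostnames = {node['name']: node['address'].split(':')[0] for node in config["frontendnodes"] + config["storagenodes"] + config["signingnodes"] + config["mergenodes"]}`. Since every node from all four lists is included, the `hostnames[nodename]` lookup in make_certs cannot miss for the `nodenames` passed in. main()'s body starts before this hunk and continues after it.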