authorLinus Nordberg <linus@nordu.net>2015-11-20 10:57:50 +0100
committerLinus Nordberg <linus@nordu.net>2015-11-20 10:57:50 +0100
commit65f523f2f7bf4b3fbefc18e52654744e03cef319 (patch)
tree622afdd9a1687a966d2af98834c50c4af71aab32
parent6bedbcb21d20dd4e5ccbf4a446508a51f6b757c6 (diff)
Use hostname in CN when generating certs.
-rwxr-xr-xmklog.py35
1 files changed, 25 insertions, 10 deletions
diff --git a/mklog.py b/mklog.py
index 3ba95e0..8d56f10 100755
--- a/mklog.py
+++ b/mklog.py
@@ -71,7 +71,7 @@ def make_ca(logname, cakey, cacert):
return True
-def make_certs(logname, nodenames):
+def make_certs(logname, nodenames, hostnames):
wdir = './httpscerts'
if not os.access(wdir, os.F_OK):
os.mkdir(wdir)
@@ -83,23 +83,35 @@ def make_certs(logname, nodenames):
if not make_ca(logname, ca_key, ca_cert):
return False
+ created = {}
for nodename in nodenames:
key = './%s-key.pem' % nodename
csr = './%s.csr' % nodename
cert = './%s.pem' % nodename
- subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename)
+ hostname = hostnames[nodename]
if os.access(key, os.R_OK) and os.access(cert, os.R_OK):
+ # Cert or key already exists -- don't create new.
continue
- print "creating cert for node %s" % nodename
- req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
+ if hostname in created.keys():
+ # There's already a cert for this hostname -- copy.
+ k, c = created[hostname]
+ print "copying %s for node %s on host %s" % \
+ (c, nodename, hostname)
+ shutil.copy(k, key)
+ shutil.copy(c, cert)
+ else:
+ print "creating cert for node %s on host %s" % (nodename, hostname)
+ subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, hostname)
+ req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
'-out', csr, '-nodes', '-subj', subject]
- if not run_openssl(req_args):
- return False
- ca_args = ['ca', '-in', csr, '-keyfile', ca_key, '-out', cert, '-batch']
- if not run_openssl(ca_args):
- return False
+ if not run_openssl(req_args):
+ return False
+ ca_args = ['ca', '-in', csr, '-keyfile', ca_key, '-out', cert, '-batch']
+ if not run_openssl(ca_args):
+ return False
+ created[hostname] = (key, cert)
shutil.copy(ca_cert, '../nodes/%s/cacert.pem' % nodename)
shutil.copy(cert, '../nodes/%s/webcert-%s.pem' % (nodename, nodename))
@@ -161,11 +173,14 @@ def main():
config["storagenodes"] +
config["signingnodes"]]
mergenodenames = [node["name"] for node in config["mergenodes"]]
+ hostnames = {}
+ for node in config["frontendnodes"] + config["storagenodes"] + config["signingnodes"] + config["mergenodes"]:
+ hostnames[node['name']] = node['address'].split(':')[0]
create_destdirs(logname, nodenames + mergenodenames)
make_eckey(logname)
copy_logkey(logname, nodenames + mergenodenames)
- make_certs(logname, nodenames)
+ make_certs(logname, nodenames, hostnames)
make_authkeys(nodenames + mergenodenames)
copy_cacert(mergenodenames)
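Review bot: The comment added above the `continue` in make_certs says "Cert or key already exists" but the guard on the preceding line requires both files to be readable, so a node with only one of the two falls through and `openssl req -keyout` / `ca -out` silently overwrite whatever is there; either the comment should read `# Key and cert both exist -- don't create new.` or the condition should match it. That early `continue` also bypasses the new `created` bookkeeping, so when the first node's files are already on disk a second node on the same host gets a freshly generated key pair instead of a copy, breaking the one-cert-per-host invariant this commit introduces; recording the existing pair first, `created.setdefault(hostname, (key, cert))` just before the `continue`, keeps it. `if hostname in created.keys():` can simply be `if hostname in created:`. In the main() hunk, `node['address'].split(':')[0]` presumably assumes a `host:port` form; if addresses may be IPv6 literals the derived CN would be wrong, so consider `rsplit(':', 1)[0]` or a comment stating the expected address format. The rest of make_certs after the two shutil.copy calls is outside the hunk.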