[ARVADOS] updated: 1.3.0-1296-g2ddb3a386
Git user
git at public.curoverse.com
Thu Jul 11 21:00:27 UTC 2019
Summary of changes:
tools/arvbox/lib/arvbox/docker/common.sh | 5 ++++
.../lib/arvbox/docker/service/certificate/run | 29 ++++++++++++----------
tools/arvbox/lib/arvbox/docker/service/nginx/run | 18 ++++++++------
.../lib/arvbox/docker/service/sso/run-service | 2 +-
.../arvbox/lib/arvbox/docker/service/workbench/run | 1 +
5 files changed, 33 insertions(+), 22 deletions(-)
via 2ddb3a386c8ef91ef2bb041c5ef0bc385debd737 (commit)
from e44092b29d6fbf3798c7f2b37164abd8f6f4e088 (commit)
commit 2ddb3a386c8ef91ef2bb041c5ef0bc385debd737
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Jul 11 16:59:36 2019 -0400
arvbox rotates its TLS certificates when they expire
no issue #
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index 36ff49db5..8e4e74ca0 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -18,6 +18,11 @@ else
localip=$(ip addr show $defaultdev | grep 'inet ' | sed 's/ *inet \(.*\)\/.*/\1/')
fi
+root_cert=/var/lib/arvados/root-cert.pem
+root_cert_key=/var/lib/arvados/root-cert.key
+server_cert=/var/lib/arvados/server-cert-${localip}.pem
+server_cert_key=/var/lib/arvados/server-cert-${localip}.key
+
declare -A services
services=(
[workbench]=443
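Review bot: `server_cert` and `server_cert_key` embed `$localip`, which comes from the `ip addr | grep | sed` pipeline on the preceding context line; if that pipeline yields an empty string the new paths silently collapse to `server-cert-.pem` / `server-cert-.key` and every consumer will issue, verify and serve a certificate for the wrong name. Assert it before building the paths, e.g. `: "${localip:?localip could not be determined}"` placed just above `server_cert=`. All four variables are also consumed unquoted at every call site in this commit (`openssl verify -CAfile $root_cert $server_cert`), which is safe only while these paths stay free of whitespace and glob characters; quoting them at the call sites, or noting that invariant here in a comment, would make that explicit. The enclosing `if`/`else` that computes `localip` starts outside the hunk.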
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/run b/tools/arvbox/lib/arvbox/docker/service/certificate/run
index 8e5e1ed77..f951eef18 100755
--- a/tools/arvbox/lib/arvbox/docker/service/certificate/run
+++ b/tools/arvbox/lib/arvbox/docker/service/certificate/run
@@ -10,7 +10,7 @@ set -ex -o pipefail
uuid_prefix=$(cat /var/lib/arvados/api_uuid_prefix)
-if test ! -s /var/lib/arvados/root-cert.pem ; then
+if ! openssl verify -CAfile $root_cert $root_cert ; then
# req signing request sub-command
# -new new certificate request
# -nodes "no des" don't encrypt key
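Review bot: The new `openssl verify -CAfile $root_cert $root_cert` guard only triggers regeneration once the root certificate has already expired, and the same applies to the server-certificate guard at the `openssl verify -CAfile $root_cert $server_cert` line in the next hunk; since nginx, sso and workbench now assert validity at startup, there is a window between expiry and the next run of this service where every dependent service fails to start. Evaluating validity at a future instant gives a renewal lead time, e.g. `if ! openssl verify -attime "$(( $(date +%s) + 7*86400 ))" -CAfile "$root_cert" "$root_cert"; then` (the `-attime` option takes a Unix timestamp), with the same change on the server-certificate check. A short comment on the guard, `# regenerate when the cert is missing, not self-consistent, or within 7 days of expiry`, would document the intent. The `if` body continues outside this hunk.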
@@ -32,13 +32,19 @@ if test ! -s /var/lib/arvados/root-cert.pem ; then
-extensions x509_ext \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
- -out /var/lib/arvados/root-cert.pem \
- -keyout /var/lib/arvados/root-cert.key \
+ -out $root_cert \
+ -keyout $root_cert_key \
-days 365
- chown arvbox:arvbox /var/lib/arvados/root-cert.*
+ chown arvbox:arvbox $root_cert $root_cert_key
+ rm -f $server_cert $server_cert_key
fi
-if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
+cp $root_cert /usr/local/share/ca-certificates/arvados-testing-cert.crt
+update-ca-certificates
+
+if ! openssl verify -CAfile $root_cert $server_cert ; then
+
+ rm -f $server_cert $server_cert_key
if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
san=IP:$localip
@@ -67,25 +73,22 @@ if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
-out /var/lib/arvados/server-cert-${localip}.csr \
- -keyout /var/lib/arvados/server-cert-${localip}.key \
+ -keyout $server_cert_key \
-days 365
openssl x509 \
-req \
-in /var/lib/arvados/server-cert-${localip}.csr \
- -CA /var/lib/arvados/root-cert.pem \
- -CAkey /var/lib/arvados/root-cert.key \
- -out /var/lib/arvados/server-cert-${localip}.pem \
+ -CA $root_cert \
+ -CAkey $root_cert_key \
+ -out $server_cert \
-set_serial $RANDOM$RANDOM \
-extfile <(cat /etc/ssl/openssl.cnf \
<(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
-extensions x509_ext \
-days 365
- chown arvbox:arvbox /var/lib/arvados/server-cert-${localip}.*
+ chown arvbox:arvbox $server_cert $server_cert_key
fi
-cp /var/lib/arvados/root-cert.pem /usr/local/share/ca-certificates/arvados-testing-cert.crt
-update-ca-certificates
-
sv stop certificate
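Review bot: The rotated certificate is written straight to `$server_cert` by `-out $server_cert` and chowned afterwards, so a dependent service that starts between the `rm -f` earlier in this block and the `chown` can observe a missing or partially written file and fail its own `openssl verify`; writing to a temporary name and renaming makes the swap atomic, e.g. `-out "$server_cert.tmp" \` followed after the `chown` by `mv -- "$server_cert.tmp" "$server_cert"`. The intermediate `/var/lib/arvados/server-cert-${localip}.csr` is also left behind root-owned and is not removed by the `rm -f $server_cert $server_cert_key` cleanup, which is harmless but worth a `rm -f` next to it. This hunk's `openssl req` invocation starts outside the hunk.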
diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run b/tools/arvbox/lib/arvbox/docker/service/nginx/run
index 2353e949f..18c56ce9d 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run
@@ -8,6 +8,8 @@ set -ex -o pipefail
. /usr/local/lib/arvbox/common.sh
+openssl verify -CAfile $root_cert $server_cert
+
cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;
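Review bot: The `openssl verify -CAfile $root_cert $server_cert` assertion added here, and the identical ones in the sso `run-service` and workbench `run` hunks, check only the certificate file; the key at `$server_cert_key` is not checked, so a missing or mismatched key still surfaces later as an nginx/passenger startup error rather than at this guard. A one-line companion check such as `test -s "$server_cert_key"` keeps the failure in the same place with a clear cause. Nothing visible in this diff restarts nginx, sso or workbench after the certificate service rotates the files, so unless the supervisor does that elsewhere these processes presumably keep serving the expired certificate they loaded at startup until restarted; a comment here stating who is responsible for the restart would help. For consistency, the workbench hunk still hardcodes `/var/lib/arvados/server-cert-${localip}.pem` and `.key` on its `--ssl-certificate` lines instead of using `$server_cert` and `$server_cert_key` as this file now does.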
@@ -46,8 +48,8 @@ http {
server {
listen *:${services[controller-ssl]} ssl default_server;
server_name controller;
- ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
- ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
location / {
proxy_pass http://controller;
proxy_set_header Host \$http_host;
@@ -68,8 +70,8 @@ server {
proxy_read_timeout 300s;
ssl on;
- ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
- ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
location / {
proxy_pass http://arvados-ws;
@@ -86,8 +88,8 @@ server {
server {
listen *:${services[workbench2-ssl]} ssl default_server;
server_name workbench2;
- ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
- ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
location / {
proxy_pass http://workbench2;
proxy_set_header Host \$http_host;
@@ -110,8 +112,8 @@ server {
server {
listen *:${services[keep-web-ssl]} ssl default_server;
server_name keep-web;
- ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
- ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
location / {
proxy_pass http://keep-web;
proxy_set_header Host \$http_host;
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
index cbd3b2fbe..a7d3b1ca2 100755
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
@@ -35,7 +35,7 @@ if ! test -s /var/lib/arvados/sso_secret_token ; then
fi
secret_token=$(cat /var/lib/arvados/sso_secret_token)
-test -s /var/lib/arvados/server-cert-${localip}.pem
+openssl verify -CAfile $root_cert $server_cert
cat >config/application.yml <<EOF
$RAILS_ENV:
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench/run b/tools/arvbox/lib/arvbox/docker/service/workbench/run
index e65801b44..e16349378 100755
--- a/tools/arvbox/lib/arvbox/docker/service/workbench/run
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench/run
@@ -22,6 +22,7 @@ else
fi
if test "$1" != "--only-deps" ; then
+ openssl verify -CAfile $root_cert $server_cert
exec bundle exec passenger start --port=${services[workbench]} \
--ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
--ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key \