Posted to commits@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2019/01/14 18:59:16 UTC

[trafficcontrol] Diff for: [GitHub] dangogh merged pull request #3193: CIAB: Update X509 cert generation, add certs to TV, fix TR tomcat native.

diff --git a/docs/source/admin/quick_howto/ciab.rst b/docs/source/admin/quick_howto/ciab.rst
index 03d79774d..68772dc96 100644
--- a/docs/source/admin/quick_howto/ciab.rst
+++ b/docs/source/admin/quick_howto/ciab.rst
@@ -101,65 +101,72 @@ variables.env
 
 X.509 SSL/TLS Certificates
 ==========================
-All components in Apache Traffic Control utilize SSL/TLS secure communications by default. For SSL/TLS connections to properly validate within the "CDN in a Box" container network a shared self-signed X.509 Certificate Authority (CA) is generated at the first initial startup. Additional self-signed wildcard certificates are generated for each container service and all delivery services of the CDN. All certificates and keys are stored in the ``ca`` host volume which is located at ``infrastruture/cdn-in-a-box/traffic_ops/ca`` [4]_.
+All components in Apache Traffic Control utilize SSL/TLS secure communications by default. For SSL/TLS connections to properly validate within the "CDN in a Box" container network a shared self-signed X.509 Root Certificate Authority (CA) is generated at the first initial startup. An X.509 Intermediate Certificate Authority (CA) is also generated and signed by the Root CA.  Additional wildcard certificates are generated/signed by the Intermediate CA for each container service and demo1, demo2, and demo3 delivery services. All certificates and keys are stored in the ``ca`` host volume which is located at ``infrastruture/cdn-in-a-box/traffic_ops/ca`` [4]_.
 
 .. _ciab-x509-certificate-list:
 .. table:: Self-Signed X.509 Certificate List
 
-	+---------------------------+-----------------------------------+------------------------------+
-	| Filename                  | Description                       | X.509 CN/SAN                 |
-	+===========================+===================================+==============================+
-	| CIAB-CA.crt               | Shared CA Certificate             | N/A                          |
-	+---------------------------+-----------------------------------+------------------------------+
-	| infra.ciab.test.crt       | Infrastruture Certificate         | \*.infra.ciab.test           |
-	+---------------------------+-----------------------------------+------------------------------+
-	| demo1.mycdn.ciab.test.crt | Demo1 Delivery Service Certificate| \*.demo1.mycdn.ciab.test     |
-	+---------------------------+-----------------------------------+------------------------------+
-	| demo2.mycdn.ciab.test.crt | Demo2 Delivery Service Certificate| \*.demo2.mycdn.ciab.test     |
-	+---------------------------+-----------------------------------+------------------------------+
-	| demo3.mycdn.ciab.test.crt | Demo3 Delivery Service Certificate| \*.demo3.mycdn.ciab.test     |
-	+---------------------------+-----------------------------------+------------------------------+
+	+---------------------------+-------------------------------------------+------------------------------+
+	| Filename                  | Description                               | X.509 CN/SAN                 |
+	+===========================+===========================================+==============================+
+	| CIAB-CA-root.crt          | Shared Root CA Certificate                | N/A                          |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| CIAB-CA-intr.crt          | Shared Intermediate CA Certificate        | N/A                          |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| CIAB-CA-fullchain.crt     | Shared CA Certificate Chain Bundle [5]_   | N/A                          |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| infra.ciab.test.crt       | Infrastruture Certificate                 | \*.infra.ciab.test           |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| demo1.mycdn.ciab.test.crt | Demo1 Delivery Service Certificate        | \*.demo1.mycdn.ciab.test     |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| demo2.mycdn.ciab.test.crt | Demo2 Delivery Service Certificate        | \*.demo2.mycdn.ciab.test     |
+	+---------------------------+-------------------------------------------+------------------------------+
+	| demo3.mycdn.ciab.test.crt | Demo3 Delivery Service Certificate        | \*.demo3.mycdn.ciab.test     |
+	+---------------------------+-------------------------------------------+------------------------------+
 
 .. [4] The ``ca`` volume is not purged with normal ``docker volume`` commands. This feature is by design to allow the existing shared SSL certificate to be trusted at the system level across restarts. To re-generate all SSL certificates and keys, remove the ``infrastructure/cdn-in-a-box/traffic_ops/ca`` directory before startup.
+.. [5] The full chain bundle is a file that contains both the Root and Intermediate CA certificates.
 
 Trusting the CA
 ---------------
-For developer and testing use-cases, it may be necessary to have full x509 CA validation by HTTPS clients [5]_. For x509 validation to work properly, the self-signed x509 CA certificate must be trusted either at the system level or by the client application itself. Procedures to import and trust the CA x.509 certificate are outlined below [6]_.
+For developer and testing use-cases, it may be necessary to have full x509 CA validation by HTTPS clients [6]_ [7]_. For x509 validation to work properly, the self-signed x509 CA certificate must be trusted either at the system level or by the client application itself. Procedures to import and trust the CA x.509 certificate are outlined below [8]_.
 
 Importing the CA Certificate on OSX
 -----------------------------------
-#. Copy the CIAB root CA certificate from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA.crt`` to the Mac.
-#. Import the CIAB root CA certificate on the Mac.
-#. Double-click the CIAB root CA certificate to open it in Keychain Access.
+#. Copy the CIAB root and intermediate CA certificates from ``infrastructure/cdn-in-a-box/traffic_ops/ca`` to the Mac.
+#. Double-click the CIAB CA certificate to open it in Keychain Access.
 #. The CIAB root CA certificate appears in login.
 #. Copy the CIAB root CA certificate to System.
 #. Open the CIAB root CA certificate, expand Trust, select Use System Defaults, and save your changes.
 #. Reopen the CIAB root CA certificate, expand Trust, select Always Trust, and save your changes.
 #. Delete the CIAB root CA certificate from login.
+#. Repeat the last six steps to import the Intermediate CA Certificate
 #. Restart all HTTPS clients (browsers, etc).
 
 Importing the CA certificate on Windows
 ---------------------------------------
-#. Copy the CIAB root CA certificate from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA.crt`` to Windows filesystem.
+#. Copy the CIAB root and intermediate CA certificate from ``infrastructure/cdn-in-a-box/traffic_ops/ca`` to Windows filesystem.
 #. As Administrator, start the Microsoft Management Console.
 #. Add the Certificates snap-in for the computer account and manage certificates for the local computer.
 #. Import the CIAB root CA certificate into Trusted Root Certification Authorities > Certificates.
+#. Import the CIAB intermediate CA certificate into Trusted Root Certification Authorities > Certificates.
 #. Restart all HTTPS clients (browsers, etc).
 
 Importing the CA certificate on Linux/Centos7
 ---------------------------------------------
-#. Copy the CIAB root CA certificate from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA.crt`` to path ``/etc/pki/ca-trust/source/anchors``.
+#. Copy the CIAB full chain CA certificate bundle from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA-fullchain.crt`` to path ``/etc/pki/ca-trust/source/anchors``.
 #. Run ``update-ca-trust-extract`` as the root user.
 #. Restart all HTTPS clients (browsers, etc).
 
 Importing the CA certificate on Linux/Ubuntu
 --------------------------------------------
-#. Copy the CIAB root CA certificate from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA.crt`` to path ``/usr/local/share/ca-certificates``.
+#. Copy the CIAB full chain CA certificate bundle from ``infrastructure/cdn-in-a-box/traffic_ops/ca/CIAB-CA-fullchain.crt`` to path ``/usr/local/share/ca-certificates``.
 #. Run ``update-ca-certificates`` as the root user.
 #. Restart all HTTPS clients (browsers, etc).
 
-.. [5] All containers within CDN-in-a-Box start up with the self-signed CA already trusted.
-.. [6] HTTP Client applications such as Google Chrome, Firefox, curl, and wget can also be individually configured to trust the CA certificate. Each application procedure can be found quickly online via Google.
+.. [6] All containers within CDN-in-a-Box start up with the self-signed CA already trusted.
+.. [7] The demo1 Delivery Service X509 certificate is automatically imported into traffic vault on startup.
+.. [8] HTTP Client applications such as Google Chrome, Firefox, curl, and wget can also be individually configured to trust the CA certificate. Each application procedure can be found quickly online via Google.
 
 Advanced Usage
 ==============
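Review bot: the path in the rewritten paragraph, ``infrastruture/cdn-in-a-box/traffic_ops/ca``, keeps the "infrastruture" misspelling while footnote [4] and all the import steps use ``infrastructure``; since the line is being rewritten anyway, correct it here (the table row "Infrastruture Certificate" has the same typo). In the Windows procedure, the new step imports the intermediate into "Trusted Root Certification Authorities", which makes it a second, independent trust anchor; the conventional store is "Intermediate Certification Authorities", and if the services present the full chain only the root needs to be trusted. The OSX step "Repeat the last six steps" depends on the bullet count and is easy to break on later edits; naming the range (from "Double-click" through "Delete ... from login") is more robust. Minor: double space before "Additional" in the new paragraph.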
@@ -173,11 +180,10 @@ The enroller runs within CDN in a Box using the ``-dir <dir>`` switch which prov
 
 Auto Snapshot/Queue-Updates
 ---------------------------
-An automatic snapshot of the current Traffic Ops CDN configuration/toplogy will be performed once the "enroller" has finished loading all of the data and a minimum number of servers have been enrolled.  To enable this feature, set the boolean ``AUTO_SNAPQUEUE_ENABLED`` to ``true`` [7]_.  The snapshot and queue-updates actions will not be performed until all servers in ``AUTO_SNAPQUEUE_SERVERS`` (comma-delimited string) have been enrolled.  The current enrolled servers will be polled every ``AUTO_SNAPQUEUE_POLL_INTERVAL`` seconds, and each action (snapshot and queue-updates) will be delayed ``AUTO_SNAPQUEUE_ACTION_WAIT`` seconds [8]_.
-
-.. [7] Automatic Snapshot/Queue-Updates is enabled by default in ``infrastructure/cdn-in-a-box/variables.env``.
-.. [8] Server poll interval and delay action wait are defaulted to a value of 2 seconds.
+An automatic snapshot of the current Traffic Ops CDN configuration/toplogy will be performed once the "enroller" has finished loading all of the data and a minimum number of servers have been enrolled.  To enable this feature, set the boolean ``AUTO_SNAPQUEUE_ENABLED`` to ``true`` [9]_.  The snapshot and queue-updates actions will not be performed until all servers in ``AUTO_SNAPQUEUE_SERVERS`` (comma-delimited string) have been enrolled.  The current enrolled servers will be polled every ``AUTO_SNAPQUEUE_POLL_INTERVAL`` seconds, and each action (snapshot and queue-updates) will be delayed ``AUTO_SNAPQUEUE_ACTION_WAIT`` seconds [10]_.
 
+.. [9] Automatic Snapshot/Queue-Updates is enabled by default in `variables.env`_.
+.. [10] Server poll interval and delay action wait are defaulted to a value of 2 seconds.
 
 Mock Origin Service
 -------------------
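Review bot: "toplogy" in the re-numbered paragraph should be "topology"; the line is already being rewritten for the footnote numbers, so fix it here. The [9]/[10] numbering follows on from [5]..[8] introduced in the previous hunk, which checks out.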
diff --git a/infrastructure/cdn-in-a-box/edge/run.sh b/infrastructure/cdn-in-a-box/edge/run.sh
index affb597ff..6119b34c8 100755
--- a/infrastructure/cdn-in-a-box/edge/run.sh
+++ b/infrastructure/cdn-in-a-box/edge/run.sh
@@ -34,7 +34,7 @@ done
 source $X509_CA_ENV_FILE
 
 # Trust the CIAB-CA at the System level
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
 while ! to-ping 2>/dev/null; do
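Review bot: `$X509_CA_CERT_FULL_CHAIN_FILE` is unquoted in the `cp` line, while the enroller hunk quotes the same variable; use `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors` here and in the identical lines of the mid, vnc, traffic_monitor, config.sh and traffic_portal hunks. The anchor file now holds two PEM certificates (intermediate then root, per the `cat` in generate-certs.sh); after `update-ca-trust extract` it is worth checking with `trust list` that both the Root CA and the Intermediate CA labels appear, so that a partially imported chain does not surface later as an opaque validation failure.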
diff --git a/infrastructure/cdn-in-a-box/enroller/run.sh b/infrastructure/cdn-in-a-box/enroller/run.sh
index 3f0bbef25..d9d826cde 100755
--- a/infrastructure/cdn-in-a-box/enroller/run.sh
+++ b/infrastructure/cdn-in-a-box/enroller/run.sh
@@ -36,7 +36,7 @@ done
 source "$X509_CA_ENV_FILE"
  
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
-cp "$X509_CA_CERT_FILE" /usr/local/share/ca-certificates
+cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates
 update-ca-certificates
 
 # Traffic Ops must be accepting connections before enroller can start
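Review bot: unlike the ca-trust hosts, this path goes through `update-ca-certificates`, which concatenates every `.crt` under /usr/local/share/ca-certificates into /etc/ssl/certs/ca-certificates.crt and also creates hashed symlinks for CApath lookups; with a two-certificate file the bundle will carry both blocks, but the hashed-symlink step may only consider the first PEM object, so either verify with `grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-certificates.crt` after the run or install the root and intermediate as two separate `.crt` files. The comment above the changed line still says "traffic_router conf", a copy-paste leftover in the enroller script.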
diff --git a/infrastructure/cdn-in-a-box/mid/run.sh b/infrastructure/cdn-in-a-box/mid/run.sh
index b707bc9f7..0dd9b0514 100755
--- a/infrastructure/cdn-in-a-box/mid/run.sh
+++ b/infrastructure/cdn-in-a-box/mid/run.sh
@@ -34,7 +34,7 @@ done
 source $X509_CA_ENV_FILE
 
 # Trust the CIAB-CA at the System level
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
 while ! to-ping 2>/dev/null; do
diff --git a/infrastructure/cdn-in-a-box/optional/vnc/run.sh b/infrastructure/cdn-in-a-box/optional/vnc/run.sh
index 0c24db047..261e26b37 100755
--- a/infrastructure/cdn-in-a-box/optional/vnc/run.sh
+++ b/infrastructure/cdn-in-a-box/optional/vnc/run.sh
@@ -28,7 +28,7 @@ done
 source $X509_CA_ENV_FILE
 
 # Trust the CIAB-CA at the System level
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 ################################################################################
 
diff --git a/infrastructure/cdn-in-a-box/origin/run.sh b/infrastructure/cdn-in-a-box/origin/run.sh
index c7e1566c7..dfe27cc3f 100755
--- a/infrastructure/cdn-in-a-box/origin/run.sh
+++ b/infrastructure/cdn-in-a-box/origin/run.sh
@@ -34,7 +34,7 @@ done
 source "$X509_CA_ENV_FILE"
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
-cp $X509_CA_CERT_FILE /usr/local/share/ca-certificates
+cp $X509_CA_CERT_FULL_CHAIN_FILE /usr/local/share/ca-certificates
 update-ca-certificates
 
 while ! to-ping 2>/dev/null; do
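Review bot: `source "$X509_CA_ENV_FILE"` is quoted but the new `cp $X509_CA_CERT_FULL_CHAIN_FILE` is not; quote it for consistency within the same script. The "traffic_router conf" comment is the same leftover as in the enroller hunk.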
diff --git a/infrastructure/cdn-in-a-box/traffic_monitor/run.sh b/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
index 5029eec95..4dfde17c3 100755
--- a/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
@@ -51,7 +51,7 @@ done
 source $X509_CA_ENV_FILE
 
 # Trust the CIAB-CA at the System level
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
 # Enroll with traffic ops
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/config.sh b/infrastructure/cdn-in-a-box/traffic_ops/config.sh
index b310d0111..bbefc7e08 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/config.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/config.sh
@@ -50,7 +50,7 @@ done
 source "$X509_CA_ENV_FILE"
 
 # Add the CA certificate to sysem TLS trust store
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
 crt="$X509_INFRA_CERT_FILE"
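Review bot: `crt="$X509_INFRA_CERT_FILE"` just below the changed line shows Traffic Ops being handed the bare leaf certificate; now that leaves are issued by the intermediate rather than the root, the server must present the intermediate alongside the leaf (leaf followed by `$X509_CA_INTR_CERT_FILE`), otherwise a client that trusts only the root, or a developer who imported only the root per the docs, cannot build the chain even though every container trusts the full-chain anchor. Smaller points: "sysem" in the comment should be "system", and the variable in the `cp` is unquoted here too.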
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh b/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
index 9c79ad798..790118cbb 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
@@ -16,36 +16,28 @@
 # specific language governing permissions and limitations
 # under the License.
 
-X509_CA_DEFAULT_NAME="ca"
-X509_CA_DEFAULT_COUNTRY="ZZ"
-X509_CA_DEFAULT_STATE="SomeState"
-X509_CA_DEFAULT_CITY="SomeCity"
-X509_CA_DEFAULT_COMPANY="SomeCompany"
-X509_CA_DEFAULT_ORG="SomeOrganization"
-X509_CA_DEFAULT_ORGUNIT="SomeOrgUnit"
-X509_CA_DEFAULT_EMAIL="no-reply@some.host.test"
-X509_CA_DEFAULT_DIGEST="sha256"
-X509_CA_DEFAULT_DURATION_DAYS="3650"
-X509_CA_DEFAULT_KEYTYPE="rsa"
-X509_CA_DEFAULT_KEYSIZE=4096
-X509_CA_DEFAULT_UMASK=0002
-X509_CA_DEFAULT_DIR="$PWD/ca-default"
-
-export X509_CA_INITIALIZED=0
+export X509_CA_DEFAULT_NAME="ca"
+export X509_CA_DEFAULT_COUNTRY="ZZ"
+export X509_CA_DEFAULT_STATE="SomeState"
+export X509_CA_DEFAULT_CITY="SomeCity"
+export X509_CA_DEFAULT_COMPANY="SomeCompany"
+export X509_CA_DEFAULT_ORG="SomeOrganization"
+export X509_CA_DEFAULT_ORGUNIT="SomeOrgUnit"
+export X509_CA_DEFAULT_EMAIL="no-reply@some.host.test"
+export X509_CA_DEFAULT_DIGEST="sha256"
+export X509_CA_DEFAULT_DURATION_DAYS="3650"
+export X509_CA_DEFAULT_KEYTYPE="rsa"
+export X509_CA_DEFAULT_KEYSIZE=4096
+export X509_CA_DEFAULT_UMASK=0002
+export X509_CA_DEFAULT_DIR="$PWD/ca-default"
 
 x509v3_init()
 {
-  if [[ $X509_CA_INITIALIZED -eq 1 ]] ; then
+  if [[ $X509_CA_INITIALIZED = true ]] ; then
     echo "ERROR: Already initialized."
     return 2
   fi
 
-  # If no X509_CA directory exists, create it
-  if [ -d "$X509_CA_DIR" ] ; then
-    echo "ERROR: Previous X509v3 CA Directory Exists."
-    return 3
-  fi
-
   export X509_CA_DIR="${X509_CA_DIR:-$X509_CA_DEFAULT_DIR}"
   export X509_CA_NAME="${X509_CA_NAME:-$X509_CA_DEFAULT_NAME}"
   export X509_CA_COUNTRY="${X509_CA_COUNTRY:-$X509_CA_DEFAULT_COUNTRY}"
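Review bot: dropping the "Previous X509v3 CA Directory Exists" test from this position is correct, because `$X509_CA_DIR` was tested before being defaulted from `X509_CA_DEFAULT_DIR` on the line just below, so with the default directory the check could never fire; it reappears after the exports in the next hunk. Removing `export X509_CA_INITIALIZED=0` means the guard now relies on an unset variable comparing unequal to `true`, which works inside `[[ ]]` but reads more clearly as `[[ "${X509_CA_INITIALIZED:-false}" = true ]]`. Exporting the `X509_CA_DEFAULT_*` values is needed because x509v3_dump_env writes `env | grep -E '^X509_'` into the environment file, so this part is consistent.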
@@ -60,49 +52,68 @@ x509v3_init()
   export X509_CA_KEYTYPE="${X509_CA_KEYTYPE:-$X509_CA_DEFAULT_KEYTYPE}"
   export X509_CA_KEYSIZE="${X509_CA_KEYSIZE:-$X509_CA_DEFAULT_KEYSIZE}"
   export X509_CA_UMASK="${X509_CA_UMASK:-$X509_CA_DEFAULT_UMASK}"
+  export X509_CA_INITIALIZED=true
 
   # Runtime
-  export X509_CA_CERT_FILE="$X509_CA_DIR/${X509_CA_NAME}.crt"
-  export X509_CA_KEY_FILE="$X509_CA_DIR/${X509_CA_NAME}.key"
-  export X509_CA_CONFIG_FILE="$X509_CA_DIR/${X509_CA_NAME}.config"
-  export X509_CA_DB_FILE="$X509_CA_DIR/${X509_CA_NAME}.db"
-  export X509_CA_REVOKE_FILE="$X509_CA_DIR/${X509_CA_NAME}.crl"
-  export X509_CA_SERIAL_FILE="$X509_CA_DIR/${X509_CA_NAME}.serial"
+  export X509_CA_ROOT_CERT_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.crt"
+  export X509_CA_ROOT_KEY_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.key"
+  export X509_CA_ROOT_CONFIG_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.config"
+  export X509_CA_ROOT_DB_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.db"
+  export X509_CA_ROOT_REVOKE_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.crl"
+  export X509_CA_ROOT_SERIAL_FILE="$X509_CA_DIR/${X509_CA_NAME}-root.serial"
+
+  export X509_CA_INTR_REQUEST_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.csr"
+  export X509_CA_INTR_CERT_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.crt"
+  export X509_CA_INTR_KEY_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.key"
+  export X509_CA_INTR_CONFIG_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.config"
+  export X509_CA_INTR_DB_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.db"
+  export X509_CA_INTR_REVOKE_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.crl"
+  export X509_CA_INTR_SERIAL_FILE="$X509_CA_DIR/${X509_CA_NAME}-intr.serial"
+
+  export X509_CA_CERT_FULL_CHAIN_FILE="$X509_CA_DIR/${X509_CA_NAME}-fullchain.crt"
   export X509_CA_ENV_FILE="$X509_CA_DIR/environment"
   export X509_CA_DONE_FILE="$X509_CA_DIR/completed"
 
+  # If no X509_CA directory exists, create it
+  if [ -d "$X509_CA_DIR" ] ; then
+    echo "ERROR: Previous X509v3 CA Directory Exists."
+    return 3
+  fi
+
   # Set the Umask
   umask $X509_CA_UMASK
 
   # Create CA Certificate
   mkdir -p "$X509_CA_DIR"
-  x509v3_create_ca
+  x509v3_create_root_ca
+  x509v3_create_intermediate_ca
+
+  # Create the CA environment file
+  x509v3_dump_env
 
   return $?
 }
 
-x509v3_create_ca()
+x509v3_create_root_ca()
 {
   # Use today's epoch date for the first serial number
-  echo "$(date +%s)" > "$X509_CA_SERIAL_FILE"
+  echo "$(date +%s)" > "$X509_CA_ROOT_SERIAL_FILE"
 
   # Create the CA index file
-  touch "$X509_CA_DB_FILE"
-
-  # Create the CA environment file
-  touch "$X509_CA_ENV_FILE"
+  touch "$X509_CA_ROOT_DB_FILE"
 
-  local cn="$X509_CA_ORG Root CA (CA)"
+  local cn="$X509_CA_ORG Root CA"
+  local ca_name="$X509_CA_NAME-root"
 
   local ca_config=""`
   `"[ca]\n"`
-  `"default_ca = $X509_CA_NAME\n\n"`
-  `"[$X509_CA_NAME]\n"`
+  `"default_ca = $ca_name\n\n"`
+  `"[$ca_name]\n"`
   `"new_certs_dir = $X509_CA_DIR\n"`
-  `"certificate = $X509_CA_CERT_FILE\n"`
-  `"private_key = $X509_CA_KEY_FILE\n"`
-  `"serial = $X509_CA_SERIAL_FILE\n"`
-  `"database = $X509_CA_DB_FILE\n"`
+  `"certificate = $X509_CA_ROOT_CERT_FILE\n"`
+  `"private_key = $X509_CA_ROOT_KEY_FILE\n"`
+  `"serial = $X509_CA_ROOT_SERIAL_FILE\n"`
+  `"database = $X509_CA_ROOT_DB_FILE\n"`
   `"default_md = $X509_CA_DIGEST\n"`
   `"default_days = $X509_CA_DURATION_DAYS\n"`
   `"prompt = no\n"`
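Review bot: `export X509_CA_INITIALIZED=true` is set before the "directory exists" check, so when init fails with return 3 the shell is still marked initialized and a retry reports "Already initialized" instead of the real error; move the export after the check or unset it on the error path. Also `return $?` at the end of x509v3_init now returns the status of x509v3_dump_env, so a failure in x509v3_create_root_ca or x509v3_create_intermediate_ca is silently discarded; capture each call's status and return the first non-zero one. The comment "If no X509_CA directory exists, create it" describes the opposite of the test beneath it.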
@@ -148,29 +159,144 @@ x509v3_create_ca()
   `"emailAddress_max = 64\n"`
   `"emailAddress_default = $X509_CA_EMAIL\n\n"`
   `"[v3_ca]\n"`
-  `"basicConstraints = CA:TRUE\n"`
   `"subjectKeyIdentifier = hash\n"`
-  `"keyUsage = cRLSign, keyCertSign\n"`
-  `"extendedKeyUsage = serverAuth, clientAuth\n\n"
+  `"authorityKeyIdentifier = keyid:always,issuer\n"`
+  `"basicConstraints = critical, CA:true\n"`
+  `"keyUsage = critical, digitalSignature, keyCertSign\n\n"`
+  `"[v3_intermediate_ca]\n"`
+  `"subjectKeyIdentifier = hash\n"`
+  `"authorityKeyIdentifier = keyid:always,issuer\n"`
+  `"basicConstraints = critical, CA:true, pathlen:0\n"`
+  `"keyUsage = critical, digitalSignature, keyCertSign\n"
 
-  echo "Writing CA openssl CA Config File"
-  echo -e "$ca_config" > "$X509_CA_CONFIG_FILE"
+  echo "Writing Root CA Config File"
+  echo -e "$ca_config" > "$X509_CA_ROOT_CONFIG_FILE"
 
-  echo "Creating CA certificate for [$X509_CA_NAME]."
+  echo "Creating Root CA certificate for [$ca_name]."
   # Create new CA Certificate and Key
   openssl req -x509 -nodes -extensions v3_ca \
-    -days "$((X509_CA_DURATION_DAYS+1))" \
-    -config "$X509_CA_CONFIG_FILE" \
+    -days "$((X509_CA_DURATION_DAYS*2))" \
+    -config "$X509_CA_ROOT_CONFIG_FILE" \
     -newkey "$X509_CA_KEYTYPE:$X509_CA_KEYSIZE" \
-    -keyout "$X509_CA_KEY_FILE" \
-    -out "$X509_CA_CERT_FILE" \
+    -keyout "$X509_CA_ROOT_KEY_FILE" \
+    -out "$X509_CA_ROOT_CERT_FILE" \
     -subj "/C=$X509_CA_COUNTRY/ST=$X509_CA_STATE/L=$X509_CA_CITY/O=$X509_CA_ORG/OU=$X509_CA_ORG/CN=$cn/emailAddress=$X509_CA_EMAIL/" \
-    > "$X509_CA_DIR/x509_create_ca.log" 2>&1
+    > "$X509_CA_DIR/x509_create_root_ca.log" 2>&1
+
+  retcode=$?
+
+  echo "CreateX509 Root CA RetCode=$retcode"
+
+  return $retcode
+}
+
+x509v3_create_intermediate_ca()
+{
+  # Use today's epoch date for the first serial number
+  echo "$(date +%s)" > "$X509_CA_INTR_SERIAL_FILE"
+
+  # Create the CA index file
+  touch "$X509_CA_INTR_DB_FILE"
+
+  local cn="$X509_CA_ORG Intermediate CA"
+  local ca_name="$X509_CA_NAME-intr"
+
+  local ca_config=""`
+  `"[ca]\n"`
+  `"default_ca = $ca_name\n\n"`
+  `"[$ca_name]\n"`
+  `"new_certs_dir = $X509_CA_DIR\n"`
+  `"certificate = $X509_CA_INTR_CERT_FILE\n"`
+  `"private_key = $X509_CA_INTR_KEY_FILE\n"`
+  `"serial = $X509_CA_INTR_SERIAL_FILE\n"`
+  `"database = $X509_CA_INTR_DB_FILE\n"`
+  `"default_md = $X509_CA_DIGEST\n"`
+  `"default_days = $X509_CA_DURATION_DAYS\n"`
+  `"prompt = no\n"`
+  `"preserve = no\n\n"`
+  `"[policy_match]\n"`
+  `"countryName = match\n"`
+  `"stateOrProvinceName = match\n"`
+  `"organizationName = match\n"`
+  `"organizationalUnitName = optional\n"`
+  `"commonName = supplied\n"`
+  `"emailAddress = optional\n\n"`
+  `"[policy_anything]\n"`
+  `"countryName = optional\n"`
+  `"stateOrProvinceName = optional\n"`
+  `"localityName = optional\n"`
+  `"organizationName = optional\n"`
+  `"organizationalUnitName = optional\n"`
+  `"commonName = supplied\n"`
+  `"emailAddress = optional\n\n"`
+  `"[req]\n"`
+  `"default_bits = $X509_CA_KEYSIZE\n"`
+  `"default_md = $X509_CA_DIGEST\n"`
+  `"default_days = $X509_CA_DURATION_DAYS\n"`
+  `"distinguished_name = req_dn\n"`
+  `"string_mask = nombstr\n"`
+  `"x509_extensions = v3_ca\n\n"`
+  `"[req_dn]\n"`
+  `"countryName = Country Name (2 letter code)\n"`
+  `"countryName_default = $X509_CA_COUNTRY\n"`
+  `"countryName_min = 2\n"`
+  `"countryName_max = 2\n"`
+  `"stateOrProvinceName = State or Province Name (full name)\n"`
+  `"stateOrProvinceName_default = $X509_CA_STATE\n"`
+  `"localityName = Locality Name (eg, city)\n"`
+  `"localityName_default = $X509_CA_CITY\n"`
+  `"0.organizationName = Organization Name (eg, company)\n"`
+  `"0.organizationName_default = $X509_CA_ORG\n"`
+  `"organizationalUnitName = Organizational Unit Name (eg, section)\n"`
+  `"organizationalUnitName_default = $X509_CA_ORGUNIT\n"`
+  `"commonName = Common Name (eg, YOUR name)\n"`
+  `"commonName_max = 64\n"`
+  `"emailAddress = Email Address\n"`
+  `"emailAddress_max = 64\n"`
+  `"emailAddress_default = $X509_CA_EMAIL\n\n"`
+  `"[v3_ca]\n"`
+  `"subjectKeyIdentifier = hash\n"`
+  `"authorityKeyIdentifier = keyid:always,issuer\n"`
+  `"basicConstraints = critical, CA:true\n"`
+  `"keyUsage = critical, digitalSignature, keyCertSign\n\n"`
+  `"[v3_intermediate_ca]\n"`
+  `"subjectKeyIdentifier = hash\n"`
+  `"authorityKeyIdentifier = keyid:always,issuer\n"`
+  `"basicConstraints = critical, CA:true, pathlen:0\n"`
+  `"keyUsage = critical, digitalSignature, keyCertSign\n"
 
+  echo "Writing Intemediate CA openssl CA Config File"
+  echo -e "$ca_config" > "$X509_CA_INTR_CONFIG_FILE"
+
+  echo "Creating Intermediate CA certificate request for [$ca_name]."
+  # Create new CA Certificate and Key
+  openssl req -new -nodes \
+    -days "$((X509_CA_DURATION_DAYS))" \
+    -config "$X509_CA_INTR_CONFIG_FILE" \
+    -newkey "$X509_CA_KEYTYPE:$X509_CA_KEYSIZE" \
+    -keyout "$X509_CA_INTR_KEY_FILE" \
+    -subj "/C=$X509_CA_COUNTRY/ST=$X509_CA_STATE/L=$X509_CA_CITY/O=$X509_CA_ORG/OU=$X509_CA_ORG/CN=$cn/emailAddress=$X509_CA_EMAIL/" \
+    -out "$X509_CA_INTR_REQUEST_FILE"
+    > "$X509_CA_DIR/x509_create_intermediate_csr.log" 2>&1
   retcode=$?
+  echo "CreateX509 Intermediate CA RetCode=$retcode"
+
+  echo "Signing x509v3 Intermediate CA with Root CA Certificate..."
+  # Sign with the CA
+  openssl ca -config "$X509_CA_ROOT_CONFIG_FILE" \
+    -batch \
+    -extensions v3_intermediate_ca \
+    -policy policy_anything \
+    -out "$X509_CA_INTR_CERT_FILE" \
+    -infiles "$X509_CA_INTR_REQUEST_FILE" \
+    > "$X509_CA_DIR/x509_sign_intermediate_ca.log" 2>&1
 
-  echo "CreateX509 Cert RetCode=$retcode"
+  retcode=$?
+  echo "Sign X509 Req RetCode=$retcode"
 
+  # Build X509 CA full chain 
+  cat $X509_CA_INTR_CERT_FILE $X509_CA_ROOT_CERT_FILE > $X509_CA_CERT_FULL_CHAIN_FILE
+  
   return $retcode
 }
 
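Review bot: the `openssl req -new` command for the intermediate CSR is missing the trailing backslash after `-out "$X509_CA_INTR_REQUEST_FILE"`, so the next line `> "$X509_CA_DIR/x509_create_intermediate_csr.log" 2>&1` runs as a separate, empty command: openssl's output goes to the console, the log file is always empty, and `retcode` records the redirection's status rather than the CSR generation. Further points in this hunk: the subject uses `OU=$X509_CA_ORG` (copied from the root command) where `$X509_CA_ORGUNIT` is clearly intended; `-days` is ignored by `req -new` since a CSR carries no validity; the full-chain `cat` runs after `retcode` is captured and with unquoted paths, so a failure to write the bundle is never reported; the root and intermediate `keyUsage` no longer include `cRLSign` although `.crl` files are defined for both CAs, so add it back if revocation is ever meant to work; the `[v3_ca]` and `[v3_intermediate_ca]` sections in the intermediate config are not used by the CSR (a CSR reads `req_extensions`, not `x509_extensions`) nor by leaf signing, which passes `-extfile`; and "Intemediate" in the echo should be "Intermediate".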
@@ -224,24 +350,23 @@ x509v3_create_cert()
   `"prompt = no\n"`
   `"utf8 = yes\n"`
   `"default_md = $X509_CA_DIGEST\n"`
-  `"default_bits = $X509_CERT_KEYSIZE\n"`
+  `"default_bits = $X509_CA_KEYSIZE\n"`
   `"distinguished_name = dn\n"`
-  `"req_extensions = req_ext\n\n"`
   `"[dn]\n"`
   `"C = $X509_CA_COUNTRY\n"`
   `"ST = $X509_CA_STATE\n"`
   `"L = $X509_CA_CITY\n"`
   `"O  = $X509_CA_ORG\n"`
-  `"CN = $cn\n\n"`
-  `"[req_ext]\n"`
-  `"basicConstraints=CA:FALSE\n"`
-  `"subjectKeyIdentifier = hash\n"`
-  `"subjectAltName=@alt_names\n\n"
+  `"CN = $cn\n\n"
 
   local exten_config=""`
   `"[v3_ext]\n"`
-  `"basicConstraints=CA:FALSE\n"`
+  `"basicConstraints = CA:FALSE\n"`
+  `"nsCertType = server\n"`
   `"subjectKeyIdentifier = hash\n"`
+  `"authorityKeyIdentifier = keyid,issuer:always\n"`
+  `"keyUsage = critical, digitalSignature, keyEncipherment\n"`
+  `"extendedKeyUsage = serverAuth\n"`
   `"subjectAltName=@alt_names\n\n"
 
   echo "Creating x509v3 request for cn=$cn type $type..."
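Review bot: `default_bits = $X509_CA_KEYSIZE` fixes the previously undefined `X509_CERT_KEYSIZE`, good. Two points on the new `[v3_ext]`: `nsCertType = server` is a legacy Netscape extension that modern clients ignore and can be dropped; and `authorityKeyIdentifier = keyid,issuer:always` embeds the issuer DN and serial, which differs from the `keyid:always,issuer` form used for the CA certificates and makes the leaf fail chain building if the intermediate is ever re-issued under a new serial, so use `keyid:always,issuer` consistently. Dropping `req_extensions = req_ext` is fine since the SAN is applied from the extfile at signing time.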
@@ -265,7 +390,7 @@ x509v3_create_cert()
   # Sign with the CA
   openssl ca -batch \
     -policy policy_anything \
-    -config "$X509_CA_CONFIG_FILE" \
+    -config "$X509_CA_INTR_CONFIG_FILE" \
     -out "$cert_file" \
     -extensions v3_ext \
     -extfile "$exten_file" \
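Review bot: switching the signing config to `$X509_CA_INTR_CONFIG_FILE` means every service and delivery-service certificate now chains leaf -> intermediate -> root, so whatever serves these certificates must present the intermediate as well (see the note on the config.sh hunk); a quick check after startup is `openssl s_client -connect <host>:443 -showcerts` and confirming that two certificates are sent. `-policy policy_anything` still resolves because the intermediate config defines that section.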
@@ -282,8 +407,10 @@ x509v3_create_cert()
   echo "X509_${env_name}_REQUEST_FILE=\"$request_file\"" >> "$X509_CA_ENV_FILE"
 }
 
+
 x509v3_dump_env()
 {
+  touch "$X509_CA_ENV_FILE"
   tmp_file="$(mktemp)"
   cat "$X509_CA_ENV_FILE" > "$tmp_file"
   env | grep -E '^X509_' >> "$tmp_file"
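Review bot: the `touch "$X509_CA_ENV_FILE"` is needed now that x509v3_init calls x509v3_dump_env before any certificate has appended to the file and x509v3_create_root_ca no longer touches it; the extra blank line added above the function leaves two blank lines where the rest of the file uses one.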
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh b/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
index 5914cebff..cc589f496 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
@@ -90,6 +90,64 @@ while true; do
   sleep 2
 done
 
+### Add SSL keys for demo1 delivery service
+source "$X509_CA_ENV_FILE"
+demo1_sslkeys_verified=false
+demo1_version=1
+while [[ "$demo1_sslkeys_verified" = false ]]; do
+   while true; do
+     sslkeys_response=$(to-get "api/1.4/deliveryservices/xmlId/$ds_name/sslkeys?decode=true")
+     echo "CDN SSLKeys=$sslkeys_response"
+     [[ -n "$sslkeys_response" ]] && break
+     sleep 2
+   done
+   demo1_crt="$(sed -n -e '/-----BEGIN CERTIFICATE-----/,$p' $X509_DEMO1_CERT_FILE | jq -s -R '.')"
+   demo1_csr="$(sed -n -e '/-----BEGIN CERTIFICATE REQUEST-----/,$p' $X509_DEMO1_REQUEST_FILE | jq -s -R '.')"
+   demo1_key="$(sed -n -e '/-----BEGIN PRIVATE KEY-----/,$p' $X509_DEMO1_KEY_FILE | jq -s -R '.')"
+   demo1_json_request=$(jq -n \
+                           --arg     cdn        "CDN-in-a-Box" \
+                           --arg     hostname   "*.demo1.mycdn.ciab.test" \
+                           --arg     dsname     "$ds_name" \
+                           --argjson crt        "$demo1_crt" \
+                           --argjson csr        "$demo1_csr" \
+                           --argjson key        "$demo1_key" \
+                           --argjson version    $demo1_version \
+                          "{ cdn: \$cdn, 
+                             certificate: { 
+                               crt: \$crt, 
+                               csr: \$csr,
+                               key: \$key 
+                             },
+                             deliveryservice: \$dsname,
+                             hostname: \$hostname,
+                             key: \$dsname,
+                             version: $demo1_version 
+                          }")
+
+   demo1_json_response=$(to-post 'api/1.4/deliveryservices/sslkeys/add' "$demo1_json_request")
+
+   if [[ -n "$demo1_json_response" ]] ; then 
+      sleep 2
+      cdn_sslkeys_response=$(to-get 'api/1.3/cdns/name/CDN-in-a-Box/sslkeys.json' | jq '.response[] | length')
+      echo "cdn_sslkeys_response=$cdn_sslkeys_response"
+
+      if [ -n "$cdn_sslkeys_response" ] ; then 
+         if ((cdn_sslkeys_response==0)); then 
+           sleep 2 # Submit it again because the first time doesn't work !
+           demo1_json_response=$(to-post 'api/1.4/deliveryservices/sslkeys/add' "$demo1_json_request")
+ 
+           if [[ -n "$demo1_json_response" ]] ; then 
+              demo1_sslkeys_verified=true
+           fi
+        elif ((cdn_sslkeys_response>0)); then
+           demo1_sslkeys_verified=true
+        fi
+      fi
+   fi
+
+   ((demo_version+=1)) 
+done
+
 ### Automatic Queue/Snapshot ###
 while [[ "$AUTO_SNAPQUEUE_ENABLED" = true ]] ; do
   # AUTO_SNAPQUEUE_SERVERS should be a comma delimited list of expected docker service names to be enrolled - see varibles.env
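Review bot: `((demo_version+=1))` at the bottom of the loop increments the wrong variable (the request uses `demo1_version`), so every retry re-submits `version: 1`. Second, `echo "CDN SSLKeys=$sslkeys_response"` prints the response of `sslkeys?decode=true`, which carries the decoded certificate and private key, into the container log; log only whether it is non-empty, or its length. Third, `--argjson version $demo1_version` is passed to jq but the filter interpolates `version: $demo1_version` from the shell instead of using `\$version`; keep one or the other. Smaller points: the add call uses api/1.4 while the verification reads api/1.3 `cdns/name/CDN-in-a-Box/sslkeys.json`; the "Submit it again because the first time doesn't work" branch papers over a race with the key store rather than fixing it and deserves an issue reference in the comment; `$ds_name` is assumed to be set earlier in the script; and the inner `while true` never times out if the API keeps returning an empty body.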
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/to-access.sh b/infrastructure/cdn-in-a-box/traffic_ops/to-access.sh
index e06055738..e03c2f6ca 100644
--- a/infrastructure/cdn-in-a-box/traffic_ops/to-access.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/to-access.sh
@@ -110,7 +110,7 @@ to-post() {
 		data="--data @$t"
 	fi
 	to-auth && \
-	    curl $CURLAUTH $CURLOPTS --cookie "$COOKIEJAR" -X POST $data "$TO_URL/$1"
+	    curl $CURLAUTH $CURLOPTS -H 'Content-Type: application/json;charset=UTF-8' --cookie "$COOKIEJAR" -X POST $data "$TO_URL/$1"
 	[[ -n $t ]] && rm -f "$t"
 }
 
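Review bot: the `Content-Type: application/json;charset=UTF-8` header on L644 is now sent unconditionally by `to-post`, including for any caller that passes form-encoded or non-JSON data through `$data`; if such callers exist, make the header conditional or accept it as a parameter. While here, `$CURLAUTH` and `$CURLOPTS` are expanded unquoted and will be word-split on any option value that contains a space, so either quote them or turn them into arrays.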
diff --git a/infrastructure/cdn-in-a-box/traffic_ops_data/deliveryservices/010-ciab.json b/infrastructure/cdn-in-a-box/traffic_ops_data/deliveryservices/010-ciab.json
index 8cf57eb1d..2fa0fb0bd 100644
--- a/infrastructure/cdn-in-a-box/traffic_ops_data/deliveryservices/010-ciab.json
+++ b/infrastructure/cdn-in-a-box/traffic_ops_data/deliveryservices/010-ciab.json
@@ -2,7 +2,7 @@
     "xmlId": "demo1",
     "displayName": "Demo 1",
     "tenant": "root",
-    "protocol": 0,
+    "protocol": 2,
     "orgServerFqdn": "http://origin.infra.ciab.test",
     "cdnName": "CDN-in-a-Box",
     "type": "HTTP",
diff --git a/infrastructure/cdn-in-a-box/traffic_portal/run.sh b/infrastructure/cdn-in-a-box/traffic_portal/run.sh
index 453225c5b..93f3d9caf 100755
--- a/infrastructure/cdn-in-a-box/traffic_portal/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_portal/run.sh
@@ -40,7 +40,7 @@ done
 source $X509_CA_ENV_FILE
 
 # Trust the CIAB-CA at the System level
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
 # Configuration of Traffic Portal
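Review bot: copying `$X509_CA_CERT_FULL_CHAIN_FILE` into `/etc/pki/ca-trust/source/anchors` on L670 makes the intermediate CA a trust anchor in its own right, not just the root. A CIAB service that forgets to send the intermediate in its handshake will then still validate from this container, so a broken chain on a server goes unnoticed; if the intermediate exists to exercise real chain building, anchor only the root certificate here and let each server present the intermediate. Quoting the variable (`cp "$X509_CA_CERT_FULL_CHAIN_FILE" ...`) would also be safer than the unquoted expansion.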
diff --git a/infrastructure/cdn-in-a-box/traffic_router/Dockerfile b/infrastructure/cdn-in-a-box/traffic_router/Dockerfile
index 59a096d6f..ae58e695e 100644
--- a/infrastructure/cdn-in-a-box/traffic_router/Dockerfile
+++ b/infrastructure/cdn-in-a-box/traffic_router/Dockerfile
@@ -38,6 +38,8 @@ ADD $TOMCAT_RPM /tomcat.rpm
 
 RUN yum -y install /traffic_router.rpm /tomcat.rpm
 
+RUN find /usr/lib* -name libtc\* -exec ln -sfv '{}' /opt/tomcat/lib \;
+
 ADD enroller/server_template.json \
     traffic_router/run.sh \
     traffic_ops/to-access.sh \
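Review bot: `-name libtc\*` on L682 matches every library whose name begins with `libtc` (libtcmalloc, for instance, if it happens to be installed), not only the Tomcat Native library; `-name 'libtcnative*'`, ideally with `-type f`, keeps unrelated libraries out of `/opt/tomcat/lib`. The `find -exec` also succeeds when nothing matches, so an image built without the native library passes the build and only fails later as a runtime connector error; a check that at least one link was created would catch that at build time.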
diff --git a/infrastructure/cdn-in-a-box/traffic_router/run.sh b/infrastructure/cdn-in-a-box/traffic_router/run.sh
index e8112ac01..31a558d37 100755
--- a/infrastructure/cdn-in-a-box/traffic_router/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_router/run.sh
@@ -28,7 +28,7 @@ CATALINA_PID="$CATALINA_BASE/temp/tomcat.pid"
 
 CATALINA_OPTS="\
   -server -Xms2g -Xmx8g \
-  -Djava.library.path=$CATALINA_HOME/lib \
+  -Djava.library.path=/usr/lib64:$CATALINA_BASE/lib:$CATALINA_HOME/lib \
   -Dlog4j.configuration=file://$CATALINA_BASE/conf/log4j.properties \
   -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false \
   -XX:+UseG1GC \
@@ -37,6 +37,7 @@ CATALINA_OPTS="\
 
 JAVA_HOME=/opt/java
 JAVA_OPTS="\
+  -Djava.library.path=/usr/lib64 \
   -Dcache.config.json.refresh.period=5000 \
   -Djava.awt.headless=true \
   -Djava.security.egd=file:/dev/./urandom"
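Review bot: `java.library.path` is now defined twice, as `/usr/lib64:$CATALINA_BASE/lib:$CATALINA_HOME/lib` in CATALINA_OPTS (L696) and as `/usr/lib64` alone in JAVA_OPTS (L704). catalina.sh passes JAVA_OPTS before CATALINA_OPTS for `run`, and for a repeated -D property the last one wins, so the JAVA_OPTS value is dead for startup and only takes effect for commands that use JAVA_OPTS alone; keep a single definition (the fuller CATALINA_OPTS one, or move that value into JAVA_OPTS if it must also apply to `stop`) and drop the other.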
@@ -61,11 +62,11 @@ done
 source $X509_CA_ENV_FILE
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
-cp $X509_CA_CERT_FILE $CATALINA_BASE/conf
-cp $X509_CA_CERT_FILE /etc/pki/ca-trust/source/anchors
+cp $X509_CA_ROOT_CERT_FILE $CATALINA_BASE/conf
+cp $X509_CA_INTR_CERT_FILE $CATALINA_BASE/conf
+cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
 update-ca-trust extract
 
-
 # Add traffic 
 for crtfile in $(find $CATALINA_BASE/conf -name \*.crt -type f) 
 do 
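Review bot: the comment on L711 still says "the CIAB-CA certificate" (singular) while L714-L715 now copy both the root and the intermediate into `$CATALINA_BASE/conf`, and the `find ... -name \*.crt` loop on L721 will import both into the Java trust store; update the comment, and consider importing only the root there. With the intermediate trusted directly, here and via the full chain placed in `/etc/pki/ca-trust/source/anchors` on L716, a peer that omits the intermediate from its handshake still validates, so a misconfigured chain on a CIAB service would not be noticed. The `# Add traffic` comment on L720 is also cut off mid-sentence.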
@@ -102,6 +103,6 @@ until nc $TM_FQDN $TM_PORT </dev/null >/dev/null 2>&1; do
 done
 
 touch $LOGFILE $ACCESSLOG
-tail -F $CATALINA_OUT $CATALINA_LOG $LOGFILE $ACCESSLOG &  
+exec /opt/tomcat/bin/catalina.sh run &
 
-exec /opt/tomcat/bin/catalina.sh run 
+tail -F $CATALINA_OUT $CATALINA_LOG $LOGFILE $ACCESSLOG 
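Review bot: swapping the foreground process on L728 and L731 changes the container's lifecycle. Tomcat is now started with `exec ... &`, where the `exec` does nothing useful in a backgrounded job, and `tail -F` becomes the process the container lives on: SIGTERM from `docker stop` reaches `tail` rather than Tomcat, so Tomcat gets no graceful shutdown, and if Tomcat dies the container keeps running with only a `tail` inside it. If the aim is to see Tomcat's logs on stdout, keep `tail -F ... &` in the background and `exec /opt/tomcat/bin/catalina.sh run` in the foreground as before, or start Tomcat in the background and `wait "$!"` behind a `trap` that forwards TERM to it.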
diff --git a/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh b/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
index 980e3911f..94b6a1ed2 100644
--- a/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
+++ b/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
@@ -30,7 +30,7 @@ done
 source "$X509_CA_ENV_FILE"
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
-cp $X509_CA_CERT_FILE /usr/local/share/ca-certificates
+cp $X509_CA_CERT_FULL_CHAIN_FILE /usr/local/share/ca-certificates
 update-ca-certificates
 
 # Grep out the existing SSL and Socket listener config
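Review bot: the comment on L739 says "traffic_router conf", but this is the Traffic Vault prestart script and the destination on L741 is `/usr/local/share/ca-certificates`; fix the copy-pasted comment. Also, `update-ca-certificates` only picks up files in that directory whose names end in `.crt`, so L741 works only if `$X509_CA_CERT_FULL_CHAIN_FILE` carries that extension; copying to an explicit name such as `/usr/local/share/ca-certificates/ciab-ca-chain.crt` removes that dependency on the variable's value. As in the other containers, anchoring the full chain rather than the root alone trusts the intermediate directly.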


With regards,
Apache Git Services