confluent/confluent_server/bin/confluentcertutil.py

import os
import confluent.collective.manager as collective
from os.path import exists
import shutil
import socket
import eventlet.green.subprocess as subprocess
import tempfile

def get_openssl_conf_location():
    if exists('/etc/pki/tls/openssl.cnf'):
        return '/etc/pki/tls/openssl.cnf'
    elif exists('/etc/ssl/openssl.cnf'):
        return '/etc/ssl/openssl.cnf'
    else:
        raise Exception("Cannot find openssl config file")

def get_ip_addresses():
    lines = subprocess.check_output('ip addr'.split(' '))
    if not isinstance(lines, str):
        lines = lines.decode('utf8')
    for line in lines.split('\n'):
        if line.startswith('    inet6 '):
            line = line.replace('    inet6 ', '').split('/')[0]
            if line == '::1':
                continue
        elif line.startswith('    inet '):
            line = line.replace('    inet ', '').split('/')[0]
            if line == '127.0.0.1':
                continue
            if line.startswith('169.254.'):
                continue
        else:
            continue
        yield line

def create_certificate(outdir):
    keyout = os.path.join(outdir, 'key.pem')
    certout = os.path.join(outdir, 'cert.pem')
    shortname = socket.gethostname().split('.')[0]
    longname = socket.getfqdn()
    subprocess.check_call(
        ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
         keyout])
    san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
    # It is incorrect to put IP addresses as DNS type.  However
    # there exists non-compliant clients that fail with them as IP
    san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])
    san.append('DNS:{0}'.format(shortname))
    san.append('DNS:{0}'.format(longname))
    san = ','.join(san)
    sslcfg = get_openssl_conf_location()
    tmpconfig = tempfile.mktemp()
    shutil.copy2(sslcfg, tmpconfig)
    try:
        with open(tmpconfig, 'a') as cfgfile:
            cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
        subprocess.check_call([
            'openssl', 'req', '-new', '-x509', '-key', keyout, '-days',
            '7300', '-out', certout, '-subj', '/CN={0}'.format(longname),
            '-extensions', 'SAN', '-config', tmpconfig
        ])
    finally:
        os.remove(tmpconfig)
    fname = '/var/lib/confluent/public/site/tls/{0}.cert'.format(
        collective.get_myname())
    shutil.copy2(certout, fname)
    hv = subprocess.check_output(
        ['openssl', 'x509', '-in', certout, '-hash', '-noout'])
    if not isinstance(hv, str):
        hv = hv.decode('utf8')
    hv = hv.strip()
    hashname = '/var/lib/confluent/public/site/tls/{0}.0'.format(hv)
    certname = '{0}.cert'.format(collective.get_myname())
    for currname in os.listdir('/var/lib/confluent/public/site/tls/'):
        currname = os.path.join('/var/lib/confluent/public/site/tls/', currname)
        if currname.endswith('.0'):
            try:
                realname = os.readlink(currname)
                if realname == certname:
                    os.unlink(currname)
            except OSError:
                pass
    os.symlink(certname, hashname)

if __name__ == '__main__':
    create_certificate(os.getcwd())
Workaround incorrect TLS clients Standards compliant TLS clients require that IP addresses be compared against IP type SAN fields. However, some firmware ignores IP fields and only checks DNS fields. Workaround and provide compatibility by duplicating the IP as DNS and IP fields. Also, clean up the temporary config file when done. 2020-03-12 23:06:05 +00:00			`import os`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`import confluent.collective.manager as collective`
Adapt to RHEL or Debian openssl config locations 2019-08-05 20:16:42 +00:00			`from os.path import exists`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`import shutil`
			`import socket`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`import eventlet.green.subprocess as subprocess`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`import tempfile`

			`def get_openssl_conf_location():`
Adapt to RHEL or Debian openssl config locations 2019-08-05 20:16:42 +00:00			`if exists('/etc/pki/tls/openssl.cnf'):`
			`return '/etc/pki/tls/openssl.cnf'`
Fix mistake in the cert util 2020-02-03 20:37:20 +00:00			`elif exists('/etc/ssl/openssl.cnf'):`
Adapt to RHEL or Debian openssl config locations 2019-08-05 20:16:42 +00:00			`return '/etc/ssl/openssl.cnf'`
			`else:`
			`raise Exception("Cannot find openssl config file")`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00
			`def get_ip_addresses():`
			`lines = subprocess.check_output('ip addr'.split(' '))`
Fix cert util on pythoen3 python 3 had bytes and not str and need to be decoded before string operations. 2020-03-16 13:27:34 +00:00			`if not isinstance(lines, str):`
			`lines = lines.decode('utf8')`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`for line in lines.split('\n'):`
			`if line.startswith(' inet6 '):`
			`line = line.replace(' inet6 ', '').split('/')[0]`
			`if line == '::1':`
			`continue`
			`elif line.startswith(' inet '):`
			`line = line.replace(' inet ', '').split('/')[0]`
			`if line == '127.0.0.1':`
			`continue`
			`if line.startswith('169.254.'):`
			`continue`
			`else:`
			`continue`
			`yield line`

Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`def create_certificate(outdir):`
			`keyout = os.path.join(outdir, 'key.pem')`
			`certout = os.path.join(outdir, 'cert.pem')`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`shortname = socket.gethostname().split('.')[0]`
			`longname = socket.getfqdn()`
			`subprocess.check_call(`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',`
			`keyout])`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`san = ['IP:{0}'.format(x) for x in get_ip_addresses()]`
Workaround incorrect TLS clients Standards compliant TLS clients require that IP addresses be compared against IP type SAN fields. However, some firmware ignores IP fields and only checks DNS fields. Workaround and provide compatibility by duplicating the IP as DNS and IP fields. Also, clean up the temporary config file when done. 2020-03-12 23:06:05 +00:00			`# It is incorrect to put IP addresses as DNS type. However`
			`# there exists non-compliant clients that fail with them as IP`
			`san.extend(['DNS:{0}'.format(x) for x in get_ip_addresses()])`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00			`san.append('DNS:{0}'.format(shortname))`
			`san.append('DNS:{0}'.format(longname))`
			`san = ','.join(san)`
			`sslcfg = get_openssl_conf_location()`
			`tmpconfig = tempfile.mktemp()`
			`shutil.copy2(sslcfg, tmpconfig)`
Workaround incorrect TLS clients Standards compliant TLS clients require that IP addresses be compared against IP type SAN fields. However, some firmware ignores IP fields and only checks DNS fields. Workaround and provide compatibility by duplicating the IP as DNS and IP fields. Also, clean up the temporary config file when done. 2020-03-12 23:06:05 +00:00			`try:`
			`with open(tmpconfig, 'a') as cfgfile:`
			`cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`subprocess.check_call([`
			`'openssl', 'req', '-new', '-x509', '-key', keyout, '-days',`
			`'7300', '-out', certout, '-subj', '/CN={0}'.format(longname),`
			`'-extensions', 'SAN', '-config', tmpconfig`
			`])`
Workaround incorrect TLS clients Standards compliant TLS clients require that IP addresses be compared against IP type SAN fields. However, some firmware ignores IP fields and only checks DNS fields. Workaround and provide compatibility by duplicating the IP as DNS and IP fields. Also, clean up the temporary config file when done. 2020-03-12 23:06:05 +00:00			`finally:`
			`os.remove(tmpconfig)`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`fname = '/var/lib/confluent/public/site/tls/{0}.cert'.format(`
			`collective.get_myname())`
			`shutil.copy2(certout, fname)`
			`hv = subprocess.check_output(`
			`['openssl', 'x509', '-in', certout, '-hash', '-noout'])`
			`if not isinstance(hv, str):`
			`hv = hv.decode('utf8')`
			`hv = hv.strip()`
			`hashname = '/var/lib/confluent/public/site/tls/{0}.0'.format(hv)`
			`certname = '{0}.cert'.format(collective.get_myname())`
			`for currname in os.listdir('/var/lib/confluent/public/site/tls/'):`
			`currname = os.path.join('/var/lib/confluent/public/site/tls/', currname)`
			`if currname.endswith('.0'):`
			`try:`
			`realname = os.readlink(currname)`
			`if realname == certname:`
			`os.unlink(currname)`
			`except OSError:`
			`pass`
			`os.symlink(certname, hashname)`
Tentatively store certutil Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected. 2018-12-11 18:51:46 +00:00
			`if __name__ == '__main__':`
Update certutil to update site tls This puts the certificate in a location to be picked up by installers, complete with subject_hash so that SuSE can easily pull them in. 2020-04-22 17:33:31 +00:00			`create_certificate(os.getcwd())`