X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Futils.py;h=6b79ce74c3b5fd5c5cfcc76682c01f69b0f3f917;hb=73e598e357c28782bb3d13cfd7b62c20dbab1d9c;hp=76d5b4d579b64ca0d647aa37f6e7481d57f8bfdc;hpb=919c9c3a4f5418b55108c1ec903160f0400900df;p=certmaster.git
diff --git a/certmaster/utils.py b/certmaster/utils.py
index 76d5b4d..6b79ce7 100644
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -57,7 +57,7 @@ def daemonize(pidfile=None):
 sys.exit(0)
 os.chdir("/")
 os.setsid()
- os.umask(0)
+ os.umask(077)
 pid = os.fork()
 os.close(0)
@@ -122,18 +122,24 @@ def get_hostname(talk_to_certmaster=True):
 # FIXME: move to requestor module and also create a verbose mode
 # prints to the screen for usage by /usr/bin/certmaster-request
-def create_minion_keys():
+def create_minion_keys(hostname=None):
+ log = logger.Logger().logger
+
 # FIXME: paths should not be hard coded here, move to settings universally
 config_file = '/etc/certmaster/minion.conf'
 config = read_config(config_file, MinionConfig)
 cert_dir = config.cert_dir
 master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)
- # print "DEBUG: acquiring hostname"
- hn = get_hostname()
- # print "DEBUG: hostname = %s\n" % hn
+
+ hn = hostname
+ if hn is None:
+ hn = get_hostname()
 if hn is None:
 raise codes.CMException("Could not determine a hostname other than localhost")
+ else:
+ # use lowercase letters for hostnames
+ hostname = hostname.lower()
 key_file = '%s/%s.pem' % (cert_dir, hn)
 csr_file = '%s/%s.csr' % (cert_dir, hn)
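Review bot: `os.umask(077)` is an untagged Python 2 octal literal with no explanation of intent, so a reader skimming the daemon setup may read it as decimal 77; a comment should say what it is for, e.g. `os.umask(077)  # octal 077: files the daemon creates default to owner-only access`. Note the interaction with explicit modes elsewhere in this file: the `os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)` in the last hunk would produce a 0600 file if that code ever runs inside the daemonized process, so anything meant to be group- or world-readable now needs an explicit chmod after creation. The body of daemonize continues outside the hunk.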
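Review bot: The new `else:` branch lowercases the wrong variable: `hostname = hostname.lower()` leaves `hn` — the value actually used for `key_file`, `csr_file` and the `make_csr(..., hostname=hn)` call in the next hunk — unchanged, and when the function is called with the default `hostname=None` and `get_hostname()` succeeds, `hostname` is still `None`, so that line raises `AttributeError` on the default call path. The line should read `hn = hn.lower()`; normalizing `hn` there also means the filesystem paths and the CSR subject agree on the case. create_minion_keys continues outside the hunk.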
@@ -154,17 +160,17 @@ def create_minion_keys():
 if not os.path.exists(csr_file):
 if not keypair:
 keypair = certs.retrieve_key_from_file(key_file)
- csr = certs.make_csr(keypair, dest=csr_file)
+ csr = certs.make_csr(keypair, dest=csr_file, hostname=hn)
 except Exception, e:
 traceback.print_exc()
 raise codes.CMException, "Could not create local keypair or csr for session"
 result = False
- log = logger.Logger().logger
+
 while not result:
 try:
 # print "DEBUG: submitting CSR to certmaster: %s" % master_uri
- log.debug("submitting CSR to certmaster %s" % master_uri)
+ log.debug("submitting CSR: %s to certmaster %s" % (csr_file, master_uri))
 result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
 except socket.gaierror, e:
 raise codes.CMException, "Could not locate certmaster at %s" % master_uri
@@ -179,6 +185,13 @@ def create_minion_keys():
 if result:
 # print "DEBUG: recieved certificate from certmaster"
 log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+ if not keypair:
+ keypair = certs.retrieve_key_from_file(key_file)
+ valid = certs.check_cert_key_match(cert_string, keypair)
+ if not valid:
+ log.info("certificate does not match key (run certmaster-ca --clean first?)")
+ sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+ return
 cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
 os.write(cert_fd, cert_string)
 os.close(cert_fd)
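Review bot: A key/certificate mismatch is handled with a bare `return`, so the caller observes the same outcome as success even though no certificate was stored; every other failure in `create_minion_keys` raises `codes.CMException` (see `raise codes.CMException, "Could not locate certmaster at %s" % master_uri` in the previous hunk), and this path should be consistent with them. Replace the `sys.stderr.write(...)` and `return` with `raise codes.CMException, "certificate does not match key (run certmaster-ca --clean first?)"`, which also removes the duplicated message. If the `log.info` is kept, `log.error` better reflects that a certificate issued for a different key was received. create_minion_keys continues outside the hunk.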