sys.exit(0)
os.chdir("/")
os.setsid()
- os.umask(0)
+ os.umask(077)
pid = os.fork()
os.close(0)
up the hostname for that.
"""
# FIXME: this code ignores http proxies (which granted, we don't
- # support elsewhere either. It also hardcodes the port number
- # for the certmaster for now
+ # support elsewhere either.
hostname = None
hostname = socket.gethostname()
# print "DEBUG: HOSTNAME TRY1: %s" % hostname
try:
ip = socket.gethostbyname(hostname)
- # print "DEBUG: IP TRY2: %s" % ip
except:
- # print "DEBUG: ERROR: returning"
return hostname
if ip != "127.0.0.1":
- # print "DEBUG: ERROR: returning 2"
return hostname
- if talk_to_certmaster:
- config_file = '/etc/certmaster/minion.conf'
- config = read_config(config_file, MinionConfig)
-
- server = config.certmaster
- port = 51235
-
- try:
- s = socket.socket()
- s.settimeout(5)
- s.connect((server, port))
- (intf, port) = s.getsockname()
- remote_hostname = socket.gethostbyaddr(intf)[0]
- if remote_hostname != "localhost":
- hostname = remote_hostname
- # print "DEBUG: HOSTNAME FROM CERTMASTER == %s" % hostname
- s.close()
- except:
- s.close()
- raise
-
- # print "DEBUG: final hostname=%s" % hostname
- return hostname
-
# FIXME: move to requestor module and also create a verbose mode
# prints to the screen for usage by /usr/bin/certmaster-request
-def create_minion_keys():
+def create_minion_keys(hostname=None):
+ log = logger.Logger().logger
+
# FIXME: paths should not be hard coded here, move to settings universally
config_file = '/etc/certmaster/minion.conf'
config = read_config(config_file, MinionConfig)
cert_dir = config.cert_dir
- master_uri = 'http://%s:51235/' % config.certmaster
- # print "DEBUG: acquiring hostname"
- hn = get_hostname()
- # print "DEBUG: hostname = %s\n" % hn
+ master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)
+
+ hn = hostname
+ if hn is None:
+ hn = get_hostname()
if hn is None:
raise codes.CMException("Could not determine a hostname other than localhost")
+ else:
+ # use lowercase letters for hostnames
+ hostname = hostname.lower()
key_file = '%s/%s.pem' % (cert_dir, hn)
csr_file = '%s/%s.csr' % (cert_dir, hn)
if not os.path.exists(csr_file):
if not keypair:
keypair = certs.retrieve_key_from_file(key_file)
- csr = certs.make_csr(keypair, dest=csr_file)
+ csr = certs.make_csr(keypair, dest=csr_file, hostname=hn)
except Exception, e:
traceback.print_exc()
raise codes.CMException, "Could not create local keypair or csr for session"
result = False
- log = logger.Logger().logger
+
while not result:
try:
# print "DEBUG: submitting CSR to certmaster: %s" % master_uri
- log.debug("submitting CSR to certmaster %s" % master_uri)
+ log.debug("submitting CSR: %s to certmaster %s" % (csr_file, master_uri))
result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
- except socket.gaierror, e:
- raise codes.CMException, "Could not locate certmaster at %s" % master_uri
+ except socket.error, e:
+ log.warning("Could not locate certmaster at %s" % master_uri)
# logging here would be nice
if not result:
if result:
# print "DEBUG: recieved certificate from certmaster"
log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+ if not keypair:
+ keypair = certs.retrieve_key_from_file(key_file)
+ valid = certs.check_cert_key_match(cert_string, keypair)
+ if not valid:
+ log.info("certificate does not match key (run certmaster-ca --clean first?)")
+ sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+ return
cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
os.write(cert_fd, cert_string)
os.close(cert_fd)
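Review bot: The lowercase normalisation added in the `else:` branch after the hostname check lowercases `hostname` rather than `hn`, so the lowercased name never reaches `key_file`, `csr_file` or `make_csr(..., hostname=hn)`, and when the caller leaves `hostname=None` and `get_hostname()` supplies the name, `hostname.lower()` raises AttributeError on None; the branch should read `hn = hn.lower()`. The new cert/key mismatch path (`check_cert_key_match` … `return`) exits with None after logging, which is out of step with the `codes.CMException` raised for the other failures in this function and leaves the caller unable to tell a mismatch from success; consider `raise codes.CMException("certificate does not match key (run certmaster-ca --clean first?)")` there instead. Catching `socket.error` and only warning at the submit step, where `socket.gaierror` previously raised, means an unresolvable certmaster address now keeps the `while not result` loop retrying; whether that is intended depends on the sleep/back-off after `if not result:`, which is not fully visible here. create_minion_keys continues beyond the end of the hunk.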