icinga2 node wizard: Create backups of certificates

fixes #8260
This commit is contained in:
Michael Friedrich 2015-02-07 20:44:25 +01:00
parent 1d4065ba94
commit d67679c0ec
1 changed files with 39 additions and 27 deletions

View File

@ -242,6 +242,11 @@ wizard_master_host:
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << pki_path << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << pki_path << "'. Verify it yourself!";
} }
if (Utility::PathExists(node_key))
NodeUtility::CreateBackupFile(node_key, 0600);
if (Utility::PathExists(node_cert))
NodeUtility::CreateBackupFile(node_cert, 0640);
if (PkiUtility::NewCert(cn, node_key, Empty, node_cert) > 0) { if (PkiUtility::NewCert(cn, node_key, Empty, node_cert) > 0) {
Log(LogCritical, "cli") Log(LogCritical, "cli")
<< "Failed to create new self-signed certificate for CN '" << cn << "'. Please try again."; << "Failed to create new self-signed certificate for CN '" << cn << "'. Please try again.";
@ -264,6 +269,9 @@ wizard_master_host:
String trusted_cert = PkiUtility::GetPkiPath() + "/trusted-master.crt"; String trusted_cert = PkiUtility::GetPkiPath() + "/trusted-master.crt";
if (Utility::PathExists(trusted_cert))
NodeUtility::CreateBackupFile(trusted_cert, 0640);
if (PkiUtility::SaveCert(master_host, master_port, node_key, node_cert, trusted_cert) > 0) { if (PkiUtility::SaveCert(master_host, master_port, node_key, node_cert, trusted_cert) > 0) {
Log(LogCritical, "cli") Log(LogCritical, "cli")
<< "Failed to fetch trusted master certificate. Please try again."; << "Failed to fetch trusted master certificate. Please try again.";
@ -291,6 +299,11 @@ wizard_ticket:
String target_ca = pki_path + "/ca.crt"; String target_ca = pki_path + "/ca.crt";
if (Utility::PathExists(target_ca))
NodeUtility::CreateBackupFile(target_ca, 0640);
if (Utility::PathExists(node_cert))
NodeUtility::CreateBackupFile(node_cert, 0640);
if (PkiUtility::RequestCertificate(master_host, master_port, node_key, node_cert, target_ca, trusted_cert, ticket) > 0) { if (PkiUtility::RequestCertificate(master_host, master_port, node_key, node_cert, target_ca, trusted_cert, ticket) > 0) {
Log(LogCritical, "cli") Log(LogCritical, "cli")
<< "Failed to fetch signed certificate from master '" << master_host << ", " << "Failed to fetch signed certificate from master '" << master_host << ", "
@ -433,6 +446,11 @@ wizard_ticket:
Log(LogInformation, "cli") Log(LogInformation, "cli")
<< "Generating new CSR in '" << csr << "'."; << "Generating new CSR in '" << csr << "'.";
if (Utility::PathExists(key))
NodeUtility::CreateBackupFile(key, 0600);
if (Utility::PathExists(csr))
NodeUtility::CreateBackupFile(csr, 0640);
if (PkiUtility::NewCert(cn, key, csr, "") > 0) { if (PkiUtility::NewCert(cn, key, csr, "") > 0) {
Log(LogCritical, "cli", "Failed to create certificate signing request."); Log(LogCritical, "cli", "Failed to create certificate signing request.");
return 1; return 1;
@ -444,6 +462,9 @@ wizard_ticket:
Log(LogInformation, "cli") Log(LogInformation, "cli")
<< "Signing CSR with CA and writing certificate to '" << cert << "'."; << "Signing CSR with CA and writing certificate to '" << cert << "'.";
if (Utility::PathExists(cert))
NodeUtility::CreateBackupFile(cert, 0640);
if (PkiUtility::SignCsr(csr, cert) != 0) { if (PkiUtility::SignCsr(csr, cert) != 0) {
Log(LogCritical, "cli", "Could not sign CSR."); Log(LogCritical, "cli", "Could not sign CSR.");
return 1; return 1;
@ -460,37 +481,28 @@ wizard_ticket:
Log(LogInformation, "cli") Log(LogInformation, "cli")
<< "Copying CA certificate to '" << target_ca << "'."; << "Copying CA certificate to '" << target_ca << "'.";
if (Utility::PathExists(target_ca))
NodeUtility::CreateBackupFile(target_ca);
/* does not overwrite existing files! */ /* does not overwrite existing files! */
Utility::CopyFile(ca, target_ca); Utility::CopyFile(ca, target_ca);
/* fix permissions: root -> icinga daemon user */ /* fix permissions: root -> icinga daemon user */
if (!Utility::SetFileOwnership(ca_path, user, group)) { std::vector<String> files;
Log(LogWarning, "cli") files.push_back(ca_path);
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_path << "'. Verify it yourself!"; files.push_back(ca);
} files.push_back(ca_key);
if (!Utility::SetFileOwnership(ca, user, group)) { files.push_back(serial);
Log(LogWarning, "cli") files.push_back(target_ca);
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca << "'. Verify it yourself!"; files.push_back(key);
} files.push_back(csr);
if (!Utility::SetFileOwnership(ca_key, user, group)) { files.push_back(cert);
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!"; BOOST_FOREACH(const String& file, files) {
} if (!Utility::SetFileOwnership(file, user, group)) {
if (!Utility::SetFileOwnership(serial, user, group)) { Log(LogWarning, "cli")
Log(LogWarning, "cli") << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << file << "'. Verify it yourself!";
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!"; }
}
if (!Utility::SetFileOwnership(target_ca, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!";
}
if (!Utility::SetFileOwnership(key, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << key << "'. Verify it yourself!";
}
if (!Utility::SetFileOwnership(csr, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << csr << "'. Verify it yourself!";
} }
NodeUtility::GenerateNodeMasterIcingaConfig(cn); NodeUtility::GenerateNodeMasterIcingaConfig(cn);