tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CSR Auto-signing: Add debug logging for skipped signing

This commit is contained in:
Michael Friedrich 2019-09-18 11:53:58 +02:00
parent 1bbb9c4373
commit eddb40a913
1 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
lib/remote/jsonrpcconnection-pki.cpp
View File

@ -154,14 +154,32 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
ticket = params->Get("ticket"); ticket = params->Get("ticket");
/* Auto-signing is disabled by either a) no TicketSalt // Auto-signing is disabled: Client did not include a ticket in its request.
* or b) the client did not include a ticket in its request. if (ticket.IsEmpty()) {
*/ Log(LogNotice, "JsonRpcConnection")
if (salt.IsEmpty() || ticket.IsEmpty()) << "Certificate request for CN '" << cn
<< "': No ticket included, skipping auto-signing and waiting for on-demand signing approval.";
goto delayed_request; goto delayed_request;
}
// Auto-signing is disabled: no TicketSalt
if (salt.IsEmpty()) {
Log(LogNotice, "JsonRpcConnection")
<< "Certificate request for CN '" << cn
<< "': This instance is the signing master for the Icinga CA."
<< " The 'ticket_salt' attribute in the 'api' feature is not set."
<< " Not signing the request. Please check the docs.";
goto delayed_request;
}
String realTicket = PBKDF2_SHA1(cn, salt, 50000); String realTicket = PBKDF2_SHA1(cn, salt, 50000);
Log(LogDebug, "JsonRpcConnection")
<< "Certificate request for CN '" << cn << "': Comparing received ticket '"
<< ticket << "' with calculated ticket '" << realTicket << "'.";
if (ticket != realTicket) { if (ticket != realTicket) {
Log(LogWarning, "JsonRpcConnection") Log(LogWarning, "JsonRpcConnection")
<< "Ticket '" << ticket << "' for CN '" << cn << "' is invalid."; << "Ticket '" << ticket << "' for CN '" << cn << "' is invalid.";