Renew certificates also periodically
This commit is contained in:
parent
ed3862782f
commit
f63b364d91
@ -623,7 +623,7 @@ std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME
|
|||||||
X509 *cert = X509_new();
|
X509 *cert = X509_new();
|
||||||
X509_set_version(cert, 2);
|
X509_set_version(cert, 2);
|
||||||
X509_gmtime_adj(X509_get_notBefore(cert), 0);
|
X509_gmtime_adj(X509_get_notBefore(cert), 0);
|
||||||
X509_gmtime_adj(X509_get_notAfter(cert), (ca ? 15 * 365 : 397) * 24 * 60 * 60);
|
X509_gmtime_adj(X509_get_notAfter(cert), ca ? ROOT_VALID_FOR : LEAF_VALID_FOR);
|
||||||
X509_set_pubkey(cert, pubkey);
|
X509_set_pubkey(cert, pubkey);
|
||||||
|
|
||||||
X509_set_subject_name(cert, subject);
|
X509_set_subject_name(cert, subject);
|
||||||
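Review bot: The validity window now comes from ROOT_VALID_FOR/LEAF_VALID_FOR, but notBefore is still set to exactly now by the X509_gmtime_adj call two lines above, so a peer whose clock is slightly behind the signing node will reject a freshly renewed certificate as not yet valid, and with renewal now automatic that happens unattended rather than during a manual reissue. A small backdate is the usual mitigation, e.g. `X509_gmtime_adj(X509_get_notBefore(cert), -(5 * 60));`, ideally with the skew named as a constant next to the new ones. Neither X509_gmtime_adj return value is checked; they return NULL on failure, in which case the certificate would be signed with whatever the time field holds. CreateCert begins before this hunk and continues after it.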
@ -761,7 +761,7 @@ bool IsCertUptodate(const std::shared_ptr<X509>& cert)
|
|||||||
* because Icinga versions older than 2.4 sometimes create certificates with an invalid
|
* because Icinga versions older than 2.4 sometimes create certificates with an invalid
|
||||||
* serial number. */
|
* serial number. */
|
||||||
time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
|
time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
|
||||||
time_t renewalStart = now + 30 * 24 * 60 * 60;
|
time_t renewalStart = now + RENEW_THRESHOLD;
|
||||||
|
|
||||||
return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
|
return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
|
||||||
}
|
}
|
||||||
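Review bot: The comparison on the unchanged return line treats an error as "up to date": per the OpenSSL documentation X509_cmp_time returns 1 or -1, and 0 on error (e.g. an unparseable time), and `!= -1` accepts that 0, so a certificate whose notAfter cannot be parsed would never be renewed by the new periodic path. Testing for the positive result is the safer form: `return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) == 1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) == 1;`. A short comment on the changed line, `/* renew once less than RENEW_THRESHOLD seconds of validity remain */`, would also make the unit of the new constant explicit where it is mixed with time_t. IsCertUptodate starts before this hunk, so the definition of now is not visible here.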
|
@ -30,6 +30,11 @@ const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RS
|
|||||||
const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";
|
const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";
|
||||||
const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;
|
const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;
|
||||||
|
|
||||||
|
const auto ROOT_VALID_FOR = 60 * 60 * 24 * 365 * 15;
|
||||||
|
const auto LEAF_VALID_FOR = 60 * 60 * 24 * 397;
|
||||||
|
const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;
|
||||||
|
const auto RENEW_INTERVAL = 60 * 60 * 24;
|
||||||
|
|
||||||
void InitializeOpenSSL();
|
void InitializeOpenSSL();
|
||||||
|
|
||||||
String GetOpenSSLVersion();
|
String GetOpenSSLVersion();
|
||||||
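Review bot: The four new constants carry no comment, and since they are consumed as seconds — by X509_gmtime_adj in CreateCert and as the Timer interval in ApiListener::Start — a reader could easily assume days; a header comment stating the unit and each constant's role (CA cert lifetime, node cert lifetime, how much remaining validity triggers renewal, how often the check runs) would prevent that. `constexpr` rather than `const auto` would state the compile-time intent, and spelling the type (`constexpr long` or `constexpr int`) avoids a reader having to work out what `auto` deduced; the products fit in a 32-bit int (ROOT_VALID_FOR is 473,040,000), so no overflow concern as written. Because these are `const` at namespace scope in a header they have internal linkage, which is fine for plain integers.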
|
@ -235,7 +235,20 @@ void ApiListener::Start(bool runtimeCreated)
|
|||||||
<< "'" << GetName() << "' started.";
|
<< "'" << GetName() << "' started.";
|
||||||
|
|
||||||
SyncLocalZoneDirs();
|
SyncLocalZoneDirs();
|
||||||
RenewOwnCert();
|
|
||||||
|
m_RenewOwnCertTimer = new Timer();
|
||||||
|
|
||||||
|
if (Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
|
||||||
|
RenewOwnCert();
|
||||||
|
m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) { RenewOwnCert(); });
|
||||||
|
} else {
|
||||||
|
m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
|
||||||
|
JsonRpcConnection::SendCertificateRequest(nullptr, nullptr, String());
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
m_RenewOwnCertTimer->SetInterval(RENEW_INTERVAL);
|
||||||
|
m_RenewOwnCertTimer->Start();
|
||||||
|
|
||||||
ObjectImpl<ApiListener>::Start(runtimeCreated);
|
ObjectImpl<ApiListener>::Start(runtimeCreated);
|
||||||
|
|
||||||
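Review bot: In the else branch the timer issues a certificate request every RENEW_INTERVAL regardless of whether the local certificate is anywhere near expiry; unless SendCertificateRequest or the responding parent short-circuits on an up-to-date certificate (not visible in this diff), that is a daily signing request and a daily "Requesting new certificate" log line on every non-CA node. Gating it the way the CA branch presumably does inside RenewOwnCert keeps the two paths symmetric: `if (!IsCertUptodate(GetX509Certificate(GetDefaultCertPath()))) { JsonRpcConnection::SendCertificateRequest(nullptr, nullptr, String()); }`. The ca.key existence check is evaluated once here, so a node that gains or loses its CA key later keeps the old branch until restart — worth stating: `/* Decided once per Start(): sign locally if we hold the CA key, otherwise ask the parent. */`. Both lambdas capture `this` into a timer owned by this object; if ApiListener::Stop stops the other timers it should stop m_RenewOwnCertTimer as well (Start continues past this hunk and Stop is not in the diff).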
@ -288,10 +301,6 @@ void ApiListener::Start(bool runtimeCreated)
|
|||||||
|
|
||||||
void ApiListener::RenewOwnCert()
|
void ApiListener::RenewOwnCert()
|
||||||
{
|
{
|
||||||
if (!Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
auto certPath (GetDefaultCertPath());
|
auto certPath (GetDefaultCertPath());
|
||||||
auto cert (GetX509Certificate(certPath));
|
auto cert (GetX509Certificate(certPath));
|
||||||
|
|
||||||
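Review bot: RenewOwnCert no longer guards for the CA key itself; the precondition now lives in the caller, and the function should say so, e.g. a header comment `/* Re-signs this node's own certificate with the local CA. Precondition: <IcingaCADir>/ca.key exists — ApiListener::Start checks this before calling us and before scheduling m_RenewOwnCertTimer. */`. Any other caller of RenewOwnCert (none visible in this diff) now needs the same check, since the function presumably fails further down when the CA key is needed. The function body continues past this hunk.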
@ -832,9 +841,6 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi
|
|||||||
auto parent (myZone->GetParent());
|
auto parent (myZone->GetParent());
|
||||||
|
|
||||||
if (parent == eZone || !parent && eZone == myZone) {
|
if (parent == eZone || !parent && eZone == myZone) {
|
||||||
Log(LogInformation, "ApiListener")
|
|
||||||
<< "Requesting new certificate for this Icinga instance from endpoint '" << endpoint->GetName() << "'.";
|
|
||||||
|
|
||||||
JsonRpcConnection::SendCertificateRequest(aclient, nullptr, String());
|
JsonRpcConnection::SendCertificateRequest(aclient, nullptr, String());
|
||||||
|
|
||||||
if (Utility::PathExists(ApiListener::GetCertificateRequestsDir())) {
|
if (Utility::PathExists(ApiListener::GetCertificateRequestsDir())) {
|
||||||
|
@ -171,6 +171,7 @@ private:
|
|||||||
Timer::Ptr m_AuthorityTimer;
|
Timer::Ptr m_AuthorityTimer;
|
||||||
Timer::Ptr m_CleanupCertificateRequestsTimer;
|
Timer::Ptr m_CleanupCertificateRequestsTimer;
|
||||||
Timer::Ptr m_ApiPackageIntegrityTimer;
|
Timer::Ptr m_ApiPackageIntegrityTimer;
|
||||||
|
Timer::Ptr m_RenewOwnCertTimer;
|
||||||
|
|
||||||
Endpoint::Ptr m_LocalEndpoint;
|
Endpoint::Ptr m_LocalEndpoint;
|
||||||
|
|
||||||
|
@ -265,6 +265,17 @@ void JsonRpcConnection::SendCertificateRequest(const JsonRpcConnection::Ptr& acl
|
|||||||
|
|
||||||
/* Path is empty if this is our own request. */
|
/* Path is empty if this is our own request. */
|
||||||
if (path.IsEmpty()) {
|
if (path.IsEmpty()) {
|
||||||
|
{
|
||||||
|
Log msg (LogInformation, "JsonRpcConnection");
|
||||||
|
msg << "Requesting new certificate for this Icinga instance";
|
||||||
|
|
||||||
|
if (aclient) {
|
||||||
|
msg << " from endpoint '" << aclient->GetIdentity() << "'";
|
||||||
|
}
|
||||||
|
|
||||||
|
msg << ".";
|
||||||
|
}
|
||||||
|
|
||||||
String ticketPath = ApiListener::GetCertsDir() + "/ticket";
|
String ticketPath = ApiListener::GetCertsDir() + "/ticket";
|
||||||
|
|
||||||
std::ifstream fp(ticketPath.CStr());
|
std::ifstream fp(ticketPath.CStr());
|
||||||
|