Yonas Habteab
25bbac1677
Don't abruptly close anonymous connections
This was mistakenly introduced with PR #7686 due to too many open
connections (#7680). This was wrong in the sense that closing the
connection is simply out of place here and should have been handled
differently. After we revised the RPC connection disconnect procedure
with `v2.14.4`, it becomes clear why it is wrong, because the connection
is closed abruptly before the corresponding response (`result`) has
even been written. Now if you remove the disconnect here, shouldn't the
issue #7680 occur again, you ask? The answer is no, because we now also
have a maximum timeout of `10s` for anonymous connections, after which
they are automatically closed. Thanks to the introduction of this
timeout by @julianbrost in #8479, this `Disconnect()` call has become
superfluous.
2025-01-30 17:45:27 +01:00
Alexander A. Klimov
966216f4ba
RequestCertificateHandler(): also renew if CA needs a renewal
and a newer one is available.
2023-12-18 15:28:11 +01:00
Alexander A. Klimov
b92fe23469
Deduplicate and stabilize fragile filesystem transactions
by using AtomicFile so they ensure all or nothing of a file gets replaced.
2023-01-27 12:03:56 +01:00
Julian Brost
178aaaeca9
Merge pull request #9332 from Icinga/bugfix/compare-cluster-tickets-in-constant-time
Compare cluster tickets in constant time
2022-04-11 15:32:32 +02:00
Alexander A. Klimov
b15763bd86
Compare cluster tickets in constant time
Just to be sure.
2022-04-11 11:17:05 +02:00
Alexander A. Klimov
e490883577
Renew certificates also periodically
2022-04-11 11:02:39 +02:00
Alexander A. Klimov
6d470a3ca5
Introduce ApiListener#RenewCert()
2022-04-04 12:12:31 +02:00
Alexander A. Klimov
9be2eb8e5e
Introduce IsCertUptodate()
2022-03-29 16:47:23 +02:00
Yonas Habteab
361807f7a9
Adjust inconsistent pki log messages (#8965)
2021-11-22 16:06:55 +01:00
Julian Brost
e86bd24348
Verify certificates against CRL before renewing them
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
2020-12-09 12:10:59 +01:00
Noah Hilverling
d5d89b7f39
Merge pull request #7970 from Icinga/bugfix/reconnect-loop
RequestCertificateHandler(): don't disconnect nodes already integrated into the cluster
2020-04-27 13:05:22 +02:00
Alexander A. Klimov
5a5cf1a2eb
RequestCertificateHandler(): don't disconnect nodes already integrated into the cluster
... not to cause a reconnect loop.
2020-04-08 13:29:55 +02:00
Michael Insel
51e534ff4c
Fix CA verification regression
Uninitialized bool values may evaluate to true while they should be false.
2020-03-29 16:05:29 +02:00
Michael Friedrich
13d2416e29
Fix regression from JsonRPC PKI CA verification checks
refs #7835
2020-02-27 12:31:02 +01:00
Michael Friedrich
456b0779bb
JsonRpcConnection PKI: Document swallowed exception
2020-02-20 15:15:54 +01:00
Michael Friedrich
24397fbee8
CA Proxy: Catch exceptions from VerifyCertificate()
2020-02-17 17:43:11 +01:00
Michael Insel
9d55a8264d
Fix open connections when agent waits for CA approval
This closes the agent connection when the certificate sign request
waits for CA approval.
refs #7680
2019-12-03 21:19:39 +01:00
Michael Friedrich
eddb40a913
CSR Auto-signing: Add debug logging for skipped signing
2019-09-18 11:53:58 +02:00
Andrew Jaffie
429f1ed317
Ignore repeated requests from client after using ca remove command
2019-06-07 10:33:55 +02:00
Alexander A. Klimov
5afef1015d
Replace unlink() with boost::filesystem::remove()
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov
5a17722c1f
Replace _unlink() + rename() with boost::filesystem::rename()
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov
f2d9d91e83
Introduce UnbufferedAsioTlsStream#GetPeerCertificate()
2019-04-01 17:11:09 +02:00
Alexander A. Klimov
6c86c127f1
Port JsonRpcConnection to Boost ASIO
2019-04-01 11:40:14 +02:00
Michael Friedrich
d14a88235d
Replace Copyright header with a short version, part I
CLion -> replace in path
2019-02-25 14:48:22 +01:00
Alexander A. Klimov
4a7960f21b
pki::RequestCertificate: handle missing certificate/CSR
2019-01-08 11:49:44 +01:00
Michael Friedrich
dab53448bc
icinga.com: Update *.{h,c}pp
2018-10-18 09:27:04 +02:00
Michael Friedrich
f788878f79
Update log message for skipped certificate renewal
Users kept asking about it, still it is just an "information"
that this isn't needed yet.
2018-05-18 17:04:03 +02:00
Michael Friedrich
ad31e0d118
Log which ticket was invalid on the master
This helps debugging a lot, especially to reproduce the issue
why the ticket is invalid.
2018-02-28 10:18:29 +01:00
Noah Hilverling
948333225d
Fix nullptr deref in cluster events
2018-02-21 13:47:46 +01:00
Gunnar Beutner
c2fb9fe226
Use initializer lists for arrays and dictionaries
2018-01-16 12:27:44 +01:00
Michael Insel
158ae2188e
Change copyright header for 2018
2018-01-02 12:08:55 +01:00
Jean Flach
2636e6a77a
Whitespace fix
What does this change?
* Remove use of spaces for formatting
These could be found by using `grep -r -l -P '^\t+ +[^*]'`
* Removal of trailing whitespace
* A few lines longer than 120 chars
2017-12-20 14:53:52 +01:00
Gunnar Beutner
325e4a2fb9
Use nullptr instead of <Type>::Ptr()
2017-11-30 17:47:09 +01:00
Gunnar Beutner
6d09efc907
Use std::shared_ptr instead of boost::shared_ptr
2017-11-30 17:41:00 +01:00
Gunnar Beutner
f2d437e96c
Implement support for migrating certificates to /var/lib/icinga2/certs
This commit includes documentation too.
Signed-off-by: Michael Friedrich <michael.friedrich@icinga.com>
2017-10-20 14:06:02 +02:00
Michael Friedrich
578dcbe861
Add some more verbose logging details
refs #5450
2017-09-12 12:52:50 +02:00
Michael Friedrich
501ade374c
Remove debug logging, fix ticket path, enhance logging
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
88e57f7fd4
Implement support for cleaning up certificate requests
refs #5450
2017-09-12 12:52:49 +02:00
Michael Friedrich
181b91b759
Enhance logging for certificate requests
Examples:
https://github.com/Icinga/icinga2/issues/5450#issuecomment-327479874
This also adds code comments where applicable.
refs #5450
2017-09-12 12:52:49 +02:00
Michael Friedrich
ce88e89cc0
Fix wrong cert path for CLI commands
refs #5450
2017-09-12 12:52:49 +02:00
Michael Friedrich
8040bda2e1
Change directory layout to /var/lib/icinga2/{ca,certs,certificate_requests}
refs #5450
2017-09-12 12:52:49 +02:00
Michael Friedrich
88b4a54e6b
Fix ticket hash calculation for indirectly connected clients
refs #5450
2017-09-12 12:52:49 +02:00
Michael Friedrich
1e7860f2b1
Implement ApiListener::Get*Dir() functions
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
6a533796e5
Update output format for the new CLI commands
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
774936bfe8
Implement support for pki::UpdateCertificate messages
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
623208d617
Implement support for forwarding certificate requests
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
cc43dc734b
Refuse to sign certificate if it already has the correct chain and doesn’t expire soon
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
a8cc0a601b
Add missing _unlink() calls for Windows
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
cb49ac1264
Delete ticket file once we have a signed certificate
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
439251532e
Implement support for saving client tickets
refs #5450
2017-09-12 12:52:49 +02:00