Revision 60cc531d

b/lib/bootstrap.py
92 92

  
93 93

  
94 94
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_spice_cert,
95
                          new_confd_hmac_key, new_cds,
95
                          new_confd_hmac_key, new_cds, new_node_client_cert,
96 96
                          rapi_cert_pem=None, spice_cert_pem=None,
97 97
                          spice_cacert_pem=None, cds=None,
98 98
                          nodecert_file=pathutils.NODED_CERT_FILE,
99
                          nodecert_client_file=pathutils.NODED_CLIENT_CERT_FILE,
99 100
                          rapicert_file=pathutils.RAPI_CERT_FILE,
100 101
                          spicecert_file=pathutils.SPICE_CERT_FILE,
101 102
                          spicecacert_file=pathutils.SPICE_CACERT_FILE,
......
113 114
  @param new_confd_hmac_key: Whether to generate a new HMAC key
114 115
  @type new_cds: bool
115 116
  @param new_cds: Whether to generate a new cluster domain secret
117
  @type new_node_client_cert: bool
118
  @param new_node_client_cert: Whether to generate a new node (SSL)
119
    client certificate
116 120
  @type rapi_cert_pem: string
117 121
  @param rapi_cert_pem: New RAPI certificate in PEM format
118 122
  @type spice_cert_pem: string
......
124 128
  @param cds: New cluster domain secret
125 129
  @type nodecert_file: string
126 130
  @param nodecert_file: optional override of the node cert file path
131
  @type nodecert_client_file: string
132
  @param nodecert_client_file: optional override of the node client certificate
133
    file path
127 134
  @type rapicert_file: string
128 135
  @param rapicert_file: optional override of the rapi cert file path
129 136
  @type spicecert_file: string
......
135 142

  
136 143
  """
137 144
  # noded SSL certificate
138
  cluster_cert_exists = os.path.exists(nodecert_file)
139
  if new_cluster_cert or not cluster_cert_exists:
140
    if cluster_cert_exists:
141
      utils.CreateBackup(nodecert_file)
145
  utils.GenerateNewSslCert(
146
    new_cluster_cert, nodecert_file,
147
    "Generating new cluster certificate at %s" % nodecert_file)
142 148

  
143
    logging.debug("Generating new cluster certificate at %s", nodecert_file)
144
    utils.GenerateSelfSignedSslCert(nodecert_file)
149
  # noded client SSL certificate (to be used only by this very node)
150
  utils.GenerateNewSslCert(
151
    new_node_client_cert, nodecert_client_file,
152
    "Generating new node client certificate at %s" % nodecert_client_file)
145 153

  
146 154
  # confd HMAC key
147 155
  if new_confd_hmac_key or not os.path.exists(hmackey_file):
148 156
    logging.debug("Writing new confd HMAC key to %s", hmackey_file)
149 157
    GenerateHmacKey(hmackey_file)
150 158

  
151
  # RAPI
152
  rapi_cert_exists = os.path.exists(rapicert_file)
153

  
154 159
  if rapi_cert_pem:
155 160
    # Assume rapi_pem contains a valid PEM-formatted certificate and key
156 161
    logging.debug("Writing RAPI certificate at %s", rapicert_file)
157 162
    utils.WriteFile(rapicert_file, data=rapi_cert_pem, backup=True)
158 163

  
159
  elif new_rapi_cert or not rapi_cert_exists:
160
    if rapi_cert_exists:
161
      utils.CreateBackup(rapicert_file)
162

  
163
    logging.debug("Generating new RAPI certificate at %s", rapicert_file)
164
    utils.GenerateSelfSignedSslCert(rapicert_file)
164
  else:
165
    utils.GenerateNewSslCert(
166
      new_rapi_cert, rapicert_file,
167
      "Generating new RAPI certificate at %s" % rapicert_file)
165 168

  
166 169
  # SPICE
167 170
  spice_cert_exists = os.path.exists(spicecert_file)
......
209 212

  
210 213
  """
211 214
  # Generate cluster secrets
212
  GenerateClusterCrypto(True, False, False, False, False)
215
  GenerateClusterCrypto(True, False, False, False, False, True)
213 216

  
214 217
  result = utils.RunCmd([pathutils.DAEMON_UTIL, "start", constants.NODED])
215 218
  if result.failed:
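Review bot: Inserting `new_node_client_cert` as a sixth positional parameter without a default, ahead of the keyword parameters, changes GenerateClusterCrypto's positional signature, so any caller still passing five positional booleans now fails with a TypeError; only the two callers on this page were updated, so other call sites should be checked. The client certificate is produced by the same `utils.GenerateNewSslCert` path as server.pem, i.e. a self-signed certificate, and nothing in the hunk ties it to the cluster certificate or sets its file mode (pathutils defines `NODED_CERT_MODE` only for the server cert), so confirm that GenerateSelfSignedSslCert writes client.pem with equally restrictive permissions. The docstring entry for `new_node_client_cert` could also state that, as with the other flags, a missing client.pem is generated regardless of the flag's value. GenerateClusterCrypto continues past the hunk.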
b/lib/client/gnt_cluster.py
961 961

  
962 962
  def _RenewCryptoInner(ctx):
963 963
    ctx.feedback_fn("Updating certificates and keys")
964
    # FIXME: add separate option for client certs
964 965
    bootstrap.GenerateClusterCrypto(new_cluster_cert,
965 966
                                    new_rapi_cert,
966 967
                                    new_spice_cert,
967 968
                                    new_confd_hmac_key,
968 969
                                    new_cds,
970
                                    new_cluster_cert,
969 971
                                    rapi_cert_pem=rapi_cert_pem,
970 972
                                    spice_cert_pem=spice_cert_pem,
971 973
                                    spice_cacert_pem=spice_cacert_pem,
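Review bot: Passing `new_cluster_cert` for the new sixth positional argument means that renewing the cluster certificate now also regenerates this node's client certificate, which the FIXME acknowledges but the user-facing option does not; until a separate option exists the comment should name the effect, e.g. `# FIXME: add separate option for client certs; until then the client cert is renewed together with the cluster cert`. With six positional booleans in a row, passing it by keyword, `new_node_client_cert=new_cluster_cert,`, would make the intent visible and survive any future reordering of the parameters. _RenewCryptoInner continues past the hunk.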
b/lib/pathutils.py
106 106

  
107 107
#: Node daemon certificate path
108 108
NODED_CERT_FILE = DATA_DIR + "/server.pem"
109
NODED_CLIENT_CERT_FILE = DATA_DIR + "/client.pem"
109 110

  
110 111
#: Node daemon certificate file permissions
111 112
NODED_CERT_MODE = 0440
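Review bot: The new `NODED_CLIENT_CERT_FILE` constant has no `#:` doc comment, unlike `NODED_CERT_FILE` directly above it; add `#: Node daemon client certificate path` before it so the generated documentation lists both. `NODED_CERT_MODE` below is documented as the permission for the node daemon certificate only; if client.pem is meant to be written with the same mode, saying so in that comment would keep the two paths in step.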
b/lib/utils/security.py
24 24

  
25 25
import logging
26 26
import OpenSSL
27
import os
27 28

  
28 29
from ganeti.utils import io
30
from ganeti.utils import x509
29 31
from ganeti import pathutils
30 32

  
31 33

  
......
92 94
  cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
93 95
                                         cert_plain)
94 96
  return cert.digest("sha1")
97

  
98

  
99
def GenerateNewSslCert(new_cert, cert_filename, log_msg):
100
  """Creates a new SSL certificate and backups the old one.
101

  
102
  @type new_cert: boolean
103
  @param new_cert: whether a new certificate should be created
104
  @type cert_filename: string
105
  @param cert_filename: filename of the certificate file
106
  @type log_msg: string
107
  @param log_msg: log message to be written on certificate creation
108

  
109
  """
110
  cert_exists = os.path.exists(cert_filename)
111
  if new_cert or not cert_exists:
112
    if cert_exists:
113
      io.CreateBackup(cert_filename)
114

  
115
    logging.debug(log_msg)
116
    x509.GenerateSelfSignedSslCert(cert_filename)
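Review bot: The docstring of `GenerateNewSslCert` says it creates a new certificate and backs up the old one, but the function does nothing when `new_cert` is false and `cert_filename` already exists, and it gives the caller no way to tell which happened; add a sentence such as `If C{new_cert} is False and C{cert_filename} already exists, the file is left unchanged.` Since `log_msg` is only emitted when a certificate is actually written, documenting that under `@param log_msg` would also keep callers from assuming the message always appears.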
b/tools/cfgupgrade
571 571
                    backup=True)
572 572

  
573 573
    if not options.dry_run:
574
      # FIXME: fix node client certificate
574 575
      bootstrap.GenerateClusterCrypto(
575
        False, False, False, False, False,
576
        False, False, False, False, False, False,
576 577
        nodecert_file=options.SERVER_PEM_PATH,
577 578
        rapicert_file=options.RAPI_CERT_FILE,
578 579
        spicecert_file=options.SPICE_CERT_FILE,
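Review bot: The call overrides `nodecert_file`, `rapicert_file` and `spicecert_file` with paths from `options`, but no `nodecert_client_file=` override is visible, so under a non-default data directory the client certificate would be created at the compiled-in `pathutils.NODED_CLIENT_CERT_FILE` rather than next to `options.SERVER_PEM_PATH` — unless that keyword is among the arguments cut off below this hunk. The added `# FIXME: fix node client certificate` should say what is missing, e.g. `# FIXME: pass nodecert_client_file once cfgupgrade has an option for it` (the option itself is not on this page). The enclosing block continues past the hunk.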
