From 1e6e6b94e80bf085b139c6706754f66ab1356a55 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 15 Dec 2012 23:35:35 -0800 Subject: fixed bug with certificate dates --- lib/leap_cli/commands/ca.rb | 66 ++++++++++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 28 deletions(-) (limited to 'lib/leap_cli') diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 779fa30..bf55674 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -6,7 +6,6 @@ require 'digest/md5' module LeapCli; module Commands desc "Manage X.509 certificates" - #long_desc "" command :cert do |cert| cert.desc 'Creates a Certificate Authority (private key and CA certificate)' @@ -30,8 +29,8 @@ module LeapCli; module Commands end # set expiration - root.not_before = today - root.not_after = years_from_today(provider.ca.life_span.to_i) + root.not_before = yesterday + root.not_after = years_from_yesterday(provider.ca.life_span.to_i) # generate private key root.serial_number.number = 1 @@ -48,9 +47,15 @@ module LeapCli; module Commands end end - cert.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes' - cert.arg_name 'node-name', :optional => false + cert.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed' + cert.long_desc 'This command will a generate new certificate for a node if some value in the node has changed ' + + 'that is included in the certificate (like hostname or IP address), or if the old certificate will be expiring soon. ' + + 'Sometimes, you might want to force the generation of a new certificate, ' + + 'such as in the cases where you have changed a CA parameter for server certificates, like bit size or digest hash. ' + + 'In this case, use --force. If is empty, this command will apply to all nodes.' + cert.arg_name '' cert.command :update do |update| + update.switch 'force', :desc => 'Always generate new certificates', :negatable => false update.action do |global_options,options,args| assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them' assert_config! 'provider.ca.server_certificates.bit_size' @@ -59,13 +64,12 @@ module LeapCli; module Commands assert_config! 'common.x509.use' nodes = manager.filter!(args) - if nodes.size == 1 - generate_cert_for_node(nodes.values.first) - else - nodes.each_node do |node| - if cert_needs_updating?(node) - generate_cert_for_node(node) - end + nodes.each_node do |node| + if options[:force] || cert_needs_updating?(node) + generate_cert_for_node(node) + elsif !node.x509.use + remove_file!([:node_x509_key, node.name]) + remove_file!([:node_x509_cert, node.name]) end end end @@ -146,8 +150,8 @@ module LeapCli; module Commands log :generating, "self-signed x509 server certificate for testing purposes" do cert = csr.to_cert cert.serial_number.number = cert_serial_number(manager.provider.domain) - cert.not_before = today - cert.not_after = years_from_today(1) + cert.not_before = yesterday + cert.not_after = years_from_yesterday(1) cert.parent = ca_root cert.sign! domain_test_signing_profile write_file! [:commercial_cert, manager.provider.domain], cert.to_pem @@ -165,7 +169,7 @@ module LeapCli; module Commands return true else cert = load_certificate_file([:node_x509_cert, node.name]) - if cert.not_after < months_from_today(1) + if cert.not_after < months_from_yesterday(1) log :updating, "cert for node '#{node.name}' because it will expire soon" return true end @@ -174,9 +178,6 @@ module LeapCli; module Commands return true end cert.openssl_body.extensions.each do |ext| - # - # TODO: currently this only works with a single IP or DNS. - # if ext.oid == "subjectAltName" ips = [] dns_names = [] @@ -208,8 +209,8 @@ module LeapCli; module Commands cert.serial_number.number = cert_serial_number(node.domain.full) # set expiration - cert.not_before = today - cert.not_after = years_from_today(manager.provider.ca.server_certificates.life_span.to_i) + cert.not_before = yesterday + cert.not_after = years_from_yesterday(manager.provider.ca.server_certificates.life_span.to_i) # generate key cert.key_material.generate_key(manager.provider.ca.server_certificates.bit_size) @@ -227,8 +228,8 @@ module LeapCli; module Commands cert = CertificateAuthority::Certificate.new cert.serial_number.number = cert_serial_number(manager.provider.domain) cert.subject.common_name = random_common_name(manager.provider.domain) - cert.not_before = today - cert.not_after = years_from_today(1) + cert.not_before = yesterday + cert.not_after = years_from_yesterday(1) cert.key_material.generate_key(1024) # just for testing, remember! cert.parent = ca_root cert.sign! client_test_signing_profile @@ -373,18 +374,27 @@ module LeapCli; module Commands cert_serial_number(domain_name).to_s(36) end - def today - t = Time.now + ## + ## TIME HELPERS + ## + ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet + ## are behind UTC. + ## + + def yesterday + t = Time.now - 24*24*60 Time.utc t.year, t.month, t.day end - def years_from_today(num) - t = Time.now + def years_from_yesterday(num) + t = yesterday Time.utc t.year + num, t.month, t.day end - def months_from_today(num) - date = Date.today >> num # >> is months in the future operator + def months_from_yesterday(num) + t = yesterday + date = Date.new t.year, t.month, t.day + date = date >> num # >> is months in the future operator Time.utc date.year, date.month, date.day end -- cgit v1.2.3