summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-05-29 23:25:15 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-05-30 11:48:13 +0000
commit5cfca2850ddbd9e2b594de1250d0064c1461ab59 (patch)
treec6d5e352bf884f816686ececa72b0afcc118d651
parent2ae1798316863299424a2ab83019c1efc77b6def (diff)
downloadvyos-1x-5cfca2850ddbd9e2b594de1250d0064c1461ab59.tar.gz
vyos-1x-5cfca2850ddbd9e2b594de1250d0064c1461ab59.zip
reverse-proxy: T6419: build full CA chain for frontend SSL certificate
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py23
1 files changed, 13 insertions, 10 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index a6fc407b0..1c1252df0 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -26,11 +26,11 @@ from vyos.utils.dict import dict_search
from vyos.utils.process import call
from vyos.utils.network import check_port_availability
from vyos.utils.network import is_listen_port_bind_service
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
from vyos.pki import find_chain
from vyos.pki import load_certificate
+from vyos.pki import load_private_key
from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
from vyos.template import render
from vyos.utils.file import write_file
from vyos import ConfigError
@@ -128,6 +128,9 @@ def generate(lb):
if not os.path.isdir(load_balancing_dir):
os.mkdir(load_balancing_dir)
+ loaded_ca_certs = {load_certificate(c['certificate'])
+ for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
+
# SSL Certificates for frontend
for front, front_config in lb['service'].items():
if 'ssl' not in front_config:
@@ -141,12 +144,16 @@ def generate(lb):
cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
- with open(cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
+ loaded_pki_cert = load_certificate(pki_cert['certificate'])
+ cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+ write_file(cert_file_path,
+ '\n'.join(encode_certificate(c) for c in cert_full_chain))
if 'private' in pki_cert and 'key' in pki_cert['private']:
- with open(cert_key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
+ loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True)
+ key_pem = encode_private_key(loaded_key, passphrase=None)
+ write_file(cert_key_path, key_pem)
# SSL Certificates for backend
for back, back_config in lb['backend'].items():
@@ -158,9 +165,6 @@ def generate(lb):
ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
ca_chains = []
- loaded_ca_certs = {load_certificate(c['certificate'])
- for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
-
pki_ca_cert = lb['pki']['ca'][ca_name]
loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
@@ -172,7 +176,6 @@ def generate(lb):
return None
-
def apply(lb):
call('systemctl daemon-reload')
if not lb: