summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-05-29 23:25:15 +0200
committerChristian Breunig <christian@breunig.cc>2024-05-29 23:26:47 +0200
commit4b189a76c0a9a28504aab6715658840b929fc243 (patch)
treecb755537581b269734b120709045ef3123362f1e /src/conf_mode
parentd83a6e5c5dc7e97e773f08bec7ba377530baafc9 (diff)
downloadvyos-1x-4b189a76c0a9a28504aab6715658840b929fc243.tar.gz
vyos-1x-4b189a76c0a9a28504aab6715658840b929fc243.zip
reverse-proxy: T6419: build full CA chain for frontend SSL certificate
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py23
1 files changed, 13 insertions, 10 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index a6fc407b0..1c1252df0 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -26,11 +26,11 @@ from vyos.utils.dict import dict_search
from vyos.utils.process import call
from vyos.utils.network import check_port_availability
from vyos.utils.network import is_listen_port_bind_service
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
from vyos.pki import find_chain
from vyos.pki import load_certificate
+from vyos.pki import load_private_key
from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
from vyos.template import render
from vyos.utils.file import write_file
from vyos import ConfigError
@@ -128,6 +128,9 @@ def generate(lb):
if not os.path.isdir(load_balancing_dir):
os.mkdir(load_balancing_dir)
+ loaded_ca_certs = {load_certificate(c['certificate'])
+ for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
+
# SSL Certificates for frontend
for front, front_config in lb['service'].items():
if 'ssl' not in front_config:
@@ -141,12 +144,16 @@ def generate(lb):
cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
- with open(cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
+ loaded_pki_cert = load_certificate(pki_cert['certificate'])
+ cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+ write_file(cert_file_path,
+ '\n'.join(encode_certificate(c) for c in cert_full_chain))
if 'private' in pki_cert and 'key' in pki_cert['private']:
- with open(cert_key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
+ loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True)
+ key_pem = encode_private_key(loaded_key, passphrase=None)
+ write_file(cert_key_path, key_pem)
# SSL Certificates for backend
for back, back_config in lb['backend'].items():
@@ -158,9 +165,6 @@ def generate(lb):
ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
ca_chains = []
- loaded_ca_certs = {load_certificate(c['certificate'])
- for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
-
pki_ca_cert = lb['pki']['ca'][ca_name]
loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
@@ -172,7 +176,6 @@ def generate(lb):
return None
-
def apply(lb):
call('systemctl daemon-reload')
if not lb: