summaryrefslogtreecommitdiff
path: root/src/conf_mode/pki.py
AgeCommit message (Collapse)Author
2024-06-24pki: T6241: remove debug print statement about updated subsystems (#3670)mergify[bot]
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added a print() statement which notified the users about the subsystems which got supplied with an updated certificate. Example: > PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0 > PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1 This is an informational message which should maybe (if needed) be sent to syslog. But the main issue is that CLI paths are mangled (- to _) which makes the about print output wrong and could potentially confuse users. Statement has been commented to be re-enabled for debugging. (cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-06-10pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)Christian Breunig
The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies. (cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
2024-04-18pki: T6241: do not call dependency before its initializationJohn Estabrook
(cherry picked from commit a88b3bd344cc4a682d16681ef536c1d20e2c2c42)
2024-04-15pki: T6241: Fix dependency updates on PKI changessarthurdev
(cherry picked from commit 9f9891a209957403dfa3ae9ec2cd56d8d9eedb86)
2024-02-13pki: T6034: add dependencies to trigger rpki re-run on openssh key updateChristian Breunig
(cherry picked from commit 0f8bf6bd0fb29cfd638e9920674e7ad1d1d25350)
2024-02-13pki: T6034: add OpenSSH key supportChristian Breunig
set pki openssh rpki private key ... set pki openssh rpki public key ... set pki openssh rpki public type 'ssh-rsa' (cherry picked from commit 8c78ef0879f22ffd4a5f7fdb175e9109b46e9d7b)
2024-01-10pki: T5911: fix service update algorithm if certificate name contains a ↵Christian Breunig
hyphen (-) When testing for changed PKI certificates using node_changed(), we should not use key_mangling=('-', '_'), as this will make certificate updates with a hypen not possible. (cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
2024-01-08pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()Christian Breunig
This fixes a priority inversion when doing initial certificate commits. * pki subsystem is executed with priority 300 * vti uses priority 381 * ipsec uses priority 901 On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was yet not created leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!') The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added. This commit changes the "detection" based on the cerbot configuration on disk. (cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-01T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
2023-08-07T5434: use merge_defaults instead of defaults in pki.pyJohn Estabrook
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2022-12-23pki: T4847: extend dependency on sstpc client interfaceChristian Poessinger
2022-11-30pki: T4847: set and call dependent scriptsJohn Estabrook
2022-11-29pki: T4847: fix typosJohn Estabrook
2022-05-31pki: T3642: Update conf scripts using changed PKI objectssarthurdev
2021-09-06pki: T3642: verify() that we can not delete certificates still referenced in CLIChristian Poessinger
2021-06-29pki: T3642: New PKI config and managementsarthurdev