From 5cfca2850ddbd9e2b594de1250d0064c1461ab59 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Wed, 29 May 2024 23:25:15 +0200
Subject: reverse-proxy: T6419: build full CA chain for frontend SSL
 certificate

(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
---
 src/conf_mode/load-balancing_reverse-proxy.py | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index a6fc407b0..1c1252df0 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -26,11 +26,11 @@ from vyos.utils.dict import dict_search
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_listen_port_bind_service
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
 from vyos.pki import find_chain
 from vyos.pki import load_certificate
+from vyos.pki import load_private_key
 from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
 from vyos.template import render
 from vyos.utils.file import write_file
 from vyos import ConfigError
@@ -128,6 +128,9 @@ def generate(lb):
     if not os.path.isdir(load_balancing_dir):
         os.mkdir(load_balancing_dir)
 
+    loaded_ca_certs = {load_certificate(c['certificate'])
+        for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
+
     # SSL Certificates for frontend
     for front, front_config in lb['service'].items():
         if 'ssl' not in front_config:
@@ -141,12 +144,16 @@ def generate(lb):
                 cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
                 cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
 
-                with open(cert_file_path, 'w') as f:
-                    f.write(wrap_certificate(pki_cert['certificate']))
+                loaded_pki_cert = load_certificate(pki_cert['certificate'])
+                cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+                write_file(cert_file_path,
+                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
 
                 if 'private' in pki_cert and 'key' in pki_cert['private']:
-                    with open(cert_key_path, 'w') as f:
-                        f.write(wrap_private_key(pki_cert['private']['key']))
+                    loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True)
+                    key_pem = encode_private_key(loaded_key, passphrase=None)
+                    write_file(cert_key_path, key_pem)
 
     # SSL Certificates for backend
     for back, back_config in lb['backend'].items():
@@ -158,9 +165,6 @@ def generate(lb):
             ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
             ca_chains = []
 
-            loaded_ca_certs = {load_certificate(c['certificate'])
-                for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
-
             pki_ca_cert = lb['pki']['ca'][ca_name]
             loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
             ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
@@ -172,7 +176,6 @@ def generate(lb):
 
     return None
 
-
 def apply(lb):
     call('systemctl daemon-reload')
     if not lb:
-- 
cgit v1.2.3