summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-06-29 23:10:09 +0200
committerGitHub <noreply@github.com>2022-06-29 23:10:09 +0200
commit18a5f453459c92e88fddfed3523937892f7a2edd (patch)
tree2fc3dad86a5519afa0a3c3d41db81289bee69d74
parentb44a0f3ce9671894e9f3133a98d50757f9b32c74 (diff)
parent5a8785f0912004f55351beed61fa582017220745 (diff)
downloadvyos-build-18a5f453459c92e88fddfed3523937892f7a2edd.tar.gz
vyos-build-18a5f453459c92e88fddfed3523937892f7a2edd.zip
Merge pull request #246 from sarthurdev/ovpn_chain
openvpn: T4485: Add intermediate CA for smoketest
-rwxr-xr-xscripts/check-qemu-install20
1 files changed, 17 insertions, 3 deletions
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 96587ce5..2488baf3 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -523,7 +523,15 @@ try:
log.info('Generating some OpenVPN keys')
subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \
'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
- ca_cert = '/config/auth/ovpn_test_ca.pem'
+ ca_subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos\ CA/' \
+ 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
+ subca_subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos\ SubCA/' \
+ 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/'
+ ca_cert = '/config/auth/ovpn_test_ca.pem'
+ ca_cert_chain = '/config/auth/ovpn_test_chain.pem'
+ subca_cert = '/config/auth/ovpn_test_subca.pem'
+ subca_csr = '/tmp/subca.csr'
+ subca_key = '/config/auth/ovpn_test_subca.key'
ssl_cert = '/config/auth/ovpn_test_server.pem'
ssl_key = '/config/auth/ovpn_test_server.key'
dh_pem = '/config/auth/ovpn_test_dh.pem'
@@ -533,7 +541,13 @@ try:
c.sendline(f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\
f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}')
c.expect(op_mode_prompt, timeout=600)
- c.sendline(f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}')
+ c.sendline(f'openssl req -new -x509 -extensions v3_ca -key {ssl_key} -out {ca_cert} -subj {ca_subject}')
+ c.expect(op_mode_prompt, timeout=600)
+ c.sendline(f'openssl req -newkey rsa:2048 -new -nodes -keyout {subca_key} -out {subca_csr} -subj {subca_subject}')
+ c.expect(op_mode_prompt, timeout=600)
+ c.sendline(f'openssl x509 -req -CA {ca_cert} -CAkey {ssl_key} -set_serial 01 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -days 3650 -out {subca_cert} -in {subca_csr}')
+ c.expect(op_mode_prompt, timeout=600)
+ c.sendline(f'cat {subca_cert} {ca_cert} > {ca_cert_chain}')
c.expect(op_mode_prompt, timeout=600)
c.sendline(f'openssl dhparam -out {dh_pem} 2048')
c.expect(op_mode_prompt, timeout=600)
@@ -546,7 +560,7 @@ try:
c.sendline(f'echo "#!/bin/sh" > {script_file}; chmod 775 {script_file}')
c.expect(op_mode_prompt)
- for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]:
+ for file in [ca_cert, ca_cert_chain, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]:
c.sendline(f'sudo chown openvpn:openvpn {file}')
c.expect(op_mode_prompt)