From c7beea20327199846365b1fd2310e881efdfd521 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 19 Sep 2016 17:55:08 -0400
Subject: [PATCH] Fix handling of custom LDAP cert

This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs

Fixes #1846
---
 Dockerfile | 3 ++-
 conf/init/{create_certs.sh => certs_create.sh} | 7 -------
 conf/init/certs_install.sh | 15 +++++++++++++++
 conf/init/install_custom_certs.sh | 8 --------
 util/config/validator.py | 2 +-
 5 files changed, 18 insertions(+), 17 deletions(-)
 rename conf/init/{create_certs.sh => certs_create.sh} (63%)
 create mode 100755 conf/init/certs_install.sh
 delete mode 100755 conf/init/install_custom_certs.sh

diff --git a/Dockerfile b/Dockerfile
index 58246f710..632455b90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -89,7 +89,8 @@ RUN rm -rf grunt
 ADD conf/init/copy_config_files.sh /etc/my_init.d/
 ADD conf/init/doupdatelimits.sh /etc/my_init.d/
 ADD conf/init/copy_syslog_config.sh /etc/my_init.d/
-ADD conf/init/create_certs.sh /etc/my_init.d/
+ADD conf/init/certs_create.sh /etc/my_init.d/
+ADD conf/init/certs_install.sh /etc/my_init.d/
 ADD conf/init/runmigration.sh /etc/my_init.d/
 ADD conf/init/syslog-ng.conf /etc/syslog-ng/
 ADD conf/init/zz_boot.sh /etc/my_init.d/
diff --git a/conf/init/create_certs.sh b/conf/init/certs_create.sh
similarity index 63%
rename from conf/init/create_certs.sh
rename to conf/init/certs_create.sh
index 37b528ee3..d03b9da4d 100755
--- a/conf/init/create_certs.sh
+++ b/conf/init/certs_create.sh
@@ -6,10 +6,3 @@ echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - |
 cp mitm-key.pem /conf/mitm.key
 cp mitm.pem /conf/mitm.cert
 cp mitm.pem /usr/local/share/ca-certificates/mitm.crt
-
-# Add extra trusted certificates
-if [ -d /conf/stack/extra_ca_certs ]; then
- cp /conf/stack/extra_ca_certs/* /usr/local/share/ca-certificates/
-fi
-
-update-ca-certificates
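Review bot: The two new ADD lines depend on my_init running /etc/my_init.d/ scripts in lexical order, so that certs_create.sh (which after this commit only drops mitm.crt into /usr/local/share/ca-certificates) runs before certs_install.sh, now the only start-up script that calls update-ca-certificates; that ordering contract is invisible here and should be written down, e.g. `# my_init.d runs in lexical order: certs_create.sh must precede certs_install.sh (the only caller of update-ca-certificates)`. The rename also moves both scripts ahead of copy_config_files.sh in that order (`ce` sorts before `co`), whereas the old create_certs.sh ran after it; if copy_config_files.sh is what populates /conf/stack, certs_install.sh would now look for ldap.crt and extra_ca_certs before they exist, which is worth confirming against that script.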
diff --git a/conf/init/certs_install.sh b/conf/init/certs_install.sh
new file mode 100755
index 000000000..ba7e46b22
--- /dev/null
+++ b/conf/init/certs_install.sh
@@ -0,0 +1,15 @@
+#! /bin/bash
+set -e
+
+# Add the custom LDAP certificate
+if [ -e /conf/stack/ldap.crt ]
+then
+ cp /conf/stack/ldap.crt /usr/local/share/ca-certificates/ldap.crt
+fi
+
+# Add extra trusted certificates
+if [ -d /conf/stack/extra_ca_certs ]; then
+ cp /conf/stack/extra_ca_certs/* /usr/local/share/ca-certificates/
+fi
+
+update-ca-certificates
diff --git a/conf/init/install_custom_certs.sh b/conf/init/install_custom_certs.sh
deleted file mode 100755
index ed60227b8..000000000
--- a/conf/init/install_custom_certs.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#! /bin/bash
-set -e
-
-if [ -e /conf/stack/ldap.crt ]
-then
- cp /conf/stack/ldap.crt /usr/local/share/ca-certificates/ldap.crt
- /usr/sbin/update-ca-certificates
-fi
\ No newline at end of file
diff --git a/util/config/validator.py b/util/config/validator.py
index 274963a0c..dfe356d19 100644
--- a/util/config/validator.py
+++ b/util/config/validator.py
@@ -312,7 +312,7 @@ def _validate_ldap(config, password):
 
 # If there is a custom LDAP certificate, then reinstall the certificates for the container.
 if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
- subprocess.check_call(['/conf/init/install_custom_certs.sh'])
+ subprocess.check_call(['/conf/init/certs_install.sh'])
 
 # Note: raises ldap.INVALID_CREDENTIALS on failure
 admin_dn = config.get('LDAP_ADMIN_DN')
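Review bot: The copy at `cp /conf/stack/extra_ca_certs/* /usr/local/share/ca-certificates/` aborts the whole script under `set -e` when the directory exists but is empty (the unmatched glob is passed literally and cp fails on it), and a subdirectory inside it fails the same way because cp has no `-r`; since this runs from /etc/my_init.d/, that would likely stop the container from starting. It is also a silent no-op for any certificate not named `*.crt`, because update-ca-certificates only imports files with that extension from /usr/local/share/ca-certificates, so a `.pem` drop-in is copied but never trusted. A per-file loop that skips non-regular files and normalises the extension fixes both, as below (the ldap.crt block above it is unchanged). The script also deserves a comment that everything it copies, ldap.crt included, becomes a trusted CA for every TLS client in the container rather than for the LDAP connection alone, e.g. `# NOTE: certificates installed here are trusted container-wide, not only by the LDAP client`.
```shell
# Add extra trusted certificates. update-ca-certificates only imports
# files named *.crt, so normalise the extension; skip anything that is
# not a regular file (an empty directory leaves the glob unexpanded).
if [ -d /conf/stack/extra_ca_certs ]; then
  for cert in /conf/stack/extra_ca_certs/*; do
    [ -f "$cert" ] || continue
    name=$(basename "$cert")
    cp "$cert" "/usr/local/share/ca-certificates/${name%.*}.crt"
  done
fi
# … unchanged: update-ca-certificates …
```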
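Review bot: `subprocess.check_call(['/conf/init/certs_install.sh'])` raises CalledProcessError whenever the script exits non-zero, and the new script has more ways to do that than install_custom_certs.sh had (it now also processes /conf/stack/extra_ca_certs and unconditionally runs update-ca-certificates), so a failure inside LDAP config validation surfaces as an unhandled exception unless a caller outside this hunk catches it. Wrapping the call in `except subprocess.CalledProcessError as e:` and re-raising it as whatever validation error the rest of _validate_ldap reports would keep the failure attributable to the uploaded certificate. _validate_ldap starts before this hunk and continues after it.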