From 62244637bbd621a7dfb948e3974a6ead444b3440 Mon Sep 17 00:00:00 2001
From: Silversthorn
Date: Mon, 14 Mar 2022 20:30:24 +0100
Subject: [PATCH 1/6] Adding Subject Alt Names in certificate
---
 app/classes/shared/helpers.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index ee5accda..f0b619b1 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -629,11 +629,15 @@ class Helpers:
 cert.get_subject().O = "Crafty Controller"
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
+ cert.add_extensions([
+ crypto.X509Extension(b'subjectAltName', False, ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()),
+ crypto.X509Extension(b"basicConstraints", True, b"CA:false")]),
 cert.set_serial_number(random.randint(1,255))
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
 cert.set_issuer(cert.get_subject())
 cert.set_pubkey(k)
+ cert.set_version(2)
 cert.sign(k, 'sha256')
 f = open(cert_file, "w", encoding='utf-8')
From 466d71db36f10d6e8d03dddd9c2607bec0095ee1 Mon Sep 17 00:00:00 2001
From: Silversthorn
Date: Tue, 15 Mar 2022 07:32:08 +0000
Subject: [PATCH 2/6] Try to be cool with pylint (resolving Major issue ?)
---
 app/classes/shared/helpers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index f0b619b1..6116780b 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
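Review bot: The `'DNS:127.0.0.1'` entry in the new subjectAltName value is the wrong general-name type for an IP literal: a dNSName of `127.0.0.1` is not matched when a client connects to `https://127.0.0.1/`, because address matching is done against iPAddress entries (RFC 5280 §4.2.1.6), so the loopback case this hunk appears to target still fails validation. The OpenSSL extension syntax for that is `'IP:127.0.0.1'` (and `'IP:::1'` if the IPv6 loopback is wanted); the same string is carried unchanged through the hunks of patches 2 to 6. A secondary, pre-existing point on the context line `cert.set_serial_number(random.randint(1,255))`: with only 255 possible serials under an unchanged issuer name, regenerating the certificate is likely to reuse an issuer/serial pair, which Firefox is known to reject (SEC_ERROR_REUSED_ISSUER_AND_SERIAL); `cert.set_serial_number(int.from_bytes(os.urandom(16), "big") | 1)` keeps the serial positive and within the 20-octet limit, using only `os`, which the file already imports. `create_self_signed_cert` starts and ends outside this hunk.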
@@ -629,8 +629,9 @@ class Helpers:
 cert.get_subject().O = "Crafty Controller"
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
+ alt_names = ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
 cert.add_extensions([
- crypto.X509Extension(b'subjectAltName', False, ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()),
+ crypto.X509Extension(b'subjectAltName', False, alt_names),
 crypto.X509Extension(b"basicConstraints", True, b"CA:false")]),
 cert.set_serial_number(random.randint(1,255))
 cert.gmtime_adj_notBefore(0)
From 7e6d34de0f1dc3bb37406e7038baa3ff8cc90359 Mon Sep 17 00:00:00 2001
From: Silversthorn
Date: Tue, 15 Mar 2022 07:43:36 +0000
Subject: [PATCH 3/6] 2nd Try
---
 app/classes/shared/helpers.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 6116780b..c6fa32cf 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -630,9 +630,9 @@ class Helpers:
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
 alt_names = ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
- cert.add_extensions([
- crypto.X509Extension(b'subjectAltName', False, alt_names),
- crypto.X509Extension(b"basicConstraints", True, b"CA:false")]),
+ subjectAltNames_Ext = crypto.X509Extension(b'subjectAltName', False, ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode())
+ basicConstraints_Ext = crypto.X509Extension(b"basicConstraints", True, b"CA:false")
+ cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext]),
 cert.set_serial_number(random.randint(1,255))
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
From 2f89c3a93d9f89e343db5ebabdea2265fad5d53e Mon Sep 17 00:00:00 2001
From: Silversthorn
Date: Tue, 15 Mar 2022 18:12:56 +0000
Subject: [PATCH 4/6] It was a comma !!!
---
 app/classes/shared/helpers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index c6fa32cf..9b5c8137 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -632,7 +632,7 @@ class Helpers:
 alt_names = ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
 subjectAltNames_Ext = crypto.X509Extension(b'subjectAltName', False, ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode())
 basicConstraints_Ext = crypto.X509Extension(b"basicConstraints", True, b"CA:false")
- cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext]),
+ cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext])
 cert.set_serial_number(random.randint(1,255))
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
From 83c692beb5b97c3e47be974e1cc30fbe7a7dc75c Mon Sep 17 00:00:00 2001
From: Silversthorn
Date: Tue, 15 Mar 2022 19:17:20 +0100
Subject: [PATCH 5/6] pylint happy !!
---
 app/classes/shared/helpers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 9b5c8137..86bfe501 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -629,8 +629,8 @@ class Helpers:
 cert.get_subject().O = "Crafty Controller"
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
- alt_names = ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
- subjectAltNames_Ext = crypto.X509Extension(b'subjectAltName', False, ','.join([ 'DNS:%s' % socket.gethostname(), 'DNS:*.%s' % socket.gethostname(), 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode())
+ alt_names = ','.join([ f'DNS:{socket.gethostname()}', f'DNS:*.{socket.gethostname()}', 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
+ subjectAltNames_Ext = crypto.X509Extension(b'subjectAltName', False, alt_names)
 basicConstraints_Ext = crypto.X509Extension(b"basicConstraints", True, b"CA:false")
 cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext])
 cert.set_serial_number(random.randint(1,255))
From a6e99347af715f33f9999ba50617ec1db676610d Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Tue, 15 Mar 2022 18:47:49 +0000
Subject: [PATCH 6/6] Format the cert gen helper
Use black to format this function and appease lint. We should really use black on the full project
---
 app/classes/shared/helpers.py | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 86bfe501..4af17478 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -596,20 +596,20 @@ class Helpers:
 def create_self_signed_cert(self, cert_dir=None):
 if cert_dir is None:
- cert_dir = os.path.join(self.config_dir, 'web', 'certs')
+ cert_dir = os.path.join(self.config_dir, "web", "certs")
 # create a directory if needed
 self.ensure_dir_exists(cert_dir)
- cert_file = os.path.join(cert_dir, 'commander.cert.pem')
- key_file = os.path.join(cert_dir, 'commander.key.pem')
+ cert_file = os.path.join(cert_dir, "commander.cert.pem")
+ key_file = os.path.join(cert_dir, "commander.key.pem")
 logger.info(f"SSL Cert File is set to: {cert_file}")
 logger.info(f"SSL Key File is set to: {key_file}")
 # don't create new files if we already have them.
 if self.check_file_exists(cert_file) and self.check_file_exists(key_file):
- logger.info('Cert and Key files already exists, not creating them.')
+ logger.info("Cert and Key files already exists, not creating them.")
 return True
 console.info("Generating a self signed SSL")
@@ -629,23 +629,33 @@ class Helpers:
 cert.get_subject().O = "Crafty Controller"
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
- alt_names = ','.join([ f'DNS:{socket.gethostname()}', f'DNS:*.{socket.gethostname()}', 'DNS:localhost', 'DNS:*.localhost', 'DNS:127.0.0.1']).encode()
- subjectAltNames_Ext = crypto.X509Extension(b'subjectAltName', False, alt_names)
- basicConstraints_Ext = crypto.X509Extension(b"basicConstraints", True, b"CA:false")
+ alt_names = ",".join(
+ [
+ f"DNS:{socket.gethostname()}",
+ f"DNS:*.{socket.gethostname()}",
+ "DNS:localhost",
+ "DNS:*.localhost",
+ "DNS:127.0.0.1",
+ ]
+ ).encode()
+ subjectAltNames_Ext = crypto.X509Extension(b"subjectAltName", False, alt_names)
+ basicConstraints_Ext = crypto.X509Extension(
+ b"basicConstraints", True, b"CA:false"
+ )
 cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext])
- cert.set_serial_number(random.randint(1,255))
+ cert.set_serial_number(random.randint(1, 255))
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
 cert.set_issuer(cert.get_subject())
 cert.set_pubkey(k)
 cert.set_version(2)
- cert.sign(k, 'sha256')
+ cert.sign(k, "sha256")
- f = open(cert_file, "w", encoding='utf-8')
+ f = open(cert_file, "w", encoding="utf-8")
 f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
 f.close()
- f = open(key_file, "w", encoding='utf-8')
+ f = open(key_file, "w", encoding="utf-8")
 f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode())
 f.close()