Merge branch 'dev-BetterCertsGeneration' into 'dev'

Adding Subject Alt Names to the certificate

See merge request crafty-controller/crafty-commander!209
Iain Powrie 2022-03-16 09:49:17 +00:00
commit ccd0bc8e8f


@ -596,20 +596,20 @@ class Helpers:
def create_self_signed_cert(self, cert_dir=None): def create_self_signed_cert(self, cert_dir=None):
if cert_dir is None: if cert_dir is None:
cert_dir = os.path.join(self.config_dir, 'web', 'certs') cert_dir = os.path.join(self.config_dir, "web", "certs")
# create a directory if needed # create a directory if needed
self.ensure_dir_exists(cert_dir) self.ensure_dir_exists(cert_dir)
cert_file = os.path.join(cert_dir, 'commander.cert.pem') cert_file = os.path.join(cert_dir, "commander.cert.pem")
key_file = os.path.join(cert_dir, 'commander.key.pem') key_file = os.path.join(cert_dir, "commander.key.pem")
logger.info(f"SSL Cert File is set to: {cert_file}") logger.info(f"SSL Cert File is set to: {cert_file}")
logger.info(f"SSL Key File is set to: {key_file}") logger.info(f"SSL Key File is set to: {key_file}")
# don't create new files if we already have them. # don't create new files if we already have them.
if self.check_file_exists(cert_file) and self.check_file_exists(key_file): if self.check_file_exists(cert_file) and self.check_file_exists(key_file):
logger.info('Cert and Key files already exists, not creating them.') logger.info("Cert and Key files already exists, not creating them.")
return True return True
console.info("Generating a self signed SSL") console.info("Generating a self signed SSL")
@ -629,18 +629,33 @@ class Helpers:
cert.get_subject().O = "Crafty Controller" cert.get_subject().O = "Crafty Controller"
cert.get_subject().OU = "Server Ops" cert.get_subject().OU = "Server Ops"
cert.get_subject().CN = gethostname() cert.get_subject().CN = gethostname()
cert.set_serial_number(random.randint(1,255)) alt_names = ",".join(
[
f"DNS:{socket.gethostname()}",
f"DNS:*.{socket.gethostname()}",
"DNS:localhost",
"DNS:*.localhost",
"DNS:127.0.0.1",
]
).encode()
subjectAltNames_Ext = crypto.X509Extension(b"subjectAltName", False, alt_names)
basicConstraints_Ext = crypto.X509Extension(
b"basicConstraints", True, b"CA:false"
)
cert.add_extensions([subjectAltNames_Ext, basicConstraints_Ext])
cert.set_serial_number(random.randint(1, 255))
cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365 * 24 * 60 * 60) cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject()) cert.set_issuer(cert.get_subject())
cert.set_pubkey(k) cert.set_pubkey(k)
cert.sign(k, 'sha256') cert.set_version(2)
cert.sign(k, "sha256")
f = open(cert_file, "w", encoding='utf-8') f = open(cert_file, "w", encoding="utf-8")
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()) f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
f.close() f.close()
f = open(key_file, "w", encoding='utf-8') f = open(key_file, "w", encoding="utf-8")
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode()) f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode())
f.close() f.close()
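Review bot: `"DNS:127.0.0.1"` in the alt_names list puts an IP literal into a dNSName entry, which a client connecting to https://127.0.0.1 will not match because name verification for an IP peer only consults iPAddress SAN entries; OpenSSL's extension syntax accepts `"IP:127.0.0.1",` for that, so the entry should be changed to that form. The serial at `cert.set_serial_number(random.randint(1, 255))` is carried over from the old code but worth fixing while the extension block is being touched: with only 255 possible values a regenerated certificate for the same hostname (same self-issuer) will frequently reuse a serial, which clients that cached the earlier certificate reject, and RFC 5280 requires serials to be unique per issuer — `cert.set_serial_number(secrets.randbits(64))` (with `import secrets` at the top of the file) avoids that. The private key written at `f = open(key_file, "w", encoding="utf-8")` is created with whatever the process umask allows, so on a shared host it may be readable by other local users; creating it via `os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` or calling `os.chmod(key_file, 0o600)` after the write keeps the key private. `cert.set_version(2)` is correct here since X.509v3 is needed for the extensions to be emitted. The remainder of create_self_signed_cert, if any, lies outside this hunk, and the first hunk above belongs to the same method.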