diff --git a/qa/tasks/openssl_keys.py b/qa/tasks/openssl_keys.py index 3cc4ed8a5ec..f9a7f7edecc 100644 --- a/qa/tasks/openssl_keys.py +++ b/qa/tasks/openssl_keys.py @@ -108,11 +108,21 @@ class OpenSSLKeys(Task): cert.remote.run(args=['mkdir', '-p', self.cadir]) - cert.key = '{}/{}.key'.format(self.cadir, cert.name) - cert.certificate = '{}/{}.crt'.format(self.cadir, cert.name) + cert.key = f'{self.cadir}/{cert.name}.key' + cert.certificate = f'{self.cadir}/{cert.name}.crt' + + san_ext = [] + add_san_default = False + cn = config.get('cn', '') + if cn == '': + cn = cert.remote.hostname + add_san_default = True + if config.get('add-san', add_san_default): + ext = f'{self.cadir}/{cert.name}.ext' + san_ext = ['-extfile', ext] # provide the common name in -subj to avoid the openssl command prompts - subject = '/CN={}'.format(config.get('cn', cert.remote.hostname)) + subject = f'/CN={cn}' # if a ca certificate is provided, use it to sign the new certificate ca = config.get('ca', None) @@ -120,25 +130,33 @@ class OpenSSLKeys(Task): # the ca certificate must have been created by a prior ssl task ca_cert = self.ctx.ssl_certificates.get(ca, None) if not ca_cert: - raise ConfigError('ssl: ca {} not found for certificate {}' - .format(ca, cert.name)) + raise ConfigError(f'ssl: ca {ca} not found for certificate {cert.name}') + + csr = f'{self.cadir}/{cert.name}.csr' + srl = f'{self.cadir}/{ca_cert.name}.srl' + remove_files = ['rm', csr, srl] # these commands are run on the ca certificate's client because # they need access to its private key and cert # generate a private key and signing request - csr = '{}/{}.csr'.format(self.cadir, cert.name) ca_cert.remote.run(args=['openssl', 'req', '-nodes', '-newkey', cert.key_type, '-keyout', cert.key, '-out', csr, '-subj', subject]) + if san_ext: + remove_files.append(ext) + ca_cert.remote.write_file(path=ext, + data='subjectAltName = DNS:{},IP:{}'.format( + cn, + config.get('ip', cert.remote.ip_address))) + # create the signed certificate ca_cert.remote.run(args=['openssl', 'x509', '-req', '-in', csr, '-CA', ca_cert.certificate, '-CAkey', ca_cert.key, '-CAcreateserial', - '-out', cert.certificate, '-days', '365', '-sha256']) + '-out', cert.certificate, '-days', '365', '-sha256'] + san_ext) - srl = '{}/{}.srl'.format(self.cadir, ca_cert.name) - ca_cert.remote.run(args=['rm', csr, srl]) # clean up the signing request and serial + ca_cert.remote.run(args=remove_files) # clean up the signing request and serial # verify the new certificate against its ca cert ca_cert.remote.run(args=['openssl', 'verify',