fix: use certificate authentication to request new gigi-certificates
authorFelix Dörre <felix@dogcraft.de>
Mon, 23 Mar 2020 08:38:58 +0000 (09:38 +0100)
committerFelix Dörre <felix@dogcraft.de>
Tue, 7 Jul 2020 11:50:06 +0000 (13:50 +0200)
Change-Id: I27614f6731354a55bcc02b5d8f8ffbee48aa4dee

manager/admin-manage-certificates
manager/config

index 634aa7f641fca686933cd6debfe731665f5c4bba..1a42f9d7dbee1402d3522e48d0bd4ed26b93fb30 100755 (executable)
@@ -33,29 +33,27 @@ function csrf {
 [[ -f root.crt ]] || curl -s "http://www.$domain/roots?pem" > root.crt
 echo "Opening Gigi connection"
 rm -f $folder/cookie-jar
-csrf=$(mcurl login -c $folder/cookie-jar|csrf)
+curl -v --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem "https://secure.$domain/login"
 if ! [[ -f $folder/cookie-jar ]]; then
     echo "Need cookies." >&2
     exit 1;
 fi
-mcurl login --data-urlencode "username=$admin_email" --data-urlencode "password=$admin_password" --data-urlencode "csrf=$csrf" -c $folder/cookie-jar > /dev/null
-
-csrf=$(mcurl account/details | csrf "tail -n 1")
-mcurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
+csrf=$(mscurl account/details | csrf "tail -n 1")
+mscurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
 echo "Gigi is ready"
 function issue0 {
     options=$1
     csr=$2
-    csrf=$(mcurl "account/certs/new" | csrf "head -n 1")
+    csrf=$(mscurl "account/certs/new" | csrf "head -n 1")
 
     encoded=$(cat "$csr" | tr '\n' '?' | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")
 
-    mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
+    mscurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
 
-    serial=$(mcurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
+    serial=$(mscurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
     echo "Certificate: $serial"
     if [[ $serial != "" ]]; then
-        mcurl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
+        mscurl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
         return 0;
     else
         return 1;
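Review bot: The new certificate login on the `curl -v ... "https://secure.$domain/login"` line checks neither curl's exit status nor the response, and the only guard that follows is the cookie-jar existence test; as far as I can tell curl writes a `-c` jar even when the server set no cookie, so a rejected client certificate would pass that test and surface later as a confusing CSRF failure. The `-v` also replaces the `-s` the old `mcurl login` used, so the TLS handshake and all response headers, including any `Set-Cookie` session cookie, now land on the script's stderr and in whatever captures it. I would make the failure explicit and keep the call quiet: `curl -sS --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem -o /dev/null "https://secure.$domain/login" || { echo "Certificate login failed" >&2; exit 1; }` (drop `-o /dev/null` if the login body is wanted on stdout). The `issue0` function opened at the bottom of the hunk continues past it.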
@@ -127,7 +125,7 @@ while true; do
 done
 echo "end process" >&${COPROC[1]}
 cat <&${COPROC[0]}
-mcurl logout > /dev/null
+mscurl logout > /dev/null
 
 if [[ "$updated" == "true" ]]; then
     admin_ssh -t "reload certs"
index 3d7b25a323c5be165d15857e4aebaf6051ac2cee..187b963ae0eff49ed34196a5907be6e179933d0e 100755 (executable)
@@ -82,6 +82,13 @@ function mcurl {
     curl -s --cacert root.crt -b $folder/cookie-jar "https://www.$domain/$url" "$@"
 }
 
+# See mcurl, but use client-certificate from 'gigi-key.pem'
+function mscurl {
+    local url="$1"
+    shift
+    curl -s -E gigi-key.pem --cacert root.crt -b $folder/cookie-jar "https://secure.$domain/$url" "$@" | tee -a .weblog
+}
+
 # Connect via ssh into the "hop" container.
 function admin_ssh {
     ssh -i admin-key -p 2222 "admin@$to" "$@"
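Review bot: `mscurl` returns the exit status of `tee -a .weblog`, not of curl, so a failed handshake or a rejected client certificate is invisible to callers such as `csrf=$(mscurl ...)` unless the script runs with `set -o pipefail`, which this hunk does not show; adding `return "${PIPESTATUS[0]}"` as the function's last line, or using `-sS` instead of `-s` so curl at least reports the error, would surface it. The `tee -a .weblog` also appends every response body, including the ones callers discard with `> /dev/null` in admin-manage-certificates and the account/details page, to an unbounded file in the current directory rather than under `$folder` where cookie-jar lives. If that log is intentional the header comment should say so, e.g. `# See mcurl, but use client-certificate from 'gigi-key.pem'; every response body is also appended to .weblog`. `$folder/cookie-jar` is unquoted, as in mcurl above.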