From fae7020707dc38cb046fb517b8ae62b1f1711cc9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Mon, 23 Mar 2020 09:38:58 +0100
Subject: [PATCH] fix: use certificate authentication to request new gigi-certificates

Change-Id: I27614f6731354a55bcc02b5d8f8ffbee48aa4dee
---
 manager/admin-manage-certificates | 18 ++++++++----------
 manager/config | 7 +++++++
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/manager/admin-manage-certificates b/manager/admin-manage-certificates
index 634aa7f..1a42f9d 100755
--- a/manager/admin-manage-certificates
+++ b/manager/admin-manage-certificates
@@ -33,29 +33,27 @@ function csrf {
 [[ -f root.crt ]] || curl -s "http://www.$domain/roots?pem" > root.crt
 echo "Opening Gigi connection"
 rm -f $folder/cookie-jar
-csrf=$(mcurl login -c $folder/cookie-jar|csrf)
+curl -v --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem "https://secure.$domain/login"
 if ! [[ -f $folder/cookie-jar ]]; then
 echo "Need cookies." >&2
 exit 1;
 fi
-mcurl login --data-urlencode "username=$admin_email" --data-urlencode "password=$admin_password" --data-urlencode "csrf=$csrf" -c $folder/cookie-jar > /dev/null
-
-csrf=$(mcurl account/details | csrf "tail -n 1")
-mcurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
+csrf=$(mscurl account/details | csrf "tail -n 1")
+mscurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
 echo "Gigi is ready"
 function issue0 {
 options=$1
 csr=$2
- csrf=$(mcurl "account/certs/new" | csrf "head -n 1")
+ csrf=$(mscurl "account/certs/new" | csrf "head -n 1")
 encoded=$(cat "$csr" | tr '\n' '?' | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")
- mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
+ mscurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
- serial=$(mcurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
+ serial=$(mscurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
 echo "Certificate: $serial"
 if [[ $serial != "" ]]; then
- mcurl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
+ mscurl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
 return 0;
 else
 return 1;
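Review bot: The new client-certificate login (`curl -v --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem "https://secure.$domain/login"`) runs with `-v` and without any status check, so curl prints every response header — including the `Set-Cookie` line carrying the fresh session cookie — to the operator's terminal or log, and a rejected certificate or TLS failure is not caught: the only guard is the `[[ -f $folder/cookie-jar ]]` test that follows, which checks that the jar file exists rather than that a cookie was actually received (curl appears to create the jar file in at least some versions even when no cookie was set). Replace it with `curl -sS --fail --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem "https://secure.$domain/login" > /dev/null || { echo "Gigi client-certificate login failed" >&2; exit 1; }` so a failed login stops the script before the `mscurl` requests that now depend on it. If the verbose trace is wanted for debugging, keep it behind an opt-in variable rather than on by default. The `issue0` function that starts later in this hunk continues past its end.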
@@ -127,7 +125,7 @@ while true; do
 done
 echo "end process" >&${COPROC[1]}
 cat <&${COPROC[0]}
-mcurl logout > /dev/null
+mscurl logout > /dev/null
 if [[ "$updated" == "true" ]]; then
 admin_ssh -t "reload certs"
diff --git a/manager/config b/manager/config
index 3d7b25a..187b963 100755
--- a/manager/config
+++ b/manager/config
@@ -82,6 +82,13 @@ function mcurl {
 curl -s --cacert root.crt -b $folder/cookie-jar "https://www.$domain/$url" "$@"
 }
+# See mcurl, but use client-certificate from 'gigi-key.pem'
+function mscurl {
+ local url="$1"
+ shift
+ curl -s -E gigi-key.pem --cacert root.crt -b $folder/cookie-jar "https://secure.$domain/$url" "$@" | tee -a .weblog
+}
+
 # Connect via ssh into the "hop" container.
 function admin_ssh {
 ssh -i admin-key -p 2222 "admin@$to" "$@"

-- 
2.39.2
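Review bot: `mscurl` pipes every response body through `| tee -a .weblog`, so each page fetched with the client certificate — the `account/details` and `account/certs/new` HTML that callers mine for CSRF tokens, and the certificate chain a caller redirects into `$folder/cert.crt` — is also appended to an unbounded, unrotated file in whatever the working directory happens to be; `mcurl` directly above has no such tap, so this reads like leftover debugging rather than intended behaviour. The pipe also makes the function's exit status that of `tee`, hiding curl failures from callers unless `pipefail` is enabled somewhere outside this hunk. Suggest dropping the tap, `curl -s -E gigi-key.pem --cacert root.crt -b "$folder/cookie-jar" "https://secure.$domain/$url" "$@"`, or gating it behind an explicit debug variable, and extending the header comment to state what actually differs: `# Like mcurl, but authenticates with the client certificate in gigi-key.pem and talks to secure.$domain instead of www.$domain.`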