
Commit 29def51

committed
Merge pull request #601 from basho/adt-use-make_certs
Switch all the selfsigned certificates to be generated on demand
2 parents 97a3905 + 6c4afcb commit 29def51

5 files changed

+117
-90
lines changed

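--- a/tests/http_security.erl
+++ b/tests/http_security.erl
@@ -18,16 +18,23 @@ confirm() ->
 io:format("turning on tracing"),
 ibrowse:trace_on(),
 
+CertDir = rt_config:get(rt_scratch_dir) ++ "/certs",
+
+%% make a bunch of crypto keys
+make_certs:rootCA(CertDir, "rootCA"),
+make_certs:endusers(CertDir, "rootCA", ["site3.basho.com", "site4.basho.com"]),
+
+
 lager:info("Deploy some nodes"),
 PrivDir = rt:priv_dir(),
 Conf = [
 {riak_core, [
 {default_bucket_props, [{allow_mult, true}]},
 {ssl, [
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])}
 ]}
 ]},
 {riak_search, [
@@ -128,8 +135,8 @@ confirm() ->
 C7 = rhc:create("127.0.0.1", Port, "riak", [{is_ssl, true},
 {credentials, Username, "password"},
 {ssl_options, [
-{cacertfile, filename:join([PrivDir,
-"certs/selfsigned/ca/rootcert.pem"])},
+{cacertfile, filename:join([CertDir,
+"rootCA/cert.pem"])},
 {verify, verify_peer},
 {reuse_sessions, false}
 ]}
@@ -423,8 +430,8 @@ confirm() ->
 ibrowse:send_req(URL ++ "/riak/hb/first/_,_,_", [], get,
 [], [{response_format, binary}, {is_ssl, true},
 {ssl_options, [
-{cacertfile, filename:join([PrivDir,
-"certs/selfsigned/ca/rootcert.pem"])},
+{cacertfile, filename:join([CertDir,
+"rootCA/cert.pem"])},
 {verify, verify_peer},
 {reuse_sessions, false}]}])),
 
@@ -435,8 +442,8 @@ confirm() ->
 ibrowse:send_req(URL ++ "/solr/index/select?q=foo:bar&wt=json", [], get,
 [], [{response_format, binary}, {is_ssl, true},
 {ssl_options, [
-{cacertfile, filename:join([PrivDir,
-"certs/selfsigned/ca/rootcert.pem"])},
+{cacertfile, filename:join([CertDir,
+"rootCA/cert.pem"])},
 {verify, verify_peer},
 {reuse_sessions, false}]}])),
 ok.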
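Review bot: `PrivDir = rt:priv_dir(),` is kept as context at new line 29, yet every use of PrivDir visible in these four hunks now reads CertDir. If nothing else in confirm/0 (whose body continues outside the hunks) still uses it, the binding is dead and the compiler will warn about an unused variable; drop the line in that case. The addition/deletion counts for tests/replication2_ssl.erl and tests/replication_ssl.erl suggest their PrivDir binding is likewise left in place, so the same check applies there. Separately, the results of `make_certs:rootCA/2` and `make_certs:endusers/3` are discarded, so a failed key generation would presumably only show up later as a TLS startup or handshake failure; asserting the expected return value at the call site would make that easier to diagnose.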

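--- a/tests/repl_util.erl
+++ b/tests/repl_util.erl
@@ -254,7 +254,6 @@ wait_for_connection(Node, Name) ->
 case rpc:call(Node, riak_core_cluster_mgr,
 get_connections, []) of
 {ok, Connections} ->
-lager:info("Connections: ~p", [Connections]),
 Conn = [P || {{cluster_by_name, N}, P} <- Connections, N == Name],
 case Conn of
 [] ->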

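--- a/tests/replication2_pg.erl
+++ b/tests/replication2_pg.erl
@@ -20,45 +20,50 @@ setup_repl_clusters(Conf, SSL) ->
 NumNodes = 6,
 lager:info("Deploy ~p nodes", [NumNodes]),
 
+CertDir = rt_config:get(rt_scratch_dir) ++ "/certs",
 
-PrivDir = rt:priv_dir(),
+%% make a bunch of crypto keys
+make_certs:rootCA(CertDir, "rootCA"),
+make_certs:intermediateCA(CertDir, "intCA", "rootCA"),
+make_certs:endusers(CertDir, "rootCA", ["site3.basho.com", "site4.basho.com"]),
+make_certs:endusers(CertDir, "intCA", ["site1.basho.com", "site2.basho.com"]),
 
 SSLConfig1 = [
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site1-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site1-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site1.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site1.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site1.basho.com/cacerts.pem"])}
 ]}
 ],
 
 SSLConfig2 = [
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site2-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site2-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site2.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site2.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site2.basho.com/cacerts.pem"])}
 ]}
 ],
 
 SSLConfig3 = [
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site3.basho.com/cacerts.pem"])}
 ]}
 ],
 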
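Review bot: `cacertdir` is now given the path of a PEM file (`site1.basho.com/cacerts.pem` in SSLConfig1, and likewise in SSLConfig2 and SSLConfig3), where it used to be given a directory (`certs/selfsigned/ca`). Whether the code that reads this option accepts a single bundle file is not visible here; if it only lists a directory, no CA would be loaded and these replication tests would no longer exercise chain validation the way they did before. This is worth confirming, and worth a comment above SSLConfig1 such as `%% cacertdir is given a CA bundle file here, not a directory`. The same value shape is used in every SSL config in tests/replication2_ssl.erl and tests/replication_ssl.erl. setup_repl_clusters/2 continues outside the hunk.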

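--- a/tests/replication2_ssl.erl
+++ b/tests/replication2_ssl.erl
@@ -12,6 +12,14 @@ confirm() ->
 NumNodes = rt_config:get(num_nodes, 6),
 ClusterASize = rt_config:get(cluster_a_size, 3),
 
+CertDir = rt_config:get(rt_scratch_dir) ++ "/certs",
+
+%% make a bunch of crypto keys
+make_certs:rootCA(CertDir, "rootCA"),
+make_certs:intermediateCA(CertDir, "intCA", "rootCA"),
+make_certs:endusers(CertDir, "rootCA", ["site3.basho.com", "site4.basho.com"]),
+make_certs:endusers(CertDir, "intCA", ["site1.basho.com", "site2.basho.com"]),
+
 lager:info("Deploy ~p nodes", [NumNodes]),
 BaseConf = [
 {riak_core,
@@ -36,12 +44,12 @@ confirm() ->
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site1-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site1-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site1.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site1.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site1.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -54,12 +62,12 @@ confirm() ->
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site2-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site2-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site2.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site2.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site2.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -72,12 +80,12 @@ confirm() ->
 {riak_core,
 [
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site3.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -93,12 +101,12 @@ confirm() ->
 
 {ssl_enabled, true},
 {ssl_depth, 0},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site3.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -112,12 +120,12 @@ confirm() ->
 [
 {ssl_enabled, true},
 {ssl_depth, 0},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site4-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site4-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site4.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site4.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site4.basho.com/cacerts.pem"])}
 ]}
 ],
 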
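Review bot: The comment `%% make a bunch of crypto keys` in the first hunk does not say that the choice of issuer matters: site1 and site2 are issued by intCA, site3 and site4 directly by rootCA, and the two configs that set `{ssl_depth, 0}` use site3 and site4. That pairing looks deliberate for the depth checks, so a reader who reorders or renames hosts could silently change what the test proves. I would replace the comment with something like `%% site1/site2 are issued by intCA, site3/site4 directly by rootCA; the ssl_depth configs depend on this`. confirm/0 starts and ends outside these hunks, and tests/replication_ssl.erl has the same setup block.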

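--- a/tests/replication_ssl.erl
+++ b/tests/replication_ssl.erl
@@ -11,6 +11,14 @@ confirm() ->
 NumNodes = rt_config:get(num_nodes, 6),
 ClusterASize = rt_config:get(cluster_a_size, 3),
 
+CertDir = rt_config:get(rt_scratch_dir) ++ "/certs",
+
+%% make a bunch of crypto keys
+make_certs:rootCA(CertDir, "rootCA"),
+make_certs:intermediateCA(CertDir, "intCA", "rootCA"),
+make_certs:endusers(CertDir, "rootCA", ["site3.basho.com", "site4.basho.com"]),
+make_certs:endusers(CertDir, "intCA", ["site1.basho.com", "site2.basho.com"]),
+
 lager:info("Deploy ~p nodes", [NumNodes]),
 BaseConf = [
 {riak_repl,
@@ -31,12 +39,12 @@ confirm() ->
 {fullsync_on_connect, false},
 {fullsync_interval, disabled},
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site1-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site1-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site1/basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site1.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site1.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -46,12 +54,12 @@ confirm() ->
 {fullsync_on_connect, false},
 {fullsync_interval, disabled},
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site2-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site2-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site2.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site2.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site2.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -61,12 +69,12 @@ confirm() ->
 {fullsync_on_connect, false},
 {fullsync_interval, disabled},
 {ssl_enabled, true},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site3.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -78,12 +86,12 @@ confirm() ->
 {fullsync_interval, disabled},
 {ssl_enabled, true},
 {ssl_depth, 0},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site3-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site3-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site3.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site3.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site3.basho.com/cacerts.pem"])}
 ]}
 ],
 
@@ -94,12 +102,12 @@ confirm() ->
 {fullsync_interval, disabled},
 {ssl_enabled, true},
 {ssl_depth, 0},
-{certfile, filename:join([PrivDir,
-"certs/selfsigned/site4-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/selfsigned/site4-key.pem"])},
-{cacertdir, filename:join([PrivDir,
-"certs/selfsigned/ca"])}
+{certfile, filename:join([CertDir,
+"site4.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir,
+"site4.basho.com/key.pem"])},
+{cacertdir, filename:join([CertDir,
+"site4.basho.com/cacerts.pem"])}
 ]}
 ],
 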
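Review bot: The certfile path in the first SSL config (new line 43) is `"site1/basho.com/cert.pem"`, with a slash where every other path has a dot; the keyfile two lines below is `"site1.basho.com/key.pem"`. make_certs is called with the host name site1.basho.com, so the slash variant presumably points at a file that does not exist and the site1 node would fail to load its certificate. The line should read `"site1.basho.com/cert.pem"])},`. confirm/0 continues outside the hunks.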
