tls: Simplify cockpit-certificate-ensure

Drop support for merged certificate/key files. We deprecated this in
2021 with 76fc4cb ("tls: largely rewrite cockpit-certificate-ensure")
and have been warning about it ever since.

Turn the --for-cockpit-tls option into a no-op (with deprecation
warning): we can't use this tool with cockpit-ws anymore, so the only
other mode that makes sense is `--check`.

Assisted-by: Claude <noreply@anthropic.com>

Author: allisonkarlitskaya

containers/ws/label-run

@@ -119,7 +119,7 @@ with tcp_listener:
 
     else:
         subprocess.run(
-            ['/usr/libexec/cockpit-certificate-ensure', '--for-cockpit-tls'], env=env, cwd='/', check=True
+            ['/usr/libexec/cockpit-certificate-ensure'], env=env, cwd='/', check=True
         )
 
         os.mkdir(wsinstance_dir := "/run/cockpit/wsinstance")

src/systemd/cockpit.service.in

@@ -8,7 +8,7 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
 [Service]
 RuntimeDirectory=cockpit/tls
-ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
+ExecStartPre=+@libexecdir@/cockpit-certificate-ensure
 ExecStart=@libexecdir@/cockpit-tls
 DynamicUser=yes
 # otherwise systemd uses 'cockpit' even if it exists as a normal user account

src/tls/cockpit-certificate-ensure.c

@@ -52,8 +52,6 @@
 // of more than ~5 years from now was surely generated by the old code.
 #define MAX_EXPIRY (5 * 365 * 24 * 60 * 60)
 
-// We tolerate the deprecated merged cert/key files only for cockpit-tls.
-static bool tolerate_merged_cert_key;
 
 typedef struct
 {
@@ -284,26 +282,13 @@ certificate_and_key_read (CertificateKeyPair *self,
   read_file (self->certificate_filename, &self->certificate);
 
   if (certificate_and_key_split (self))
-    {
-      self->key_filename = strdupx (self->certificate_filename);
-      warnx ("%s: merged certificate and key files are %s. "
-             "Please use a separate .cert and .key file.\n",
-             certificate_filename,
-             tolerate_merged_cert_key ? "deprecated" : "unsupported");
-
-      if (!tolerate_merged_cert_key)
-        exit (EXIT_FAILURE);
-    }
-  else
-    {
-      self->key_filename = cockpit_certificate_key_path (self->certificate_filename);
-      read_file (self->key_filename, &self->key);
-    }
+    errx (EXIT_FAILURE, "%s: merged certificate and key files are no longer supported. "
+          "Please use a separate .cert and .key file.", certificate_filename);
 
-  if (self->key_filename)
-    asprintfx (&self->filename_for_errors, "%s/.key", self->certificate_filename);
-  else
-    self->filename_for_errors = strdupx (self->certificate_filename);
+  self->key_filename = cockpit_certificate_key_path (self->certificate_filename);
+  read_file (self->key_filename, &self->key);
+
+  asprintfx (&self->filename_for_errors, "%s + %s", self->certificate_filename, self->key_filename);
 }
 
 static gnutls_certificate_credentials_t
@@ -398,20 +383,16 @@ main (int argc, char **argv)
 {
   CertificateKeyPair result = { };
   bool check = false;
-  bool for_cockpit_tls = false;
 
   if (argc == 1)
     ;
   else if (argc == 2 && strcmp (argv[1], "--check") == 0)
     check = true;
   else if (argc == 2 && strcmp (argv[1], "--for-cockpit-tls") == 0)
-    for_cockpit_tls = true;
+    warnx ("--for-cockpit-tls is deprecated and now a no-op");
   else
     errx (EXIT_FAILURE, "usage: %s [--check]", argv[0]);
 
-  if (for_cockpit_tls)
-    tolerate_merged_cert_key = true;
-
   if (!cockpit_certificate_find (&result, check))
     {
       if (check)
@@ -424,13 +405,14 @@ main (int argc, char **argv)
     }
 
   if (check)
-    printf ("Would use certificate %s\n", result.certificate_filename);
-
-  if (for_cockpit_tls)
+    {
+      printf ("Would use certificate %s\n", result.certificate_filename);
+    }
+  else
     {
       const char *runtime_directory = getenv ("RUNTIME_DIRECTORY");
       if (runtime_directory == NULL)
-        errx (EXIT_FAILURE, "--for-cockpit-tls cannot be used unless RUNTIME_DIRECTORY is set");
+        errx (EXIT_FAILURE, "RUNTIME_DIRECTORY must be set");
 
       certificate_and_key_write (&result, runtime_directory);
     }

src/tls/test-cockpit-certificate-ensure.c

@@ -208,7 +208,7 @@ test_copy (Fixture *fixture,
   g_autoptr(GError) error = NULL;
 
   g_autoptr(GSubprocess) helper = g_subprocess_launcher_spawn (fixture->launcher, &error,
-                                                               CERTIFICATE_HELPER, "--for-cockpit-tls", NULL);
+                                                               CERTIFICATE_HELPER, NULL);
   g_assert_no_error (error);
 
   g_autofree gchar *stdout_str = NULL;
@@ -408,14 +408,14 @@ static const TestCase expired_combined = {
   .files = (const gchar *[]) { SRCDIR "/test/data/expired/combined.cert",
                                NULL },
   .check_stdout = "",
-  .check_stderr = "*merged certificate and key files are unsupported*",
+  .check_stderr = "*merged certificate and key files are no longer supported*",
   .check_exit = EXIT_FAILURE,
 
   .copy_stdout = "",
-  .copy_stderr = "*merged certificate and key files are deprecated*",
-  .copy_exit = EXIT_SUCCESS,
-  .key_source = "*/cockpit/ws-certs.d/combined.cert",
-  .cert_source = "*/cockpit/ws-certs.d/combined.cert"
+  .copy_stderr = "*merged certificate and key files are no longer supported*",
+  .copy_exit = EXIT_FAILURE,
+  .cert_source = "",
+  .key_source = "",
 };
 
 static const TestCase many_files = {
@@ -426,14 +426,14 @@ static const TestCase many_files = {
                                SRCDIR "/test/data/expired/combined.cert",
                                NULL },
   .check_stdout = "",
-  .check_stderr = "*merged certificate and key files are unsupported*",
+  .check_stderr = "*merged certificate and key files are no longer supported*",
   .check_exit = EXIT_FAILURE,
 
   .copy_stdout = "",
-  .copy_stderr = "*merged certificate and key files are deprecated*",
-  .copy_exit = EXIT_SUCCESS,
-  .key_source = "*/cockpit/ws-certs.d/combined.cert",
-  .cert_source = "*/cockpit/ws-certs.d/combined.cert"
+  .copy_stderr = "*merged certificate and key files are no longer supported*",
+  .copy_exit = EXIT_FAILURE,
+  .cert_source = "",
+  .key_source = "",
 };
 
 int