This patch series fixes Issue 1094. Unfortunately, this meant quite some changes in how Ganeti handles SSL certificates. The essence of the change is that the individual node certificates (client certificates) are now no longer self-signed but signed by the cluster certificate (server certificate).
This comes with a few consequences:

- Renew-crypto now uses SSH to renew the SSL certificates. There was no way to renew them with all daemons running.
- When the cluster certificate gets renewed, all node certificates have to be renewed as well, because otherwise they are signed with the old certificate and won't be accepted when using them for an RPC connection.
- Noded has to extend its validation procedure, considering both the client certificates and the server certificate, as that is now part of the certificate chain of the client certificate.

I did some refactorings on the way, and many of the patches increase the logging and debugging options so that something like this is easier to diagnose in the future.

This patch series will have some implications on 2.13, which is why I will do the next merge after submitting this series.

Helga Velroyen (29):
  Add tools/common.py from 2.13
  x509 function for creating signed certs
  Introduce ssl_update tool
  Back up old client.pem files
  Run functions while (some) daemons are stopped
  Renew client certs using ssl_update tool
  Init: create the master's client cert in bootstrap
  Renew cluster and client certificates together
  tools: Move (Re)GenerateClientCert to common
  node-daemon-setup: generate client certificate
  Noded: make "bootstrap" a constant
  Renew-crypto: rebuild digest map of all nodes
  Init: add master client certificate to configuration
  Renew-crypto: remove dead code
  Prepare-node-join: use common functions
  QA: reload rapi cert after renew crypto
  Noded: log the certificate and digest on noded startup
  Renew-crypto: propagate verbose and debug option
  Renew-crypto: remove superflous copying of node certs
  Clean up configuration of curl request
  Bootstrap: validate SSL setup before starting noded
  Verify: warn about self-signed client certs
  man: mention changes in renew-crypto
  NEWS: Mention issue 1094
  UPGRADE: add note about 2.12.5
  Backend: Use timestamp as serial no for server cert
  Cluster-keys-replacement: update documentation
  Noded: Consider certificate chain in callback
  Renew-crypto: start noded together with wconfd

 Makefile.am                                        |  10 +-
 NEWS                                               |   2 +
 UPGRADE                                            |   8 +
 doc/cluster-keys-replacement.rst                   |  27 +++-
 lib/backend.py                                     |  69 +++------
 lib/bootstrap.py                                   |  45 +++++-
 lib/cli.py                                         |  62 +++++++-
 lib/client/gnt_cluster.py                          | 110 +++++++++++--
 lib/cmdlib/cluster.py                              | 114 ++------------
 lib/cmdlib/common.py                               |   9 +-
 lib/cmdlib/node.py                                 |   4 +-
 lib/config.py                                      |  10 ++
 lib/http/__init__.py                               |   9 ++
 lib/pathutils.py                                   |   4 +-
 lib/rpc/node.py                                    |   8 +-
 lib/server/noded.py                                |  52 +++++--
 lib/tools/common.py                                | 172 +++++++++++++++++++++
 lib/tools/node_daemon_setup.py                     |   3 +
 lib/tools/prepare_node_join.py                     |  41 +----
 lib/tools/ssl_update.py                            | 105 +++++++++++++
 lib/utils/security.py                              |  52 ++++++-
 lib/utils/x509.py                                  |  64 ++++++++
 man/gnt-cluster.rst                                |  22 ++-
 qa/ganeti-qa.py                                    |  23 ++-
 src/Ganeti/Constants.hs                            |  29 ++--
 src/Ganeti/OpCodes.hs                              |   4 +-
 src/Ganeti/OpParams.hs                             |   6 +
 test/hs/Test/Ganeti/OpCodes.hs                     |   3 +-
 test/py/cmdlib/cluster_unittest.py                 |  87 ++--------
 test/py/ganeti.backend_unittest.py                 |  28 +--
 test/py/ganeti.tools.common_unittest.py            | 135 ++++++++++++++++
 test/py/ganeti.tools.prepare_node_join_unittest.py |  48 ------
 test/py/ganeti.utils.x509_unittest.py              |  36 ++++-
 tools/cfgupgrade                                   |   9 +-
 34 files changed, 999 insertions(+), 411 deletions(-)
 create mode 100644 lib/tools/common.py
 create mode 100644 lib/tools/ssl_update.py
 create mode 100755 test/py/ganeti.tools.common_unittest.py

-- 
2.4.3.573.g4eafbef
