
Commit 5cfca28

c-pomergify[bot]
authored andcommitted
reverse-proxy: T6419: build full CA chain for frontend SSL certificate
(cherry picked from commit 4b189a7)
1 parent 2ae1798 commit 5cfca28


1 file changed

+13
-10
lines changed


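--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -26,11 +26,11 @@
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_listen_port_bind_service
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
 from vyos.pki import find_chain
 from vyos.pki import load_certificate
+from vyos.pki import load_private_key
 from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
 from vyos.template import render
 from vyos.utils.file import write_file
 from vyos import ConfigError
@@ -128,6 +128,9 @@ def generate(lb):
     if not os.path.isdir(load_balancing_dir):
         os.mkdir(load_balancing_dir)
 
+    loaded_ca_certs = {load_certificate(c['certificate'])
+        for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
+
     # SSL Certificates for frontend
     for front, front_config in lb['service'].items():
         if 'ssl' not in front_config:
@@ -141,12 +144,16 @@ def generate(lb):
                 cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
                 cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
 
-                with open(cert_file_path, 'w') as f:
-                    f.write(wrap_certificate(pki_cert['certificate']))
+                loaded_pki_cert = load_certificate(pki_cert['certificate'])
+                cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+                write_file(cert_file_path,
+                           '\n'.join(encode_certificate(c) for c in cert_full_chain))
 
                 if 'private' in pki_cert and 'key' in pki_cert['private']:
-                    with open(cert_key_path, 'w') as f:
-                        f.write(wrap_private_key(pki_cert['private']['key']))
+                    loaded_key = load_private_key(pki_cert['private']['key'], passphrase=None, wrap_tags=True)
+                    key_pem = encode_private_key(loaded_key, passphrase=None)
+                    write_file(cert_key_path, key_pem)
 
     # SSL Certificates for backend
     for back, back_config in lb['backend'].items():
@@ -158,9 +165,6 @@ def generate(lb):
             ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
             ca_chains = []
 
-            loaded_ca_certs = {load_certificate(c['certificate'])
-                for c in lb['pki']['ca'].values()} if 'ca' in lb['pki'] else {}
-
             pki_ca_cert = lb['pki']['ca'][ca_name]
             loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
             ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
@@ -172,7 +176,6 @@ def generate(lb):
 
     return None
 
-
 def apply(lb):
     call('systemctl daemon-reload')
     if not lb: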
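Review bot: The frontend private key is now written with `write_file(cert_key_path, key_pem)` and no file mode, so the `.pem.key` file keeps whatever permissions the process umask yields, exactly as the replaced `open(cert_key_path, 'w')` did; decoded key material should get an explicit restrictive mode, e.g. `write_file(cert_key_path, key_pem, mode=0o600)` if write_file accepts the mode/user/group keywords used elsewhere in vyos (not visible here), or an `os.chmod(cert_key_path, 0o600)` immediately after the write. Two smaller points in the same hunks: the `else {}` fallback for `loaded_ca_certs` is an empty dict literal rather than an empty set, so `else set()` would match the comprehension's type and the `ca_certs` argument find_chain is fed on the happy path, and the chain written to cert_file_path contains every issuer find_chain returns, which presumably includes a configured self-signed root that a TLS server does not need to send — worth confirming against find_chain and dropping the trust anchor if so. Also note that `load_private_key(..., passphrase=None, wrap_tags=True)` presumably fails on a passphrase-protected key where the old wrap_private_key merely re-wrapped the text, so a clearer ConfigError for that case would help operators. The enclosing `generate()` starts above the first hunk and its closing lines are outside the section.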
