
Commit 6dc515d

committed
Add support for expansion of external sources for the sftp , davs and ftps
key/cert fingerprints in MiGserver.conf in order to get rid of tedious recurring manual fingerprint updates when relying on LetsEncrypt certificates, which come with frequent renewal. Allows the user_PROTO_key_sha256 configuration variables to e.g. be set to FILE::/path/to/fingerprint in order to always read the current fingerprint from that file. It also supports the usual FILE::/path/to/fingerprint$$/path/to/fast/cache/fingerprint for automatic caching in a fast memory-backed or similar cache location. Adjust the migcheckssl cron job helper to inform about it and automatically write the combined pem and pub sha256 fingerprints in the corresponding 'combined.pem.sha256' and 'combined.pub.sha256' files for complete automation of the flow in that case. The sftp key remains unchanged in that setup so one can keep that fingerprint static in MiGserver.conf, or use that combined.pub.sha256 if changes are ever expected. Such changes are typically rather inconvenient for clients as they have to find and update their local known hosts file unless also delivered e.g. on DNSSEC. Updated unit test templates to fit migcheckssl changes.
1 parent 46af52d commit 6dc515d

3 files changed

+44
-11
lines changed

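--- a/mig/install/migcheckssl-template.sh.cronjob
+++ b/mig/install/migcheckssl-template.sh.cronjob
@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,23 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
 fi
 done
 if [ -n "${migrid_subservices}" ]; then
-sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-echo "${sha256_fingerprint}"
+pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+pem_sha256_fp=${pem_sha256_fp/SHA256 Fingerprint=/}
+echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+echo "${pem_sha256_fp}"
+echo "or point those configuration values to the latest fingerprint file with:"
+echo "FILE::${combined_pem_sha256}"
+echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+pub_sha256_fp=${pub_sha256_fp/ no comment */}
+echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+echo "${pub_sha256_fp}"
+echo "or point that configuration value to the latest fingerprint file with:"
+echo "FILE::${combined_pub_sha256}"
+echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+echo "${pub_sha256_fp}" > ${combined_pub_sha256}
 fi
 fi
 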
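Review bot: `pub_sha256_fp=${pub_sha256_fp/ no comment */}` only strips the ssh-keygen trailer when the key literally has no comment; for a key with a comment the value written to `${combined_pub_sha256}` keeps ` <comment> (TYPE)` appended, and a MiGserver.conf entry pointing at that file with FILE:: would then serve the mangled string as the sftp fingerprint. Taking the second field is robust to comments and key types: `pub_sha256_fp=$(ssh-keygen -l -E sha256 -f "${combined_pub}" | awk '{print $2}')` followed by `pub_sha256_fp=${pub_sha256_fp#SHA256:}`; the same applies to the fixture copy in tests/fixture/confs-stdlocal/migcheckssl. Both `echo "..." > ${...}` writes also run when openssl or ssh-keygen failed, leaving an empty fingerprint file for the services to read, so guard each with `[ -n "${pem_sha256_fp}" ] && echo "${pem_sha256_fp}" > "${combined_pem_sha256}"` (and likewise for the pub file). The enclosing if/for block starts outside the hunk.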
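--- a/mig/shared/configuration.py
+++ b/mig/shared/configuration.py
@@ -1134,7 +1134,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
 fingerprint = config.get('GLOBAL', 'user_sftp_key_md5')
 self.user_sftp_key_md5 = fingerprint
 if config.has_option('GLOBAL', 'user_sftp_key_sha256'):
-fingerprint = config.get('GLOBAL', 'user_sftp_key_sha256')
+fingerprint = expand_external_sources(
+logger, config.get('GLOBAL', 'user_sftp_key_sha256'))
 self.user_sftp_key_sha256 = fingerprint
 if config.has_option('GLOBAL', 'user_sftp_key_from_dns'):
 self.user_sftp_key_from_dns = config.getboolean(
@@ -1228,7 +1229,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
 self.user_davs_key = config.get('GLOBAL',
 'user_davs_key')
 if config.has_option('GLOBAL', 'user_davs_key_sha256'):
-fingerprint = config.get('GLOBAL', 'user_davs_key_sha256')
+fingerprint = expand_external_sources(
+logger, config.get('GLOBAL', 'user_davs_key_sha256'))
 self.user_davs_key_sha256 = fingerprint
 if config.has_option('GLOBAL', 'user_davs_auth'):
 self.user_davs_auth = config.get('GLOBAL',
@@ -1274,7 +1276,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
 self.user_ftps_key = config.get('GLOBAL',
 'user_ftps_key')
 if config.has_option('GLOBAL', 'user_ftps_key_sha256'):
-fingerprint = config.get('GLOBAL', 'user_ftps_key_sha256')
+fingerprint = expand_external_sources(
+logger, config.get('GLOBAL', 'user_ftps_key_sha256'))
 self.user_ftps_key_sha256 = fingerprint
 if config.has_option('GLOBAL', 'user_ftps_auth'):
 self.user_ftps_auth = config.get('GLOBAL',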
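Review bot: The expanded value is assigned straight to `self.user_sftp_key_sha256` (and the davs/ftps attributes in the other two hunks) without any check, so a missing or empty fingerprint file behind a FILE:: value would presumably leave the server advertising a blank or stale fingerprint on reload; a one-line guard after each expansion, such as `if not fingerprint: logger.warning('empty user_sftp_key_sha256 after expansion')`, would make that visible in the logs. No import of `expand_external_sources` is added in this commit (the file's 6 additions are all in these hunks), so it must already be in scope in configuration.py; worth confirming, since a NameError here only surfaces at reload time. Because clients compare against these fingerprints, the referenced file and especially the optional `$$` cache location are integrity-sensitive, and a comment on the option such as `# FILE::PATH[$$CACHE] sources must not be writable by untrusted local users` would record that expectation. The `user_sftp_key_md5` line in the first hunk's context still reads the config directly, which is a minor inconsistency with the sha256 handling. reload_config starts and ends outside the hunks.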

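--- a/tests/fixture/confs-stdlocal/migcheckssl
+++ b/tests/fixture/confs-stdlocal/migcheckssl
@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,23 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
 fi
 done
 if [ -n "${migrid_subservices}" ]; then
-sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-echo "${sha256_fingerprint}"
+pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+pem_sha256_fp=${pem_sha256_fp/SHA256 Fingerprint=/}
+echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+echo "${pem_sha256_fp}"
+echo "or point those configuration values to the latest fingerprint file with:"
+echo "FILE::${combined_pem_sha256}"
+echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+pub_sha256_fp=${pub_sha256_fp/ no comment */}
+echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+echo "${pub_sha256_fp}"
+echo "or point that configuration value to the latest fingerprint file with:"
+echo "FILE::${combined_pub_sha256}"
+echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+echo "${pub_sha256_fp}" > ${combined_pub_sha256}
 fi
 fi
 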