Merge pull request #6706 from Security-Onion-Solutions/fix/ub1804ssl
Fix/ub1804ssl
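--- /dev/null
+++ b/salt/ca/dirs.sls
@@ -0,0 +1,4 @@
+pki_issued_certs:
+file.directory:
+- name: /etc/pki/issued_certs
+- makedirs: True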
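Review bot: The new `pki_issued_certs` state pins no ownership or permissions, so `/etc/pki/issued_certs` and, through `makedirs: True`, a missing `/etc/pki` are created with whatever the minion's umask happens to produce. Since other states later populate this tree with key material and certificates, it is worth fixing that explicitly, e.g. `- user: root`, `- group: root`, `- mode: 755`, so the result does not depend on how the highstate was launched. Note also that this rendering has lost the YAML indentation of the four lines; the nesting has to be checked against the source file.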
@@ -1,17 +1,14 @@
|
||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||
{% if sls in allowed_states %}
|
||||
|
||||
include:
|
||||
- ca.dirs
|
||||
|
||||
{% set manager = salt['grains.get']('master') %}
|
||||
/etc/salt/minion.d/signing_policies.conf:
|
||||
file.managed:
|
||||
- source: salt://ca/files/signing_policies.conf
|
||||
|
||||
/etc/pki:
|
||||
file.directory: []
|
||||
|
||||
/etc/pki/issued_certs:
|
||||
file.directory: []
|
||||
|
||||
pki_private_key:
|
||||
x509.private_key_managed:
|
||||
- name: /etc/pki/ca.key
|
||||
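Review bot: Removing the `/etc/pki` and `/etc/pki/issued_certs` states from this file means any remaining `require: - file: /etc/pki` in it no longer resolves and the state fails to compile with a missing-requisite error. The following hunk at `pki_public_ca_crt` rewrites one such requisite to `- sls: ca.dirs`, but `pki_private_key` (its `x509.private_key_managed` body runs past this hunk) and anything else that referenced the old ids needs the same rewrite; whether they do is not visible here. Bear in mind that `include: - ca.dirs` alone does not order the directory creation before the key and certificate states — only a requisite does.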
@@ -42,7 +39,7 @@ pki_public_ca_crt:
|
||||
- backup: True
|
||||
- replace: False
|
||||
- require:
|
||||
- file: /etc/pki
|
||||
- sls: ca.dirs
|
||||
- timeout: 30
|
||||
- retry:
|
||||
attempts: 5
|
||||
|
||||
@@ -16,12 +16,14 @@
|
||||
{% endif %}
|
||||
|
||||
{% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %}
|
||||
{% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
|
||||
{% set ca_server = grains.id %}
|
||||
include:
|
||||
- ca
|
||||
{% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
|
||||
{% set ca_server = grains.id %}
|
||||
{% else %}
|
||||
{% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
|
||||
include:
|
||||
- ca.dirs
|
||||
{% set x509dict = salt['mine.get'](manager~'*', 'x509.get_pem_entries') %}
|
||||
{% for host in x509dict %}
|
||||
{% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
|
||||
{% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
|
||||
|
||||
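Review bot: Narrowing the mine query from `'*'` to `manager~'*'` means the trusted CA bundle is now built only from entries the manager published rather than from any minion's mine data, which is the security-relevant part of this hunk, yet nothing in the file records that intent; a Jinja comment such as `{# only trust CA entries published by the manager, never by arbitrary minions #}` above the `set x509dict` line would keep the next editor from widening it again. The argument is still a glob, so any minion whose id merely starts with the manager's id also matches — the role-suffix check in the `for host in x509dict` loop is what keeps those out, so that loop is now part of the trust decision and deserves a note too. `manager` is not set anywhere in this hunk; presumably it is defined above line 16 of the file, which should be confirmed.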
@@ -1429,6 +1429,32 @@ fleet_pillar() {
|
||||
"" > "$pillar_file"
|
||||
}
|
||||
|
||||
generate_ca() {
|
||||
{
|
||||
echo "Building Certificate Authority";
|
||||
salt-call state.apply ca;
|
||||
|
||||
echo " Confirming existence of the CA certificate"
|
||||
openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
|
||||
|
||||
echo "Confirming salt mine now contains the certificate";
|
||||
salt-call mine.get "$MINION_ID" x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "CA in mine"
|
||||
else
|
||||
echo "CA not in mine"
|
||||
fi
|
||||
} >> "$setup_log" 2>&1
|
||||
}
|
||||
|
||||
generate_ssl() {
|
||||
{
|
||||
echo "Applying SSL state";
|
||||
salt-call state.apply ssl;
|
||||
salt-call saltutil.sync_modules;
|
||||
} >> "$setup_log" 2>&1
|
||||
}
|
||||
|
||||
generate_passwords(){
|
||||
# Generate Random Passwords for Things
|
||||
MYSQLPASS=$(get_random_value)
|
||||
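Review bot: `generate_ca` never reports failure: the result of `salt-call state.apply ca` is discarded, the `openssl x509` existence check is discarded, and the `$?` test only echoes "CA not in mine", so the function's status is always that of the final `fi` and the caller in the later `@@ -761,8 +761,15 @@` hunk (`generate_ca >> $setup_log 2>&1`) cannot tell that no CA was produced before it continues to the SSL and firewall steps. `salt-call` exits 0 even when a state fails unless `--retcode-passthrough` is given, so that flag plus `|| return 1` on the two commands that must succeed, and `grep -qE` in place of the `$?` test, would let the failure surface; `generate_ssl` has the same gap at `salt-call state.apply ssl;`. The mine check is left informational below, as it was, since the mine may be populated asynchronously.
```shell
generate_ca() {
  {
    echo "Building Certificate Authority";
    # without --retcode-passthrough a failed state still exits 0
    salt-call --retcode-passthrough state.apply ca || return 1

    echo " Confirming existence of the CA certificate"
    openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates || return 1

    echo "Confirming salt mine now contains the certificate";
    if salt-call mine.get "$MINION_ID" x509.get_pem_entries | grep -qE 'BEGIN CERTIFICATE|END CERTIFICATE'; then
      echo "CA in mine"
    else
      echo "CA not in mine"
    fi
  } >> "$setup_log" 2>&1
}
# … unchanged: generate_ssl, apart from the same --retcode-passthrough / return 1 treatment …
```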
@@ -2261,107 +2287,6 @@ saltify() {
|
||||
fi
|
||||
}
|
||||
|
||||
salt_checkin() {
|
||||
case "$install_type" in
|
||||
'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage
|
||||
{
|
||||
echo "Building Certificate Authority";
|
||||
salt-call state.apply ca;
|
||||
echo " *** Restarting Salt to fix any SSL errors. ***";
|
||||
|
||||
local SALT_SERVICES=(\
|
||||
"salt-master" \
|
||||
"salt-minion"
|
||||
)
|
||||
local count=0
|
||||
|
||||
for service in "${SALT_SERVICES[@]}"; do
|
||||
{
|
||||
echo "Restarting service $service"
|
||||
systemctl restart "$service" &
|
||||
local pid=$!
|
||||
} >> "$setup_log" 2>&1
|
||||
|
||||
count=0
|
||||
while ! (check_service_status "$service"); do
|
||||
# On final loop, kill the pid trying to restart service and try to manually kill then start it
|
||||
if [ $count -eq 12 ]; then
|
||||
{
|
||||
kill -9 "$pid"
|
||||
systemctl kill "$service"
|
||||
systemctl start "$service" &
|
||||
local pid=$!
|
||||
} >> "$setup_log" 2>&1
|
||||
fi
|
||||
|
||||
if [ $count -gt 12 ]; then
|
||||
echo "$service could not be restarted in 120 seconds, exiting" >> "$setup_log" 2>&1
|
||||
kill -9 "$pid"
|
||||
exit 1
|
||||
fi
|
||||
sleep 10;
|
||||
((count++))
|
||||
done
|
||||
done
|
||||
|
||||
count=1
|
||||
timeout=60
|
||||
while ! (check_salt_master_status $timeout); do
|
||||
echo "salt minion cannot talk to salt master after $timeout seconds" >> "$setup_log" 2>&1
|
||||
if [ $count -gt 2 ]; then
|
||||
echo "salt minion could not talk to salt master after $count attempts, exiting" >> "$setup_log" 2>&1
|
||||
exit 1
|
||||
fi
|
||||
sleep 1;
|
||||
((count++))
|
||||
((timeout+=30)) # add 30s to the timeout each attempt
|
||||
done
|
||||
|
||||
count=1
|
||||
timeout=60
|
||||
while ! (check_salt_minion_status $timeout) ; do
|
||||
echo "salt master did not get a job response from salt minion after $timeout seconds" >> "$setup_log" 2>&1
|
||||
if [ $count -gt 2 ]; then
|
||||
echo "salt master did not get a job response from salt minion after $count attempts, exiting" >> "$setup_log" 2>&1
|
||||
exit 1
|
||||
fi
|
||||
systemctl kill salt-minion
|
||||
systemctl start salt-minion
|
||||
sleep 1;
|
||||
((count++))
|
||||
((timeout+=30)) # add 30s to the timeout each attempt
|
||||
done
|
||||
|
||||
echo " Confirming existence of the CA certificate"
|
||||
openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
|
||||
echo " Applyng a mine hack";
|
||||
salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
|
||||
salt "$MINION_ID" mine.update;
|
||||
echo "Confirming salt mine now contains the certificate";
|
||||
salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "CA in mine"
|
||||
else
|
||||
echo "CA not in mine"
|
||||
fi
|
||||
echo " Applying SSL state";
|
||||
salt-call state.apply ssl;
|
||||
} >> "$setup_log" 2>&1
|
||||
;;
|
||||
*)
|
||||
{
|
||||
#salt-call state.apply ca;
|
||||
salt-call state.apply ssl;
|
||||
} >> "$setup_log" 2>&1
|
||||
;;
|
||||
esac
|
||||
{
|
||||
#salt-call state.apply ca;
|
||||
salt-call state.apply ssl;
|
||||
salt-call saltutil.sync_modules;
|
||||
} >> "$setup_log" 2>&1
|
||||
}
|
||||
|
||||
# Run a salt command to generate the minion key
|
||||
salt_firstcheckin() {
|
||||
salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput
|
||||
|
||||
@@ -761,8 +761,15 @@ echo "1" > /root/accept_changes
|
||||
salt-call state.apply -l info salt.minion >> $setup_log 2>&1
|
||||
fi
|
||||
|
||||
set_progress_str 23 'Generating CA and checking in'
|
||||
salt_checkin >> $setup_log 2>&1
|
||||
if [[ $is_manager || $is_helix || $is_import ]]; then
|
||||
set_progress_str 23 'Generating CA'
|
||||
generate_ca >> $setup_log 2>&1
|
||||
fi
|
||||
|
||||
if [[ $is_minion ]]; then
|
||||
set_progress_str 24 'Generating SSL'
|
||||
generate_ssl >> $setup_log 2>&1
|
||||
fi
|
||||
|
||||
if [[ $is_manager || $is_helix || $is_import ]]; then
|
||||
set_progress_str 25 'Configuring firewall'
|
||||
|
||||
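Review bot: The new calls `generate_ca >> $setup_log 2>&1` and `generate_ssl >> $setup_log 2>&1` leave `$setup_log` unquoted while the functions they invoke write `"$setup_log"`, and both functions already redirect their own output into the log, so the outer redirection is redundant; dropping it, or quoting it consistently, avoids two styles for the same thing in one file. Neither call's exit status is examined either, so a failed CA build is only visible by reading the log. The surrounding setup sequence continues past the end of the hunk.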