
Rename Server.TLSCertificate to Server.TLSCertificateChain #1825

Merged
merged 2 commits into from
Dec 17, 2024
Merged
6 changes: 3 additions & 3 deletions .goreleaser.yml
Expand Up @@ -93,15 +93,15 @@ archives:
{{- else }}{{ .Arch }}{{ end }}
wrap_in_directory: '{{ .ProjectName }}-server-{{ trimsuffix .Version "-next" }}'
checksum:
name_template: 'checksums.txt'
name_template: "checksums.txt"
snapshot:
name_template: "{{ incpatch .Version }}-next"
changelog:
sort: asc
filters:
exclude:
- '^docs:'
- '^test:'
- "^docs:"
- "^test:"
- Merge pull request
- Merge branch

2 changes: 1 addition & 1 deletion config/config.go
Expand Up @@ -1023,7 +1023,7 @@ func SetServerDefaults(v *viper.Viper) error {
v.SetConfigType("yaml")

v.SetDefault(param.Server_WebConfigFile.GetName(), filepath.Join(configDir, "web-config.yaml"))
v.SetDefault(param.Server_TLSCertificate.GetName(), filepath.Join(configDir, "certificates", "tls.crt"))
v.SetDefault(param.Server_TLSCertificateChain.GetName(), filepath.Join(configDir, "certificates", "tls.crt"))
v.SetDefault(param.Server_TLSKey.GetName(), filepath.Join(configDir, "certificates", "tls.key"))
v.SetDefault(param.Server_TLSCAKey.GetName(), filepath.Join(configDir, "certificates", "tlsca.key"))
v.SetDefault(param.Server_SessionSecretFile.GetName(), filepath.Join(configDir, "session-secret"))
2 changes: 1 addition & 1 deletion config/config_default.go
Expand Up @@ -32,7 +32,7 @@ import (
func InitServerOSDefaults(v *viper.Viper) error {
// Windows / Mac don't have a default set of CAs installed at
// a well-known location as is expected by XRootD. We want to always generate our own CA
// if Server_TLSCertificate (host certificate) is not explicitly set so that
// if Server_TLSCertificateChain (host certificate chain) is not explicitly set so that
// we can sign our host cert by our CA instead of self-signing
tlscaFile := filepath.Join(v.GetString("ConfigDir"), "certificates", "tlsca.pem")
v.SetDefault(param.Server_TLSCACertificateFile.GetName(), tlscaFile)
2 changes: 1 addition & 1 deletion config/config_linux.go
Expand Up @@ -30,7 +30,7 @@ import (

func InitServerOSDefaults(v *viper.Viper) error {
// For Linux, even if we have well-known system CAs, we don't want to
// use them, because we want to always generate our own CA if Server_TLSCertificate (host certificate)
// use them, because we want to always generate our own CA if Server_TLSCertificateChain (host certificate chain)
// is not explicitly set so that we can sign our host cert by our CA instead of self-signing
configDir := v.GetString("ConfigDir")
v.SetDefault(param.Server_TLSCACertificateFile.GetName(), filepath.Join(configDir, "certificates", "tlsca.pem"))
4 changes: 2 additions & 2 deletions config/init_server_creds.go
Expand Up @@ -360,7 +360,7 @@ func GenerateCert() error {

tlsCertPrivateKeyExists := false

tlsCert := param.Server_TLSCertificate.GetString()
tlsCert := param.Server_TLSCertificateChain.GetString()
if file, err := os.Open(tlsCert); err == nil {
file.Close()
// Check that the matched-pair private key is present
Expand Down Expand Up @@ -443,7 +443,7 @@ func GenerateCert() error {
return errors.Errorf("unsupported private key type: %T", key)
}

log.Debugln("Server.TLSCertificate and/or Server.TLSKey do not exist. Will generate a new host certificate and its private key for the server")
log.Debugln("Server.TLSCertificateChain and/or Server.TLSKey do not exist. Will generate a new host certificate and its private key for the server")
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
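Review bot: After the rename GenerateCert reads only the new key (`tlsCert := param.Server_TLSCertificateChain.GetString()`), so a deployment whose configuration still sets `Server.TLSCertificate` would, unless the deprecated-parameter reassignment copies the old value onto the new key, fall through to the default `certificates/tls.crt` path, find no file there, and generate a fresh host certificate in place of the operator's CA-issued one, silently changing what clients are presented. That reassignment is not part of this diff, so it is worth confirming with a test that sets only the old key and checks `param.Server_TLSCertificateChain.GetString()` returns it, and with a warning log when the old key is in use. The same dependency applies to the renamed reads in launcher_utils/xrootd_servers.go, web_ui/ui.go and xrootd/xrootd_config.go, including the `ServerConfig` field rename there if that struct is filled from the `Server` config section. GenerateCert starts before the first hunk and continues past the second.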
4 changes: 2 additions & 2 deletions docs/pages/federating-your-data.mdx
Expand Up @@ -44,8 +44,8 @@ You need to contact a Certificate Authority (CA) who owns the root certificate f

Once you go through the process, locate your credential files and set the following parameters to the file locations or copy the credential files to the default locations of the parameters:

- `Server.TLSCertificate`
- The certificate file from Let's Encrypt (or another CA), usually named as `example.com.crt` or `example.com.pem`
- `Server.TLSCertificateChain`
- The certificate chain file from Let's Encrypt (or another CA), usually named example.com.crt or example.com.pem, containing the host certificate followed by any required intermediate certificates.
- Default location: `~/.config/pelican/certificates/tls.crt` for non-root users or `/etc/pelican/certificates/tls.crt` for root users.

- `Server.TLSKey`
41 changes: 28 additions & 13 deletions docs/parameters.yaml
Expand Up @@ -975,31 +975,31 @@ components: ["origin"]
---
name: Origin.XRootServiceUrl
description: |+
When the origin is configured to export another XRootD storage backend by setting `Origin.StorageType = xroot`, the `XRootServiceUrl`
is used as the base for `root` protocol requests and should point at the upstream XRootD server.
When the origin is configured to export another XRootD storage backend by setting `Origin.StorageType = xroot`, the `XRootServiceUrl`
is used as the base for `root` protocol requests and should point at the upstream XRootD server.
type: string
default: none
components: ["origin"]
---
name: Origin.GlobusCollectionID
description: |+
**Note**: This value is only for setting up an origin that exports **one** Globus collection. For multiple exports, use `Origin.Exports`
**Note**: This value is only for setting up an origin that exports **one** Globus collection. For multiple exports, use `Origin.Exports`

Required if `Origin.StorageType == "globus"` AND `Origin.Exports` is not set.
Required if `Origin.StorageType == "globus"` AND `Origin.Exports` is not set.

Globus stores objects in [Collections](https://docs.globus.org/guides/overviews/collections-and-endpoints/#collection).
The unique identifier of a Collection is the Collection UUID.
You can find the Collection UUID at the bottom of your Collection's overview page.
Globus stores objects in [Collections](https://docs.globus.org/guides/overviews/collections-and-endpoints/#collection).
The unique identifier of a Collection is the Collection UUID.
You can find the Collection UUID at the bottom of your Collection's overview page.
type: string
default: none
components: ["origin"]
---
name: Origin.GlobusCollectionName
description: |+
**Note**: This value is only for setting up an origin that exports **one** storage prefix. For multiple exports, use `Origin.Exports`
**Note**: This value is only for setting up an origin that exports **one** storage prefix. For multiple exports, use `Origin.Exports`

An optional human-readable name to describe the Collection. This should set to the "Display Name" of your Collection in Globus.
It is recommended to set this name; otherwise the UUID will be used as the Collection name.
An optional human-readable name to describe the Collection. This should set to the "Display Name" of your Collection in Globus.
It is recommended to set this name; otherwise the UUID will be used as the Collection name.
type: string
default: none
components: ["origin"]
Expand Down Expand Up @@ -1149,7 +1149,7 @@ description: |+
WARNING: It's important that any values for `Cache.DataLocations` and `Cache.MetaLocations` are NOT subdirectories of `Cache.NamespaceLocation`,
as this will make the raw data/meta files accessible through the cache's namespace structure, which is undefined behavior.
type: string
default: ${Cache.StorageLocation}/namespace
default: ${Cache.StorageLocation}/namespace

components: ["cache"]
---
Expand Down Expand Up @@ -1796,6 +1796,20 @@ description: |+
type: filename
root_default: /etc/pelican/certificates/tls.crt
default: "$ConfigBase/certificates/tls.crt"
deprecated: true
replacedby: "Server.TLSCertificateChain"
components: ["origin", "registry", "director"]
---
name: Server.TLSCertificateChain
Instead of renaming this, please create a separate parameter and deprecate this one while labeling Server.TLSCertificateChain as the replacement. Then ensure that our deprecated assignment function in the config does the reassignment properly.

description: |+
A filepath to a file containing the full X.509 certificate chain, including the host certificate followed
by any intermediate certificates, to use for TLS authentication when running server components of Pelican.

If you override this filepath, you need to provide the matched-pair private key
via Server.TLSKey and a Certificate Authority (CA) certificate via Server.TLSCACertificateFile.
type: filename
root_default: /etc/pelican/certificates/tls.crt
default: "$ConfigBase/certificates/tls.crt"
components: ["origin", "registry", "director"]
---
name: Server.TLSCACertificateFile
Expand Down Expand Up @@ -1831,7 +1845,8 @@ components: ["origin", "registry", "director"]
---
name: Server.TLSKey
description: |+
The name of a file containing a private key corresponding to the TLSCertificate.
The name of a file containing the private key corresponding to the host certificate
in the TLSCertificateChain.
Used when running server components of Pelican.
type: filename
root_default: /etc/pelican/certificates/tls.key
Expand Down Expand Up @@ -1970,7 +1985,7 @@ description: |+
The "subject" claim should be the "CILogon User Identifier" from CILogon user page: https://cilogon.org/
type: stringSlice
default: []
components: ["registry","origin","cache"]
components: ["registry", "origin", "cache"]
---
name: Server.StartupTimeout
description: |+
4 changes: 2 additions & 2 deletions launcher_utils/xrootd_servers.go
Expand Up @@ -45,7 +45,7 @@ func checkConfigFileReadable(fileName string, errMsg string) error {
}

func CheckDefaults(server server_structs.XRootDServer) error {
requiredConfigs := []param.StringParam{param.Server_TLSCertificate, param.Server_TLSKey, param.Xrootd_RobotsTxtFile}
requiredConfigs := []param.StringParam{param.Server_TLSCertificateChain, param.Server_TLSKey, param.Xrootd_RobotsTxtFile}
for _, configName := range requiredConfigs {
mgr := configName.GetString()
if mgr == "" {
Expand Down Expand Up @@ -75,7 +75,7 @@ func CheckDefaults(server server_structs.XRootDServer) error {
}

// TODO: Could upgrade this to a check for a cert in the file...
if err := checkConfigFileReadable(param.Server_TLSCertificate.GetString(),
if err := checkConfigFileReadable(param.Server_TLSCertificateChain.GetString(),
"A TLS certificate is required to serve HTTPS"); err != nil {
return err
}
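Review bot: The message passed with the renamed parameter, `"A TLS certificate is required to serve HTTPS"`, still does not tell the operator which key to set, which matters more now that the key name has changed; naming it, e.g. `"Server.TLSCertificateChain (a TLS certificate chain) is required to serve HTTPS"`, makes the startup failure actionable. The TODO just above ("check for a cert in the file") also gains weight with a chain file: a readability check passes on an empty or key-only file, whereas decoding the PEM and requiring at least one CERTIFICATE block would catch the misconfiguration at startup instead of at the first handshake (CopyXrootdCertificates in this PR does load the pair via tls.LoadX509KeyPair, but only on the xrootd path). CheckDefaults continues outside the hunk.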
2 changes: 2 additions & 0 deletions param/parameters.go


2 changes: 2 additions & 0 deletions param/parameters_struct.go


2 changes: 1 addition & 1 deletion systemd/10-osdf-defaults.yaml
Expand Up @@ -11,6 +11,6 @@ Federation:
DiscoveryUrl: "https://osg-htc.org"

Server:
TLSCertificate: /etc/pki/tls/certs/pelican.crt
TLSCertificateChain: /etc/pki/tls/certs/pelican.crt
TLSKey: /etc/pki/tls/private/pelican.key
TLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
2 changes: 1 addition & 1 deletion web_ui/engine_test.go
Expand Up @@ -160,7 +160,7 @@ func TestUpdateCert(t *testing.T) {
// First, compare the current fingerprint against that on disk
currentFingerprint := getCurrentFingerprint()

certFile := param.Server_TLSCertificate.GetString()
certFile := param.Server_TLSCertificateChain.GetString()
keyFile := param.Server_TLSKey.GetString()
getDiskFingerprint := func() [sha256.Size]byte {
diskCert, err := tls.LoadX509KeyPair(certFile, keyFile)
4 changes: 2 additions & 2 deletions web_ui/ui.go
Expand Up @@ -619,7 +619,7 @@ func RunEngineRoutineWithListener(ctx context.Context, engine *gin.Engine, egrp
// This was split out from RunEngine to allow unit tests to provide a Unix domain socket'
// as a listener.
func runEngineWithListener(ctx context.Context, ln net.Listener, engine *gin.Engine, egrp *errgroup.Group) error {
certFile := param.Server_TLSCertificate.GetString()
certFile := param.Server_TLSCertificateChain.GetString()
keyFile := param.Server_TLSKey.GetString()

port := param.Server_WebPort.GetInt()
Expand All @@ -635,7 +635,7 @@ func runEngineWithListener(ctx context.Context, ln net.Listener, engine *gin.Eng

server_utils.LaunchWatcherMaintenance(
ctx,
[]string{filepath.Dir(param.Server_TLSCertificate.GetString())},
[]string{filepath.Dir(param.Server_TLSCertificateChain.GetString())},
"server TLS maintenance",
2*time.Minute,
func(notifyEvent bool) error {
8 changes: 4 additions & 4 deletions xrootd/xrootd_config.go
Expand Up @@ -142,7 +142,7 @@ type (
}

ServerConfig struct {
TLSCertificate string
TLSCertificateChain string
TLSKey string
TLSCACertificateDirectory string
TLSCACertificateFile string
Expand Down Expand Up @@ -519,7 +519,7 @@ func CopyXrootdCertificates(server server_structs.XRootDServer) error {
return errors.Wrap(err, "Unable to copy certificates to xrootd runtime directory; failed xrootd user lookup")
}

certFile := param.Server_TLSCertificate.GetString()
certFile := param.Server_TLSCertificateChain.GetString()
certKey := param.Server_TLSKey.GetString()
if _, err = tls.LoadX509KeyPair(certFile, certKey); err != nil {
return builtin_errors.Join(err, errBadKeyPair)
Expand All @@ -540,7 +540,7 @@ func CopyXrootdCertificates(server server_structs.XRootDServer) error {
return errors.Wrap(err, "Failure when chown'ing certificate key pair file for xrootd")
}

srcFile, err := os.Open(param.Server_TLSCertificate.GetString())
srcFile, err := os.Open(param.Server_TLSCertificateChain.GetString())
if err != nil {
return errors.Wrap(err, "Failure when opening source certificate for xrootd")
}
Expand Down Expand Up @@ -577,7 +577,7 @@ func LaunchXrootdMaintenance(ctx context.Context, server server_structs.XRootDSe
server_utils.LaunchWatcherMaintenance(
ctx,
[]string{
filepath.Dir(param.Server_TLSCertificate.GetString()),
filepath.Dir(param.Server_TLSCertificateChain.GetString()),
filepath.Dir(param.Xrootd_Authfile.GetString()),
filepath.Dir(param.Xrootd_ScitokensConfig.GetString()),
},
2 changes: 1 addition & 1 deletion xrootd/xrootd_config_test.go
Expand Up @@ -735,7 +735,7 @@ func TestCopyCertificates(t *testing.T) {

keyPairContents, err := os.ReadFile(destKeyPairName)
require.NoError(t, err)
certName := param.Server_TLSCertificate.GetString()
certName := param.Server_TLSCertificateChain.GetString()
firstCertContents, err := os.ReadFile(certName)
require.NoError(t, err)
keyName := param.Server_TLSKey.GetString()