Replace ds-container-certs-import.sh with ds-certs-import.sh
edewata committed Sep 6, 2024
1 parent e813063 commit e0d2186
Showing 4 changed files with 193 additions and 106 deletions.
24 changes: 18 additions & 6 deletions .github/workflows/ca-clone-secure-ds-test.yml
Expand Up @@ -91,11 +91,17 @@ jobs:
run: |
docker exec primary pk12util \
-d /root/.dogtag/nssdb \
-o ds_server.p12 \
-o $SHARED/primaryds_server.p12 \
-W Secret.123 \
-n Server-Cert
docker cp primary:ds_server.p12 primaryds_server.p12
tests/bin/ds-container-certs-import.sh primaryds primaryds_server.p12
sudo chmod go+r primaryds_server.p12
tests/bin/ds-certs-import.sh \
--image=pki-runner \
--input=primaryds_server.p12 \
--password=Secret.123 \
primaryds
tests/bin/ds-stop.sh \
--image=pki-runner \
Expand Down Expand Up @@ -203,11 +209,17 @@ jobs:
run: |
docker exec secondary pk12util \
-d /root/.dogtag/nssdb \
-o ds_server.p12 \
-o $SHARED/secondaryds_server.p12 \
-W Secret.123 \
-n Server-Cert
docker cp secondary:ds_server.p12 secondaryds_server.p12
tests/bin/ds-container-certs-import.sh secondaryds secondaryds_server.p12
sudo chmod go+r secondaryds_server.p12
tests/bin/ds-certs-import.sh \
--image=pki-runner \
--input=secondaryds_server.p12 \
--password=Secret.123 \
secondaryds
tests/bin/ds-stop.sh \
--image=pki-runner \
13 changes: 10 additions & 3 deletions .github/workflows/ca-secure-ds-test.yml
Expand Up @@ -90,11 +90,18 @@ jobs:
run: |
docker exec pki pk12util \
-d /root/.dogtag/nssdb \
-o ds_server.p12 \
-o $SHARED/ds_server.p12 \
-W Secret.123 \
-n Server-Cert
docker cp pki:ds_server.p12 ds_server.p12
tests/bin/ds-container-certs-import.sh ds ds_server.p12
sudo chmod go+r ds_server.p12
tests/bin/ds-certs-import.sh \
--image=pki-runner \
--input=ds_server.p12 \
--password=Secret.123 \
--debug \
ds
tests/bin/ds-stop.sh \
--image=pki-runner \
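--- a/tests/bin/ds-certs-import.sh
+++ b/tests/bin/ds-certs-import.sh
@@ -0,0 +1,165 @@
+#!/bin/bash -e
+
+# https://fy.blackhats.net.au/blog/html/2020/03/28/389ds_in_containers.html
+
+SCRIPT_PATH=$(readlink -f "$0")
+SCRIPT_NAME=$(basename "$SCRIPT_PATH")
+SCRIPT_DIR=$(dirname "$SCRIPT_PATH")
+
+VERBOSE=
+DEBUG=
+
+usage() {
+echo "Usage: $SCRIPT_NAME [OPTIONS] <name>"
+echo
+echo "Options:"
+echo " --image=<image> Container image (default: quay.io/389ds/dirsrv)"
+echo " --input=<file> PKCS #12 file"
+echo " --password=<password> PKCS #12 password"
+echo " -v,--verbose Run in verbose mode."
+echo " --debug Run in debug mode."
+echo " --help Show help message."
+}
+
+while getopts v-: arg ; do
+case $arg in
+v)
+VERBOSE=true
+;;
+-)
+LONG_OPTARG="${OPTARG#*=}"
+
+case $OPTARG in
+image=?*)
+IMAGE="$LONG_OPTARG"
+;;
+input=?*)
+INPUT="$LONG_OPTARG"
+;;
+password=?*)
+PASSWORD="$LONG_OPTARG"
+;;
+verbose)
+VERBOSE=true
+;;
+debug)
+VERBOSE=true
+DEBUG=true
+;;
+help)
+usage
+exit
+;;
+'')
+break # "--" terminates argument processing
+;;
+image* | input* | password*)
+echo "ERROR: Missing argument for --$OPTARG option" >&2
+exit 1
+;;
+*)
+echo "ERROR: Illegal option --$OPTARG" >&2
+exit 1
+;;
+esac
+;;
+\?)
+exit 1 # getopts already reported the illegal option
+;;
+esac
+done
+
+# remove parsed options and args from $@ list
+shift $((OPTIND-1))
+
+NAME=$1
+
+if [ "$NAME" == "" ]
+then
+echo "ERROR: Missing container name"
+exit 1
+fi
+
+if [ "$INPUT" == "" ]
+then
+echo "ERROR: Missing PKCS #12 file"
+exit 1
+fi
+
+if [ "$PASSWORD" == "" ]
+then
+echo "ERROR: Missing PKCS #12 password"
+fi
+
+if [ "$IMAGE" = "" ]
+then
+IMAGE=quay.io/389ds/dirsrv
+fi
+
+import_certs_into_server() {
+
+echo "Importing DS certs into server"
+
+docker cp $INPUT $NAME:certs.p12
+
+docker exec $NAME pk12util \
+-d /etc/dirsrv/slapd-localhost \
+-k /etc/dirsrv/slapd-localhost/pwdfile.txt \
+-i certs.p12 \
+-W $PASSWORD
+
+echo "Configuring trust flags"
+
+docker exec $NAME certutil -M \
+-d /etc/dirsrv/slapd-localhost \
+-f /etc/dirsrv/slapd-localhost/pwdfile.txt \
+-n Self-Signed-CA \
+-t CT,C,C
+
+echo "Enabling SSL connection"
+
+docker exec $NAME dsconf localhost config replace nsslapd-security=on
+}
+
+import_certs_into_container() {
+
+echo "Importing DS certs into container"
+
+docker cp $INPUT $NAME:/tmp/certs.p12
+
+echo "Exporting server cert into /data/tls/server.crt"
+
+docker exec $NAME openssl pkcs12 \
+-in /tmp/certs.p12 \
+-passin pass:$PASSWORD \
+-out /data/tls/server.crt \
+-clcerts \
+-nokeys
+
+echo "Exporting server key into /data/tls/server.key"
+
+docker exec $NAME openssl pkcs12 \
+-in /tmp/certs.p12 \
+-passin pass:$PASSWORD \
+-out /data/tls/server.key \
+-nodes \
+-nocerts
+
+echo "Exporting CA cert into /data/tls/ca/ca.crt"
+
+docker exec $NAME openssl pkcs12 \
+-in /tmp/certs.p12 \
+-passin pass:$PASSWORD \
+-out /data/tls/ca/ca.crt \
+-cacerts \
+-nokeys
+}
+
+if [ "$IMAGE" == "pki-runner" ]
+then
+import_certs_into_server
+else
+import_certs_into_container
+fi
+
+echo "DS certs imported"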
97 changes: 0 additions & 97 deletions tests/bin/ds-container-certs-import.sh

This file was deleted.
