From 4adc9a103554005a675fd018f965f34701777897 Mon Sep 17 00:00:00 2001 From: Piotr Parczewski Date: Mon, 22 Apr 2024 13:33:09 +0200 Subject: [PATCH] Add Let's Encrypt EAB support Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/935656 Change-Id: I0b20d82a0061062f8aa9dfe179b1d02708ad610e --- .../letsencrypt-certificates.sh | 32 +++++++++++++++++-- ...sencrypt-eab-support-0ec1a60f1602662e.yaml | 4 +++ 2 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/add-letsencrypt-eab-support-0ec1a60f1602662e.yaml diff --git a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh index 055e5879ab..bf537e957f 100755 --- a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh +++ b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh @@ -20,6 +20,9 @@ function obtain_or_renew_certificate { local acme_url="${5}" local mail="${6}" local letsencrypt_ssh_port="${7}" + local eab="${8}" + local hmac="${9}" + local key_id="${10}" certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g') certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}') @@ -54,6 +57,10 @@ function obtain_or_renew_certificate { [ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew" + if [ ${eab} ]; then + eab_opts="--eab --hmac ${hmac} --kid ${key_id}" + fi + log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}." mapfile -t cmd_output < <(/opt/lego --email="${mail}" \ ${certificate_domain_opts} \ @@ -64,6 +71,7 @@ function obtain_or_renew_certificate { --cert.timeout ${valid_days} \ --accept-tos \ --http \ + ${eab_opts} \ --pem ${lego_action} \ --${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}" 2>&1) @@ -98,10 +106,11 @@ function obtain_or_renew_certificate { INTERNAL_SET="false" EXTERNAL_SET="false" +EXTERNAL_ACCOUNT_BINDING="false" LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log" -VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- "$@") +VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac: -- "$@") if [[ $? -ne 0 ]]; then exit 1; fi @@ -147,6 +156,18 @@ while [ : ]; do LETSENCRYPT_SSH_PORT="${2}" shift 2 ;; + --eab) + EXTERNAL_ACCOUNT_BINDING="true" + shift + ;; + --hmac) + HMAC="${2}" + shift 2 + ;; + --kid) + KEY_ID="${2}" + shift 2 + ;; --) shift; break ;; @@ -170,17 +191,22 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then LETSENCRYPT_EXTERNAL_FQDNS="${FQDNS}" fi + if [ "${EXTERNAL_ACCOUNT_BINDING}" = "true" ]; then + EXTERNAL_ACCOUNT_BINDING_OPTS="--eab ${HMAC} ${KEY_ID}" + else + EXTERNAL_ACCOUNT_BINDING_OPTS="" + fi if /usr/sbin/ip a | egrep -q "${LETSENCRYPT_VIP_ADDRESSES}"; then log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..." if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}" - obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} + obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS} fi if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}" - obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} + obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS} fi else log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..." diff --git a/releasenotes/notes/add-letsencrypt-eab-support-0ec1a60f1602662e.yaml b/releasenotes/notes/add-letsencrypt-eab-support-0ec1a60f1602662e.yaml new file mode 100644 index 0000000000..96d24186ec --- /dev/null +++ b/releasenotes/notes/add-letsencrypt-eab-support-0ec1a60f1602662e.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Adds a support for external account binding (EAB) in Let's Encrypt.