Support multiple ca certificates

Split the ca file into two files if there are two ca certificates Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
2022-04-26 16:10:04 +08:00 · 2022-04-26 16:10:04 +08:00 · baa50d5c88
parent 778dd72e86
commit baa50d5c88
1 changed files with 47 additions and 0 deletions
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@ -370,10 +370,55 @@ class Provider(object):
        self.password = password
        self.ca_file = ca_file
        self.thumbprint = thumbprint
+        self._config_ca_file = ca_file

    def __str__(self):
        return str(self.url)

+    def select_cert(self):
+        # If two ca certs in one file which only 'Serial Number' are different,
+        # ssl verify process will break if the first cert is not enabled in
+        # the nsxt. Put only one ca cert in one file and verify it by GET
+        # operation
+        if not self._config_ca_file:
+            return
+
+        try:
+            ca_content = self._get_ca_files(self._config_ca_file)
+        except Exception as e:
+            LOG.error('read ca file %s error %s', self._config_ca_file, e)
+            return
+
+        if len(ca_content) <= 1:
+            return
+
+        base_file = '/tmp/ca_cert.pem'
+        for index, buff in enumerate(ca_content):
+            session = TimeoutSession(60, 60)
+            ca_file = base_file + self.id + '.' + str(index)
+            try:
+                with open(ca_file, 'w') as fname:
+                    fname.writelines(buff)
+                session.verify = ca_file
+                session.get(self.url + '/api/v1/node/version')
+                self.ca_file = ca_file
+                break
+            except Exception as e:
+                LOG.debug("verify cert error %s, ca file %s", e, ca_file)
+                continue
+
+    def _get_ca_files(self, ca_file):
+        files = []
+        with open(ca_file) as fname:
+            lines = fname.readlines()
+            buff = []
+            for line in lines:
+                buff.append(line)
+                if 'END CERTIFICATE' in line:
+                    files.append(buff)
+                    buff = []
+        return files
+

 class Endpoint(object):
    """A single NSX manager endpoint (host).
@ -900,4 +945,6 @@ class NSXClusteredAPI(ClusteredAPI):
                    self.nsxlib_config.password(provider_index),
                    self.nsxlib_config.ca_file(provider_index),
                    self.nsxlib_config.thumbprint(provider_index)))
+        for provider in providers:
+            provider.select_cert()
        return providers