mc_ssl / ssl registry¶
If you alter this module and want to test it, do not forget to deploy it on minion using:
salt '*' saltutil.sync_modules
Documentation of this module is available with:
salt '*' sys.doc mc_ssl
-
mc_states.modules.mc_ssl.ca_ssl_certs(domains, **kwargs)¶ Wrapper to ssl_certs to also return the cacert information Return a triple (ert, key, ca) if ca is none: ca==’‘
-
mc_states.modules.mc_ssl.domain_match(domain, cert_domain, wildcard_match=False)¶ Test if a domain exactly match other domain the other domain can be a wildcard, and this only match top level wildcards as per openssl spec
>>> from mc_states.modules.mc_ssl import domain_match >>> domain_match('a.com', 'a.com') True >>> domain_match('a.a.com', '*.a.com') True >>> domain_match('a.a.a.com', '*.a.com') False >>> domain_match('aaa.a.com', '*.a.com') True >>> domain_match('a', '*') False >>> domain_match('a.a', '*.a') False >>> domain_match('a.com', '*.a.com') True >>> domain_match('a.com', '*.a.a.com') False
-
mc_states.modules.mc_ssl.domain_match_wildcard(domain, wildcard_or_domain)¶ Test if a common name matches a wild card
>>> from mc_states.modules.mc_ssl \ ... import domain_match_wildcard as match_wildcard >>> match_wildcard('foo.dom.net', '*.foo.dom.net') True >>> match_wildcard('www.foo.dom.net', '*.foo.dom.net') True >>> match_wildcard('foo.dom.net', 'foo.dom.net') True >>> match_wildcard('www.foo.dom.net', 'foo.dom.net') True >>> match_wildcard('dom.net', '*.dom.net') True >>> match_wildcard('www.dom.net', '*.dom.net') True >>> match_wildcard('dom.net', 'dom.net') True >>> match_wildcard('www.dom.net', 'dom.net') True
-
mc_states.modules.mc_ssl.get_cert_for(domain, gen=False, domain_csr_data=None)¶ Generate or return certificate for domain
The certificates are stored inside <pillar_root>/cloud-controller/ssl
Search order precedence:
- ./custom/<subdomain>.<domain>.<tld>
- wildcard certificate: ./custom/*.<domain>.<tld>
- signed by the controller: ./<cloudctlr>/certs/*.<domain>.<tld>
- signed by the controller: ./<cloudctlr>/certs/<sub>.<domain>.<tld>
-
mc_states.modules.mc_ssl.get_configured_cert(domain, gen=False, ttl=60)¶ Return any configured ssl cert for domain or the wildward domain matching the precise domain. It will prefer to use any real signed certificate over a self signed certificate
-
mc_states.modules.mc_ssl.get_custom_cert_for(domain)¶ Seach for certificate and key file inside pillar folder
pillarroot/cloud-controller/ssl/custom:
- <domain>.key
- contain private ,key
- <domain>.crt
- contain cert
- <domain>.auth.crt
- contain auth chain
- <domain>.bundle.crt
- <generated if not present> contain cert + auth chain
- <domain>.full.crt
- <generated if not present> contain cert + auth chain + key
-
mc_states.modules.mc_ssl.get_installed_cert_for(domain)¶ Seach for certificate and key file inside pillar folder
pillarroot/cloud-controller/ssl/custom:
- <domain>.key
- contain private ,key
- <domain>.crt
- contain cert
- <domain>.auth.crt
- contain auth chain
- <domain>.bundle.crt
- <generated if not present> contain cert + auth chain
- <domain>.full.crt
- <generated if not present> contain cert + auth chain + key
-
mc_states.modules.mc_ssl.get_selfsigned_cert_for(domain, gen=False, domain_csr_data=None)¶ Generate or return certificate for domain
The certificates are stored inside <pillar_root>/cloud-controller/ssl
Search precedence:
- ./custom/<subdomain>.<domain>.<tld>
- wildcard certificate: ./custom/*.<domain>.<tld>
- selfsigned: ./selfsigned/certs/*.<domain>.<tld>
- selfsigned: ./selfsigned/certs/<subdomain>.<domain>.<tld>
-
mc_states.modules.mc_ssl.load_certs(path)¶ Load certificates from a directory (certs must be suffixed with .crt) return 2 dictionnary:
- one contains certs with common name as indexes
- one contains certs with subjectaltnames as indexes
-
mc_states.modules.mc_ssl.load_selfsigned_certs(path)¶ Load certificates from a directory (certs must be suffixed with .crt) return 2 dictionnary:
- one contains certs with common name as indexes
- one contains certs with subjectaltnames as indexes
-
mc_states.modules.mc_ssl.search_matching_certificate(domain, as_text=False, selfsigned=True)¶ Search in the pillar certificate directory the certificate belonging to a particular domain
-
mc_states.modules.mc_ssl.search_matching_selfsigned_certificate(domain, gen=False, as_text=False)¶ Search in the pillar certificate directory the certificate belonging to a particular domain
-
mc_states.modules.mc_ssl.selfsigned_last(ctuple)¶ Certificate tuple containing in first element the text of the PEM certificate
-
mc_states.modules.mc_ssl.selfsigned_ssl_certs(domains, gen=False, as_text=False)¶ Maybe Generate and Return SSL certificate and key paths for domain Certicates are generated inside pillar/cloudcontroller/<minionid>. this generates a signed certificate with a generated certificate authority with the name of the current minion.
-
mc_states.modules.mc_ssl.settings()¶ ssl registry
- country
- country
- st
- st
- l
- l
- o
- organization
- cn
- common name
- certs
mapping of COMMON_NAME: (cert_text, key_text, cacert_chain_txt)
- cert_text and cacert_chain_txt contain x509 certs, concatenated
- chain_txt is an empty string if selfsigned or not found
- key we will validated to be a valid private key
- all certs will be validated to be x509 certs
-
mc_states.modules.mc_ssl.ssl_certs(domains, **kw)¶ Maybe Generate and Return SSL certificate and key paths for domain Certicates are generated inside pillar/cloudcontroller/<minionid>. this generates a signed certificate with a generated certificate authority with the name of the current minion.
Return a xtuple (cert, key) Cert can contain multiple certs (full chain of certification)
-
mc_states.modules.mc_ssl.ssl_chain(common_name, cert_string)¶ Extract the cerfificate and auth chain for a certificate file or string containing one or multiple certificates
Return a tuble:
- The certificate maching the common name If not found, assume the first of the given certs
- The rest of certificates as the ssl chain authentication
-
mc_states.modules.mc_ssl.ssl_infos(cert_text, **kw)¶ Get some infos out of a PEM certificates kw can contain default values
- issuer
- cert issuer
- subject
- cert subject
-
mc_states.modules.mc_ssl.ssl_key(cert_string)¶ Extract valid ssl keys from a string or a file & return the first
-
mc_states.modules.mc_ssl.ssl_keys(cert_string)¶ Extract valid ssl keys from a string or a file