Rollout SSL


Configuring Rollout and Rolloutd to support SSL encryption and authentication can be slightly tricky to get right, so a sample CA (Certificate Authority) makefile is included to make testing easier. For production use, you should use real certificates signed by a trusted authority.

  1. Included in the source distribution is a directory called rolloutd.ca. Change to this directory and run:

    # make ca server
  2. This will create a CA certificate and a certificate for the server. The client verifies the server certificate against the CA certificate, so it can be sure it is connecting to the intended server. If you have followed the installation instructions, these files will already be in the correct place. If not, copy cacert.crt, certs/rolloutd.pem and certs/rolloutd.key to the locations your server expects.
  3. Edit the startup script so that SSL will be supported. This should be done by editing /etc/default/rollout and making sure LISTEN_SSL is defined. At this point you may be able to set ALLOW to something wider (perhaps 0.0.0.0/0), because authentication will be done by certificate from now on. Only do this once you have confirmed that the server actually requires and verifies client certificates; otherwise ALLOW is the only access control you have.
  4. Restart rollout:

    # /etc/init.d/rolloutd restart
  5. In the rolloutd.ca directory, create a client certificate for every client machine:

    # make client HOSTNAME=<hostname>
  6. This will create two files in certs (hostname.key and hostname.pem) which you need to copy to each client machine along with cacert.crt, placing all three files in /etc/rollout. The private key, cert.key, should be readable by root only:

    # scp certs/hostname.pem hostname:/etc/rollout/cert.pem
    # scp certs/hostname.key hostname:/etc/rollout/cert.key
    # scp cacert.crt hostname:/etc/rollout/

    Alternatively, on the client itself you can pull the certificate files with scp, for example:

    # SRC=root@rollout.domain:/usr/local/rollout/rolloutd.ca; H=`hostname`; mkdir -p /etc/rollout; cd /etc/rollout; scp $SRC/cacert.crt .; \
    scp $SRC/certs/$H.key cert.key; scp $SRC/certs/$H.pem cert.pem
  7. Test the client by running rollout with the new HTTPS URL:

    # rollout -s -u https://rollout.domain:port -o setup

    If rollout is not yet installed on this client, you can fetch it over the same HTTPS connection and pipe it straight into perl:

    # URL=https://rollout.domain:port; wget -O- -S --no-check-certificate --certificate /etc/rollout/cert.pem \
    --private-key /etc/rollout/cert.key --ca-certificate /etc/rollout/cacert.crt $URL/rollout | perl - -u $URL -o setup 

    Note that --no-check-certificate disables verification of the server certificate entirely, including the check against --ca-certificate, so the client is no longer authenticating the server. It is needed here only because the sample CA issues the server certificate with CN=rolloutd (see the openssl output below), which will not match the hostname in the URL. Treat it as a testing shortcut: for production, issue a server certificate whose name matches the hostname clients connect to and drop the option.

If you want more debugging information, use the openssl command-line tool to connect to the server with the client certificate and send a request by hand. Output like the following means the server certificate chained to the CA (Verify return code: 0 (ok)) and the request was served. Also try the same connection without the -key and -cert options: if the server still answers the request, it is not requiring client certificates, and ALLOW must stay restrictive.

# openssl s_client -key /etc/rollout/cert.key -cert /etc/rollout/cert.pem -CAfile /etc/rollout/cacert.crt -connect localhost:8000
CONNECTED(00000003)
depth=1 /CN=Rollout CA/C=AU
verify return:1
depth=0 /CN=rolloutd/C=AU
verify return:1
---
Certificate chain
 0 s:/CN=rolloutd/C=AU
   i:/CN=Rollout CA/C=AU
 1 s:/CN=Rollout CA/C=AU
   i:/CN=Rollout CA/C=AU
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=rolloutd/C=AU
issuer=/CN=Rollout CA/C=AU
---
No client certificate CA names sent
---
SSL handshake has read 1207 bytes and written 1500 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: ADFFC8AABA8350FB98D6DC64E2B59BBF8E381C1835C560BACE5C926709C2E205
    Session-ID-ctx: 
    Master-Key: E2E617E466DEB7D1B4D36EB80C3D79D1D6653DE387020A64CCF3A0EADA0990A57665157164003CBBA2B996430E9B27F8
    Key-Arg   : None
    Start Time: 1283149374
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0

HTTP/1.0 200 OK
Connection: close
Content-Length: 1739
Content-Type: text/html
Date: Mon, 30 Aug 2010 06:23:00 UTC
Server: Rolloutd/1.2.0

<h1>Rolloutd File Listing</h1>
<table width="100%">
<tbody><tr><th>filename</th><th>type</th><th>size</th><th>mtime</th><th>checksum</th></tr>
<tr><td>INSTALL</td><td>file</td><td>1176</td><td>1282700749</td><td></td></tr>
<tr><td>LICENSE</td><td>file</td><td>15123</td><td>1282521396</td><td></td></tr>
<tr><td>README</td><td>file</td><td>810</td><td>1282535000</td><td></td></tr>
<tr><td>RolloutConfigValidator.pm</td><td>file</td><td>7050</td><td>1282701014</td><td></td></tr>
<tr><td>complete.php</td><td>file</td><td>452</td><td>1282521396</td><td></td></tr>
<tr><td>conf</td><td>directory</td><td>4096</td><td>1283131204</td><td></td></tr>
<tr><td>files</td><td>directory</td><td>4096</td><td>1282627456</td><td></td></tr>
<tr><td>fragments</td><td>directory</td><td>4096</td><td>1283146205</td><td></td></tr>
<tr><td>rollout</td><td>file</td><td>52670</td><td>1283144307</td><td></td></tr>
<tr><td>rollout.cfg</td><td>file</td><td>11773</td><td>1282710541</td><td></td></tr>
<tr><td>rollout.default</td><td>file</td><td>840</td><td>1283145863</td><td></td></tr>
<tr><td>rollout.init</td><td>file</td><td>1564</td><td>1283145891</td><td></td></tr>
<tr><td>rolloutd</td><td>file</td><td>14388</td><td>1283149304</td><td></td></tr>
<tr><td>rolloutd.ca</td><td>directory</td><td>4096</td><td>1283148999</td><td></td></tr>
<tr><td>steps</td><td>directory</td><td>4096</td><td>1283146161</td><td></td></tr>
</tbody></table>
closed

Warning

The sample CA issues the server certificate with a lifetime of 365 days. After 365 days your clients will no longer be able to verify the server certificate and will fail to run. When this happens (or, preferably, before it happens) you need to regenerate the server certificate; it is the certificate's validity period that runs out, not the key itself. Check the expiry dates of the client certificates as well, since they come from the same CA setup. Note also that the s_client output above shows a 1024-bit server public key; for anything beyond testing, generate keys of at least 2048 bits.

# make server
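
As an added, runnable example (not code from Rollout or its rolloutd.ca makefile), the script below builds a throwaway CA, server certificate and client certificate with plain openssl, then runs the checks worth doing before copying certs/<hostname>.pem, certs/<hostname>.key and cacert.crt to a client in steps 5 and 6, plus the expiry check behind the warning above. The subject names, the 2048-bit key size, the 365-day lifetime and the hostname client.example.com are assumptions about what the makefile does; its real choices may differ.

```sh
#!/bin/sh
# Added example, not part of Rollout or its rolloutd.ca makefile.
# Builds a throwaway CA, server cert and client cert with plain openssl
# (subject names, 2048-bit keys and the 365-day lifetime are assumptions
# about what the makefile does), then runs the checks worth doing before
# copying certs/<hostname>.pem, certs/<hostname>.key and cacert.crt to a client.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir certs

# make_test_pki <hostname>: CA, certificate for rolloutd, certificate for <hostname>
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout cacert.key \
        -out cacert.crt -subj "/CN=Rollout CA/C=AU" 2>/dev/null
    for name in rolloutd "$1"; do
        openssl req -newkey rsa:2048 -nodes -keyout "certs/$name.key" \
            -out "certs/$name.csr" -subj "/CN=$name/C=AU" 2>/dev/null
        openssl x509 -req -in "certs/$name.csr" -CA cacert.crt -CAkey cacert.key \
            -CAcreateserial -days 365 -out "certs/$name.pem" 2>/dev/null
    done
}

# chain_ok <cert> <cafile>: does the certificate chain to the CA the peer trusts?
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches <cert> <key>: does the private key belong to this certificate?
# A cert.pem copied from the wrong host passes chain_ok but fails here.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# valid_for_days <cert> <days>: still valid <days> days from now? Run this
# against certs/rolloutd.pem to catch the 365-day expiry before clients fail.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_test_pki client.example.com

# Positive checks on the files you would scp to client.example.com.
for check in "chain_ok certs/client.example.com.pem cacert.crt" \
             "key_matches certs/client.example.com.pem certs/client.example.com.key" \
             "valid_for_days certs/rolloutd.pem 30"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done

# Negative checks: a key/cert mix-up, and an expiry inside a 400-day window, must fail.
if key_matches certs/rolloutd.pem certs/client.example.com.key; then
    echo "FAIL: mismatched key and certificate not detected"
else
    echo "PASS: mismatched key and certificate rejected"
fi
if valid_for_days certs/rolloutd.pem 400; then
    echo "FAIL: certificate expiring within 400 days not detected"
else
    echo "PASS: expiry within 400 days detected"
fi
```

Point chain_ok, key_matches and valid_for_days at the real cacert.crt and certs/<hostname>.{pem,key} produced by make client to check a bundle before copying it; the key_matches check is the one that catches a cert.pem scp'd to the wrong host, which chain verification alone will not.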