diff --git a/lib/go-tc/deliveryservice_ssl_keys.go b/lib/go-tc/deliveryservice_ssl_keys.go
index 32e26f2f14..9be758df67 100644
--- a/lib/go-tc/deliveryservice_ssl_keys.go
+++ b/lib/go-tc/deliveryservice_ssl_keys.go
@@ -132,7 +132,7 @@ func (r *DeliveryServiceAddSSLKeysReq) Validate(tx *sql.Tx) error {
 if r.Certificate.Crt == "" {
 errs = append(errs, "certificate.crt required")
 }
- if r.Certificate.CSR == "" {
+ if r.Certificate.CSR == "" && *r.AuthType != LetsEncryptAuthType {
 errs = append(errs, "certificate.csr required")
 }
 }
diff --git a/traffic_ops/etc/cron.d/autorenew_certs b/traffic_ops/etc/cron.d/autorenew_certs
index a8a18ecca0..1008966c8e 100644
--- a/traffic_ops/etc/cron.d/autorenew_certs
+++ b/traffic_ops/etc/cron.d/autorenew_certs
@@ -1 +1 @@
-*/5 * * * * root export PERL5LIB=/opt/traffic_ops/app/local/lib/perl5:/opt/traffic_ops/app/lib; /opt/traffic_ops/app/bin/checks/ToAutorenewCerts.pl -c '{ "base_url": "https://127.0.0.1" }' -l 1 >> /var/log/traffic_ops/autorenew.log 2>&1
\ No newline at end of file
+*/5 * * * * trafops export PERL5LIB=/opt/traffic_ops/app/local/lib/perl5:/opt/traffic_ops/app/lib; /opt/traffic_ops/app/bin/checks/ToAutorenewCerts.pl -c '{ "base_url": "https://127.0.0.1" }' -l 1 >> /var/log/traffic_ops/autorenew.log 2>&1
\ No newline at end of file
diff --git a/traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go b/traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
index 92c82cdfa8..632311b407 100644
--- a/traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
+++ b/traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
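Review bot: `*r.AuthType` on the added line is dereferenced with no nil guard, so if the request body omits authType (the pointer type suggests it is optional) Validate panics on client-supplied input instead of returning a validation error. Unless an earlier part of Validate, which starts outside this hunk, already rejects a nil AuthType, guard it and keep requiring the CSR in the unknown case: `if r.Certificate.CSR == "" && (r.AuthType == nil || *r.AuthType != LetsEncryptAuthType) {`. Validate begins and ends outside the hunk, so I cannot confirm whether such a check exists.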
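Review bot: Switching the job from `root` to `trafops` changes who must be able to append to `/var/log/traffic_ops/autorenew.log`; if that file was created by root by earlier runs of this crontab, the `>>` redirect fails with permission denied before the script runs, and cron reports that only via local mail, so renewals stop silently. The package or an install step should create the log file and its directory owned by `trafops`, and it is worth confirming that `trafops` can read `/opt/traffic_ops/app/bin/checks/ToAutorenewCerts.pl` and the two PERL5LIB paths. Dropping root for this job is the right direction; it just needs the filesystem ownership to follow.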
@@ -203,9 +203,15 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn } myUser.Registration = reg + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + log.Errorf(deliveryService + ": Error generating private key") + return err + } request := certificate.ObtainRequest{ - Domains: []string{domainName}, - Bundle: true, + Domains: []string{domainName}, + Bundle: true, + PrivateKey: priv, } certificates, err := client.Certificate.Obtain(request) if err != nil { 
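Review bot: The new `rsa.GenerateKey` error path logs a message without the underlying error and returns the bare `err`, whereas the other failures in this function (for example the riak branch in the next hunk) return `errors.New(deliveryService + ": ...: " + err.Error())`, so this one failure is the only one that cannot be attributed to a delivery service by the caller; the `log.Errorf` call also has no format verbs. Make it consistent: `log.Errorf(deliveryService + ": generating private key: " + err.Error())` and `return errors.New(deliveryService + ": generating private key: " + err.Error())`. The key size `2048` is a bare magic number; a named constant such as `letsEncryptRSAKeyBits` would document the choice. `GetLetsEncryptCertificates` begins and ends outside this hunk, and the hunk assumes `crypto/rsa` and `crypto/rand` are imported elsewhere in the file.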
@@ -238,21 +244,17 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn Expiration: expiration, } - crtBuf := bytes.Buffer{} - if err := pem.Encode(&crtBuf, &pem.Block{Type: "CERTIFICATE", Bytes: certificates.Certificate}); err != nil { - log.Errorf(deliveryService + ": pem-encoding certificate: " + err.Error()) - return errors.New(deliveryService + ": pem-encoding certificate: " + err.Error()) + keyDer := x509.MarshalPKCS1PrivateKey(priv) + if keyDer == nil { + return errors.New("marshalling private key: nil der") } - crtPem := crtBuf.Bytes() - keyBuf := bytes.Buffer{} - if err := pem.Encode(&keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: certificates.PrivateKey}); err != nil { - log.Errorf(deliveryService + ": pem-encoding key: " + err.Error()) - return errors.New(deliveryService + ": pem-encoding key: " + err.Error()) + if err := pem.Encode(&keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDer}); err != nil { + return errors.New("pem-encoding private key: " + err.Error()) } keyPem := keyBuf.Bytes() - dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(crtPem)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: "Not Applicable"} + dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(certificates.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: ""} if err := riaksvc.PutDeliveryServiceSSLKeysObj(dsSSLKeys, tx.Tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil { log.Errorf("Error posting lets encrypt certificate to riak: %s", err.Error()) return errors.New(deliveryService + ": putting riak keys: " + err.Error()) diff --git a/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/FormDeliveryServiceSslKeysController.js b/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/FormDeliveryServiceSslKeysController.js index 0cacbe33e2..bbba5fd29a 100644 
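Review bot: The `keyDer == nil` check is dead: `x509.MarshalPKCS1PrivateKey` always returns a DER byte slice for an `*rsa.PrivateKey`, so the branch can never fire and the literal it returns is misleading. The two new error returns also drop the `deliveryService` prefix and the `log.Errorf` call that the surrounding branches (the riak branch just below) still use; suggest removing the nil check and writing `return errors.New(deliveryService + ": pem-encoding private key: " + err.Error())`. Passing `certificates.Certificate` straight to `EncodePEMToLegacyPerlRiakFormat` instead of PEM-wrapping it presumably relies on that field already being PEM (the bundled chain); a one-line comment such as `// certificates.Certificate is already PEM-encoded; do not wrap it again` would stop the next reader from re-introducing the double encoding. The hunk also assumes `crypto/x509` is imported elsewhere in the file.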
--- a/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/FormDeliveryServiceSslKeysController.js +++ b/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/FormDeliveryServiceSslKeysController.js @@ -39,6 +39,19 @@ var FormDeliveryServiceSslKeysController = function(deliveryService, sslKeys, $s $scope.sslKeys.authType = 'Self Signed'; } + $scope.requiresCrs = function() { + return $scope.sslKeys.authType !== 'Lets Encrypt'; + }; + $scope.toggleCsrRequirement = function() { + if ($scope.requiresCrs() && document.getElementById('certificateSigningRequest') !== null) { + document.getElementById('certificateSigningRequest').setAttribute('required', ''); + } else if (document.getElementById('certificateSigningRequest') !== null) { + document.getElementById('certificateSigningRequest').removeAttribute('required'); + } + }; + + $scope.toggleCsrRequirement(); + $scope.hasError = formUtils.hasError; $scope.hasPropertyError = formUtils.hasPropertyError; $scope.navigateToPath = locationUtils.navigateToPath; diff --git a/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/form.deliveryServiceSslKeys.tpl.html b/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/form.deliveryServiceSslKeys.tpl.html index 276c727d80..ced4dc4f99 100644 --- a/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/form.deliveryServiceSslKeys.tpl.html +++ b/traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/form.deliveryServiceSslKeys.tpl.html @@ -60,12 +60,12 @@ -
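Review bot: `$scope.requiresCrs` is misnamed (the field is the CSR, and the sibling is already called `toggleCsrRequirement`), and `toggleCsrRequirement` looks the element up twice and repeats the null check in both branches. Renaming it means updating the template as well, since the HTML hunk in this commit presumably references it (that hunk is not readable here). Note that this only toggles the HTML `required` attribute on the client; the server-side change in lib/go-tc/deliveryservice_ssl_keys.go remains the authoritative check, which is the right split. The toggle body can be tightened as below.
```javascript
	$scope.toggleCsrRequirement = function() {
		var csrInput = document.getElementById('certificateSigningRequest');
		if (csrInput === null) {
			return;
		}
		if ($scope.requiresCrs()) {
			csrInput.setAttribute('required', '');
		} else {
			csrInput.removeAttribute('required');
		}
	};
	// … unchanged: initial $scope.toggleCsrRequirement() call and formUtils wiring …
```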
+
- - Required - + + Required +
@@ -76,12 +76,12 @@
-
+
- - Required - + + Required +