Added 'keepcerts' option to force keeping HTTPS/MPS cert.
This commit is contained in:
parent
15ee1feca5
commit
f7dc1d749b
|
@ -742,12 +742,15 @@ module.exports.CertificateOperations = function (parent) {
|
|||
// Return true if the name is found in the certificates names, we support wildcard certificates
|
||||
obj.compareCertificateNames = function(certNames, name) {
|
||||
if (certNames == null) return false;
|
||||
if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
|
||||
for (var i in certNames) {
|
||||
if ((certNames[i].startsWith('*.') == true) && (name.endsWith(certNames[i].substring(1)) == true)) { return true; }
|
||||
if (certNames[i].startsWith('http://*.') == true) {
|
||||
if (name.endsWith(certNames[i].substring(8)) == true) { return true; }
|
||||
if ((certNames[i].endsWith('/') == true) && (name.endsWith(certNames[i].substring(8, certNames[i].length - 1)) == true)) { return true; }
|
||||
name = name.toLowerCase();
|
||||
var xcertNames = [];
|
||||
for (var i in certNames) { xcertNames.push(certNames[i].toLowerCase()); }
|
||||
if (xcertNames.indexOf(name) >= 0) return true;
|
||||
for (var i in xcertNames) {
|
||||
if ((xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)) { return true; }
|
||||
if (xcertNames[i].startsWith('http://*.') == true) {
|
||||
if (name.endsWith(xcertNames[i].substring(8)) == true) { return true; }
|
||||
if ((xcertNames[i].endsWith('/') == true) && (name.endsWith(xcertNames[i].substring(8, xcertNames[i].length - 1)) == true)) { return true; }
|
||||
}
|
||||
}
|
||||
return false;
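Review bot: The wildcard test in the rebuilt loop, `(xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)`, accepts any name ending in the suffix, so `a.b.example.com` passes for a `*.example.com` entry although TLS clients only honour a single-label wildcard, which means this check can report a match that browsers and agents will later reject. I would compute the suffix once and require the remaining prefix to contain no dot: `var suffix = xcertNames[i].substring(1);` followed by `if (xcertNames[i].startsWith('*.') && name.length > suffix.length && name.endsWith(suffix) && name.slice(0, -suffix.length).indexOf('.') < 0) { return true; }`, and the same for the `http://*.` branch. The new `name = name.toLowerCase()` still runs with no null guard on `name` (only `certNames` is checked at the top), so a missing name throws here rather than returning false; if callers can pass undefined, `if ((certNames == null) || (name == null)) return false;` closes that. Stylistically, `xcertNames` can be `certNames.map(function (n) { return n.toLowerCase(); })`, and the second `for (var i in ...)` redeclares `i` in the same function scope, with `for...in` over what looks like an array, which will also walk any enumerable properties added to it.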
|
||||
|
@ -992,12 +995,13 @@ module.exports.CertificateOperations = function (parent) {
|
|||
if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
|
||||
|
||||
// Check if we have correct certificates.
|
||||
if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } else { r.CommonName = commonName; }
|
||||
if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { console.log("Error: " + commonName + " does not match name in TLS certificate: " + r.CommonNames.join(', ')); forceWebCertGen = 1; } else { r.CommonName = commonName; }
|
||||
if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
|
||||
if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }
|
||||
|
||||
// If the certificates matches what we want, use them.
|
||||
if ((forceWebCertGen == 0) && (forceMpsCertGen == 0)) {
|
||||
if (func !== undefined) { func(r); }
|
||||
if (func !== null) { func(r); }
|
||||
return r;
|
||||
}
|
||||
}
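Review bot: The guard at `if (func !== null) { func(r); }` swaps the old undefined check for a null check, so a caller that omits `func` now reaches `func(r)` on undefined and throws a TypeError where it used to be skipped; unless every caller passes null explicitly, `if (func != null) { func(r); }` (or `typeof func === 'function'`) covers both. The `args.keepcerts` override placed after the MPS-name comparison runs after the new `console.log("Error: " + commonName + " does not match name in TLS certificate: ...")` line, so an operator who set keepcerts still sees an error saying the name does not match while the certificate is in fact kept; move the keepcerts test ahead of the logging, or print the mismatch as informational when keepcerts is set. The override also assigns `r.CommonName = commonName` for a certificate whose names do not include that value, which I would document on that line with `// keepcerts: serve this cert for commonName even though its names do not include it; r.CommonName no longer proves the cert covers that name` so later readers of r.CommonName are not misled. The option is read as `args.keepcerts` here but declared as `keepCerts` in the schema hunk below; if config keys are not lowercased before they reach args, the two will never line up. The enclosing function starts before and ends after this hunk.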
|
||||
|
@ -1051,7 +1055,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||
|
||||
// If the web certificate does not exist, create one
|
||||
var webCertAndKey, webCertificate, webPrivateKey;
|
||||
if ((r.web == null) || (forceWebCertGen == 1)) {
|
||||
if ((r.web == null) || (forceWebCertGen === 1)) {
|
||||
console.log("Generating HTTPS certificate...");
|
||||
webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
|
||||
webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
|
||||
|
@ -1108,7 +1112,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||
|
||||
// If the Intel AMT MPS certificate does not exist, create one
|
||||
var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
|
||||
if ((r.mps == null) || (forceMpsCertGen == 1)) {
|
||||
if ((r.mps == null) || (forceMpsCertGen === 1)) {
|
||||
console.log("Generating Intel AMT MPS certificate...");
|
||||
mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
|
||||
mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
"type": "object",
|
||||
"properties": {
|
||||
"cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." },
|
||||
"keepCerts": { "type": "boolean", "default": false, "description": "Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value." },
|
||||
"mongoDb": { "type": "string", "default": null },
|
||||
"mongoDbName": { "type": "string" },
|
||||
"mongoDbChangeStream": { "type": "boolean", "default": false },
|
||||
|
|
|
@ -144,8 +144,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
|||
obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
|
||||
obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
|
||||
obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
|
||||
obj.defaultWebCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert);
|
||||
obj.defaultWebCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert);
|
||||
obj.defaultWebCertificateHash = obj.certificates.webdefault ? parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert) : null;
|
||||
obj.defaultWebCertificateFullHash = obj.certificates.webdefault ? parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert) : null;
|
||||
|
||||
// Compute the hash of all of the web certificates for each domain
|
||||
for (var i in obj.parent.config.domains) {
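Review bot: The two rewritten assignments make `obj.defaultWebCertificateHash` and `obj.defaultWebCertificateFullHash` null when `obj.certificates.webdefault` is absent, but nothing in this hunk shows how later consumers compare those values; a reader that does a Buffer or string comparison on them would throw, or could treat null as equal to another null and accept a certificate it should not. I would add on the first of the two lines `// null when no default web certificate is loaded; hash comparisons must treat null as "no match", never as a wildcard` and check the readers of both fields before merging. The line above still takes the agent certificate from `parent.certificates.agent.cert` while its neighbours use `obj.certificates`; presumably these are the same object, but that is worth confirming while this block is being touched. CreateWebServer starts before and continues after this hunk.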
|
||||
|
|