From 2c2ee90bf71cdccef8c932bc571829ea094ada0a Mon Sep 17 00:00:00 2001 From: Chalith Desaman Date: Thu, 5 Jan 2023 11:40:03 +0530 Subject: [PATCH] Tls certificate fix when updating evernode (#223) --- installer/jshelper/package-lock.json | 14 +++++++------- installer/jshelper/package.json | 2 +- installer/sashimono-install.sh | 28 +++++++++++++++++++--------- mb-xrpl/lib/appenv.js | 2 +- mb-xrpl/package-lock.json | 14 +++++++------- mb-xrpl/package.json | 2 +- src/version.hpp | 2 +- 7 files changed, 37 insertions(+), 27 deletions(-) diff --git a/installer/jshelper/package-lock.json b/installer/jshelper/package-lock.json index 0b5a10f..8ba8ad2 100644 --- a/installer/jshelper/package-lock.json +++ b/installer/jshelper/package-lock.json @@ -6,7 +6,7 @@ "": { "name": "evernode-setup-helper", "dependencies": { - "evernode-js-client": "0.5.12" + "evernode-js-client": "0.5.14" } }, "node_modules/@types/node": { @@ -270,9 +270,9 @@ "integrity": "sha512-MEl9uirslVwqQU369iHNWZXsI8yaZYGg/D65aOgZkeyFJwHYSxilf7rQzXKI7DdDuBPrBXbfk3sl9hJhmd5AUw==" }, "node_modules/evernode-js-client": { - "version": "0.5.12", - "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.12.tgz", - "integrity": "sha512-9PfJBy9Su2+cG7qt9BXUnI1v6/rZ07wwc1KkGi0Ov/5cZ2tlkpqXXtdROF2JFmmWi8kOkR8Zbi60qBdrVOepLA==", + "version": "0.5.14", + "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.14.tgz", + "integrity": "sha512-VH/Pu9kELIXJ4vhtOIZGgcljsE+In4JpXsnuj89Rw7kt4vYRGOQWEJHxxmvGQQsfD9/pHPQFt6XR0gpnVoRi+A==", "dependencies": { "elliptic": "6.5.4", "libsodium-wrappers": "0.7.10", 
@@ -1109,9 +1109,9 @@ "integrity": "sha512-MEl9uirslVwqQU369iHNWZXsI8yaZYGg/D65aOgZkeyFJwHYSxilf7rQzXKI7DdDuBPrBXbfk3sl9hJhmd5AUw==" }, "evernode-js-client": { - "version": "0.5.12", - "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.12.tgz", - "integrity": "sha512-9PfJBy9Su2+cG7qt9BXUnI1v6/rZ07wwc1KkGi0Ov/5cZ2tlkpqXXtdROF2JFmmWi8kOkR8Zbi60qBdrVOepLA==", + "version": "0.5.14", + "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.14.tgz", + "integrity": "sha512-VH/Pu9kELIXJ4vhtOIZGgcljsE+In4JpXsnuj89Rw7kt4vYRGOQWEJHxxmvGQQsfD9/pHPQFt6XR0gpnVoRi+A==", "requires": { "elliptic": "6.5.4", "libsodium-wrappers": "0.7.10", diff --git a/installer/jshelper/package.json b/installer/jshelper/package.json index d477eb2..88662be 100644 --- a/installer/jshelper/package.json +++ b/installer/jshelper/package.json @@ -4,6 +4,6 @@ "build": "ncc build index.js --minify -o dist" }, "dependencies": { - "evernode-js-client": "0.5.12" + "evernode-js-client": "0.5.14" } } diff --git a/installer/sashimono-install.sh b/installer/sashimono-install.sh index 1977281..4636df3 100755 --- a/installer/sashimono-install.sh +++ b/installer/sashimono-install.sh @@ -25,7 +25,6 @@ description=${18} script_dir=$(dirname "$(realpath "$0")") - function stage() { echo "STAGE $1" # This is picked up by the setup console output filter. } @@ -113,7 +112,7 @@ function setup_certbot() { # We need to place our script in certbook deploy hooks dir. local deploy_hooks_dir="/etc/letsencrypt/renewal-hooks/deploy" ! [ -d $deploy_hooks_dir ] && echo "$deploy_hooks_dir not found" && return 1 - + # Setup deploy hook (update contract certs on certbot SSL auto-renewal) local deploy_hook="/etc/letsencrypt/renewal-hooks/deploy/sashimono-$inetaddr.sh" echo "Setting up certbot deploy hook $deploy_hook" 
@@ -128,26 +127,26 @@ certname=\$(basename \$RENEWED_LINEAGE) function setup_tls_certs() { mkdir -p $SASHIMONO_DATA/tls - if [ "$tls_key_file" == "letsencrypt" ] ; then + if [ "$tls_key_file" == "letsencrypt" ]; then ! setup_certbot && echo "Error when setting up letsencrypt SSL certificate." && rollback - elif [ "$tls_key_file" == "self" ] ; then + elif [ "$tls_key_file" == "self" ]; then # If user has not provided certs we generate self-signed ones. stage "Generating self-signed certificates" ! openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout $SASHIMONO_DATA/contract_template/cfg/tlskey.pem \ - -out $SASHIMONO_DATA/contract_template/cfg/tlscert.pem -subj "/C=$countrycode/CN=$inetaddr" && \ + -out $SASHIMONO_DATA/contract_template/cfg/tlscert.pem -subj "/C=$countrycode/CN=$inetaddr" && echo "Error when generating self-signed certificate." && rollback - elif [ -f "$tls_key_file" ] && [ -f "$tls_cert_file" ] ; then + elif [ -f "$tls_key_file" ] && [ -f "$tls_cert_file" ]; then stage "Transfering certificate files" cp $tls_key_file $SASHIMONO_DATA/contract_template/cfg/tlskey.pem cp $tls_cert_file $SASHIMONO_DATA/contract_template/cfg/tlscert.pem # ca bundle is optional. - [ "$tls_cabundle_file" != "-" ] && [ -f "$tls_cabundle_file" ] && \ - cat $tls_cabundle_file >> $SASHIMONO_DATA/contract_template/cfg/tlscert.pem + [ "$tls_cabundle_file" != "-" ] && [ -f "$tls_cabundle_file" ] && + cat $tls_cabundle_file >>$SASHIMONO_DATA/contract_template/cfg/tlscert.pem else echo "Error when setting up SSL certificate." && rollback 
@@ -172,11 +171,22 @@ chmod +x $SASHIMONO_BIN/sashimono-uninstall.sh ! set_cpu_info && echo "Fetching CPU info failed" && rollback # Copy contract template and licence file (delete existing) +# Backup the ssl cert files if exists +tmp=$(mktemp -d) +cp $SASHIMONO_DATA/contract_template/cfg/{tlskey.pem,tlscert.pem} "$tmp"/ rm -r "$SASHIMONO_DATA"/{contract_template,licence.txt} >/dev/null 2>&1 cp -r "$script_dir"/{contract_template,licence.txt} $SASHIMONO_DATA +cp "$tmp"/{tlskey.pem,tlscert.pem} $SASHIMONO_DATA/contract_template/cfg/ +rm -r "$tmp" + +# Create self signed tls certs on update if not exists +# This is added to auto fix the hosts which got their ssl certificates removed in v0.5.20 +[ "$UPGRADE" != "0" ] && ( [ ! -f "$SASHIMONO_DATA/contract_template/cfg/tlskey.pem" ] || [ ! -f "$SASHIMONO_DATA/contract_template/cfg/tlscert.pem" ] ) && + openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout $SASHIMONO_DATA/contract_template/cfg/tlskey.pem \ + -out $SASHIMONO_DATA/contract_template/cfg/tlscert.pem -subj "/C=HP/CN=$(jq -r '.hp.host_address' $SASHIMONO_DATA/sa.cfg)" # Setup tls certs used for contract instance websockets. -setup_tls_certs +[ "$UPGRADE" == "0" ] && setup_tls_certs # Install Sashimono agent binaries into sashimono bin dir. cp "$script_dir"/{sagent,hpfs,user-cgcreate.sh,user-install.sh,user-uninstall.sh,docker-registry-uninstall.sh} $SASHIMONO_BIN diff --git a/mb-xrpl/lib/appenv.js b/mb-xrpl/lib/appenv.js index 476a97d..1c4caa1 100644 --- a/mb-xrpl/lib/appenv.js +++ b/mb-xrpl/lib/appenv.js @@ -27,7 +27,7 @@ appenv = { ORPHAN_PRUNE_SCHEDULER_INTERVAL_HOURS: 4, EXPIRE_INSTANCES_SCHEDULER_INTERVAL_SECONDS: 2, SASHI_CLI_PATH: appenv.IS_DEV_MODE ? "../build/sashi" : "/usr/bin/sashi", - MB_VERSION: '0.5.20', + MB_VERSION: '0.5.21', TOS_HASH: '757A0237B44D8B2BBB04AE2BAD5813858E0AECD2F0B217075E27E0630BA74314' // This is the sha256 hash of TOS text. } Object.freeze(appenv); 
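Review bot: The backup and restore of `tlskey.pem`/`tlscert.pem` around the `rm -r` in the `sashimono-install.sh` hunk are unchecked, so if the first `cp` fails for any reason other than the files being absent, the host's only copy of its key and certificate is deleted and the upgrade branch then silently replaces it with a self-signed one. The copied private key also stays in `$tmp` if the script stops before `rm -r "$tmp"`. The fallback `openssl req` has no error path like the one in `setup_tls_certs`, and `jq -r` prints `null` when `.hp.host_address` is missing, which would become the certificate CN. I would guard both copies on the files existing, fail through `rollback` as the neighbouring lines do, and validate the host address before building the subject. `rollback` is defined outside this hunk, so whether it should also clean up `$tmp` needs confirming there.
```shell
# Backup the ssl cert files if exists
cfg_dir="$SASHIMONO_DATA/contract_template/cfg"
tmp=$(mktemp -d)
has_certs=0
if [ -f "$cfg_dir/tlskey.pem" ] && [ -f "$cfg_dir/tlscert.pem" ]; then
    # -p keeps the key's mode and ownership across the round trip.
    ! cp -p "$cfg_dir"/{tlskey.pem,tlscert.pem} "$tmp"/ && rm -r "$tmp" &&
        echo "Backing up tls certificates failed" && rollback
    has_certs=1
fi
# … unchanged: rm -r and cp -r of contract_template and licence.txt …
if [ "$has_certs" == "1" ]; then
    # Keep the backup on failure: at this point it is the only copy of the key.
    ! cp -p "$tmp"/{tlskey.pem,tlscert.pem} "$cfg_dir"/ &&
        echo "Restoring tls certificates failed, backup kept in $tmp" && rollback
fi
rm -r "$tmp"

# Create self signed tls certs on update if not exists
if [ "$UPGRADE" != "0" ] && { [ ! -f "$cfg_dir/tlskey.pem" ] || [ ! -f "$cfg_dir/tlscert.pem" ]; }; then
    host_addr=$(jq -r '.hp.host_address // empty' "$SASHIMONO_DATA/sa.cfg")
    [ -z "$host_addr" ] && echo "Host address not found in sa.cfg" && rollback
    ! openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout "$cfg_dir/tlskey.pem" \
        -out "$cfg_dir/tlscert.pem" -subj "/C=HP/CN=$host_addr" &&
        echo "Error when generating self-signed certificate." && rollback
fi
```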
diff --git a/mb-xrpl/package-lock.json b/mb-xrpl/package-lock.json index 849ea75..17d219d 100644 --- a/mb-xrpl/package-lock.json +++ b/mb-xrpl/package-lock.json @@ -6,7 +6,7 @@ "": { "name": "mb-xrpl", "dependencies": { - "evernode-js-client": "0.5.12", + "evernode-js-client": "0.5.14", "sqlite3": "5.0.2" }, "devDependencies": { @@ -937,9 +937,9 @@ } }, "node_modules/evernode-js-client": { - "version": "0.5.12", - "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.12.tgz", - "integrity": "sha512-9PfJBy9Su2+cG7qt9BXUnI1v6/rZ07wwc1KkGi0Ov/5cZ2tlkpqXXtdROF2JFmmWi8kOkR8Zbi60qBdrVOepLA==", + "version": "0.5.14", + "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.14.tgz", + "integrity": "sha512-VH/Pu9kELIXJ4vhtOIZGgcljsE+In4JpXsnuj89Rw7kt4vYRGOQWEJHxxmvGQQsfD9/pHPQFt6XR0gpnVoRi+A==", "dependencies": { "elliptic": "6.5.4", "libsodium-wrappers": "0.7.10", @@ -3931,9 +3931,9 @@ "dev": true }, "evernode-js-client": { - "version": "0.5.12", - "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.12.tgz", - "integrity": "sha512-9PfJBy9Su2+cG7qt9BXUnI1v6/rZ07wwc1KkGi0Ov/5cZ2tlkpqXXtdROF2JFmmWi8kOkR8Zbi60qBdrVOepLA==", + "version": "0.5.14", + "resolved": "https://registry.npmjs.org/evernode-js-client/-/evernode-js-client-0.5.14.tgz", + "integrity": "sha512-VH/Pu9kELIXJ4vhtOIZGgcljsE+In4JpXsnuj89Rw7kt4vYRGOQWEJHxxmvGQQsfD9/pHPQFt6XR0gpnVoRi+A==", "requires": { "elliptic": "6.5.4", "libsodium-wrappers": "0.7.10", diff --git a/mb-xrpl/package.json b/mb-xrpl/package.json index 7c5aa9e..0ed9c2b 100644 --- a/mb-xrpl/package.json +++ b/mb-xrpl/package.json @@ -5,7 +5,7 @@ "build": "npm run lint && ncc build app.js --minify -o dist" }, "dependencies": { - "evernode-js-client": "0.5.12", + "evernode-js-client": "0.5.14", "sqlite3": "5.0.2" }, "devDependencies": { diff --git a/src/version.hpp b/src/version.hpp index 9c68f80..fe418ad 100644 --- a/src/version.hpp +++ b/src/version.hpp 
@@ -6,7 +6,7 @@ namespace version { // Sashimono agent version. Written to new configs. - constexpr const char *AGENT_VERSION = "0.5.20"; + constexpr const char *AGENT_VERSION = "0.5.21"; // Minimum compatible config version (this will be used to validate configs). constexpr const char *MIN_CONFIG_VERSION = "0.5.0";