Fixes

certidude/api.py

@@ -235,7 +235,7 @@ class RequestListResource(CertificateAuthorityBase):
             url_template = os.getenv("CERTIDUDE_EVENT_SUBSCRIBE")
             if url_template:
                 # Redirect to nginx pub/sub
-                url = url_template % request.fingerprint()
+                url = url_template % dict(channel=request.fingerprint())
                 click.echo("Redirecting to: %s"  % url)
                 resp.status = falcon.HTTP_FOUND
                 resp.append_header("Location", url)

certidude/cli.py

@@ -15,6 +15,7 @@ import logging
 import signal
 import netifaces
 import urllib.request
+import subprocess
 from humanize import naturaltime
 from ipaddress import ip_network
 from time import sleep
@@ -320,11 +321,12 @@ def certidude_setup_client(quiet, **kwargs):
     type=click.File(mode="w", atomic=True, lazy=True),
     help="OpenVPN configuration file")
 @click.option("--directory", "-d", default="/etc/openvpn/keys", help="Directory for keys, /etc/openvpn/keys by default")
-@click.option("--key-path", "-k", default=HOSTNAME + ".key", help="Key path, %s.key relative to --directory by default" % HOSTNAME)
-@click.option("--request-path", "-r", default=HOSTNAME + ".csr", help="Request path, %s.csr relative to --directory by default" % HOSTNAME)
-@click.option("--certificate-path", "-c", default=HOSTNAME + ".crt", help="Certificate path, %s.crt relative to --directory by default" % HOSTNAME)
-@click.option("--authority-path", "-a", default="ca.crt", help="Certificate authority certificate path, ca.crt relative to --dir by default")
-def certidude_setup_openvpn_server(url, config, subnet, email_address, common_name, org_unit, directory, key_path, request_path, certificate_path, authority_path, local, proto, port):
+@click.option("--key-path", "-key", default=HOSTNAME + ".key", help="Key path, %s.key relative to --directory by default" % HOSTNAME)
+@click.option("--request-path", "-csr", default=HOSTNAME + ".csr", help="Request path, %s.csr relative to --directory by default" % HOSTNAME)
+@click.option("--certificate-path", "-crt", default=HOSTNAME + ".crt", help="Certificate path, %s.crt relative to --directory by default" % HOSTNAME)
+@click.option("--dhparam-path", "-dh", default="dhparam2048.pem", help="Diffie/Hellman parameters path, dhparam2048.pem relative to --directory by default")
+@click.option("--authority-path", "-ca", default="ca.crt", help="Certificate authority certificate path, ca.crt relative to --dir by default")
+def certidude_setup_openvpn_server(url, config, subnet, email_address, common_name, org_unit, directory, key_path, request_path, certificate_path, authority_path, dhparam_path, local, proto, port):
     # TODO: Intelligent way of getting last IP address in the subnet
     subnet_first = None
     subnet_last = None
@@ -345,6 +347,7 @@ def certidude_setup_openvpn_server(url, config, subnet, email_address, common_na
         certificate_path = os.path.join(directory, certificate_path)
         request_path = os.path.join(directory, request_path)
         authority_path = os.path.join(directory, authority_path)
+        dhparam_path = os.path.join(directory, dhparam_path)
 
     if not os.path.exists(certificate_path):
         click.echo("As OpenVPN server certificate needs specific key usage extensions please")
@@ -365,6 +368,10 @@ def certidude_setup_openvpn_server(url, config, subnet, email_address, common_na
         extended_key_usage="serverAuth",
         wait=True)
 
+    if not os.path.exists(dhparam_path):
+        cmd = "openssl", "dhparam", "-out", dhparam_path, "2048"
+        subprocess.check_call(cmd)
+
     if retval:
         return retval
 

certidude/signer.py

@@ -35,9 +35,12 @@ def raw_sign(private_key, ca_cert, request, basic_constraints, lifetime, key_usa
 
         cert = crypto.X509()
 
-
+        # Set public key
         cert.set_pubkey(request.get_pubkey())
 
+        # Set issuer
+        cert.set_issuer(ca_cert.get_subject())
+
         # TODO: Assert openssl.cnf policy for subject attributes
 #        if request.get_subject().O != ca_cert.get_subject().O:
 #            raise ValueError("Orgnization name mismatch!")

certidude/templates/client-to-site.ovpn

@@ -1,5 +1,6 @@
 client
 remote {{remote}}
+remote-cert-tls server
 proto {{proto}}
 dev tap0
 nobind

certidude/templates/site-to-client.ovpn

@@ -7,6 +7,7 @@ local {{local}}
 key {{key_path}}
 cert {{certificate_path}}
 ca {{authority_path}}
+dh {{dhparam_path}}
 comp-lzo
 user nobody
 group nogroup

certidude/wrappers.py

@@ -28,7 +28,7 @@ def notify(func):
         assert isinstance(cert, Certificate), "notify wrapped function %s returned %s" % (func, type(cert))
         url_template = os.getenv("CERTIDUDE_EVENT_PUBLISH")
         if url_template:
-            url = url_template % csr.fingerprint()
+            url = url_template % dict(channel=csr.fingerprint())
             notification = urllib.request.Request(url, cert.dump().encode("ascii"))
             notification.add_header("User-Agent", "Certidude API")
             notification.add_header("Content-Type", "application/x-x509-user-cert")

certidude/wsgi.py

@@ -1,5 +1,5 @@
 
-
+import os
 import falcon
 from certidude.wrappers import CertificateAuthorityConfig
 from certidude.api import CertificateAuthorityResource, \
@@ -13,6 +13,9 @@ from certidude.api import CertificateAuthorityResource, \
 
 config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")
 
+assert os.getenv("CERTIDUDE_EVENT_SUBSCRIBE"), "Please set CERTIDUDE_EVENT_SUBSCRIBE to your web server's subscribe URL"
+assert os.getenv("CERTIDUDE_EVENT_PUBLISH"), "Please set CERTIDUDE_EVENT_SUBSCRIBE to your web server's subscribe URL"
+
 app = falcon.API()
 app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
 app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))