
Fixed strongswan server setup helper

This commit is contained in:
Lauri Võsandi 2015-10-16 18:44:42 +03:00
parent 34823d6739
commit fcb770aa7c


@ -17,7 +17,7 @@ from certidude.signer import SignServer
from certidude.wrappers import CertificateAuthorityConfig, subject2dn from certidude.wrappers import CertificateAuthorityConfig, subject2dn
from datetime import datetime from datetime import datetime
from humanize import naturaltime from humanize import naturaltime
from ipaddress import ip_network from ipaddress import ip_network, ip_address
from jinja2 import Environment, PackageLoader from jinja2 import Environment, PackageLoader
from time import sleep from time import sleep
from setproctitle import setproctitle from setproctitle import setproctitle
@ -293,7 +293,7 @@ def certidude_setup_openvpn_client(url, config, email_address, common_name, org_
@click.option("--fqdn", "-f", default=HOSTNAME, help="Fully qualified hostname, %s by default" % HOSTNAME) @click.option("--fqdn", "-f", default=HOSTNAME, help="Fully qualified hostname, %s by default" % HOSTNAME)
@click.option("--email-address", "-m", default=EMAIL, help="E-mail associated with the request, %s by default" % EMAIL) @click.option("--email-address", "-m", default=EMAIL, help="E-mail associated with the request, %s by default" % EMAIL)
@click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="IPsec virtual subnet, 192.168.33.0/24 by default") @click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="IPsec virtual subnet, 192.168.33.0/24 by default")
@click.option("--local", "-l", default="127.0.0.1", help="IPsec gateway address, defaults to 127.0.0.1") @click.option("--local", "-l", default="127.0.0.1", type=ip_address, help="IPsec gateway address, defaults to 127.0.0.1")
@click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed") @click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
@click.option("--config", "-o", @click.option("--config", "-o",
default="/etc/ipsec.conf", default="/etc/ipsec.conf",
@ -309,7 +309,7 @@ def certidude_setup_openvpn_client(url, config, email_address, common_name, org_
@click.option("--certificate-path", "-crt", default="certs/%s.pem" % HOSTNAME, help="Certificate path, certs/%s.pem by default" % HOSTNAME) @click.option("--certificate-path", "-crt", default="certs/%s.pem" % HOSTNAME, help="Certificate path, certs/%s.pem by default" % HOSTNAME)
@click.option("--authority-path", "-ca", default="cacerts/ca.pem", help="Certificate authority certificate path, cacerts/ca.pem by default") @click.option("--authority-path", "-ca", default="cacerts/ca.pem", help="Certificate authority certificate path, cacerts/ca.pem by default")
@expand_paths() @expand_paths()
def certidude_setup_strongswan_server(url, config, secrets, subnet, route, email_address, common_name, org_unit, directory, key_path, request_path, certificate_path, authority_path, local, ip_address, fqdn): def certidude_setup_strongswan_server(url, config, secrets, subnet, route, email_address, common_name, org_unit, directory, key_path, request_path, certificate_path, authority_path, local, fqdn):
config.write(env.get_template("strongswan-site-to-client.conf").render(locals())) config.write(env.get_template("strongswan-site-to-client.conf").render(locals()))
@ -329,8 +329,8 @@ def certidude_setup_strongswan_server(url, config, secrets, subnet, route, email
org_unit, org_unit,
email_address, email_address,
key_usage="nonRepudiation,digitalSignature,keyEncipherment", key_usage="nonRepudiation,digitalSignature,keyEncipherment",
extended_key_usage="serverAuth,ikeIntermediate", extended_key_usage="serverAuth",
ipv4_address=None if local.is_private else local, ip_address=None if local.is_private else local,
dns=None if local.is_private or "." not in fdqn else fdqn, dns=None if local.is_private or "." not in fdqn else fdqn,
wait=True) wait=True)
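Review bot: The `dns=` argument in the last hunk references `fdqn`, but the parameter declared on the signature of certidude_setup_strongswan_server is `fqdn`, so this line raises NameError whenever the request is built; it should read `dns=None if local.is_private or "." not in fqdn else fqdn,`. The call this argument belongs to, and the function body, start outside the hunk. The signature now drops the `ip_address` parameter, presumably so it no longer shadows the `ip_address` imported from `ipaddress` in the first hunk; if a matching `--ip-address` click option still exists above the visible decorators, click would pass an unexpected keyword, so that option should be confirmed removed as well (not visible from here).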