diff --git a/main.go b/main.go
index f70a9ded..cc303277 100644
--- a/main.go
+++ b/main.go
@@ -3,9 +3,6 @@ package main
 import (
 	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"errors"
 	"flag"
 	"fmt"
 	"os"
@@ -14,7 +11,6 @@ import (
 	"strconv"
 	"sync"
 	"syscall"
-	"time"
 
 	"github.com/gravitl/netmaker/auth"
 	"github.com/gravitl/netmaker/config"
@@ -29,7 +25,6 @@ import (
 	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/servercfg"
 	"github.com/gravitl/netmaker/serverctl"
-	"github.com/gravitl/netmaker/tls"
 )
 
 var version = "dev"
@@ -208,142 +203,3 @@ func setGarbageCollection() {
 		debug.SetGCPercent(ncutils.DEFAULT_GC_PERCENT)
 	}
 }
-
-func genCerts() error {
-	logger.Log(0, "checking keys and certificates")
-	var private *ed25519.PrivateKey
-	var err error
-
-	// == ROOT key handling ==
-
-	private, err = serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME)
-	if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) {
-		logger.Log(0, "generating new root key")
-		_, newKey, err := ed25519.GenerateKey(rand.Reader)
-		if err != nil {
-			return err
-		}
-		private = &newKey
-	} else if err != nil {
-		return err
-	}
-	logger.Log(2, "saving root.key")
-	if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, *private); err != nil {
-		return err
-	}
-
-	// == ROOT cert handling ==
-
-	ca, err := serverctl.ReadCertFromDB(tls.ROOT_PEM_NAME)
-	//if cert doesn't exist or will expire within 10 days --- but can't do this as clients won't be able to connect
-	//if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
-	if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || ca.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
-		logger.Log(0, "generating new root CA")
-		caName := tls.NewName("CA Root", "US", "Gravitl")
-		csr, err := tls.NewCSR(*private, caName)
-		if err != nil {
-			return err
-		}
-		rootCA, err := tls.SelfSignedCA(*private, csr, tls.CERTIFICATE_VALIDITY)
-		if err != nil {
-			return err
-		}
-		ca = rootCA
-	} else if err != nil {
-		return err
-	}
-	logger.Log(2, "saving root.pem")
-	if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, ca); err != nil {
-		return err
-	}
-
-	// == SERVER cert handling ==
-
-	cert, err := serverctl.ReadCertFromDB(tls.SERVER_PEM_NAME)
-	if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
-		//gen new key
-		logger.Log(0, "generating new server key/certificate")
-		_, key, err := ed25519.GenerateKey(rand.Reader)
-		if err != nil {
-			return err
-		}
-		serverName := tls.NewCName(servercfg.GetServer())
-		csr, err := tls.NewCSR(key, serverName)
-		if err != nil {
-			return err
-		}
-		newCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
-		if err != nil {
-			return err
-		}
-		if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, key); err != nil {
-			return err
-		}
-		cert = newCert
-	} else if err != nil {
-		return err
-	} else if err == nil {
-		if serverKey, err := serverctl.ReadKeyFromDB(tls.SERVER_KEY_NAME); err == nil {
-			logger.Log(2, "saving server.key")
-			if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, *serverKey); err != nil {
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-	logger.Log(2, "saving server.pem")
-	if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
-		return err
-	}
-
-	// == SERVER-CLIENT connection cert handling ==
-
-	serverClientCert, err := serverctl.ReadCertFromDB(tls.SERVER_CLIENT_PEM)
-	if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || serverClientCert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
-		//gen new key
-		logger.Log(0, "generating new server client key/certificate")
-		_, key, err := ed25519.GenerateKey(rand.Reader)
-		if err != nil {
-			return err
-		}
-		serverName := tls.NewCName(tls.SERVER_CLIENT_ENTRY)
-		csr, err := tls.NewCSR(key, serverName)
-		if err != nil {
-			return err
-		}
-		newServerClientCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
-		if err != nil {
-			return err
-		}
-
-		if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, key); err != nil {
-			return err
-		}
-		serverClientCert = newServerClientCert
-	} else if err != nil {
-		return err
-	} else if err == nil {
-		logger.Log(2, "saving serverclient.key")
-		if serverClientKey, err := serverctl.ReadKeyFromDB(tls.SERVER_CLIENT_KEY); err == nil {
-			if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, *serverClientKey); err != nil {
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-
-	logger.Log(2, "saving serverclient.pem")
-	if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
-		return err
-	}
-
-	logger.Log(1, "ensure the root.pem, root.key, server.pem, and server.key files are updated on your broker")
-
-	return serverctl.SetClientTLSConf(
-		functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_PEM,
-		functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_KEY,
-		ca,
-	)
-}