net/ plumbing to manage LetsEncrypt TLS certificates (#4985)

automerge
This commit is contained in:
Michael Vines
2019-07-09 15:45:46 -07:00
committed by Grimes
parent f777a1a74c
commit 0a949677f0
8 changed files with 138 additions and 11 deletions

View File

@@ -25,6 +25,7 @@ entrypointIp=
publicNetwork=
netBasename=
sshPrivateKey=
letsEncryptDomainName=
externalNodeSshKey=
sshOptions=()
fullnodeIpList=()

View File

@@ -67,6 +67,7 @@ externalNodes=false
failOnValidatorBootupFailure=true
publicNetwork=false
letsEncryptDomainName=
enableGpu=false
customAddress=
zones=()
@@ -122,6 +123,9 @@ Manage testnet instances
* For EC2, [address] is the "allocation ID" of the desired
Elastic IP.
-d [disk-type] - Specify a boot disk type (default None) Use pd-ssd to get ssd on GCE.
--letsencrypt [dns name] - Attempt to generate a TLS certificate using this
DNS name (useful only when the -a and -P options
are also provided)
config-specific options:
-P - Use public network IP addresses (default: $publicNetwork)
@@ -136,14 +140,28 @@ EOF
exit $exitcode
}
command=$1
[[ -n $command ]] || usage
shift
[[ $command = create || $command = config || $command = info || $command = delete ]] ||
usage "Invalid command: $command"
while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
shortArgs=()
while [[ -n $1 ]]; do
if [[ ${1:0:2} = -- ]]; then
if [[ $1 = --letsencrypt ]]; then
letsEncryptDomainName="$2"
shift 2
else
usage "Unknown long option: $1"
fi
else
shortArgs+=("$1")
shift
fi
done
while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt "${shortArgs[@]}"; do
case $opt in
h | \?)
usage
@@ -199,7 +217,6 @@ while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
;;
esac
done
shift $((OPTIND - 1))
[[ ${#zones[@]} -gt 0 ]] || zones+=("$(cloud_DefaultZone)")
@@ -328,6 +345,7 @@ prepareInstancesAndWriteConfigFile() {
netBasename=$prefix
publicNetwork=$publicNetwork
sshPrivateKey=$sshPrivateKey
letsEncryptDomainName=$letsEncryptDomainName
EOF
fi
touch "$geoipConfigFile"
@@ -598,6 +616,7 @@ $(
disable-background-upgrades.sh \
create-solana-user.sh \
add-solana-user-authorized_keys.sh \
install-certbot.sh \
install-earlyoom.sh \
install-libssl-compatability.sh \
install-nodejs.sh \

View File

@@ -372,6 +372,23 @@ startNode() {
(
set -x
startCommon "$ipAddress"
if [[ $nodeType = blockstreamer ]] && [[ -n $letsEncryptDomainName ]]; then
#
# Create/renew TLS certificate
#
declare localArchive=~/letsencrypt-"$letsEncryptDomainName".tgz
if [[ -r "$localArchive" ]]; then
timeout 30s scp "${sshOptions[@]}" "$localArchive" "$ipAddress:letsencrypt.tgz"
fi
ssh "${sshOptions[@]}" -n "$ipAddress" \
"sudo -H /certbot-restore.sh $letsEncryptDomainName maintainers@solana.com"
rm -f letsencrypt.tgz
timeout 30s scp "${sshOptions[@]}" "$ipAddress:/letsencrypt.tgz" letsencrypt.tgz
test -s letsencrypt.tgz # Ensure non-empty before overwriting $localArchive
cp letsencrypt.tgz "$localArchive"
fi
ssh "${sshOptions[@]}" -n "$ipAddress" \
"./solana/net/remote/remote-node.sh \
$deployMethod \

View File

@@ -223,6 +223,13 @@ local|tar)
if [[ -z $stakeNodesInGenesisBlock ]]; then
./multinode-demo/drone.sh > drone.log 2>&1 &
fi
# Grab the TLS cert generated by /certbot-restore.sh
if [[ -f /.cert.pem ]]; then
sudo install -o $UID -m 400 /.cert.pem /.key.pem .
ls -l .cert.pem .key.pem
fi
export BLOCKEXPLORER_GEOIP_WHITELIST=$PWD/net/config/geoip.yml
npm install @solana/blockexplorer@1
npx solana-blockexplorer > blockexplorer.log 2>&1 &

View File

@@ -81,7 +81,7 @@
"FromPort": 3001,
"IpRanges": [
{
"Description": "blockexplorer API port",
"Description": "blockexplorer http API port",
"CidrIp": "0.0.0.0/0"
}
],
@@ -91,7 +91,26 @@
"Ipv6Ranges": [
{
"CidrIpv6": "::/0",
"Description": "blockexplorer API port"
"Description": "blockexplorer http API port"
}
]
},
{
"PrefixListIds": [],
"FromPort": 3443,
"IpRanges": [
{
"Description": "blockexplorer https API port",
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 3443,
"IpProtocol": "tcp",
"UserIdGroupPairs": [],
"Ipv6Ranges": [
{
"CidrIpv6": "::/0",
"Description": "blockexplorer https API port"
}
]
},

51
net/scripts/install-certbot.sh Executable file
View File

@@ -0,0 +1,51 @@
#!/usr/bin/env bash
set -ex
[[ $(uname) = Linux ]] || exit 1
[[ $USER = root ]] || exit 1
add-apt-repository --yes ppa:certbot/certbot
apt-get --assume-yes install certbot
cat > /certbot-restore.sh <<'EOF'
#!/usr/bin/env bash
set -e
domain=$1
email=$2
if [[ $USER != root ]]; then
echo "Run as root"
exit 1
fi
if [[ -f /.cert.pem ]]; then
echo "Certificate already initialized"
exit 0
fi
set -x
if [[ -r letsencrypt.tgz ]]; then
tar -C / -zxf letsencrypt.tgz
fi
cd /
rm -f letsencrypt.tgz
maybeDryRun=
# Uncomment during testing to avoid hitting LetsEncrypt API limits while iterating
#maybeDryRun="--dry-run"
certbot certonly --standalone -d "$domain" --email "$email" --agree-tos -n $maybeDryRun
tar zcf letsencrypt.tgz /etc/letsencrypt
ls -l letsencrypt.tgz
# Copy certificates to / for easy access without knowing the value of "$domain"
rm -f /.key.pem /.cert.pem
cp /etc/letsencrypt/live/$domain/privkey.pem /.key.pem
cp /etc/letsencrypt/live/$domain/cert.pem /.cert.pem
EOF
chmod +x /certbot-restore.sh