
wazuh-certs-tool.sh support for multiple IPs in server nodes #1770

Merged
merged 7 commits into from
Sep 1, 2022

Conversation

miguelfdez99 (Contributor)

Related issue
closes #1573

Description

We could only have one IP per node; in order to allow multiple IPs I had to change the cert_parseYaml function. This function treated every server IP as if it were from the same node. Changing this function also meant changing the way the variables were generated. Once this was completed I made the changes necessary to allow the wazuh-certs-tool.sh script to create certificates with multiple IPs in a server node.

Logs example

Certificates generated with this config.yml file.

nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: google.com
      ip: 127.0.0.4
      ip: wazuh.com
      node_type: master
    - name: server2
      ip: 127.0.0.10
      ip: 127.0.0.11
      node_type: worker
    - name: server3
      ip: 192.168.1.1
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
root@ubuntu2004:/home/vagrant# ./wazuh-certs-tool.sh -A
05/08/2022 07:24:59 INFO: Admin certificates created.
05/08/2022 07:24:59 INFO: Wazuh indexer certificates created.
05/08/2022 07:24:59 INFO: Wazuh server certificates created.
05/08/2022 07:24:59 INFO: Wazuh dashboard certificates created.

root@ubuntu2004:/home/vagrant/wazuh-certificates# ls
admin-key.pem      indexer-key.pem  server2-key.pem  server-key.pem
admin.pem          indexer.pem      server2.pem      server.pem
dashboard-key.pem  root-ca.key      server3-key.pem
dashboard.pem      root-ca.pem      server3.pem
root@ubuntu2004:/home/vagrant/wazuh-certificates# openssl x509 -in server.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XX-XX-XX
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = Wazuh, O = Wazuh, L = California
        Validity
            Not Before: Aug  5 07:24:59 2022 GMT
            Not After : Aug  2 07:24:59 2032 GMT
        Subject: C = US, L = California, O = Wazuh, OU = Wazuh, CN = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:95:XX-XX-XX

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:127.0.0.1, IP Address:127.0.0.2, DNS:google.com, IP Address:127.0.0.4, DNS:wazuh.com
root@ubuntu2004:/home/vagrant/wazuh-certificates# openssl x509 -in server2.pem -noout -text

...
        Subject: C = US, L = California, O = Wazuh, OU = Wazuh, CN = server2
 ...
 X509v3 Subject Alternative Name: 
                IP Address:127.0.0.10, IP Address:127.0.0.11
root@ubuntu2004:/home/vagrant/wazuh-certificates# openssl x509 -in server3.pem -noout -text

...
        Issuer: OU = Wazuh, O = Wazuh, L = California
        Validity
            Not Before: Aug  5 07:24:59 2022 GMT
            Not After : Aug  2 07:24:59 2032 GMT
        Subject: C = US, L = California, O = Wazuh, OU = Wazuh, CN = server
...
X509v3 Subject Alternative Name: 
              IP Address:192.168.1.1
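The SAN-building step this PR describes, as an added example that is not code from the pull request or from wazuh-certs-tool.sh: it reads a config.yml in the PR's layout (one `ip:` line per address under a node), classifies each value as an IPv4 address or a DNS name, and emits the `[ alt_names ]` lines OpenSSL needs for the `subjectAltName` extension, refusing the whole node on any value that is neither. A certificate whose SAN omits one of a node's addresses fails hostname verification for that address, so an invalid entry should abort generation rather than be dropped. The function names, the temp-file config and the `999.0.0.1` entry are constructed for the example and are not part of the tool.

```shell
#!/bin/sh
# Added example, not code from the wazuh-certs-tool.sh pull request: build the
# [ alt_names ] section of an OpenSSL request config from the "ip:" values that
# the PR's config.yml layout lists under one node. Every value is classified as
# an IPv4 address or a DNS name; any other value aborts the node, so a typo can
# never silently drop an address from the certificate's SAN list.

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline, kept portable for sh

# is_ipv4 VALUE -> 0 if VALUE is a dotted quad whose four octets are all 0-255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                  # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_dns VALUE -> 0 if VALUE looks like a hostname: dot-separated labels of
# letters, digits and hyphens, no label starting or ending with a hyphen, and
# at least one letter overall (so a malformed address such as 999.0.0.1 is
# not mistaken for a name)
is_dns() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[A-Za-z]*) return 0 ;;
    esac
    return 1
}

# san_alt_names NODE VALUE... -> prints the alt_names block, one numbered
# IP.n / DNS.n line per value; returns 1 (after an error line on stderr) at
# the first value that is neither, so the caller can abort certificate creation
san_alt_names() {
    node=$1; shift
    ip_n=1; dns_n=1
    out='[ alt_names ]'
    for value in "$@"; do
        if is_ipv4 "$value"; then
            out="$out${NL}IP.$ip_n = $value"; ip_n=$((ip_n + 1))
        elif is_dns "$value"; then
            out="$out${NL}DNS.$dns_n = $value"; dns_n=$((dns_n + 1))
        else
            printf 'ERROR: node %s: invalid IP or DNS "%s"\n' "$node" "$value" >&2
            return 1
        fi
    done
    printf '%s\n' "$out"
}

# node_ips FILE SECTION NAME -> prints every "ip:" value listed under the
# "- name: NAME" entry of SECTION (indexer, server or dashboard) in a config.yml
# written in the PR's layout, where a node repeats the ip: key once per address
node_ips() {
    awk -v sec="$2" -v node="$3" '
        NF == 1 && $1 ~ /:$/        { section = substr($1, 1, length($1) - 1); current = ""; next }
        $1 == "-" && $2 == "name:"  { current = $3; next }
        $1 == "ip:" && section == sec && current == node { print $2 }
    ' "$1"
}

# Constructed config.yml in the PR's layout, written to a temp file so the
# example runs offline; the server2 entry 999.0.0.1 is a deliberate typo
CONFIG_FILE=$(mktemp)
trap 'rm -f "$CONFIG_FILE"' EXIT
cat > "$CONFIG_FILE" <<'EOF'
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: wazuh.com
      node_type: master
    - name: server2
      ip: 127.0.0.10
      ip: 999.0.0.1
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
EOF

# "server" yields IP.1, IP.2 and DNS.1; "server2" is rejected and would not get
# a certificate at all. The command substitutions are unquoted on purpose so
# each ip: value becomes one argument.
san_alt_names server  $(node_ips "$CONFIG_FILE" server server)
san_alt_names server2 $(node_ips "$CONFIG_FILE" server server2) \
    || echo "server2: aborting, fix config.yml before generating certificates" >&2
```

The emitted block is what `openssl req -config` reads when the request's `subjectAltName = @alt_names`; the numbering restarts per key type because OpenSSL only requires the `IP.n` / `DNS.n` keys to be unique within the section, not to share one counter, and the resulting SAN order follows the config lines, as in the PR's `server.pem` output.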

@miguelfdez99 miguelfdez99 changed the title wazuh-certs-tool.sh support for multiple IP in server nodes wazuh-certs-tool.sh support for multiple IPs in server nodes Aug 5, 2022
elif [ "${isDNS}" ]; then
printf '%s\n' " DNS.${j} = ${!i}" >> "${cert_tmp_path}/${1}.conf"
else
common_logger -e "Invalid IP or DNS ${!i}"
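Review bot: the `else` branch logs `Invalid IP or DNS ${!i}` but nothing in the visible lines stops the run afterwards, so a mistyped entry is reported while the remaining entries are still written to `${cert_tmp_path}/${1}.conf`, and the node ends up with a certificate whose SAN list silently lacks one address, which later fails hostname verification for that address. Follow the error with `return 1` (or `exit 1`) so certificate generation aborts on the invalid entry instead.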
Contributor

Why use 2 different messages for the same error?

Contributor Author

Done 4ea226d


if [ "${#@}" -gt 2 ]; then
sed -i '/IP.1/d' "${cert_tmp_path}/${1}.conf"
for (( i=2; i<=${#@}; i++ )); do
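Review bot: the pattern in `sed -i '/IP.1/d'` is unanchored and its `.` matches any character, so it deletes every line containing `IP`, one character and `1` (`IP.10`, `IP.11`, and so on), not only the template's `IP.1` line; it is correct today only because the file holds a single `IP.1` entry at this point. Anchoring it as `sed -i '/^ *IP\.1 *=/d'` makes the intent explicit and keeps it safe if the template ever gains more entries. Also, `${#@}` is an unusual spelling of `$#` for the argument count.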
Contributor

Couldn't you use this same loop for all cases instead of testing it separately when there is only one IP?

Contributor Author

Done 4ea226d

@@ -168,29 +188,122 @@ function cert_generateRootCAcertificate() {

}

function cert_parseYaml() {
function cert_parseYaml {
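Review bot: keep the `()` in the declaration (`function cert_parseYaml() {`), as the script's other functions use that form, and since the hunk header shows the parser growing from 29 to 122 lines, document the input format it now accepts: the config.yml in the description repeats the `ip:` key inside one node, which a standard YAML parser treats as a duplicate mapping key (an error, or last value wins), so only this script's line-oriented parser reads it as a list of addresses. Stating that in the tool's usage text or in the config.yml comments stops users from validating the file with a YAML linter and getting a contradictory result.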
DFolchA (Contributor) Aug 30, 2022

GJ, could you add the result of the new function when evaluating a config.yml?

Also, maintain the style of the script: function declarations must end with ().

Contributor Author

Done 4ea226d

miguelfdez99 (Contributor Author) commented Sep 1, 2022

TESTS

#1573 (comment)

@DFolchA DFolchA linked an issue Sep 1, 2022 that may be closed by this pull request
DFolchA (Contributor) left a comment

LGTM

Successfully merging this pull request may close these issues.

The wazuh-cert-tool does not admit multiple IPs