reverseproxy: rework cert logic
9c8f78a059 already fixed many of the cert issues.
However, some issues were caught in the CI:
* The TLS addon has to be rebuilt and not just restarted. For this reason, we now
move things to a directory instead of mounting files. This way the container is just restarted.
* Cleanups must be driven by the database and not the filesystem. If files are deleted on disk, or after a restore,
the certs are otherwise left dangling forever in the db.
* Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want.
This commit is contained in:
@@ -14,10 +14,7 @@ const assert = require('assert'),
|
||||
BoxError = require('./boxerror.js'),
|
||||
constants = require('./constants.js'),
|
||||
debug = require('debug')('box:directoryserver'),
|
||||
dns = require('./dns.js'),
|
||||
domains = require('./domains.js'),
|
||||
eventlog = require('./eventlog.js'),
|
||||
fs = require('fs'),
|
||||
groups = require('./groups.js'),
|
||||
ldap = require('ldapjs'),
|
||||
path = require('path'),
|
||||
@@ -31,7 +28,7 @@ const assert = require('assert'),
|
||||
util = require('util'),
|
||||
validator = require('validator');
|
||||
|
||||
let gServer = null;
|
||||
let gServer = null, gCertificate = null;
|
||||
|
||||
const NOOP = function () {};
|
||||
|
||||
@@ -298,7 +295,6 @@ async function userAuth(req, res, next) {
|
||||
next();
|
||||
}
|
||||
|
||||
// FIXME this needs to be restarted if settings changes or dashboard cert got renewed
|
||||
async function start() {
|
||||
if (gServer) return; // already running
|
||||
|
||||
@@ -311,13 +307,11 @@ async function start() {
|
||||
fatal: debug
|
||||
};
|
||||
|
||||
const domainObject = await domains.get(settings.dashboardDomain());
|
||||
const dashboardFqdn = dns.fqdn(constants.DASHBOARD_SUBDOMAIN, settings.dashboardDomain());
|
||||
const certificatePath = await reverseProxy.getCertificatePath(dashboardFqdn, domainObject.domain);
|
||||
gCertificate = await reverseProxy.getDirectoryServerCertificate();
|
||||
|
||||
gServer = ldap.createServer({
|
||||
certificate: fs.readFileSync(certificatePath.certFilePath, 'utf8'),
|
||||
key: fs.readFileSync(certificatePath.keyFilePath, 'utf8'),
|
||||
certificate: gCertificate.cert,
|
||||
key: gCertificate.key,
|
||||
log: logger
|
||||
});
|
||||
|
||||
@@ -373,6 +367,13 @@ async function stop() {
|
||||
}
|
||||
|
||||
async function handleCertChanged() {
|
||||
const certificate = await reverseProxy.getDirectoryServerCertificate();
|
||||
if (certificate.cert.equals(gCertificate.cert)) {
|
||||
debug('handleCertChanged: certificate has not changed');
|
||||
return;
|
||||
}
|
||||
|
||||
debug('handleCertChanged: certificate changed. restarting');
|
||||
await stop();
|
||||
await start();
|
||||
}
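Review bot: `gCertificate.cert` in the comparison dereferences `gCertificate`, which is initialized to `null` and only assigned inside `start()`, so a cert-change notification arriving before the server has started (or after `stop()`, if stop clears the globals — its body is outside the hunk) throws a TypeError instead of being a no-op. A guard at the top of `handleCertChanged()` would make that case explicit: `if (!gServer || !gCertificate) { debug('handleCertChanged: server not running'); return; }`. The comparison also relies on `cert` being a Buffer (`.equals`); if `getDirectoryServerCertificate()` can return strings this throws as well, and comparing the key too (`&& certificate.key.equals(gCertificate.key)`) would also catch a key-only rotation. Since this function now covers the renewal case, the `// FIXME this needs to be restarted if settings changes or dashboard cert got renewed` context line in the earlier hunk could be trimmed to the settings-change case.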
|
||||
|
||||