Added 'keepcerts' option to force keeping HTTPS/MPS cert.

Ylian Saint-Hilaire 2022-08-26 15:43:12 -07:00
parent 15ee1feca5
commit f7dc1d749b
3 changed files with 17 additions and 12 deletions


@ -742,12 +742,15 @@ module.exports.CertificateOperations = function (parent) {
// Return true if the name is found in the certificates names, we support wildcard certificates
obj.compareCertificateNames = function(certNames, name) {
if (certNames == null) return false;
if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
for (var i in certNames) {
if ((certNames[i].startsWith('*.') == true) && (name.endsWith(certNames[i].substring(1)) == true)) { return true; }
if (certNames[i].startsWith('http://*.') == true) {
if (name.endsWith(certNames[i].substring(8)) == true) { return true; }
if ((certNames[i].endsWith('/') == true) && (name.endsWith(certNames[i].substring(8, certNames[i].length - 1)) == true)) { return true; }
name = name.toLowerCase();
var xcertNames = [];
for (var i in certNames) { xcertNames.push(certNames[i].toLowerCase()); }
if (xcertNames.indexOf(name) >= 0) return true;
for (var i in xcertNames) {
if ((xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)) { return true; }
if (xcertNames[i].startsWith('http://*.') == true) {
if (name.endsWith(xcertNames[i].substring(8)) == true) { return true; }
if ((xcertNames[i].endsWith('/') == true) && (name.endsWith(xcertNames[i].substring(8, xcertNames[i].length - 1)) == true)) { return true; }
}
}
return false;
@ -992,12 +995,13 @@ module.exports.CertificateOperations = function (parent) {
if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
// Check if we have correct certificates.
if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } else { r.CommonName = commonName; }
if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { console.log("Error: " + commonName + " does not match name in TLS certificate: " + r.CommonNames.join(', ')); forceWebCertGen = 1; } else { r.CommonName = commonName; }
if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }
// If the certificates matches what we want, use them.
if ((forceWebCertGen == 0) && (forceMpsCertGen == 0)) {
if (func !== undefined) { func(r); }
if (func !== null) { func(r); }
return r;
}
}
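Review bot: The keepcerts override on the line `if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }` runs after the mismatch has already been logged as "Error: ... does not match name in TLS certificate", so an operator who set the option on purpose still sees an error, and r.CommonName is then set to a name that compareCertificateNames just reported the certificate does not carry, which later code reading r.CommonName may take as a name the certificate actually covers. I would replace that line with `if (args.keepcerts == true) { if ((forceWebCertGen == 1) || (forceMpsCertGen == 1)) { console.log("Warning: keepCerts is set, keeping the existing HTTPS/MPS certificates despite the name mismatch."); } forceWebCertGen = 0; forceMpsCertGen = 0; r.CommonName = commonName; }` so the override is visible in the log at the point it happens. Note also that the schema in the second file declares the key as `keepCerts` while this code reads `args.keepcerts`; that presumably relies on the config loader lowercasing keys as it does for the other settings, and a short comment `// config keys are lowercased on load; schema name is keepCerts` would save the next reader the check. The enclosing function starts and ends outside the hunk.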
@ -1051,7 +1055,7 @@ module.exports.CertificateOperations = function (parent) {
// If the web certificate does not exist, create one
var webCertAndKey, webCertificate, webPrivateKey;
if ((r.web == null) || (forceWebCertGen == 1)) {
if ((r.web == null) || (forceWebCertGen === 1)) {
console.log("Generating HTTPS certificate...");
webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
@ -1108,7 +1112,7 @@ module.exports.CertificateOperations = function (parent) {
// If the Intel AMT MPS certificate does not exist, create one
var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
if ((r.mps == null) || (forceMpsCertGen == 1)) {
if ((r.mps == null) || (forceMpsCertGen === 1)) {
console.log("Generating Intel AMT MPS certificate...");
mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);


@ -8,6 +8,7 @@
"type": "object",
"properties": {
"cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." },
"keepCerts": { "type": "boolean", "default": false, "description": "Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value." },
"mongoDb": { "type": "string", "default": null },
"mongoDbName": { "type": "string" },
"mongoDbChangeStream": { "type": "boolean", "default": false },


@ -144,8 +144,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
obj.defaultWebCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert);
obj.defaultWebCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert);
obj.defaultWebCertificateHash = obj.certificates.webdefault ? parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert) : null;
obj.defaultWebCertificateFullHash = obj.certificates.webdefault ? parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert) : null;
// Compute the hash of all of the web certificates for each domain
for (var i in obj.parent.config.domains) {
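Review bot: The two guarded assignments `obj.defaultWebCertificateHash = obj.certificates.webdefault ? ... : null;` and `obj.defaultWebCertificateFullHash = obj.certificates.webdefault ? ... : null;` (assuming the ternary forms are the new side) leave both hash fields as null rather than undefined when no default web certificate exists, and nothing in the hunk documents that any later comparison of these fields against a peer-supplied hash must treat null as "no match" rather than as a value. I would add `// null when no default web certificate is configured; callers must check for null before comparing` above the first of them. The repeated guard would also read better hoisted once, `var webdefault = obj.certificates.webdefault;` followed by `obj.defaultWebCertificateHash = webdefault ? parent.certificateOperations.getPublicKeyHashBinary(webdefault.cert) : null;` and the matching line for the full hash. The enclosing CreateWebServer function starts and ends outside the hunk.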