Improve cert renewal scripts

scripts/master.sh

@@ -12,8 +12,16 @@ rm -f dist/.master-ready
 git config --global --add safe.directory /repo
 git pull
 
+# Bootstrap all configuration files
+export TESTBED_BOOTSTRAP=1
 python3 framework/main.py --dry
 
+# Check and reissue certificates
+bash dist/ndncert/renew.sh
+bash dist/nlsr/renew.sh
+
+# End bootstrapping
+unset TESTBED_BOOTSTRAP
 date > dist/.master-ready
 
 # Wait for 2 minutes before starting cron,

templates/ndncert/keygen.sh.j2 → templates/ndncert/renew.sh.j2

@@ -14,27 +14,36 @@ KEY_NAME="{{ default_prefix }}"
 ROOT_CA_HTTPS="{{ root_ca_https }}"
 ROOT_CA_SECRET="{{ ROOT_CA_SECRET }}"
 
-# Home and keys directories
+# Directories
 PRIVATE_DIR="$(pwd)/private"
-
-# Make sure the private directory exists
 mkdir -p "${PRIVATE_DIR}"
 
+# Output file names
+NDNCERT_CERT_PATH="${PRIVATE_DIR}/site.ndncert"
+
+# If set then only continue if certs don't exist
+if [ -n "${TESTBED_BOOTSTRAP}" ]; then
+  if [ -f "${NDNCERT_CERT_PATH}" ]; then
+    echo -e "NDNCERT certificate already exists, skipping generation"
+    exit 0
+  fi
+fi
+
 # Create new keypair if it does not exist
 export HOME="${PRIVATE_DIR}"
-allow_fail ndnsec sign-req "${KEY_NAME}" > "${PRIVATE_DIR}/ndncert.csr"
+allow_fail ndnsec sign-req "${KEY_NAME}" > "${NDNCERT_CERT_PATH}.csr"
 if [ $allow_fail_status -ne 0 ]
 then
   echo -e "Generating new operator keypair"
-  ndnsec key-gen -n "${KEY_NAME}" > "${PRIVATE_DIR}/ndncert.csr"
+  ndnsec key-gen -n "${KEY_NAME}" > "${NDNCERT_CERT_PATH}.csr"
 fi
 
 # Get certificate from root certificate authority
-curl -s -X POST --upload-file "${PRIVATE_DIR}/ndncert.csr" -o "${PRIVATE_DIR}/site.ndncert" \
+curl -s -X POST --upload-file "${NDNCERT_CERT_PATH}.csr" -o "${NDNCERT_CERT_PATH}" \
     "${ROOT_CA_HTTPS}/sign?secret=${ROOT_CA_SECRET}"
 
 # Install certificate to keychain
-ndnsec cert-install -f "${PRIVATE_DIR}/site.ndncert"
+ndnsec cert-install -f "${NDNCERT_CERT_PATH}"
 
 # Clear intermediate files
 rm -f "${PRIVATE_DIR}/*.csr"

templates/nlsr/keygen.sh.j2 → templates/nlsr/renew.sh.j2

@@ -15,46 +15,56 @@ OPERATOR="{{ operator_user }}"
 HOSTNAME="{{ inventory_hostname }}"
 ROUTER="{{ router_name }}"
 
-# Home and keys directories
+# Directories
 PRIVATE_DIR="$(pwd)/private"
 NDNCERT_DIR="$(pwd)/../ndncert/private"
+mkdir -p "${PRIVATE_DIR}"
+
+# Output file names
+OPERATOR_CERTFILE="${PRIVATE_DIR}/operator.cert"
+ROUTER_CERTFILE="${PRIVATE_DIR}/router.cert"
 
 # Key names
 OPERATOR_KEY="${PREFIX}/%C1.Operator/${OPERATOR}"
 ROUTER_KEY="${PREFIX}/%C1.Router/${ROUTER}"
 
-# Make sure the private directory exists
-mkdir -p "${PRIVATE_DIR}"
+# If set then only continue if certs don't exist
+if [ -n "${TESTBED_BOOTSTRAP}" ]; then
+  if [ -f "${OPERATOR_CERTFILE}" ] && [ -f "${ROUTER_CERTFILE}" ]; then
+    echo -e "NLSR certificates already exist, skipping generation"
+    exit 0
+  fi
+fi
 
 # Issue operator cert
 export HOME="${PRIVATE_DIR}"
-allow_fail ndnsec sign-req "${OPERATOR_KEY}" > "${PRIVATE_DIR}/unsigned_operator.csr"
+allow_fail ndnsec sign-req "${OPERATOR_KEY}" > "${OPERATOR_CERTFILE}.csr"
 if [ $allow_fail_status -ne 0 ]
 then
   echo -e "Generating new operator keypair"
-  ndnsec key-gen -n "${OPERATOR_KEY}" > "${PRIVATE_DIR}/unsigned_operator.csr"
+  ndnsec key-gen -n "${OPERATOR_KEY}" > "${OPERATOR_CERTFILE}.csr"
 fi
 
 export HOME="${NDNCERT_DIR}"
 ndnsec cert-gen -S 202204010000 -E 20320401000 -s "${PREFIX}" \
-  -r "${PRIVATE_DIR}/unsigned_operator.csr" > "${PRIVATE_DIR}/operator.cert"
+  -r "${OPERATOR_CERTFILE}.csr" > "${OPERATOR_CERTFILE}"
 
 export HOME="${PRIVATE_DIR}"
-ndnsec cert-install -f "${PRIVATE_DIR}/operator.cert"
+ndnsec cert-install -f "${OPERATOR_CERTFILE}"
 
 # Issue router cert
 export HOME="${PRIVATE_DIR}"
-allow_fail ndnsec sign-req "${ROUTER_KEY}" > "${PRIVATE_DIR}/unsigned_router.csr"
+allow_fail ndnsec sign-req "${ROUTER_KEY}" > "${ROUTER_CERTFILE}.csr"
 if [ $allow_fail_status -ne 0 ]
 then
   echo -e "Generating new router keypair"
-  ndnsec key-gen -n "${ROUTER_KEY}" > "${PRIVATE_DIR}/unsigned_router.csr"
+  ndnsec key-gen -n "${ROUTER_KEY}" > "${ROUTER_CERTFILE}.csr"
 fi
 
 ndnsec cert-gen -S 201802010000 -E 202802010000 -s "${OPERATOR_KEY}" \
-  -r "${PRIVATE_DIR}/unsigned_router.csr" > "${PRIVATE_DIR}/router.cert"
+  -r "${PRIVATE_DIR}/unsigned_router.csr" > "${ROUTER_CERTFILE}"
 
-ndnsec cert-install -f "${PRIVATE_DIR}/router.cert"
+ndnsec cert-install -f "${ROUTER_CERTFILE}"
 
 # Clear intermediate files
 rm -f "${PRIVATE_DIR}/*.csr"