wip automation of the certificate signing

nsg-ethz · Jul 12, 2024 · c26b9dc · c26b9dc
1 parent 0d359d6
commit c26b9dc
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 5 deletions.
diff --git a/client/.gitignore b/client/.gitignore
@@ -1 +1,2 @@
-cmake/
+cmake/
+capassphrase.sh
diff --git a/client/README.md b/client/README.md
@@ -1,5 +1,23 @@
 # Autopower client
 
+## My deployment process
+
+- We need the IP of the PI, which means 
+  - first flashing the OS
+  - boot and plug in a monitor to get the MAC
+  - Get the MAC registered on the ETH network and get a static IP
+- Once the IP is knonw, add it to my SSH config 
+- then
+```
+scp -r -P 22 client/ autopowerX:/tmp/
+ssh autopowerX -p 22
+cd /tmp/client
+sudo chmod +x deploy.sh && sudo ./deploy.sh
+sudo chmod +x signCerts.sh && ./signCerts.sh
+```
+Currently the last step will not work the first time because the Pi won't know the fingerprint of the server and I don't know how to accept fingerprint automatically (to resolve)
+
+
 ## Folder content
 
 This folder contains files needed for the client side of the autopower project:
@@ -76,4 +94,4 @@ Now check if you can access the Pi as described in the next section.
 
 ### Accessing the Pi
 
-The Pi is configured to get an IP address via DHCP. To connect via SSH, after setup, use port 21092 (not 22) and the ethditet user: `ssh ethditet@<autopowerip> -p 21092`
+The Pi is configured to get an IP address via DHCP. To connect via SSH, after setup, use port 21092 (not 22) and the ethditet user: `ssh ethditet@<autopowerip> -p 21092`
diff --git a/client/deploy.sh b/client/deploy.sh
@@ -3,7 +3,10 @@
 # Deploy an autopower device should only be run on the Raspberry Pi
 
 source serverIpConfig.sh
-read -p "Enter name of device to deploy: " DEVICENAME
+
+# > we use the hostname configured on OS install
+#read -p "Enter name of device to deploy: " DEVICENAME
+DEVICENAME=$(hostname)
 
 # install needed services (including adding zabbix)
 pushd /tmp
@@ -13,15 +16,15 @@ rm zabbix-release_6.0-5+debian12_all.deb
 popd
 apt update
 apt upgrade -y
-apt install libjsoncpp-dev libpqxx-dev fail2ban ufw postgresql unattended-upgrades zabbix-agent2 zabbix-agent2-plugin-postgresql -y
+apt install libjsoncpp-dev libpqxx-dev fail2ban ufw postgresql unattended-upgrades zabbix-agent2 zabbix-agent2-plugin-postgresql tmux -y
 
 # install mmclient and pinpoint
 cp bin/mmclient /usr/bin/mmclient
 chmod +x /usr/bin/mmclient
 cp bin/pinpoint /usr/bin/pinpoint
 chmod +x /usr/bin/pinpoint
 # set hostname
-hostnamectl set-hostname "${DEVICENAME}"
+# hostnamectl set-hostname "${DEVICENAME}"
 
 # Add hostname to /etc/hosts
 echo "::1 ${DEVICENAME}" >> /etc/hosts
@@ -102,3 +105,4 @@ ufw logging off
 ufw --force enable
 
 echo "Please copy /etc/mmclient/client_${DEVICENAME}.csr to the server and sign the certificate request. Afterwards setup zabbix monitoring with the psk in ./zabbix_psk.psk"
+
diff --git a/client/signCerts.sh b/client/signCerts.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Romain Jacob
+
+# do NOT run as root
+
+source capassphrase.sh
+source serverIpConfig.sh
+DEVICENAME=$(hostname)
+
+# ssh into the server (which works thanks to agent forwarding) 
+tmux kill-session -t certs      # clean up if session already exists
+tmux new-session -d -s certs    # create a tmux session
+tmux send-keys -t certs '' C-m  # wait a bit
+tmux send-keys -t certs '' C-m
+tmux send-keys -t certs '' C-m
+tmux send-keys -t certs "ssh autopower@${REMOTEHOST}" C-m
+
+# clean existing read-only files
+echo "cleaning existing files on the server..."
+tmux send-keys -t certs 'cd /usr/autopower/zabbix/' C-m
+tmux send-keys -t certs "rm -f zabbix_client_${DEVICENAME}.psk" C-m
+tmux send-keys -t certs 'cd /usr/autopower/certs/' C-m
+tmux send-keys -t certs "rm -f /usr/autopower/certs/client_${DEVICENAME}.csr" C-m
+sleep 2 # wait a bit to give time to the tmux command to run
+
+
+# copy the certificate to the server with scp
+echo "copying the new files..."
+sudo cp /etc/mmclient/client_${DEVICENAME}.csr .
+scp client_${DEVICENAME}.csr autopower@${REMOTEHOST}:/usr/autopower/certs/client_${DEVICENAME}.csr
+# copy the psk to wherever (probably the server as well, I should make a directory for that)
+scp zabbix_psk.psk autopower@${REMOTEHOST}:/usr/autopower/zabbix/zabbix_client_${DEVICENAME}.psk
+
+# sign the certificate on the server  
+echo "signing the new certificate..."
+SIGN_CMD="openssl x509 -req -in client_${DEVICENAME}.csr -CA ca.cer -CAkey ca.key -CAcreateserial -out client_${DEVICENAME}.cer -days 365 -sha512 -passin pass:'${PASSPHRASE}'"
+tmux send-keys -t certs "${SIGN_CMD}" C-m
+sleep 2 # wait a bit to give time to the tmux command to run
+
+# copy back client.cer and ca.cer (can be done via scp from the PI)
+# > scp-ing directly would require to make the mmclient directory globally writable
+echo "copying the signed certificate back on the client..."
+scp autopower@${REMOTEHOST}:/usr/autopower/certs/client_${DEVICENAME}.cer ~/client.cer
+scp autopower@${REMOTEHOST}:/usr/autopower/certs/ca.cer ~/ca.cer
+sudo mv ~/*.cer /etc/mmclient/
+sudo chown mmclient: /etc/mmclient/client.cer
+sudo chown mmclient: /etc/mmclient/ca.cer
+