From d5b07f18a184e82924a638005c2e87a723292848 Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Mon, 30 Nov 2020 23:38:01 -0700
Subject: [PATCH 1/6] actually adds ecc sync to the list
---
 agent/src/Lib/Synchronizers.hs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index 7dfb6dbe0..b1a08c009 100644
--- a/agent/src/Lib/Synchronizers.hs
+++ b/agent/src/Lib/Synchronizers.hs
@@ -116,6 +116,7 @@ sync_0_2_6 = Synchronizer , syncPrepSslRootCaDir , syncPrepSslIntermediateCaDir , syncPersistLogs + , syncConvertEcdsaCerts ] syncCreateAgentTmp :: SyncOp
From 38320e576ef58c4965e2b4327ae1c1a791b28395 Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Tue, 1 Dec 2020 00:03:31 -0700
Subject: [PATCH 2/6] fix import cycle
---
 agent/src/Application.hs | 2 +-
 agent/src/Handler/Register/Nginx.hs | 71 ------------------------
 agent/src/Lib/Error.hs | 57 ++++++++++----------
 agent/src/Lib/Synchronizers.hs | 83 +++++++++++++++++++++++++++--
 4 files changed, 109 insertions(+), 104 deletions(-)
diff --git a/agent/src/Application.hs b/agent/src/Application.hs
index e13488b46..4f20c9937 100644
--- a/agent/src/Application.hs
+++ b/agent/src/Application.hs
@@ -206,7 +206,7 @@ startupSequence foundation = do waitForUpdateSignal foundation sleep :: Integer -> IO () -sleep n = let (full, r) = (n * 1_000_000) `divMod` (fromIntegral $ (maxBound :: Int)) in +sleep n = let (full, r) = (n * 1_000_000) `divMod` fromIntegral (maxBound :: Int) in replicateM_ (fromIntegral full) (threadDelay maxBound) *> threadDelay (fromIntegral r) --------------------------------------------------------------
diff --git a/agent/src/Handler/Register/Nginx.hs b/agent/src/Handler/Register/Nginx.hs
index bc42bba91..4d38353db 100644
--- a/agent/src/Handler/Register/Nginx.hs
+++ b/agent/src/Handler/Register/Nginx.hs
@@ -22,7 +22,6 @@ import Lib.Synchronizers import Lib.SystemPaths import Lib.Tor import System.Posix ( removeLink ) -import Lib.SystemCtl -- Left error, Right CA cert for hmac signing bootupSslNginx :: (HasFilesystemBase sig m, Has (Error S9Error) sig m, Has (Lift IO) sig m, MonadIO m) 
@@ -157,73 +156,3 @@ writeSslKeyAndCert rsaKeyFileContents = do ExitFailure ec -> throwError $ OpenSslE "leaf" ec str1' str2' readSystemPath' rootCaCertPath - -replaceDerivativeCerts :: (HasFilesystemBase sig m, Has (Error S9Error) sig m, MonadIO m) => m () -replaceDerivativeCerts = do - hn <- getStart9AgentHostname - tor <- getAgentHiddenServiceUrl - - caKeyPath <- toS <$> getAbsoluteLocationFor rootCaKeyPath - caConfPath <- toS <$> getAbsoluteLocationFor rootCaOpenSslConfPath - caCertPath <- toS <$> getAbsoluteLocationFor rootCaCertPath - - intCaKeyPath <- toS <$> getAbsoluteLocationFor intermediateCaKeyPath - intCaConfPath <- toS <$> getAbsoluteLocationFor intermediateCaOpenSslConfPath - intCaCertPath <- toS <$> getAbsoluteLocationFor intermediateCaCertPath - - sslDirTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> sslDirectory) - entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath hn) - entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath hn) - entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath hn) - liftIO $ createDirectoryIfMissing True sslDirTmp - liftIO $ BS.writeFile entConfPathTmp (domain_CSR_CONF hn) - - -- ensure duplicate certificates are acceptable - base <- Fused.ask @"filesystemBase" - liftIO $ BS.writeFile (toS $ (rootCaDirectory <> "index.txt.attr") `relativeTo` base) "unique_subject = no\n" - liftIO $ BS.writeFile (toS $ (intermediateCaDirectory <> "index.txt.attr") `relativeTo` base) - "unique_subject = no\n" - - (ec, out, err) <- writeIntermediateCert DeriveCertificate { applicantConfPath = intCaConfPath - , applicantKeyPath = intCaKeyPath - , applicantCertPath = intCaCertPath - , signingConfPath = caConfPath - , signingKeyPath = caKeyPath - , signingCertPath = caCertPath - , duration = 3650 - } - liftIO $ do - putStrLn @Text "openssl logs" - putStrLn @Text "exit code: " - print ec - putStrLn @String $ "stdout: " <> out - putStrLn 
@String $ "stderr: " <> err - case ec of - ExitSuccess -> pure () - ExitFailure n -> throwError $ OpenSslE "leaf" n out err - - (ec', out', err') <- writeLeafCert - DeriveCertificate { applicantConfPath = entConfPathTmp - , applicantKeyPath = entKeyPathTmp - , applicantCertPath = entCertPathTmp - , signingConfPath = intCaConfPath - , signingKeyPath = intCaKeyPath - , signingCertPath = intCaCertPath - , duration = 365 - } - hn - tor - liftIO $ do - putStrLn @Text "openssl logs" - putStrLn @Text "exit code: " - print ec - putStrLn @String $ "stdout: " <> out' - putStrLn @String $ "stderr: " <> err' - case ec' of - ExitSuccess -> pure () - ExitFailure n -> throwError $ OpenSslE "leaf" n out' err' - - sslDir <- toS <$> getAbsoluteLocationFor sslDirectory - liftIO $ removeDirectory sslDir - liftIO $ renameDirectory sslDirTmp sslDir - liftIO $ systemCtl RestartService "nginx" $> ()
diff --git a/agent/src/Lib/Error.hs b/agent/src/Lib/Error.hs
index 6a687b5b7..b014a4c3f 100644
--- a/agent/src/Lib/Error.hs
+++ b/agent/src/Lib/Error.hs
@@ -198,7 +198,7 @@ toStatus = \case NoCompliantAgentE _ -> status404 PersistentE _ -> status500 WifiConnectionE -> status500 - AppMgrParseE _ _ _ -> status500 + AppMgrParseE{} -> status500 AppMgrInvalidConfigE _ -> status400 AppMgrE _ _ -> status500 AppMgrVersionE _ _ -> status500
@@ -220,28 +220,28 @@ toStatus = \case (AppStatusTmp NeedsConfig, Start) -> status403 (AppStatusTmp NeedsConfig, Stop ) -> status200 (AppStatusTmp _ , _ ) -> status403 - UpdateSelfE _ _ -> status500 - InvalidSshKeyE _ -> status400 - InvalidSsidE -> status400 - InvalidPskE -> status400 - InvalidRequestE _ _ -> status400 - NotFoundE _ _ -> status404 - UpdateInProgressE -> status403 - TemporarilyForbiddenE _ _ _ -> status403 - TorServiceTimeoutE -> status500 - NginxSslE _ -> status500 - WifiOrphaningE -> status403 - ManifestParseE _ _ -> status500 - NoPasswordExistsE -> status401 - MissingFileE _ -> status500 - ClientCryptographyE _ -> status401 - TTLExpirationE _ -> status403 - EnvironmentValE _ -> status500 - HostsParamsE _ -> status400 - BackupE _ _ -> status500 - BackupPassInvalidE -> status403 - InternalE _ -> status500 - OpenSslE _ _ _ _ -> status500 + UpdateSelfE _ _ -> status500 + InvalidSshKeyE _ -> status400 + InvalidSsidE -> status400 + InvalidPskE -> status400 + InvalidRequestE _ _ -> status400 + NotFoundE _ _ -> status404 + UpdateInProgressE -> status403 + TemporarilyForbiddenE{} -> status403 + TorServiceTimeoutE -> status500 + NginxSslE _ -> status500 + WifiOrphaningE -> status403 + ManifestParseE _ _ -> status500 + NoPasswordExistsE -> status401 + MissingFileE _ -> status500 + ClientCryptographyE _ -> status401 + TTLExpirationE _ -> status403 + EnvironmentValE _ -> status500 + HostsParamsE _ -> status400 + BackupE _ _ -> status500 + BackupPassInvalidE -> status403 + InternalE _ -> status500 + OpenSslE{} -> status500 handleS9ErrC :: (MonadHandler m, MonadLogger m) => ErrorC S9Error m a -> m a handleS9ErrC action = 
@@ -251,12 +251,11 @@ handleS9ErrC action = in runErrorC action handleIt pure handleS9ErrT :: (MonadHandler m, MonadLogger m) => S9ErrT m a -> m a -handleS9ErrT action = do - runExceptT action >>= \case - Left e -> do - $logError $ show e - toStatus >>= sendResponseStatus $ e - Right a -> pure a +handleS9ErrT action = runExceptT action >>= \case + Left e -> do + $logError $ show e + toStatus >>= sendResponseStatus $ e + Right a -> pure a runS9ErrT :: MonadIO m => S9ErrT m a -> m (Either S9Error a) runS9ErrT = runExceptT
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index b1a08c009..a22469676 100644
--- a/agent/src/Lib/Synchronizers.hs
+++ b/agent/src/Lib/Synchronizers.hs
@@ -5,7 +5,9 @@ {-# LANGUAGE TemplateHaskell #-} module Lib.Synchronizers where -import Startlude hiding ( check ) +import Startlude hiding ( check + , err + ) import qualified Startlude.ByteStream as ByteStream import qualified Startlude.ByteStream.Char8 as ByteStream
@@ -62,7 +64,7 @@ import Util.File import qualified Lib.Algebra.Domain.AppMgr as AppMgr2 import Daemon.ZeroConf ( getStart9AgentHostname ) import qualified Data.Text as T -import Handler.Register.Nginx ( replaceDerivativeCerts ) +import Control.Effect.Error hiding ( run ) data Synchronizer = Synchronizer
@@ -451,7 +453,82 @@ syncConvertEcdsaCerts = SyncOp "Convert Intermediate Cert to ECDSA P256" check m pure $ case header of Nothing -> False Just y -> "BEGIN RSA PRIVATE KEY" `T.isInfixOf` y - migrate = replaceDerivativeCerts + migrate = cantFail $ do + base <- asks $ appFilesystemBase . appSettings + (runM . runExceptT) (injectFilesystemBase base replaceDerivativeCerts) >>= \case + Left e -> failUpdate e + Right () -> pure () + + +replaceDerivativeCerts :: (HasFilesystemBase sig m, Fused.Has (Error S9Error) sig m, MonadIO m) => m () +replaceDerivativeCerts = do + hn <- getStart9AgentHostname + tor <- getAgentHiddenServiceUrl + + caKeyPath <- toS <$> getAbsoluteLocationFor rootCaKeyPath + caConfPath <- toS <$> getAbsoluteLocationFor rootCaOpenSslConfPath + caCertPath <- toS <$> getAbsoluteLocationFor rootCaCertPath + + intCaKeyPath <- toS <$> getAbsoluteLocationFor intermediateCaKeyPath + intCaConfPath <- toS <$> getAbsoluteLocationFor intermediateCaOpenSslConfPath + intCaCertPath <- toS <$> getAbsoluteLocationFor intermediateCaCertPath + + sslDirTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> sslDirectory) + entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath hn) + entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath hn) + entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath hn) + liftIO $ createDirectoryIfMissing True sslDirTmp + liftIO $ BS.writeFile entConfPathTmp (domain_CSR_CONF hn) + + -- ensure duplicate certificates are acceptable + base <- Fused.ask @"filesystemBase" + liftIO $ BS.writeFile (toS $ (rootCaDirectory <> "index.txt.attr") `relativeTo` base) "unique_subject = no\n" + liftIO $ BS.writeFile (toS $ (intermediateCaDirectory <> "index.txt.attr") `relativeTo` base) + "unique_subject = no\n" + + (ec, out, err) <- writeIntermediateCert DeriveCertificate { applicantConfPath = intCaConfPath + , applicantKeyPath = intCaKeyPath + , 
applicantCertPath = intCaCertPath + , signingConfPath = caConfPath + , signingKeyPath = caKeyPath + , signingCertPath = caCertPath + , duration = 3650 + } + liftIO $ do + putStrLn @Text "openssl logs" + putStrLn @Text "exit code: " + print ec + putStrLn @String $ "stdout: " <> out + putStrLn @String $ "stderr: " <> err + case ec of + ExitSuccess -> pure () + ExitFailure n -> throwError $ OpenSslE "leaf" n out err + + (ec', out', err') <- writeLeafCert + DeriveCertificate { applicantConfPath = entConfPathTmp + , applicantKeyPath = entKeyPathTmp + , applicantCertPath = entCertPathTmp + , signingConfPath = intCaConfPath + , signingKeyPath = intCaKeyPath + , signingCertPath = intCaCertPath + , duration = 365 + } + hn + tor + liftIO $ do + putStrLn @Text "openssl logs" + putStrLn @Text "exit code: " + print ec + putStrLn @String $ "stdout: " <> out' + putStrLn @String $ "stderr: " <> err' + case ec' of + ExitSuccess -> pure () + ExitFailure n -> throwError $ OpenSslE "leaf" n out' err' + + sslDir <- toS <$> getAbsoluteLocationFor sslDirectory + liftIO $ removeDirectory sslDir + liftIO $ renameDirectory sslDirTmp sslDir + liftIO $ systemCtl RestartService "nginx" $> () failUpdate :: S9Error -> ExceptT Void (ReaderT AgentCtx IO) () failUpdate e = do
From 06c6805b3f05a96216fe1baf24abea8c598d0a73 Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Tue, 1 Dec 2020 01:32:56 -0700
Subject: [PATCH 3/6] fixes path removal
---
 agent/src/Daemon/SslRenew.hs | 6 +++---
 agent/src/Lib/Synchronizers.hs | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/agent/src/Daemon/SslRenew.hs b/agent/src/Daemon/SslRenew.hs
index a0b47c97a..dedeb477b 100644
--- a/agent/src/Daemon/SslRenew.hs
+++ b/agent/src/Daemon/SslRenew.hs
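Review bot: In the leaf-certificate logging block of the moved `replaceDerivativeCerts`, `print ec` prints the intermediate step's exit code a second time while the neighbouring `out'`/`err'` belong to the leaf step; it should read `print ec'`. The intermediate failure branch also reports `OpenSslE "leaf" n out err`, so a failed intermediate re-issuance is indistinguishable from a failed leaf one in logs and API responses — a distinct tag such as `OpenSslE "intermediate" n out err` would separate them. Both issues are carried over verbatim from the copy deleted in Handler/Register/Nginx.hs, so this move is the natural place to fix them. Note too that the `unique_subject = no` written into both CA `index.txt.attr` files outlives the one-time migration and relaxes the CA database's duplicate-subject check for all later issuance; if that is intended, a comment saying so would help, otherwise the previous attribute should be restored once the new certificates are in place.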
@@ -13,8 +13,8 @@ import Lib.Ssl import Daemon.ZeroConf ( getStart9AgentHostname ) import Lib.Tor import Control.Carrier.Lift -import System.Directory ( renameDirectory - , removeDirectory +import System.Directory ( removePathForcibly + , renameDirectory ) import Lib.SystemCtl import qualified Lib.Notifications as Notifications
@@ -66,7 +66,7 @@ renewSslLeafCert ctx = do $ Notifications.emit (AppId "EmbassyOS") agentVersion $ Notifications.CertRenewFailed (ExitFailure n) out err let sslDir = toS $ sslDirectory `relativeTo` base - liftIO $ removeDirectory sslDir + liftIO $ removePathForcibly sslDir liftIO $ renameDirectory sslDirTmp sslDir liftIO $ systemCtl RestartService "nginx" $> ()
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index a22469676..4f1a618e4 100644
--- a/agent/src/Lib/Synchronizers.hs
+++ b/agent/src/Lib/Synchronizers.hs
@@ -526,7 +526,7 @@ replaceDerivativeCerts = do ExitFailure n -> throwError $ OpenSslE "leaf" n out' err' sslDir <- toS <$> getAbsoluteLocationFor sslDirectory - liftIO $ removeDirectory sslDir + liftIO $ removePathForcibly sslDir liftIO $ renameDirectory sslDirTmp sslDir liftIO $ systemCtl RestartService "nginx" $> ()
From f14493a93cf1236242efa4b56fb216958e7017af Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Tue, 1 Dec 2020 11:22:53 -0700
Subject: [PATCH 4/6] only run if ssl has been setup
---
 agent/src/Lib/Synchronizers.hs | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index 4f1a618e4..0a05ac4df 100644
--- a/agent/src/Lib/Synchronizers.hs
+++ b/agent/src/Lib/Synchronizers.hs
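Review bot: The directory swap in renewSslLeafCert, `removePathForcibly sslDir` immediately followed by `renameDirectory sslDirTmp sslDir`, is not crash-safe: if the process dies or the rename fails between the two calls, the live SSL directory is already gone and nginx is left with no key or certificate to start from. Moving the current directory aside first and deleting it only after the new one is in place keeps a usable directory on disk at every step: `renameDirectory sslDir sslDirOld`, `renameDirectory sslDirTmp sslDir`, `removePathForcibly sslDirOld` (with sslDirOld a sibling path you name). The same two-call sequence is in the `@@ -526` hunk of Lib/Synchronizers.hs in this commit and deserves the same treatment. Both enclosing functions begin outside their hunks.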
@@ -448,11 +448,16 @@ syncConvertEcdsaCerts :: SyncOp syncConvertEcdsaCerts = SyncOp "Convert Intermediate Cert to ECDSA P256" check migrate False where check = do - fs <- asks $ appFilesystemBase . appSettings - header <- liftIO $ headMay . lines <$> readFile (toS $ intermediateCaKeyPath `relativeTo` fs) - pure $ case header of - Nothing -> False - Just y -> "BEGIN RSA PRIVATE KEY" `T.isInfixOf` y + fs <- asks $ appFilesystemBase . appSettings + let intCertKey = toS $ intermediateCaKeyPath `relativeTo` fs + exists <- liftIO $ doesPathExist intCertKey + if exists + then do + header <- liftIO $ headMay . lines <$> readFile intCertKey + pure $ case header of + Nothing -> False + Just y -> "BEGIN RSA PRIVATE KEY" `T.isInfixOf` y + else pure False migrate = cantFail $ do base <- asks $ appFilesystemBase . appSettings (runM . runExceptT) (injectFilesystemBase base replaceDerivativeCerts) >>= \case
From b5b6afbeef0c30c081a67dfdc7cef4eb982791f5 Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Tue, 1 Dec 2020 11:59:49 -0700
Subject: [PATCH 5/6] fix hostname vs server id delineation
---
 agent/src/Daemon/SslRenew.hs | 2 +-
 agent/src/Lib/Synchronizers.hs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/agent/src/Daemon/SslRenew.hs b/agent/src/Daemon/SslRenew.hs
index dedeb477b..ed47d4527 100644
--- a/agent/src/Daemon/SslRenew.hs
+++ b/agent/src/Daemon/SslRenew.hs
@@ -25,7 +25,7 @@ import Constants renewSslLeafCert :: AgentCtx -> IO () renewSslLeafCert ctx = do let base = appFilesystemBase . appSettings $ ctx - hn <- injectFilesystemBase base getStart9AgentHostname + hn <- (<> ".local") <$> injectFilesystemBase base getStart9AgentHostname tor <- injectFilesystemBase base getAgentHiddenServiceUrl putStr @Text "SSL Renewal Required? " needsRenew <- doesSslNeedRenew (toS $ entityCertPath hn `relativeTo` base)
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index 0a05ac4df..af72e9fb0 100644
--- a/agent/src/Lib/Synchronizers.hs
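Review bot: The new existence guard in `check` correctly skips hosts that never set up SSL, but the RSA detection it now guards only recognises the PKCS#1 header `BEGIN RSA PRIVATE KEY`; an RSA key stored as PKCS#8 (`BEGIN PRIVATE KEY`) or an encrypted key would be reported as already migrated and left in place, so if only PKCS#1 keys can occur here a comment stating that assumption would make it explicit. `doesPathExist intCertKey` followed by `readFile intCertKey` is also a check-then-act pair: if the file is removed or becomes unreadable in between, `readFile` throws instead of `check` returning `False`, and it is not visible here how SyncOp handles an exception raised by `check`. Wrapping the read with `try` from Control.Exception and mapping the `Left` case to `pure False` would let the guard degrade gracefully.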
+++ b/agent/src/Lib/Synchronizers.hs
@@ -467,7 +467,7 @@ syncConvertEcdsaCerts = SyncOp "Convert Intermediate Cert to ECDSA P256" check m replaceDerivativeCerts :: (HasFilesystemBase sig m, Fused.Has (Error S9Error) sig m, MonadIO m) => m () replaceDerivativeCerts = do - hn <- getStart9AgentHostname + hn <- (<> ".local") <$> getStart9AgentHostname tor <- getAgentHiddenServiceUrl caKeyPath <- toS <$> getAbsoluteLocationFor rootCaKeyPath
From 45dbfc59e16d2d1afcfd17bad6474c938c686fec Mon Sep 17 00:00:00 2001
From: Keagan McClelland
Date: Tue, 1 Dec 2020 12:33:18 -0700
Subject: [PATCH 6/6] fixes hostname vs sid delineation again
---
 agent/src/Daemon/SslRenew.hs | 13 +++++++------
 agent/src/Lib/Synchronizers.hs | 13 +++++++------
 2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/agent/src/Daemon/SslRenew.hs b/agent/src/Daemon/SslRenew.hs
index ed47d4527..ee2efff38 100644
--- a/agent/src/Daemon/SslRenew.hs
+++ b/agent/src/Daemon/SslRenew.hs
@@ -25,10 +25,11 @@ import Constants renewSslLeafCert :: AgentCtx -> IO () renewSslLeafCert ctx = do let base = appFilesystemBase . appSettings $ ctx - hn <- (<> ".local") <$> injectFilesystemBase base getStart9AgentHostname + sid <- injectFilesystemBase base getStart9AgentHostname + let hostname = sid <> ".local" tor <- injectFilesystemBase base getAgentHiddenServiceUrl putStr @Text "SSL Renewal Required? " - needsRenew <- doesSslNeedRenew (toS $ entityCertPath hn `relativeTo` base) + needsRenew <- doesSslNeedRenew (toS $ entityCertPath sid `relativeTo` base) print needsRenew when needsRenew $ runM . injectFilesystemBase base $ do intCaKeyPath <- toS <$> getAbsoluteLocationFor intermediateCaKeyPath
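Review bot: The `.local` suffix that turns the server id into the certificate hostname is now a bare literal in renewSslLeafCert (`let hostname = sid <> ".local"`) and again in `replaceDerivativeCerts` in the Lib/Synchronizers.hs hunk of this commit; since the two preceding commits got the sid/hostname split wrong in both places at once, a single shared helper defined next to getStart9AgentHostname (e.g. `localHostnameFor sid = sid <> ".local"`) would keep the name passed to writeLeafCert from drifting between renewal and migration. The split itself reads correctly here: on-disk paths are keyed by `sid` and the value handed to writeLeafCert by `hostname`. renewSslLeafCert's body continues outside the hunk.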
@@ -36,9 +37,9 @@ renewSslLeafCert ctx = do intCaCertPath <- toS <$> getAbsoluteLocationFor intermediateCaCertPath sslDirTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> sslDirectory) - entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath hn) - entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath hn) - entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath hn) + entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath sid) + entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath sid) + entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath sid) (ec, out, err) <- writeLeafCert DeriveCertificate { applicantConfPath = entConfPathTmp
@@ -49,7 +50,7 @@ renewSslLeafCert ctx = do , signingCertPath = intCaCertPath , duration = 365 } - hn + hostname tor liftIO $ do putStrLn @Text "openssl logs"
diff --git a/agent/src/Lib/Synchronizers.hs b/agent/src/Lib/Synchronizers.hs
index af72e9fb0..d76fd4ce4 100644
--- a/agent/src/Lib/Synchronizers.hs
+++ b/agent/src/Lib/Synchronizers.hs
@@ -467,7 +467,8 @@ syncConvertEcdsaCerts = SyncOp "Convert Intermediate Cert to ECDSA P256" check m replaceDerivativeCerts :: (HasFilesystemBase sig m, Fused.Has (Error S9Error) sig m, MonadIO m) => m () replaceDerivativeCerts = do - hn <- (<> ".local") <$> getStart9AgentHostname + sid <- getStart9AgentHostname + let hostname = sid <> ".local" tor <- getAgentHiddenServiceUrl caKeyPath <- toS <$> getAbsoluteLocationFor rootCaKeyPath
@@ -479,11 +480,11 @@ replaceDerivativeCerts = do intCaCertPath <- toS <$> getAbsoluteLocationFor intermediateCaCertPath sslDirTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> sslDirectory) - entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath hn) - entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath hn) - entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath hn) + entKeyPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityKeyPath sid) + entConfPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityConfPath sid) + entCertPathTmp <- toS <$> getAbsoluteLocationFor (agentTmpDirectory <> entityCertPath sid) liftIO $ createDirectoryIfMissing True sslDirTmp - liftIO $ BS.writeFile entConfPathTmp (domain_CSR_CONF hn) + liftIO $ BS.writeFile entConfPathTmp (domain_CSR_CONF hostname) -- ensure duplicate certificates are acceptable base <- Fused.ask @"filesystemBase"
@@ -518,7 +519,7 @@ replaceDerivativeCerts = do , signingCertPath = intCaCertPath , duration = 365 } - hn + hostname tor liftIO $ do putStrLn @Text "openssl logs"