Reorganize workspace structure with system-specific cert directories and DNS automation

2025-12-17 09:39:46 +01:00
parent 296948f07e
commit 99fcd122ea
14 changed files with 329 additions and 20 deletions
--- a/ca/ucs-ca-cert.der
+++ b/ca/ucs-ca-cert.der
--- a/docs/DNS_INTEGRATION.md
+++ b/docs/DNS_INTEGRATION.md
@@ -0,0 +1,77 @@
 # DNS Integration Feature
 ## Overview
 The certificate manager now automatically checks if hostnames in certificates are resolvable in DNS and can create missing DNS records on the UCS DNS server.
 ## How It Works
 ### 1. Certificate Analysis
 After signing a certificate, the tool extracts all DNS names from:
 - Common Name (CN) in the certificate Subject
 - Subject Alternative Names (SANs)
 ### 2. DNS Resolution Check
 For each hostname found, the tool checks if it resolves using standard DNS lookup.
 ### 3. Missing Record Detection
 If a hostname doesn't resolve, it's flagged as missing.
 ### 4. Automatic DNS Record Creation
 The tool offers to create missing DNS records on the UCS DNS server using:
 ```bash
 univention-directory-manager dns/host_record create
 ```
 ## Example Output
 ```
 ============================================================
 Step 4: Checking DNS Records
 ============================================================
 Checking 4 hostname(s) from certificate...
  ✓ vscode.egonetix.lan - resolves
  ✓ vscode - resolves
  ✓ srvdocker02.egonetix.lan - resolves
  ✗ newhost.egonetix.lan - NOT found in DNS
 ⚠ Found 1 hostname(s) not in DNS:
  - newhost.egonetix.lan
 Do you want to create missing DNS records on UCS? [Y/n]: y
 Creating DNS records on 10.0.0.21...
  ✓ Created DNS record: newhost.egonetix.lan → 10.0.0.48
 ✓ Successfully created 1 DNS record(s)
 Note: DNS changes may take a few seconds to propagate.
 ```
 ## Benefits
 ✅ **Prevents Configuration Errors** - Ensures all certificate hostnames are resolvable
 ✅ **Saves Time** - No need to manually create DNS records
 ✅ **Automatic Workflow** - Integrated into the certificate generation process
 ✅ **Safe** - Always asks for confirmation before creating records
 ✅ **Idempotent** - Detects existing records and skips them
 ## Requirements
 - SSH access to UCS DNS server (default: 10.0.0.21)
 - Root access or UDM permissions on UCS server
 - Target system must have an IP address for the A record
 ## Configuration
 The DNS server is automatically set to the same server as the CA (configured in cert-manager.py):
 ```python
 config['ca_server'] = '10.0.0.21'  # Default UCS server
 ```
 ## Limitations
 - Only creates A records (IPv4)
 - Requires the hostname to be part of an existing DNS zone on UCS
 - Short hostnames (without domain) are skipped
 - AAAA records (IPv6) not yet supported
--- a/docs/EXAMPLES.md
+++ b/docs/EXAMPLES.md
--- a/docs/README.md
+++ b/docs/README.md
@@ -4,8 +4,9 @@ Automated certificate generation and signing tools for UCS CA with intelligent s
 ## Features
- 🔍 **Automatic System Detection** - Detects target system type (Proxmox, pfSense, TrueNAS, UCS)
+- 🔍 **Automatic System Detection** - Detects target system type (Proxmox, Home Assistant, pfSense, TrueNAS, UCS)
 - 🤖 **Automated Deployment** - Fully automated certificate installation for supported systems
 - 🌐 **DNS Integration** - Automatically checks and creates DNS records for certificate hostnames
 - 💾 **Configuration Persistence** - Remembers your settings between runs
 - 🔐 **Proper Certificate Extensions** - Generates certificates with correct serverAuth extensions
 - 🎯 **Interactive & Scriptable** - Works both interactively and in automation scripts
@@ -46,34 +47,37 @@ The main interactive tool that handles the entire certificate lifecycle with sys
 **Usage:**
 ```bash
-./cert-manager.py
+./scripts/cert-manager.py
 ```
 **Workflow:**
 1. Detects target system type automatically
 2. Prompts for certificate details with smart defaults
 3. Generates CSR on remote host with proper extensions
-4. Signs certificate with UCS CA
+4. Signs certificate with UCS CA (outputs to `certs/<system-type>/` directory)
-5. Deploys automatically (Proxmox) or copies to target (others)
+5. **Checks DNS records and offers to create missing ones** 🌐
 6. Deploys automatically (Proxmox/Home Assistant) or copies to target (others)
 **Features:**
 - Interactive prompts with default values from previous runs
 - Automatic system type detection
 - **Automatic DNS record creation on UCS DNS server**
 - Intelligent deployment based on system capabilities
 - Configurable key length (default: 4096 bits)
 - Remembers last used values for quick reuse
 - Organized certificate storage by system type
 ### 2. generate-csr.sh (Standalone)
 Generates a certificate signing request on a remote host.
 **Usage:**
 ```bash
-./generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
+./scripts/generate-csr.sh <hostname> <common-name> [country] [state] [locality] [org] [ou] [key-bits]
 ```
 **Example:**
 ```bash
-./generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it 4096
+./scripts/generate-csr.sh 192.168.1.100 server.example.com DE berlin berlin egonetix it 4096
 ```
 **Features:**
@@ -87,20 +91,22 @@ Signs a certificate request with the UCS CA.
 **Usage:**
 ```bash
-./sign-cert.sh <req-file> <hostname> [days]
+./scripts/sign-cert.sh <req-file> <hostname> [days]
 ```
 **Example:**
 ```bash
-./sign-cert.sh server.req server 3650
+./scripts/sign-cert.sh certs/proxmox/server.csr server 3650
 ```
 **Output:** Certificate is saved to the same directory as the CSR file.
 ### 4. detect-system.sh (Utility)
 Detects the type of system on a remote host.
 **Usage:**
 ```bash
-./detect-system.sh <hostname>
+./scripts/detect-system.sh <hostname>
 ```
 **Returns:** `proxmox`, `pfsense`, `truenas`, `ucs`, or `unknown`
--- a/docs/STRUCTURE.md
+++ b/docs/STRUCTURE.md
@@ -0,0 +1,57 @@
 # Folder Structure
 This directory is organized for efficient certificate management:
 ## 📁 Structure Overview
 ```
 zertifizierung/
 ├── ca/                  # Certificate Authority files
 │   └── ucs-ca-cert.*    # UCS CA certificates (crt, der, pem)
 │
 ├── certs/              # Generated certificates organized by system
 │   ├── fritzbox/       # Fritz!Box router certificates
 │   ├── vscode/         # VS Code server certificates
 │   ├── proxmox/        # Proxmox host certificates
 │   ├── homeassistant/  # Home Assistant certificates
 │   ├── gateway/        # Network gateway certificates
 │   └── ilo/            # iLO interface certificates
 │
 ├── scripts/            # Certificate management tools
 │   ├── cert-manager.py           # Main interactive tool
 │   ├── sign-cert.sh              # Sign certificates with UCS CA
 │   ├── generate-csr*.sh          # CSR generation scripts
 │   ├── deploy-*.sh               # Automated deployment scripts
 │   ├── install-ca-cert.sh        # CA certificate installation
 │   └── detect-system.sh          # System type detection
 │
 └── docs/               # Documentation
    ├── README.md                 # Main documentation
    ├── EXAMPLES.md               # Usage examples
    ├── DNS_INTEGRATION.md        # DNS automation feature
    └── STRUCTURE.md              # This file
 ```
 ## 🎯 Usage
 All scripts should be run from the workspace root or scripts directory:
 ```bash
 # Run interactive certificate manager
 ./scripts/cert-manager.py
 # Sign a certificate
 ./scripts/sign-cert.sh certs/fritzbox/fritzbox.csr fritzbox 3650
 # Deploy to Proxmox
 ./scripts/deploy-proxmox.sh certs/proxmox/srv-wmw-host01
 ```
 ## 📝 Certificate Files
 Each certificate directory (e.g., `certs/fritzbox/`) typically contains:
 - `*.key` - Private key
 - `*.csr` - Certificate signing request
 - `*.pem` - Signed certificate
 - `*-cert.pem` - Certificate only
 - `*-fullchain.pem` - Certificate + CA chain
--- a/scripts/cert-manager.py
+++ b/scripts/cert-manager.py
@@ -9,8 +9,14 @@ import sys
 import json
 import subprocess
 import getpass
 import socket
 import re
 from pathlib import Path
 # Get script directory and workspace root
 SCRIPT_DIR = Path(__file__).parent.resolve()
 WORKSPACE_ROOT = SCRIPT_DIR.parent
 # Configuration
 CONFIG_FILE = Path.home() / '.cert-manager-config.json'
 DEFAULT_CONFIG = {
@@ -32,7 +38,8 @@ SYSTEM_TYPES = {
        'deploy_script': 'deploy-proxmox.sh',
        'key_location': '/tmp/{short_name}.key',
        'default_port': '8006',
-        'ssh_user': 'root'
+        'ssh_user': 'root',
        'cert_dir': 'proxmox'
    },
    'homeassistant': {
        'name': 'Home Assistant',
@@ -40,35 +47,40 @@ SYSTEM_TYPES = {
        'key_location': '/tmp/{short_name}.key',
        'default_port': '8123',
        'ssh_user': 'icke',
-        'uses_local_csr': True
+        'uses_local_csr': True,
        'cert_dir': 'homeassistant'
    },
    'pfsense': {
        'name': 'pfSense',
        'deploy_script': None,  # Manual deployment via web interface
        'key_location': '/tmp/{short_name}.key',
        'default_port': '443',
-        'ssh_user': 'root'
+        'ssh_user': 'root',
        'cert_dir': 'pfsense'
    },
    'truenas': {
        'name': 'TrueNAS',
        'deploy_script': None,  # Manual deployment via web interface
        'key_location': '/tmp/{short_name}.key',
        'default_port': '443',
-        'ssh_user': 'root'
+        'ssh_user': 'root',
        'cert_dir': 'truenas'
    },
    'ucs': {
        'name': 'Univention Corporate Server',
        'deploy_script': None,
        'key_location': '/tmp/{short_name}.key',
        'default_port': '443',
-        'ssh_user': 'root'
+        'ssh_user': 'root',
        'cert_dir': 'ucs'
    },
    'unknown': {
        'name': 'Unknown System',
        'deploy_script': None,
        'key_location': '/tmp/{short_name}.key',
        'default_port': '443',
-        'ssh_user': 'root'
+        'ssh_user': 'root',
        'cert_dir': 'other'
    }
 }
@@ -158,6 +170,145 @@ def detect_system_type(target_host, script_dir, ssh_user=None, ssh_password=None
        print(f"Warning: Could not detect system type: {e}")
        return 'unknown', None
 def check_dns_resolution(hostname):
    """Check if a hostname resolves in DNS"""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False
 def extract_hostnames_from_cert(cert_file):
    """Extract all DNS names from a certificate"""
    try:
        result = subprocess.run(
            ['openssl', 'x509', '-in', cert_file, '-text', '-noout'],
            capture_output=True,
            text=True,
            check=True
        )
        hostnames = []
        # Extract CN from Subject (not from Issuer!)
        subject_match = re.search(r'Subject:.*?CN\s*=\s*([^,\n]+)', result.stdout, re.DOTALL)
        if subject_match:
            cn = subject_match.group(1).strip()
            # Only add if it looks like a hostname (contains letters and possibly dots/dashes)
            if re.match(r'^[a-zA-Z0-9]([a-zA-Z0-9\-\.]*[a-zA-Z0-9])?$', cn):
                hostnames.append(cn)
        # Extract SANs
        san_match = re.search(r'X509v3 Subject Alternative Name:.*?DNS:([^\n]+)', result.stdout, re.DOTALL)
        if san_match:
            san_text = san_match.group(1)
            # Extract all DNS entries
            dns_entries = re.findall(r'DNS:([^,\s]+)', san_text)
            hostnames.extend(dns_entries)
        # Remove duplicates and filter out IP addresses
        unique_hostnames = []
        for h in hostnames:
            h = h.strip()
            # Skip if it looks like an IP address or contains special chars from CA names
            if not re.match(r'^\d+\.\d+\.\d+\.\d+$', h) and '(' not in h and ')' not in h:
                if h not in unique_hostnames and len(h) > 0:
                    unique_hostnames.append(h)
        return unique_hostnames
    except Exception as e:
        print(f"Warning: Could not extract hostnames from certificate: {e}")
        return []
 def create_dns_record(hostname, target_ip, dns_server='10.0.0.21'):
    """Create a DNS record on UCS server"""
    try:
        # Split hostname into name and domain
        parts = hostname.split('.', 1)
        if len(parts) == 1:
            # Short hostname without domain - skip it
            return False
        name = parts[0]
        domain = parts[1]
        # Construct the zone DN
        zone_parts = domain.split('.')
        zone_dn = f"zoneName={domain},cn=dns,dc={',dc='.join(zone_parts)}"
        # Create DNS record via SSH to UCS server
        cmd = [
            'ssh', f'root@{dns_server}',
            'univention-directory-manager', 'dns/host_record', 'create',
            '--superordinate', zone_dn,
            '--set', f'name={name}',
            '--set', f'a={target_ip}'
        ]
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0:
            print(f"  ✓ Created DNS record: {hostname} → {target_ip}")
            return True
        else:
            if 'already exists' in result.stderr.lower():
                print(f"  ℹ DNS record already exists: {hostname}")
                return True
            else:
                print(f"  ✗ Failed to create DNS record for {hostname}: {result.stderr.strip()}")
                return False
    except Exception as e:
        print(f"  ✗ Error creating DNS record for {hostname}: {e}")
        return False
 def check_and_create_dns_records(cert_file, target_ip, dns_server='10.0.0.21'):
    """Check DNS records for certificate hostnames and offer to create missing ones"""
    print("\n" + "=" * 60)
    print("Step 4: Checking DNS Records")
    print("=" * 60)
    hostnames = extract_hostnames_from_cert(cert_file)
    if not hostnames:
        print("No hostnames found in certificate to check.")
        return
    print(f"\nChecking {len(hostnames)} hostname(s) from certificate...")
    missing_hostnames = []
    for hostname in hostnames:
        if check_dns_resolution(hostname):
            print(f"  ✓ {hostname} - resolves")
        else:
            print(f"  ✗ {hostname} - NOT found in DNS")
            missing_hostnames.append(hostname)
    if not missing_hostnames:
        print("\n✓ All hostnames are resolvable in DNS!")
        return
    print(f"\n⚠ Found {len(missing_hostnames)} hostname(s) not in DNS:")
    for hostname in missing_hostnames:
        print(f"  - {hostname}")
    if yes_no_prompt("\nDo you want to create missing DNS records on UCS?", True):
        print(f"\nCreating DNS records on {dns_server}...")
        success_count = 0
        for hostname in missing_hostnames:
            if create_dns_record(hostname, target_ip, dns_server):
                success_count += 1
        if success_count > 0:
            print(f"\n✓ Successfully created {success_count} DNS record(s)")
            print("\nNote: DNS changes may take a few seconds to propagate.")
        else:
            print("\n⚠ No DNS records were created")
    else:
        print("\nSkipping DNS record creation.")
        print("You may need to create these records manually for the certificate to work properly.")
 def main():
    print("=" * 60)
    print("Interactive Certificate Manager")
@@ -271,6 +422,15 @@ def main():
        print("Cancelled.")
        sys.exit(0)
    # Create output directory for this system type
    cert_dir = WORKSPACE_ROOT / 'certs' / system_info.get('cert_dir', 'other')
    cert_dir.mkdir(parents=True, exist_ok=True)
    # Change to cert output directory
    original_dir = Path.cwd()
    os.chdir(cert_dir)
    print(f"\nOutput directory: {cert_dir}")
    # Save config for next run
    config['last_target_host'] = target_host
    config['last_common_name'] = common_name
@@ -280,6 +440,9 @@ def main():
    print("Step 1: Generating CSR")
    print("=" * 60)
    # Get script directory
    script_dir = SCRIPT_DIR
    # Check if system requires local CSR generation
    if system_info.get('uses_local_csr', False):
        # Generate CSR locally for Home Assistant and similar systems
@@ -359,12 +522,16 @@ def main():
        print(f"\nError: sign-cert.sh not found in {script_dir}")
        sys.exit(1)
-    print("\n" + "=" * 60)
+    # Certificate file path
    print("Step 3: Deploying certificate to target host")
    print("=" * 60)
    cert_file = f"{short_name}-cert.pem"
    # Check and create DNS records if needed
    check_and_create_dns_records(cert_file, target_host, config['ca_server'])
    print("\n" + "=" * 60)
    print("Step 5: Deploying certificate to target host")
    print("=" * 60)
    # Use system-specific deployment if available
    if system_info['deploy_script']:
        if yes_no_prompt(f"Deploy certificate to {system_info['name']} automatically?", True):
--- a/scripts/deploy-homeassistant.sh
+++ b/scripts/deploy-homeassistant.sh
--- a/scripts/deploy-proxmox.sh
+++ b/scripts/deploy-proxmox.sh
--- a/scripts/detect-system.sh
+++ b/scripts/detect-system.sh
--- a/scripts/generate-csr-ha.sh
+++ b/scripts/generate-csr-ha.sh
--- a/scripts/generate-csr-local.sh
+++ b/scripts/generate-csr-local.sh
--- a/scripts/generate-csr.sh
+++ b/scripts/generate-csr.sh
--- a/scripts/install-ca-cert.sh
+++ b/scripts/install-ca-cert.sh
--- a/scripts/sign-cert.sh
+++ b/scripts/sign-cert.sh
@@ -34,7 +34,9 @@ fi
 # Get absolute path of req file
 REQ_FILE=$(realpath "$REQ_FILE")
-OUTPUT_FILE="${HOSTNAME}-cert.pem"
+# Output to same directory as input CSR
 REQ_DIR=$(dirname "$REQ_FILE")
 OUTPUT_FILE="${REQ_DIR}/${HOSTNAME}-cert.pem"
 echo "=========================================="
 echo "UCS Certificate Signing Script"