3

I'm using Fabric to automate SSL creation, but when I run something like

local('openssl genrsa  -out /etc/ssl/'+hostname+'/'+hostname+'.key 2048')

it prompts me for country, state, an email address, etc. Is there anything I can do (possibly with an openssl.cnf?) to prevent the need for user input with those prompts, or do people usually just hack it using something like pexpect?

Update:

If I put prompt=no in my openssl.cnf, cd to /ssdhome/development/server, then run:

sudo openssl req -new -key './server.key' -out './server.csr' -config='./openssl.cnf'

openssl prints out help information instead of running the above command. Where have I gone wrong?

Update 2: -config should not have an '=' sign, but a space. Solved. Also linked to this copy of my openssl.cnf to get it working:

https://help.ubuntu.com/community/OpenSSL

mh00h
  • 1
    I think this is relevant: http://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts – alecxe Jul 21 '13 at 19:15

2 Answers

2

See How to answer to prompts automatically with python fabric?

from ilogue.fexpect import expect, expecting, run

def sample():

    private_key = "password"  # sample pass phrase for the demo key
    hostname = "ubuntu"
    output_dir = '/etc/ssl/' + hostname
    # expect() patterns are regular expressions, so they are written as raw
    # strings with ( ) [ ] escaped.
    prompts = []
    prompts += expect(r'Enter pass phrase for private.key:', private_key)
    # Fixed: the pattern previously ended with a stray "private_key".
    prompts += expect(r'Verifying - Enter pass phrase for private.key:', private_key)
    prompts += expect(r'Enter pass phrase for %s/server.key:' % output_dir, private_key)
    prompts += expect(r'Country Name \(2 letter code\) \[AU\]:', 'AU')
    prompts += expect(r'State or Province Name \(full name\) \[Some-State\]:', 'State')
    prompts += expect(r'Locality Name \(eg, city\) \[\]:', 'City')
    prompts += expect(r'Organization Name \(eg, company\) \[Internet Widgits Pty Ltd\]:', 'Company')
    prompts += expect(r'Organizational Unit Name \(eg, section\) \[\]:', 'Section')
    prompts += expect(r'Common Name \(e.g. server FQDN or YOUR name\) \[\]:', 'FQDN')
    prompts += expect(r'Email Address \[\]:', 'email@foo.com')
    prompts += expect(r'A challenge password \[\]:', 'challenge_password')
    prompts += expect(r'An optional company name \[\]:', 'optional_company')

    # Each prompt registered above is answered automatically while these run.
    with expecting(prompts):
        run('openssl genrsa -des3 -out %s/server.key 2048' % output_dir)
        run('openssl req -new -key %s/server.key -out %s/server.csr' % (output_dir, output_dir))

# fab sample -H localhost

The regular expression is applied to expect(), so you need to escape [, ], (, ) ...

Community
Yuichiro
1

Used https://help.ubuntu.com/community/OpenSSL to get prompt=no to stop throwing errors and -config ./openssl.cnf to automate the prompts, thanks to user alecxe.

mh00h
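The prompt=no approach from the question's updates and the answer above, as an added example that is not part of the original posts: a minimal request config with the subject values inline, then key and CSR generation with no prompts. The function names, the subject values and the hostname in the usage comment are constructed for illustration; the hostname check and the umask go beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation using prompt = no.
# Subject values are constructed placeholders, not values from the thread.
# usage: make_csr www.example.test ./ssl

# Write a minimal request config. With prompt = no, the distinguished-name
# section holds the values themselves instead of prompt text.
write_req_config() {   # $1 = hostname, $2 = config path
    cat > "$2" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = req_dn

[ req_dn ]
C  = AU
ST = Some-State
L  = City
O  = Example Company
CN = $1
emailAddress = admin@$1
EOF
}

make_csr() {           # $1 = hostname, $2 = output directory
    host=$1 dir=$2
    # Accept only plain DNS-name characters before the value reaches a
    # file path or the config file.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $host" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    (
        umask 077      # the key is written unencrypted, so keep it owner-only
        write_req_config "$host" "$dir/openssl.cnf" &&
        openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null &&
        # -config takes a space-separated argument, not -config=...
        openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
            -config "$dir/openssl.cnf"
    )
}
```

Because the key carries no pass phrase here, the file permissions are the only protection on it; check the result with `openssl req -in <csr> -noout -subject`.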