(*) defines new method locate_varname used by plc-config-tty
[myplc.git] / plc.d / ssl
1 #!/bin/bash
2 #
3 # priority: 400
4 #
5 # Generate SSL certificates
6 #
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
9 #
10 # $Id: ssl,v 1.2 2006/04/07 03:36:04 mlhuang Exp $
11 #
12
13 # Source function library and configuration
14 . /etc/plc.d/functions
15
16 case "$1" in
17     start)
18         MESSAGE=$"Generating SSL certificates"
19         dialog "$MESSAGE"
20
21         # Generate self-signed SSL certificate(s). These nice
22         # commands come from the mod_ssl spec file for Fedora Core
23         # 2. We generate a certificate for each enabled server
24         # with a different hostname. These self-signed
25         # certificates may be overridden later.
26         for server in WWW API BOOT ; do
27             ssl_key=PLC_${server}_SSL_KEY
28             ssl_crt=PLC_${server}_SSL_CRT
29             hostname=PLC_${server}_HOST
30
31             # Check if we have already generated a certificate for
32             # the same hostname.
33             for previous_server in WWW API BOOT ; do
34                 if [ "$server" = "$previous_server" ] ; then
35                     break
36                 fi
37                 previous_ssl_key=PLC_${previous_server}_SSL_KEY
38                 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
39                 previous_hostname=PLC_${previous_server}_HOST
40
41                 if [ -f ${!previous_ssl_crt} ] && \
42                     [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
43                     cp -a ${!previous_ssl_key} ${!ssl_key}
44                     cp -a ${!previous_ssl_crt} ${!ssl_crt}
45                     break
46                 fi
47             done
48
49             # Check if self signed certificate is valid
50             if [ -f ${!ssl_crt} ] ; then
51                 verify=$(openssl verify ${!ssl_crt})
52                 # If self signed
53                 if grep -q "self signed certificate" <<<$verify ; then
54                     # Delete if expired or hostname changed
55                     if grep -q "expired" <<<$verify || \
56                         [ "$(ssl_cname ${!ssl_crt})" != "${!hostname}" ] ; then
57                         rm -f ${!ssl_crt}
58                     fi
59                 else
60                     echo "$verify" >&2
61                 fi
62             fi
63
64             # Generate new self signed certificate
65             if [ ! -f ${!ssl_crt} ] ; then
66                 mkdir -p $(dirname ${!ssl_crt})
67                 openssl req -new -x509 -days 365 -set_serial $RANDOM \
68                     -batch -subj "/CN=${!hostname}" \
69                     -nodes -keyout ${!ssl_key} -out ${!ssl_crt}
70                 check
71                 chmod 644 ${!ssl_crt}
72             fi
73         done
74
75         # API requires a public key for slice ticket verification
76         if [ ! -f $PLC_API_SSL_KEY_PUB ] ; then
77             openssl rsa -pubout <$PLC_API_SSL_KEY >$PLC_API_SSL_KEY_PUB
78             check
79         fi
80
81         # Install into both /etc/pki (Fedora Core 4) and
82         # /etc/httpd/conf (Fedora Core 2). If the API, boot, and
83         # web servers are all running on the same machine, the web
84         # server certificate takes precedence.
85         for server in API BOOT WWW ; do
86             enabled=PLC_${server}_ENABLED
87             if [ "${!enabled}" != "1" ] ; then
88                 continue
89             fi
90             ssl_key=PLC_${server}_SSL_KEY
91             ssl_crt=PLC_${server}_SSL_CRT
92
93             symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
94             symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
95             symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
96             symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
97         done
98
99         result "$MESSAGE"
100         ;;
101 esac
102
103 exit $ERRORS