- don't source shell configuration in /etc/plc.d/functions, which is

[myplc.git] / plc.d / ssl

#!/bin/bash
#
# priority: 400
#
# Generate SSL certificates
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
# $Id: ssl,v 1.3 2006/04/07 04:28:16 mlhuang Exp $
#

# Source function library and configuration
. /etc/plc.d/functions
. /etc/planetlab/plc_config

case "$1" in
    start)
        MESSAGE=$"Generating SSL certificates"
        dialog "$MESSAGE"

        # Generate self-signed SSL certificate(s). These nice
        # commands come from the mod_ssl spec file for Fedora Core
        # 2. We generate a certificate for each enabled server
        # with a different hostname. These self-signed
        # certificates may be overridden later.
        for server in WWW API BOOT ; do
            ssl_key=PLC_${server}_SSL_KEY
            ssl_crt=PLC_${server}_SSL_CRT
            hostname=PLC_${server}_HOST

            # Check if we have already generated a certificate for
            # the same hostname.
            for previous_server in WWW API BOOT ; do
                if [ "$server" = "$previous_server" ] ; then
                    break
                fi
                previous_ssl_key=PLC_${previous_server}_SSL_KEY
                previous_ssl_crt=PLC_${previous_server}_SSL_CRT
                previous_hostname=PLC_${previous_server}_HOST

                if [ -f ${!previous_ssl_crt} ] && \
                    [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
                    cp -a ${!previous_ssl_key} ${!ssl_key}
                    cp -a ${!previous_ssl_crt} ${!ssl_crt}
                    break
                fi
            done

            # Check if self signed certificate is valid
            if [ -f ${!ssl_crt} ] ; then
                verify=$(openssl verify ${!ssl_crt})
                # If self signed
                if grep -q "self signed certificate" <<<$verify ; then
                    # Delete if expired or hostname changed
                    if grep -q "expired" <<<$verify || \
                        [ "$(ssl_cname ${!ssl_crt})" != "${!hostname}" ] ; then
                        rm -f ${!ssl_crt}
                    fi
                else
                    echo "$verify" >&2
                fi
            fi

            # Generate new self signed certificate
            if [ ! -f ${!ssl_crt} ] ; then
                mkdir -p $(dirname ${!ssl_crt})
                openssl req -new -x509 -days 365 -set_serial $RANDOM \
                    -batch -subj "/CN=${!hostname}" \
                    -nodes -keyout ${!ssl_key} -out ${!ssl_crt}
                check
                chmod 644 ${!ssl_crt}
            fi
        done

        # API requires a public key for slice ticket verification
        if [ ! -f $PLC_API_SSL_KEY_PUB ] ; then
            openssl rsa -pubout <$PLC_API_SSL_KEY >$PLC_API_SSL_KEY_PUB
            check
        fi

        # Install into both /etc/pki (Fedora Core 4) and
        # /etc/httpd/conf (Fedora Core 2). If the API, boot, and
        # web servers are all running on the same machine, the web
        # server certificate takes precedence.
        for server in API BOOT WWW ; do
            enabled=PLC_${server}_ENABLED
            if [ "${!enabled}" != "1" ] ; then
                continue
            fi
            ssl_key=PLC_${server}_SSL_KEY
            ssl_crt=PLC_${server}_SSL_CRT

            symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
            symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
            symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
            symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
        done

        result "$MESSAGE"
        ;;
esac

exit $ERRORS