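#!/bin/bash
#
# priority: 400
#
# Generate SSL certificates
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
# $Id: guest.init,v 1.12 2006/04/04 22:09:47 mlhuang Exp $
#
# On "start": for each of the WWW, API and BOOT servers, create an RSA
# private key and a self-signed certificate (reusing the pair of an
# earlier server that has the same hostname), derive the API public key
# used for slice ticket verification, and symlink the active pair into
# the /etc/pki and /etc/httpd/conf locations.
#
# Relies on dialog, check, symlink, result, ssl_cname and ERRORS from
# /etc/plc.d/functions, and on the PLC_*_SSL_KEY, PLC_*_SSL_CRT,
# PLC_*_HOST and PLC_*_ENABLED settings that library brings into scope.
#
# Exits with $ERRORS (presumably maintained by check -- see functions).

# Source function library and configuration
. /etc/plc.d/functions

# Modulus size for newly generated RSA keys. 1024-bit keys are no longer
# considered adequate; keys that already exist on disk are kept as they
# are, only new ones use this size.
ssl_key_bits=2048

case "$1" in
    start)
        MESSAGE=$"Generating SSL certificates"
        dialog "$MESSAGE"

        # Generate self-signed SSL certificate(s). These nice
        # commands come from the mod_ssl spec file for Fedora Core
        # 2. We generate a certificate for each enabled server
        # with a different hostname. These self-signed
        # certificates may be overridden later.
        for server in WWW API BOOT ; do
            ssl_key=PLC_${server}_SSL_KEY
            ssl_crt=PLC_${server}_SSL_CRT
            hostname=PLC_${server}_HOST

            # Check if we have already generated a certificate for
            # the same hostname; if so, reuse that key/cert pair.
            for previous_server in WWW API BOOT ; do
                if [ "$server" = "$previous_server" ] ; then
                    break
                fi
                previous_ssl_key=PLC_${previous_server}_SSL_KEY
                previous_ssl_crt=PLC_${previous_server}_SSL_CRT

                if [ -f "${!previous_ssl_crt}" ] && \
                    [ "$(ssl_cname "${!previous_ssl_crt}")" = "${!hostname}" ] ; then
                    # -a preserves the restrictive mode of the private key
                    cp -a "${!previous_ssl_key}" "${!ssl_key}"
                    cp -a "${!previous_ssl_crt}" "${!ssl_crt}"
                    break
                fi
            done

            # Generate new SSL private key
            if [ ! -f "${!ssl_key}" ] ; then
                mkdir -p "$(dirname "${!ssl_key}")"
                # Restrict the umask while the key is written so the
                # file is never world-readable, not even briefly before
                # the chmod below. The subshell's status is that of
                # openssl, which is what check inspects.
                (umask 077; openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime "$ssl_key_bits" >"${!ssl_key}")
                check
                chmod 600 "${!ssl_key}"
            fi

            # Check if self signed certificate is valid
            if [ -f "${!ssl_crt}" ] ; then
                # Depending on the OpenSSL release the verification
                # error is reported on stdout or stderr; capture both
                # so the checks below see it either way.
                verify=$(openssl verify "${!ssl_crt}" 2>&1)
                # If self signed (OpenSSL 3 spells it "self-signed")
                if grep -qE "self[ -]signed certificate" <<<"$verify" ; then
                    # Delete if expired or hostname changed
                    if grep -q "expired" <<<"$verify" || \
                        [ "$(ssl_cname "${!ssl_crt}")" != "${!hostname}" ] ; then
                        rm -f "${!ssl_crt}"
                    fi
                else
                    printf '%s\n' "$verify" >&2
                fi
            fi

            # Generate new self signed certificate
            if [ ! -f "${!ssl_crt}" ] ; then
                mkdir -p "$(dirname "${!ssl_crt}")"
                openssl req -new -x509 -days 365 -set_serial "$RANDOM" \
                    -key "${!ssl_key}" -out "${!ssl_crt}" <<EOF
--
State
City
Organization
$PLC_NAME Central
${!hostname}
$PLC_MAIL_SUPPORT_ADDRESS
EOF
                check
                chmod 644 "${!ssl_crt}"
            fi
        done

        # API requires a public key for slice ticket verification
        if [ ! -f "$PLC_API_SSL_KEY_PUB" ] ; then
            openssl rsa -pubout <"$PLC_API_SSL_KEY" >"$PLC_API_SSL_KEY_PUB"
            check
        fi

        # Install into both /etc/pki (Fedora Core 4) and
        # /etc/httpd/conf (Fedora Core 2). If the API, boot, and
        # web servers are all running on the same machine, the web
        # server certificate takes precedence (it is symlinked last).
        for server in API BOOT WWW ; do
            enabled=PLC_${server}_ENABLED
            if [ "${!enabled}" != "1" ] ; then
                continue
            fi
            ssl_key=PLC_${server}_SSL_KEY
            ssl_crt=PLC_${server}_SSL_CRT

            symlink "${!ssl_crt}" /etc/pki/tls/certs/localhost.crt
            symlink "${!ssl_key}" /etc/pki/tls/private/localhost.key
            symlink "${!ssl_crt}" /etc/httpd/conf/ssl.crt/server.crt
            symlink "${!ssl_key}" /etc/httpd/conf/ssl.key/server.key
        done

        result "$MESSAGE"
        ;;
esac

exit $ERRORS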