X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=plc.d%2Fssl;h=ddbfe8166640263ed201115ed3e1f1aa6673745a;hb=0780b094a2f0b24ec24f8156e0e3548f3c05373b;hp=e2c8c027f207b56759eb8a4f9d753afc85a0a042;hpb=629366505c7022d019a714c66affc9e1f10e9b55;p=myplc.git
diff --git a/plc.d/ssl b/plc.d/ssl
index e2c8c02..ddbfe81 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -1,14 +1,12 @@ #!/bin/bash # -# priority: 400 +# priority: 300 # # Generate SSL certificates # # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: ssl,v 1.10 2006/07/24 19:30:45 mlhuang Exp $ -# # Source function library and configuration . /etc/plc.d/functions
@@ -21,14 +19,16 @@ set -x ssl_cname () { openssl x509 -noout -in $1 -subject | \ - sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' + sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \ + lower } -# Print the emailAddress of an SSL certificate -ssl_email () +backup_file () { - openssl x509 -noout -in $1 -subject | \ - sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p' + filepath=$1 + filename=$(basename ${filepath}) + dir=$(dirname ${filepath}) + mv -f ${filepath} ${dir}/$(unknown)-`date +%Y-%m-%d-%H-%M-%S`.bak } # Verify a certificate. If invalid, generate a new self-signed
@@ -37,8 +37,7 @@ verify_or_generate_certificate() { crt=$1 key=$2 ca=$3 - cname=$4 - email=$5 + cname=$(lower $4) # If the CA certificate does not exist, assume that the # certificate is self-signed.
@@ -48,12 +47,12 @@ verify_or_generate_certificate() { if [ -f $crt ] ; then # Check if certificate is valid - verify=$(openssl verify -CAfile $ca $crt) - # Delete if invalid or if the subject has changed - if grep -q "error" <<<$verify || \ - [ "$(ssl_cname $crt)" != "$cname" ] || \ - [ "$(ssl_email $crt)" != "$email" ] ; then - rm -f $crt $ca + # Backup if invalid or if the subject has changed + if openssl verify -CAfile $ca $crt | grep -q "error" || \ + [ "$(ssl_cname $crt)" != "$cname" ] ; then + backup_file $crt + backup_file $ca + backup_file $key fi fi 
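Review bot: In backup_file, `$(unknown)` in the `mv -f` destination substitutes the output of a command named `unknown` (presumably empty on any normal host), while the `filename` computed on the line above is never used; the three backups taken within the same second therefore all land on `${dir}/-<timestamp>.bak` and each `mv -f` overwrites the previous one, so the moved-aside private key ends up replacing the certificate copy. The line almost certainly meant `mv -f "${filepath}" "${dir}/${filename}-$(date +%Y-%m-%d-%H-%M-%S).bak"`, and `filepath`, `filename` and `dir` should be declared `local` so they do not leak into the caller. Since the previous code deleted a superseded certificate and this version now keeps the old private key on disk, the function deserves a header comment stating that retention is intended, e.g. `# Move a file aside as <name>-<timestamp>.bak; superseded keys are kept, not deleted`. `lower`, used in ssl_cname, is not defined in this file and presumably comes from /etc/plc.d/functions sourced above.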
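Review bot: The validity test on the new `if openssl verify -CAfile $ca $crt | grep -q "error"` line decides by searching stdout for the word "error", so a missing openssl binary, a diagnostic that goes to stderr, or any unexpected output leaves the existing certificate accepted as valid; matching the positive result instead, `if ! openssl verify -CAfile $ca $crt 2>/dev/null | grep -q ': OK$' || \`, makes every failure mode fall through to regeneration. The three backup_file calls also assume $crt and $ca are distinct files; the self-signed comment just above the hunk suggests they may resolve to the same path, in which case the second call would act on a file that has already been moved. verify_or_generate_certificate begins and ends outside this hunk.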
@@ -63,9 +62,6 @@ verify_or_generate_certificate() { if [ -n "$cname" ] ; then subj="$subj/CN=$cname" fi - if [ -n "$email" ] ; then - subj="$subj/emailAddress=$email" - fi # Generate new self-signed certificate mkdir -p $(dirname $crt)
@@ -73,31 +69,41 @@ verify_or_generate_certificate() { -batch -subj "$subj" \ -nodes -keyout $key -out $crt check - chmod 644 $crt # The certificate it self-signed, so it is its own CA cp -a $crt $ca fi + + # Fix permissions + chmod 644 $crt $ca } case "$1" in start) - MESSAGE=$"Generating SSL certificates" - dialog "$MESSAGE" # Generate HTTPS certificates if necessary. We generate a # certificate for each enabled server with a different # hostname. These self-signed certificates may be overridden # later. - for server in WWW API BOOT ; do - ssl_key=PLC_${server}_SSL_KEY + MESSAGE=$"Generating SSL certificates for" + dialog "$MESSAGE" + + for server in WWW API BOOT MONITOR; do + eval "a=\$PLC_${server}_ENABLED" + echo $a + if [ "$a" -ne 1 ] ; then + echo "Skipping" + continue + fi + dialog "$server" + ssl_key=PLC_${server}_SSL_KEY ssl_crt=PLC_${server}_SSL_CRT ca_ssl_crt=PLC_${server}_CA_SSL_CRT hostname=PLC_${server}_HOST # Check if we have already generated a certificate for # the same hostname. - for previous_server in WWW API BOOT ; do + for previous_server in WWW API BOOT MONITOR; do if [ "$server" = "$previous_server" ] ; then break fi 
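Review bot: The enabled check added to the start) arm, `eval "a=\$PLC_${server}_ENABLED"` followed by `[ "$a" -ne 1 ]`, treats an unset or empty PLC_<server>_ENABLED as enabled: `[ "" -ne 1 ]` is an integer-expression error, the test evaluates false, and the loop proceeds to generate a certificate for that server, which is the opposite of the symlink loop at the end of the file that uses `[ "${!enabled}" != "1" ]`. The `echo $a` and `echo "Skipping"` lines read as leftover debugging output. Reusing the same indirect expansion here removes the eval and makes both loops agree. The case statement continues past the end of the hunk.
```shell
    for server in WWW API BOOT MONITOR; do
        enabled=PLC_${server}_ENABLED
        if [ "${!enabled}" != "1" ] ; then
            continue
        fi
        dialog "$server"
        # … unchanged: ssl_key/ssl_crt/ca_ssl_crt/hostname setup and duplicate-hostname check …
```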
@@ -124,20 +130,27 @@ case "$1" in # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot, # and web servers are all running on the same machine, the web # server certificate takes precedence. - for server in API BOOT WWW ; do + for server in API BOOT MONITOR WWW; do enabled=PLC_${server}_ENABLED if [ "${!enabled}" != "1" ] ; then continue fi ssl_key=PLC_${server}_SSL_KEY ssl_crt=PLC_${server}_SSL_CRT + ssl_ca_crt=PLC_${server}_CA_SSL_CRT symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt symlink ${!ssl_key} /etc/pki/tls/private/localhost.key + symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key done + # Ensure that the server-chain gets used, as it is off by + # default. + sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \ + /etc/httpd/conf.d/ssl.conf + result "$MESSAGE" ;; esac
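Review bot: The `sed -i` that uncomments SSLCertificateChainFile runs unconditionally, but /etc/pki/tls/certs/server-chain.crt is only symlinked inside the preceding loop for an enabled server; with none enabled the directive would point at a missing file and httpd would presumably refuse to start, and the edit also assumes the distribution's commented default names that exact path and that /etc/httpd/conf.d/ssl.conf exists (the Fedora Core 2 layout mentioned in the comment above keeps its config under /etc/httpd/conf). Guard it with `if [ -f /etc/httpd/conf.d/ssl.conf ] && [ -e /etc/pki/tls/certs/server-chain.crt ] ; then` around the sed, and pass the result through `check` like the other steps. The comment above the loop still lists only the API, boot and web servers; it should mention MONITOR now that it takes part in the precedence order.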