plc.d/ssl

   1 #!/bin/bash
   2 # $Id$
   3 # $URL$
   4 #
   5 # priority: 300
   6 #
   7 # Generate SSL certificates
   8 #
   9 # Mark Huang <mlhuang@cs.princeton.edu>
  10 # Copyright (C) 2006 The Trustees of Princeton University
  11 #
  12
  13 # Source function library and configuration
  14 . /etc/plc.d/functions
  15 . /etc/planetlab/plc_config
  16
  17 # Be verbose
  18 set -x
  19
  20 # Print the CNAME of an SSL certificate
  21 ssl_cname ()
  22 {
  23     openssl x509 -noout -in $1 -subject | \
  24         sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
  25         lower
  26 }
  27
  28 backup_file ()
  29 {
  30     filepath=$1
  31     filename=$(basename ${filepath})
  32     dir=$(dirname ${filepath})
  33     mv -f ${filepath} ${dir}/${filename}-`date +%Y-%m-%d-%H-%M-%S`.bak
  34 }
  35
  36 # Verify a certificate. If invalid, generate a new self-signed
  37 # certificate.
  38 verify_or_generate_certificate() {
  39     crt=$1
  40     key=$2
  41     ca=$3
  42     cname=$(lower $4)
  43
  44     # If the CA certificate does not exist, assume that the
  45     # certificate is self-signed.
  46     if [ ! -f $ca ] ; then
  47         cp -a $crt $ca
  48     fi
  49
  50     if [ -f $crt ] ; then
  51         # Check if certificate is valid
  52         verify=$(openssl verify -CAfile $ca $crt)
  53         # Backup if invalid or if the subject has changed
  54         if grep -q "error" <<<$verify || \
  55             [ "$(ssl_cname $crt)" != "$cname" ] ; then
  56             backup_file $crt
  57             backup_file $ca
  58             backup_file $key
  59         fi
  60     fi
  61
  62     if [ ! -f $crt ] ; then
  63         # Set subject
  64         subj=
  65         if [ -n "$cname" ] ; then
  66             subj="$subj/CN=$cname"
  67         fi
  68
  69         # Generate new self-signed certificate
  70         mkdir -p $(dirname $crt)
  71         openssl req -new -x509 -days 3650 -set_serial $RANDOM \
  72             -batch -subj "$subj" \
  73             -nodes -keyout $key -out $crt
  74         check
  75
  76         # The certificate it self-signed, so it is its own CA
  77         cp -a $crt $ca
  78     fi
  79
  80     # Fix permissions
  81     chmod 644 $crt $ca
  82 }
  83
  84 case "$1" in
  85     start)
  86
  87         # Generate HTTPS certificates if necessary. We generate a
  88         # certificate for each enabled server with a different
  89         # hostname. These self-signed certificates may be overridden
  90         # later.
  91         MESSAGE=$"Generating SSL certificates for"
  92         dialog "$MESSAGE"
  93
  94         for server in WWW API BOOT MONITOR; do
  95             eval "a=\$PLC_${server}_ENABLED"
  96             echo $a
  97             if [ "$a" -ne 1 ] ; then
  98                 echo "Skipping"
  99                 continue
 100             fi
 101             dialog "$server"
 102             ssl_key=PLC_${server}_SSL_KEY
 103             ssl_crt=PLC_${server}_SSL_CRT
 104             ca_ssl_crt=PLC_${server}_CA_SSL_CRT
 105             hostname=PLC_${server}_HOST
 106
 107             # Check if we have already generated a certificate for
 108             # the same hostname.
 109             for previous_server in WWW API BOOT MONITOR; do
 110                 if [ "$server" = "$previous_server" ] ; then
 111                     break
 112                 fi
 113                 previous_ssl_key=PLC_${previous_server}_SSL_KEY
 114                 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
 115                 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
 116                 previous_hostname=PLC_${previous_server}_HOST
 117
 118                 if [ -f ${!previous_ssl_crt} ] && \
 119                     [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
 120                     cp -a ${!previous_ssl_key} ${!ssl_key}
 121                     cp -a ${!previous_ssl_crt} ${!ssl_crt}
 122                     cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
 123                     break
 124                 fi
 125             done
 126
 127             verify_or_generate_certificate \
 128                 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
 129                 ${!hostname}
 130         done
 131
 132         # Install HTTPS certificates into both /etc/pki (Fedora Core
 133         # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
 134         # and web servers are all running on the same machine, the web
 135         # server certificate takes precedence.
 136         for server in API BOOT MONITOR WWW; do
 137             enabled=PLC_${server}_ENABLED
 138             if [ "${!enabled}" != "1" ] ; then
 139                 continue
 140             fi
 141             ssl_key=PLC_${server}_SSL_KEY
 142             ssl_crt=PLC_${server}_SSL_CRT
 143             ssl_ca_crt=PLC_${server}_CA_SSL_CRT
 144
 145             symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
 146             symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
 147             symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
 148             symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
 149             symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
 150         done
 151
 152         # Ensure that the server-chain gets used, as it is off by
 153         # default.
 154         sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
 155             /etc/httpd/conf.d/ssl.conf
 156
 157         result "$MESSAGE"
 158         ;;
 159 esac
 160
 161 exit $ERRORS