#!/bin/bash
#
-# priority: 400
+# priority: 300
#
# Generate SSL certificates
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: ssl,v 1.7 2006/06/28 21:34:18 mlhuang Exp $
-#
# Source function library and configuration
. /etc/plc.d/functions
ssl_cname ()
{
openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
+ sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
+ lower
}
-# Print the emailAddress of an SSL certificate
-ssl_email ()
+backup_file ()
{
- openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
+ filepath=$1
+ filename=$(basename ${filepath})
+ dir=$(dirname ${filepath})
+ mv -f ${filepath} ${dir}/${filename}-`date +%Y-%m-%d-%H-%M-%S`.bak
}
# Verify a certificate. If invalid, generate a new self-signed
crt=$1
key=$2
ca=$3
- cname=$4
- email=$5
+ cname=$(lower $4)
+
+ # If the CA certificate does not exist, assume that the
+ # certificate is self-signed.
+ if [ ! -f $ca ] ; then
+ cp -a $crt $ca
+ fi
if [ -f $crt ] ; then
# Check if certificate is valid
- verify=$(openssl verify -CAfile $ca $crt)
- # Delete if invalid or if the subject has changed
- if grep -q "error" <<<$verify || \
- [ "$(ssl_cname $crt)" != "$cname" ] || \
- [ "$(ssl_email $crt)" != "$email" ] ; then
- rm -f $crt $ca
+ # Backup if invalid or if the subject has changed
+ if openssl verify -CAfile $ca $crt | grep -q "error" || \
+ [ "$(ssl_cname $crt)" != "$cname" ] ; then
+ backup_file $crt
+ backup_file $ca
+ backup_file $key
fi
fi
if [ -n "$cname" ] ; then
subj="$subj/CN=$cname"
fi
- if [ -n "$email" ] ; then
- subj="$subj/emailAddress=$email"
- fi
# Generate new self-signed certificate
mkdir -p $(dirname $crt)
-batch -subj "$subj" \
-nodes -keyout $key -out $crt
check
- chmod 644 $crt
- fi
- if [ ! -f $ca ] ; then
- # The certificate it self-signed, so it is its own CA
+ # The certificate it self-signed, so it is its own CA
cp -a $crt $ca
fi
+
+ # Fix permissions
+ chmod 644 $crt $ca
}
case "$1" in
start)
- MESSAGE=$"Generating SSL certificates"
- dialog "$MESSAGE"
-
- # Verify or generate MA/SA certificate if necessary. This
- # self-signed certificate may be overridden later.
- verify_or_generate_certificate \
- $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
- "$PLC_NAME Management and Slice Authority" \
- $PLC_MAIL_SUPPORT_ADDRESS
-
- # Make MA/SA key readable by apache so that the API can sign
- # certificates
- chown apache $PLC_MA_SA_SSL_KEY
- chmod 600 $PLC_MA_SA_SSL_KEY
-
- # Extract the public key of the root CA (if any) that signed
- # the MA/SA certificate.
- openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
- check
- chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
# Generate HTTPS certificates if necessary. We generate a
# certificate for each enabled server with a different
# hostname. These self-signed certificates may be overridden
# later.
- for server in WWW API BOOT ; do
- ssl_key=PLC_${server}_SSL_KEY
+ MESSAGE=$"Generating SSL certificates for"
+ dialog "$MESSAGE"
+
+ for server in WWW API BOOT MONITOR; do
+ eval "a=\$PLC_${server}_ENABLED"
+ echo $a
+ if [ "$a" -ne 1 ] ; then
+ echo "Skipping"
+ continue
+ fi
+ dialog "$server"
+ ssl_key=PLC_${server}_SSL_KEY
ssl_crt=PLC_${server}_SSL_CRT
ca_ssl_crt=PLC_${server}_CA_SSL_CRT
hostname=PLC_${server}_HOST
# Check if we have already generated a certificate for
# the same hostname.
- for previous_server in WWW API BOOT ; do
+ for previous_server in WWW API BOOT MONITOR; do
if [ "$server" = "$previous_server" ] ; then
break
fi
verify_or_generate_certificate \
${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
- ${!hostname} $PLC_MAIL_SUPPORT_ADDRESS
-
+ ${!hostname}
done
# Install HTTPS certificates into both /etc/pki (Fedora Core
# 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
# and web servers are all running on the same machine, the web
# server certificate takes precedence.
- for server in API BOOT WWW ; do
+ for server in API BOOT MONITOR WWW; do
enabled=PLC_${server}_ENABLED
if [ "${!enabled}" != "1" ] ; then
continue
fi
ssl_key=PLC_${server}_SSL_KEY
ssl_crt=PLC_${server}_SSL_CRT
+ ssl_ca_crt=PLC_${server}_CA_SSL_CRT
symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
+ symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
done
+ # Ensure that the server-chain gets used, as it is off by
+ # default.
+ sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
+ /etc/httpd/conf.d/ssl.conf
+
result "$MESSAGE"
;;
esac
git://git.onelab.eu / myplc.git / blobdiff