[debian-edu-commits] debian-edu/ 01/02: Use trusted SSL/TLS secured connections in the internal network.

Wolfgang Schweer schweer-guest at moszumanska.debian.org
Tue Nov 28 20:41:22 UTC 2017


This is an automated email from the git hooks/post-receive script.

schweer-guest pushed a commit to branch master
in repository debian-edu-config.

commit fa9506be933dc897929323b94d56529f2ae116f7
Author: Wolfgang Schweer <wschweer at arcor.de>
Date:   Tue Nov 28 21:30:01 2017 +0100

    Use trusted SSL/TLS secured connections in the internal network.
    
    Create a Debian Edu rootCA certificate and a signed certificate that can
    be used for Apache, Cups, Exim and Dovecot. Firefox ESR, Chromium, Konqueror
    and Thunderbird will be configured accordingly so that users will no longer be
    bothered with certificate issues.
    - Add 'share/debian-edu-config/tools/create-debian-edu-certs'
      along with the configuration files for the rootCA certificate:
      + share/debian-edu-config/sslCA.cnf
      + share/debian-edu-config/v3CA.cnf
      and the server certificate:
      + share/debian-edu-config/ssl.cnf
      +	share/debian-edu-config/v3.cnf
    - Add 'share/debian-edu-config/tools/update-cert-dbs', a tool allowing
      to create/update nssdb files in the users' home directories (old style
      dbm ones for Firefox/Thunderbird and newer sql ones for Chromium,
      Konqueror and maybe other applications).
    - Add empty directories to /etc/skel as required places for the nssdb
      files in the users' home directories (via debian/dirs):
      + etc/skel/.pki/nssdb
      + etc/skel/.thunderbird/debian-edu.default
    - Add cfengine configuration files to configure the skeleton directories:
      + cf/cf.pki
      + cf/cf.thunderbird
    - Adjust related cfengine configuration files:
      + cf/cf.apache2
      + cf/cf.chromium
      + cf/cf.cups
      + cf/cf.exim
      + cf/cf.firefox-esr
      + cf/cf.imap
      + cf/cf.ldapserver
      + cf/cfengine.conf
    - Adjust related configuration files and tools:
      + etc/apache2/sites-available/debian-edu-ssl-default.conf
      + etc/exim4/exim-ldap-server-v4.conf
      + share/debian-edu-config/tools/update-firefox-homepage
      + share/debian-edu-config/tools/update-chromium-homepage
    - Remove no longer needed tools:
      + share/debian-edu-config/tools/exim4-create-cert
      + sbin/snakeoil-on-ice (now that cert_override.txt is obsolete)
    - Make sure user accounts created using GOsa² get the nssdb files:
      + Adjust the 'share/debian-edu-config/tools/gosa-create' tool.
    - Make sure the special first user account is generated with trusted
      certificates configured:
      + Adjust the 'ldap-tools/ldap-debian-edu-install' script.
    - Adjust debian/debian-edu-config.postinst and Makefile.
---
 Makefile                                           | 11 ++-
 cf/cf.apache2                                      |  5 +-
 cf/cf.chromium                                     | 11 ++-
 cf/cf.cups                                         |  4 ++
 cf/cf.exim                                         |  1 -
 cf/cf.firefox-esr                                  |  9 ---
 cf/cf.imap                                         |  9 +++
 cf/cf.ldapserver                                   |  3 +-
 cf/cf.pki                                          |  8 +++
 cf/cf.thunderbird                                  | 23 ++++++
 cf/cfengine.conf                                   |  3 +
 debian/debian-edu-config.postinst                  |  9 +++
 debian/dirs                                        |  2 +
 .../sites-available/debian-edu-ssl-default.conf    |  4 +-
 etc/exim4/exim-ldap-server-v4.conf                 |  5 +-
 ldap-tools/ldap-debian-edu-install                 |  9 +++
 sbin/snakeoil-on-ice                               | 83 ----------------------
 share/debian-edu-config/ssl.cnf                    | 13 ++++
 share/debian-edu-config/sslCA.cnf                  | 13 ++++
 .../tools/create-debian-edu-certs                  | 71 ++++++++++++++++++
 share/debian-edu-config/tools/exim4-create-cert    | 23 ------
 share/debian-edu-config/tools/gosa-create          | 15 ++--
 share/debian-edu-config/tools/update-cert-dbs      | 21 ++++++
 .../tools/update-chromium-homepage                 |  6 +-
 .../tools/update-firefox-homepage                  |  2 +-
 share/debian-edu-config/v3.cnf                     | 19 +++++
 share/debian-edu-config/v3CA.cnf                   |  9 +++
 27 files changed, 249 insertions(+), 142 deletions(-)

diff --git a/Makefile b/Makefile
index c4b3b4d..ab54b16 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,6 @@ SPROGS = cfengine-debian-edu \
 	debian-edu-restart-services \
 	debian-edu-test-install \
 	debian-edu-update-netblock \
-	snakeoil-on-ice \
 	update-hostname-from-ip
 
 INSTALL     = install -D -p -m 755
@@ -42,6 +41,7 @@ CFFILES = \
 	cf.apache2 \
 	cf.apt \
 	cf.cfengine \
+	cf.chromium \
 	cf.cups \
 	cf.dhcpserver \
 	cf.exim \
@@ -59,11 +59,13 @@ CFFILES = \
 	cf.fstab \
 	cf.nagios3 \
 	cf.ntp \
+	cf.pki \
 	cf.samba \
 	cf.squid \
 	cf.syslog \
 	cf.sysstat \
 	cf.testsetup \
+	cf.thunderbird \
 	cfd.conf \
 	cfengine.conf
 
@@ -344,6 +346,7 @@ install: install-testsuite
 		share/debian-edu-config/d-i/finish-install \
 		share/debian-edu-config/d-i/pre-pkgsel \
 		share/debian-edu-config/tools/passwd \
+		share/debian-edu-config/tools/create-debian-edu-certs \
 		share/debian-edu-config/tools/cups-queue-autoflush \
 		share/debian-edu-config/tools/cups-queue-autoreenable \
 		share/debian-edu-config/tools/debian-edu-bless \
@@ -385,12 +388,12 @@ install: install-testsuite
 		share/debian-edu-config/tools/sssd-generate-config \
 		share/debian-edu-config/tools/squid-update-cachedir \
 		share/debian-edu-config/tools/subnet-change \
+		share/debian-edu-config/tools/update-cert-dbs \
 		share/debian-edu-config/tools/update-firefox-homepage \
 		share/debian-edu-config/tools/update-chromium-homepage \
 		share/debian-edu-config/tools/update-proxy-from-wpad \
 		share/debian-edu-config/tools/wpad-extract \
 		share/debian-edu-config/tools/ldap-server-getcert \
-		share/debian-edu-config/tools/exim4-create-cert \
 		share/debian-edu-config/tools/exim4-create-environment \
 		share/debian-edu-config/ltspfs-mounter-kde \
 		share/ltsp/get-ldap-ltsp-config \
@@ -445,6 +448,10 @@ install: install-testsuite
 		share/debian-edu-config/rsyslog-collector \
 		share/debian-edu-config/firefox-networked-prefs.js \
 		share/debian-edu-config/squid.conf \
+		share/debian-edu-config/ssl.cnf \
+		share/debian-edu-config/sslCA.cnf \
+		share/debian-edu-config/v3.cnf \
+		share/debian-edu-config/v3CA.cnf \
 		share/pam-configs/edu-group \
 		share/pam-configs/edu-umask \
 		share/perl5/Debian/Edu.pm \
diff --git a/cf/cf.apache2 b/cf/cf.apache2
index 9b5191a..8e83052 100644
--- a/cf/cf.apache2
+++ b/cf/cf.apache2
@@ -5,8 +5,9 @@ links:
 
 shellcommands:
   debian.server.installation::
-      # Generate the snakeoil selfsigned certificate using the make-ssl-cert tool
-      "/usr/sbin/make-ssl-cert generate-default-snakeoil"
+      # Generate certificates and keys (rootCA and multipurpose server) using
+      # the create-debian-edu-certs tool.
+      "/usr/share/debian-edu-config/tools/create-debian-edu-certs"
       # Disable default userdir.
       "/usr/sbin/a2dismod userdir"
       # Enabling debian-edu-userdir; create a directory ~/public_html
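Review bot: `create-debian-edu-certs` runs only on `debian.server.installation`, and the only system-wide trust it installs is the `update-ca-certificates` call on that same host; nothing in this diff places `Debian-Edu_rootCA.crt` into the OpenSSL/GnuTLS trust store of workstations, LTSP servers or thin clients, so non-NSS clients there (curl, wget, apt over https, python) will presumably still fail to verify `https://www`. If the CA is meant to be trusted network-wide, a comment here noting how other hosts obtain it, or a cfengine rule that fetches it into `/usr/local/share/ca-certificates/` and runs `update-ca-certificates` on every profile, would close that gap. The tool is also invoked on every cfengine run and is idempotent only because of its own existence check, which is worth stating here: `# Idempotent: the tool only generates keys when the CA is absent.`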
diff --git a/cf/cf.chromium b/cf/cf.chromium
index 11d1903..1b484df 100644
--- a/cf/cf.chromium
+++ b/cf/cf.chromium
@@ -1,9 +1,8 @@
-#
-# Change default Chromium homepage. Standalone machines get our project page,
-# while school machines get the school start page from LDAP.
-# The clients using LDAP also update the pages at boot.
-
-debian.installation.standalone::
+shellcommands:
+	# Change default Chromium homepage. Standalone machines get our project page,
+	# while school machines get the school start page from LDAP.
+	# The clients using LDAP also update the pages at boot.
+	debian.installation.standalone::
 	"/usr/share/debian-edu-config/tools/update-chromium-homepage http\://www.skolelinux.org/"
 	debian.installation.!standalone::
 		"/usr/share/debian-edu-config/tools/update-chromium-homepage ldap\:homepage"
diff --git a/cf/cf.cups b/cf/cf.cups
index 612c699..33a31c2 100644
--- a/cf/cf.cups
+++ b/cf/cf.cups
@@ -4,3 +4,7 @@ links:
 
     /etc/cups/cupsd.conf ->! /etc/cups/cupsd-debian-edu.conf
     /etc/cups/cups-files.conf ->! /etc/cups/cups-files-debian-edu.conf
+    /etc/cups/ssl/tjener.intern.crt ->! /etc/ssl/certs/debian-edu-server.crt
+		nofile=force
+    /etc/cups/ssl/tjener.intern.key ->! /etc/ssl/private/debian-edu-server.key
+		nofile=force
diff --git a/cf/cf.exim b/cf/cf.exim
index 25f278a..7ac5a7b 100644
--- a/cf/cf.exim
+++ b/cf/cf.exim
@@ -18,7 +18,6 @@ shellcommands:
 
   debian.server.installation.fifthpass::
 
-  "/usr/share/debian-edu-config/tools/exim4-create-cert"
   "/usr/share/debian-edu-config/tools/exim4-create-environment"
 
   debian.installation::
diff --git a/cf/cf.firefox-esr b/cf/cf.firefox-esr
index cd70a4e..dff63ea 100644
--- a/cf/cf.firefox-esr
+++ b/cf/cf.firefox-esr
@@ -16,15 +16,6 @@ shellcommands:
 		"/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini Profile0 IsRelative 1"
 		"/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini Profile0 Path debian-edu.default"
 
-	# On main server try to assure this is envoked after apache is
-	# configured and the new certificate is created by mkslapdcert
-	# (firstpass).
-	debian.installation.(!standalone.!server.!ltspclient|server.secondpass)::
-		# Under certain conditions if ssl server doesn't reply
-		# it may wait forever, so limit the time it allowed to
-		# run.
-		'/usr/sbin/snakeoil-on-ice' timeout=5
-
 	# Change default start page.  Standalone machines get our project page,
 	# while school machines get the school start page from LDAP.
 	# The clients using LDAP also update the pages at boot.
diff --git a/cf/cf.imap b/cf/cf.imap
index 56fd94a..f7dd92e 100644
--- a/cf/cf.imap
+++ b/cf/cf.imap
@@ -6,3 +6,12 @@ shellcommands:
     # warning message: ,,This message goes away after the first successful login.''
     "/usr/bin/touch /var/lib/dovecot/auth-success"
 
+links:
+
+  debian.installation::
+
+    /etc/dovecot/private/dovecot.pem ->! /etc/ssl/certs/debian-edu-server.crt
+		nofile=force
+    /etc/dovecot/private/dovecot.key ->! /etc/ssl/private/debian-edu-server.key
+		nofile=force
+
diff --git a/cf/cf.ldapserver b/cf/cf.ldapserver
index 948278d..3fe1775 100644
--- a/cf/cf.ldapserver
+++ b/cf/cf.ldapserver
@@ -53,6 +53,5 @@ shellcommands:
     "/bin/chown openldap\:openldap /etc/ldap/ssl/slapd-cert.cnf"
     # Need load the initial LDAP database, using the new slapd.conf.
     # The Kerberos KDC is set up within this script too.  Need to
-    # run after the apache ssl certs are copied to /etc/skel/ to
-    # make sure the new LDAP user have the certificate overrides.
+    # run after the ssl certs are made available (cf.apache2).
     "/usr/bin/ldap-debian-edu-install"
diff --git a/cf/cf.pki b/cf/cf.pki
new file mode 100644
index 0000000..0ea3a7f
--- /dev/null
+++ b/cf/cf.pki
@@ -0,0 +1,8 @@
+#
+# Make sure the pki store directory has proper rights.
+#
+directories:
+	# Check file system is prepared for inclusion in new users home directories.
+	debian.installation.server::
+		/etc/skel/.pki/nssdb mode=700 owner=root group=root
+
diff --git a/cf/cf.thunderbird b/cf/cf.thunderbird
new file mode 100644
index 0000000..a5c0ef5
--- /dev/null
+++ b/cf/cf.thunderbird
@@ -0,0 +1,23 @@
+#
+# Allow create/update certificate and key dbs for Thunderbird.
+#
+# On main server use /etc/skel/ to create a default profile for new
+# users in case they start Thunderbird the first time.
+directories:
+	# Check file system is prepared for inclusion in new users home directories.
+	debian.installation.server::
+		/etc/skel/.thunderbird/debian-edu.default mode=755 owner=root group=root
+
+shellcommands:
+	# Enable the default profile.
+	debian.installation.server::
+		"/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini General StartWithLastProfile 1"
+		"/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 Name default"
+		"/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 IsRelative 1"
+		"/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 Path debian-edu.default"
+
+files:
+	# Ensure the profiles file is readable.
+	debian.installation.server.secondpass::
+		/etc/skel/.thunderbird/profiles.ini mode=a+r act=fixall
+
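Review bot: The Thunderbird profile skeleton is created with `mode=755`, whereas the sibling `cf.pki` uses `mode=700` for `.pki/nssdb`; the mode set here is what each new user's `~/.thunderbird/debian-edu.default` inherits, and that directory will hold the cert/key databases and whatever else Thunderbird writes into its profile. Unless home directories on home0 are known to be non-traversable by other users (not visible here), `/etc/skel/.thunderbird/debian-edu.default mode=700 owner=root group=root` is the safer default and matches cf.pki.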
diff --git a/cf/cfengine.conf b/cf/cfengine.conf
index 14149a9..50b1be1 100644
--- a/cf/cfengine.conf
+++ b/cf/cfengine.conf
@@ -97,6 +97,7 @@ import:
 	debian.installation::
 
 			cf.apt
+			cf.chromium
 			cf.cups
 			cf.dhcpserver
 			cf.exim
@@ -118,9 +119,11 @@ import:
 			cf.apache2
 			cf.nagios3
 			cf.bind
+			cf.pki
 			cf.samba
 			cf.squid
 			cf.sysstat
+			cf.thunderbird
 
 	debian.ltspserver.installation::
 			cf.ltsp
diff --git a/debian/debian-edu-config.postinst b/debian/debian-edu-config.postinst
index 928b402..ea32648 100644
--- a/debian/debian-edu-config.postinst
+++ b/debian/debian-edu-config.postinst
@@ -136,6 +136,15 @@ configure)
 	rm /usr/share/debian-edu-config/tools/debian-edu-dovecot-create-cert
     fi
 
+    if dpkg --compare-versions "$2" le "1.939" ; then
+        if [ -f /usr/share/debian-edu-config/tools/exim4-create-cert ] ; then
+	    rm /usr/share/debian-edu-config/tools/exim4-create-cert
+        fi
+        if [ -f /usr/sbin/snakeoil-on-ice ] ; then
+	    rm /usr/sbin/snakeoil-on-ice
+        fi
+    fi
+
     if dpkg --compare-versions "$2" le "1.929" && dpkg --compare-versions "$2" ge "1.926" && \
         egrep -q "(Main-Server)" /etc/debian-edu/config ; then
 	rm /etc/apache2/mods-available/userdir.load
diff --git a/debian/dirs b/debian/dirs
index bc51f75..65bb07d 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -19,6 +19,8 @@ etc/samba/netlogon
 etc/slbackup/pre.d
 etc/slbackup-php
 etc/skel/.local/share
+etc/skel/.pki/nssdb
+etc/skel/.thunderbird/debian-edu.default
 etc/X11/Xsession.d
 usr/bin
 usr/share/debian-edu-config/tools
diff --git a/etc/apache2/sites-available/debian-edu-ssl-default.conf b/etc/apache2/sites-available/debian-edu-ssl-default.conf
index cfcd0a8..8ad51f5 100644
--- a/etc/apache2/sites-available/debian-edu-ssl-default.conf
+++ b/etc/apache2/sites-available/debian-edu-ssl-default.conf
@@ -1,8 +1,8 @@
 <VirtualHost *:443>
 
 	SSLEngine on
-        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
-        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+        SSLCertificateFile /etc/ssl/certs/debian-edu-server.crt
+        SSLCertificateKeyFile /etc/ssl/private/debian-edu-server.key
 
 	ServerName www
 	ServerAdmin webmaster at postoffice.intern
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index e98b932..65967c8 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -15,8 +15,9 @@
 ##
 keep_environment = KRB5_KTNAME : PWD : ^LDAP
 tls_advertise_hosts = *
-tls_certificate = /etc/exim4/exim.crt
-tls_privatekey = /etc/exim4/exim.key
+tls_certificate = /etc/ssl/certs/debian-edu-server.crt
+tls_privatekey = /etc/ssl/private/debian-edu-server.key
+
 daemon_smtp_ports = 25 : 587
 
 KRB5_KTNAME= /etc/krb5.keytab.smtp
diff --git a/ldap-tools/ldap-debian-edu-install b/ldap-tools/ldap-debian-edu-install
index ec27aed..80cd54a 100755
--- a/ldap-tools/ldap-debian-edu-install
+++ b/ldap-tools/ldap-debian-edu-install
@@ -587,6 +587,15 @@ if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
   service slapd start
 fi
 
+# Create both dbm and sql nssdb files for first user.
+if [ -x /usr/bin/certutil ] ; then
+  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+  certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+  chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+  echo "info: created dbm and sql nssdb files for first-user"
+fi
+
 #$MTAINIT start
 
 ## restart Kerberos KDC and admin server:
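Review bot: `chown -R 1000:1000` hard-codes the first user's uid/gid instead of deriving it from `$FIRSTUSERNAME`, so if the first account is ever created with a different id, the nssdb files and everything else under the home end up owned by the wrong user; the name is known here, so `chown -R "$FIRSTUSERNAME": "/skole/tjener/home0/$FIRSTUSERNAME"` (or an id looked up via `getent passwd`, if name resolution is already available once slapd has been restarted just above) is the safer form. The three `certutil -A` results are also unchecked and the "created" message prints regardless; at minimum append `|| echo "warning: certutil import failed" >&2` to each call so a failed import is visible in the install log.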
diff --git a/sbin/snakeoil-on-ice b/sbin/snakeoil-on-ice
deleted file mode 100755
index bc8529a..0000000
--- a/sbin/snakeoil-on-ice
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/bin/bash
-#
-# Set up Firefox to accept the default ssl certificate created by debian-edu-config
-# for new users.
-#
-# Author: Oded Naveh
-# Date:   03-06-2009
-#
-# TODO:
-# Update existing profiles and users?
-# Figure out how to calculate the last field of the override string.
-#			(hint: the database key obtained from NSS).
-
-
-set -e
-. /etc/debian-edu/config	# get Debian-Edu PROFILE
-
-echo "info: Running $0"
-
-
-# On main server read local certificate
-
-if [[ $PROFILE =~ Main-Server ]]; then
-    :
-else
-    echo 'Not running on main server; exiting'
-    exit 1;
-fi
-
-CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem;
-SERVERS='www:443 www:631 backup:443'
-
-# The override entries will go into cert_override.txt in the skel directory.
-# This override file will be copied to the firefox profile for new users.
-# If users create another profile they'll have to do it themselves.
-
-OVERRIDE_FILE=/tmp/cert_override.txt
-SED_SERVERS=$(echo $SERVERS | sed 's/ /\\|/g')
-FINGERPRINT=$(openssl x509 -in $CERT -noout -sha256 -fingerprint | sed 's/SHA256 Fingerprint=//')
-OVERRIDE_STRING="OID.2.16.840.1.101.3.4.2.1	$FINGERPRINT	MU	AAAAAAAAAAAAAAAJAAAAGgDgwHd5q3rzhTAYMRYwFAYDVQQDEw10amVuZXIuaW50  ZXJu"	# Bogus database key (A.*Ju)
-
-echo -e '# PSM Certificate Override Settings file\n# This is a generated file!  Do not edit.\n' > $OVERRIDE_FILE;
-
-for server in $SERVERS ; do
-    echo "$server	$OVERRIDE_STRING" >> $OVERRIDE_FILE;
-done
-
-chmod a+r $OVERRIDE_FILE
-
-if [[ $PROFILE =~ Main-Server ]]; then
-	TEMPLATE_DIR=/etc/skel/.mozilla/firefox
-	TEMPLATE_PROF=$TEMPLATE_DIR/debian-edu.default
-
-# Check/copy the override file.
-
-[ -d $TEMPLATE_PROF ] || mkdir -p $TEMPLATE_PROF
-rm -f $TEMPLATE_PROF/cert_override.txt
-cp $OVERRIDE_FILE $TEMPLATE_PROF/cert_override.txt
-chmod a+r $TEMPLATE_PROF/cert_override.txt
-echo "info: $TEMPLATE_PROF/cert_override.txt generated"
-
-# Check/make access to the profile enabled in profiles.ini.
-
-	if ! (grep -q 'Path=debian-edu.default' $TEMPLATE_DIR/profiles.ini); then
-		if [ -f $TEMPLATE_DIR/profiles.ini ]; then
-			cp --backup=numbered $TEMPLATE_DIR/profiles.ini /var/backups/profiles.ini
-			echo -e "Found old $TEMPLATE_DIR/profiles.ini,"\
-				"\n\tcreated versioned backup in /var/backups/profiles.ini.x.";
-		else
-			echo -e '[General]\nStartWithLastProfile=1' > $TEMPLATE_DIR/profiles.ini;
-		fi
-
-		echo -e '[ProfileX]\nName=DebEdu\nIsRelative=1\nPath=debian-edu.default\n' \
-		| awk '/^\[Profile.*]$/{sub(/e.*/,"e"i++"]")} {print}' $TEMPLATE_DIR/profiles.ini - \
-		> $TEMPLATE_DIR/profiles.tmp;
-
-		mv -f $TEMPLATE_DIR/profiles.tmp $TEMPLATE_DIR/profiles.ini;
-
-	fi;
-fi
-
-# Cleanup
-rm $OVERRIDE_FILE 
diff --git a/share/debian-edu-config/ssl.cnf b/share/debian-edu-config/ssl.cnf
new file mode 100644
index 0000000..db1ceb5
--- /dev/null
+++ b/share/debian-edu-config/ssl.cnf
@@ -0,0 +1,13 @@
+[req]
+default_bits = 2048
+prompt = no
+distinguished_name = dn
+
+[dn]
+countryName			= NO
+stateOrProvinceName		= Intern
+localityName			= Debian Edu Network
+0.organizationName		= Debian Edu
+organizationalUnitName		= Administration
+commonName			= www.intern
+emailAddress			= postmaster at postoffice.intern
diff --git a/share/debian-edu-config/sslCA.cnf b/share/debian-edu-config/sslCA.cnf
new file mode 100644
index 0000000..c96f00a
--- /dev/null
+++ b/share/debian-edu-config/sslCA.cnf
@@ -0,0 +1,13 @@
+[req]
+default_bits = 2048
+prompt = no
+distinguished_name = dn
+
+[dn]
+countryName			= NO
+stateOrProvinceName		= Intern
+localityName			= Debian Edu Network
+0.organizationName		= Debian Edu
+organizationalUnitName		= Debian Edu RootCA
+commonName			= www.intern
+emailAddress			= postmaster at postoffice.intern
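Review bot: The CA's `commonName` is `www.intern`, identical to the server certificate's CN in ssl.cnf, so in a browser's certificate manager the root and the leaf differ only by OU and are easy to confuse; a root CA's subject should name the CA, e.g. `commonName = Debian Edu Root CA`, and the `emailAddress` attribute has no role on a CA and can be dropped. This matters for the `certutil -n DebianEdu` imports as well, since a distinctive CN is what users will see when inspecting the trusted entry.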
diff --git a/share/debian-edu-config/tools/create-debian-edu-certs b/share/debian-edu-config/tools/create-debian-edu-certs
new file mode 100755
index 0000000..ebfa328
--- /dev/null
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# Create Debian Edu CA key and certificate as well as
+# multi-purpose server (web, mail, cups) key and certificate.
+#
+
+set -e
+
+# usage
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
+cat <<EOF
+
+Usage information:
+Call $0 with param '--force-overwrite' to generate new keys
+and certificates.
+Used configuration files: /usr/share-debian-edu-config/*.cnf
+
+EOF
+    exit 0
+fi
+
+TMP=$(mktemp -d)
+SSL_CA_CONF="/usr/share/debian-edu-config/sslCA.cnf"
+V3_CA_CONF="/usr/share/debian-edu-config/v3CA.cnf"
+SSL_CONF="/usr/share/debian-edu-config/ssl.cnf"
+V3_CONF="/usr/share/debian-edu-config/v3.cnf"
+CERT_DIR="/etc/ssl/certs"
+KEY_DIR="/etc/ssl/private"
+CA_CERT="$CERT_DIR/Debian-Edu_rootCA.crt"
+CA_KEY="$KEY_DIR/Debian-Edu_rootCA.key"
+SERVER_CERT="$CERT_DIR/debian-edu-server.crt"
+SERVER_KEY="$KEY_DIR/debian-edu-server.key"
+
+generate() {
+    # Generate Debian Edu root CA private key.
+    openssl genrsa -out $CA_KEY 2048
+    # Request rootCA certificate.
+    openssl req -x509 -new -nodes -key $CA_KEY -days 3650 -out $CA_CERT -config $SSL_CA_CONF
+    # Request web server key.
+    openssl req -new -nodes -out $TMP/server.csr -newkey rsa:2048 -keyout $SERVER_KEY -config $SSL_CA_CONF
+    # Request web server certificate.
+    openssl x509 -req -in $TMP/server.csr -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SERVER_CERT -days 3650 -extfile $V3_CONF
+    # Adjust owner and rights.
+    chown root.ssl-cert /etc/ssl/private/Debian-Edu_rootCA.key
+    chown root.ssl-cert /etc/ssl/private/debian-edu-server.key
+    chmod 644 /etc/ssl/certs/debian-edu-server.crt
+    chmod 644 /etc/ssl/certs/Debian-Edu_rootCA.crt
+    chmod 640 /etc/ssl/private/debian-edu-server.key
+    chmod 640 /etc/ssl/private/Debian-Edu_rootCA.key
+    logger -t create-debian-edu-certs "rootCA and server certs generated"
+    # Enable Debian-exim to read key file.
+    usermod -a -G ssl-cert Debian-exim
+    # Add local trust for the created certificates.
+    /usr/sbin/update-ca-certificates
+    # Update dbm and sql certificate and key databases in homedirs.
+    /usr/share/debian-edu-config/tools/update-cert-dbs
+}
+
+if [ "$1" = "--force-overwrite" ] ; then
+    generate
+    service apache2 reload
+    service exim4 reload
+    service dovecot reload
+else
+    if [ ! -f $CA_CERT ] || [ ! -f $CA_KEY ]; then
+        generate
+    else
+        echo "Certificates and keys already exist, nothing to do!"
+        echo "Call $0 with param '--force-overwrite' if new ones should be generated."
+    fi
+fi
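Review bot: The root CA signing key gets the same exposure as the server key — `chown root.ssl-cert` and `chmod 640` on `Debian-Edu_rootCA.key` — and `usermod -a -G ssl-cert Debian-exim` then puts the mail daemon in that group, so a compromise of any ssl-cert member can read the key and mint certificates that every browser and mail client on the network will trust; only `debian-edu-server.key` needs group access, and the CA key should be root:root 0600, ideally created under `umask 077` so it is never world-readable even briefly. The server CSR is built with `-config $SSL_CA_CONF`, so the leaf carries the CA's DN including OU "Debian Edu RootCA", while `$SSL_CONF` and `$V3_CA_CONF` are assigned but never used — as written, the CA certificate from `openssl req -x509` receives none of the v3CA.cnf extensions, and a v3 root without basicConstraints CA:TRUE is likely to be rejected as an issuer by NSS, which is exactly the validator this commit targets. The rewrite below self-signs the CA through `x509 -req -signkey -extfile` so v3CA.cnf is honoured, uses ssl.cnf for the server request and narrows the CA key permissions. Two smaller points: the usage text says `/usr/share-debian-edu-config/*.cnf` (should be `/usr/share/debian-edu-config/*.cnf`), and `$TMP` from `mktemp -d` is never removed — add `trap 'rm -rf "$TMP"' EXIT` right after it is created.
```shell
generate() {
    # Keys are created with restrictive modes from the start; the explicit
    # chmod 644 below re-opens the public certificates only.
    umask 077
    # Generate Debian Edu root CA private key. It is used only by this
    # script, as root, so it must not be shared with the ssl-cert group.
    openssl genrsa -out "$CA_KEY" 2048
    # Self-sign the rootCA certificate with the extensions from v3CA.cnf
    # (basicConstraints etc.); 'req -x509 -config' alone applies none of them.
    openssl req -new -key "$CA_KEY" -out "$TMP/ca.csr" -config "$SSL_CA_CONF"
    openssl x509 -req -in "$TMP/ca.csr" -signkey "$CA_KEY" -days 3650 -extfile "$V3_CA_CONF" -out "$CA_CERT"
    # Request web server key with the server DN (ssl.cnf), not the CA DN.
    openssl req -new -nodes -out "$TMP/server.csr" -newkey rsa:2048 -keyout "$SERVER_KEY" -config "$SSL_CONF"
    # … unchanged: server certificate signing with -CA/-CAkey/-extfile $V3_CONF …
    # Adjust owner and rights: only the server key is shared with services.
    chown root:root "$CA_KEY"
    chmod 600 "$CA_KEY"
    chown root:ssl-cert "$SERVER_KEY"
    chmod 640 "$SERVER_KEY"
    chmod 644 "$SERVER_CERT" "$CA_CERT"
    # … unchanged: logger, usermod, update-ca-certificates, update-cert-dbs …
}
```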
diff --git a/share/debian-edu-config/tools/exim4-create-cert b/share/debian-edu-config/tools/exim4-create-cert
deleted file mode 100755
index 2fc1555..0000000
--- a/share/debian-edu-config/tools/exim4-create-cert
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-#
-# Create a self-signed certificate.
-# Taken in parts from a script by Andreas B. Mundt <andi at debian.org>.
-
-set -e
-
-TEMPLATE="/usr/share/ssl-cert/ssleay.cnf"
-CONF=$(mktemp)
-CERT="/etc/exim4/exim.crt"
-KEY="/etc/exim4/exim.key"
-
-if [ ! -f $CERT ] || [ ! -f $KEY ]; then
-    sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF
-    echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF
-    openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
-    chmod 640 $KEY $CERT $CONF
-    chown root:Debian-exim $KEY $CERT
-else
-    echo "$CERT and $KEY already exist, skipping!"
-fi
-
-rm $CONF
diff --git a/share/debian-edu-config/tools/gosa-create b/share/debian-edu-config/tools/gosa-create
index e8aba8e..9ea7073 100755
--- a/share/debian-edu-config/tools/gosa-create
+++ b/share/debian-edu-config/tools/gosa-create
@@ -38,21 +38,24 @@ while read KEY VALUE ; do
                 nscd -i passwd || true
                 nscd -i group || true
             fi
+	    certutil  -A -d dbm:$HOMEDIR/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+	    certutil  -A -d dbm:$HOMEDIR/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+	    certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+	    logger -t gosa-create -p notice Both dbm and sql nssdb files created in \'$HOMEDIR\'.
     	    chown -R $USERID:$GROUPID $HOMEDIR
 	    kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
-    	    logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created. 
-## send a welcome-email: 
+	    logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
+## send a welcome-email:
             cat << EOF | /usr/lib/sendmail $USERID
 Subject: Welcome to the mail-system
 
 Hello $USERNAME, 
 
-welcome to the mail-system. 
+welcome to the mail-system.
 
-Your userID is $USERID, and your email 
-address is:
+Your userID is $USERID, and your email address is:
 
-      $USERID at postoffice.intern
+    $USERID at postoffice.intern
 
 Regards,
 
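Review bot: The three `certutil -A` calls run as root into `$HOMEDIR` with no guard and no error handling, while the matching code in `ldap-debian-edu-install` in this same commit checks `[ -x /usr/bin/certutil ]` first; if libnss3-tools is missing, account creation here either aborts or silently continues without the trust entries, depending on whether the script runs under `set -e` (its header is outside this hunk, as is the enclosing `while read` loop). Wrap the three calls in the same `if [ -x /usr/bin/certutil ] ; then … fi` guard and quote `"$HOMEDIR"` in the `-d` arguments. Writing the databases as root before the `chown -R` is acceptable only because the home directory is presumably created fresh from /etc/skel just before this point; if an existing home can reach this branch, prefer running certutil as the new user the way `update-cert-dbs` does.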
diff --git a/share/debian-edu-config/tools/update-cert-dbs b/share/debian-edu-config/tools/update-cert-dbs
new file mode 100755
index 0000000..3ee4ca2
--- /dev/null
+++ b/share/debian-edu-config/tools/update-cert-dbs
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Update both dbm and sql type nssdb files in users' homedirs.
+#
+
+set -e
+
+BASE_HOME=/skole/tjener/home0
+for i in $(ls /skole/tjener/home0/ | grep -v lost+found) ; do
+    echo "$i"
+    if [ -d $BASE_HOME/$i/.mozilla/firefox/debian-edu.default ] ; then
+        su - $i sh -c 'certutil  -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+    fi
+    if [ -d $BASE_HOME/$i/.thunderbird/debian-edu.default ] ; then
+        su - $i sh -c 'certutil  -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+    fi
+    if [ -d $BASE_HOME/$i/.pki/nssdb ] ; then
+        su - $i sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+    fi
+    logger -t update-cert-dbs "updated both dbm and sql type nssdb files in homedirs"
+done
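Review bot: A single entry under `/skole/tjener/home0` that is not a usable account — a stale directory, a stray file, a user whose login shell is `nologin` — makes `su - $i sh -c …` fail, and with `set -e` that aborts the loop, leaving every remaining user's NSS database without the new CA. Iterating over `$(ls …)` also breaks on names containing spaces, and `logger` fires once per user while claiming all homedirs were updated. Running certutil as the user rather than as root is the right choice, since root should not follow paths under a user-controlled home; the rewrite keeps that, resolves the account first, uses `su -s /bin/sh` so the user's login shell and profile are not involved, and logs a warning per failed update instead of aborting.
```shell
BASE_HOME=/skole/tjener/home0
CA_CERT=/etc/ssl/certs/Debian-Edu_rootCA.crt

# Import the CA as the owner of the home directory ($1) into the nssdb
# given as $2 (dbm:/path or sql:/path); root never writes into user paths.
add_ca() {
    su -s /bin/sh -c "certutil -A -d '$2' -t 'CT,CT,' -n DebianEdu -i '$CA_CERT'" -- "$1" \
        || logger -t update-cert-dbs "warning: failed to update $2 for user $1"
}

for home in "$BASE_HOME"/*/ ; do
    user=$(basename "$home")
    [ "$user" = "lost+found" ] && continue
    # Skip directories that do not belong to a resolvable account.
    id "$user" >/dev/null 2>&1 || continue
    if [ -d "$home.mozilla/firefox/debian-edu.default" ] ; then
        add_ca "$user" "dbm:$home.mozilla/firefox/debian-edu.default/"
    fi
    if [ -d "$home.thunderbird/debian-edu.default" ] ; then
        add_ca "$user" "dbm:$home.thunderbird/debian-edu.default/"
    fi
    if [ -d "$home.pki/nssdb" ] ; then
        add_ca "$user" "sql:$home.pki/nssdb/"
    fi
done
logger -t update-cert-dbs "updated dbm and sql nssdb files in homedirs"
```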
diff --git a/share/debian-edu-config/tools/update-chromium-homepage b/share/debian-edu-config/tools/update-chromium-homepage
index d5c0df6..fc25261 100755
--- a/share/debian-edu-config/tools/update-chromium-homepage
+++ b/share/debian-edu-config/tools/update-chromium-homepage
@@ -15,7 +15,7 @@ if [ ldap:homepage = "$1" ] ; then
     fi
     url="$($GETDEFAULTHOMEPAGE || true)"
     if [ -z "$url" ] ; then # No LDAP available On main-server during installation
-        url="http://www/"
+        url="https://www/"
     fi
 else
     url="$1"
@@ -26,8 +26,8 @@ if [ -z "$url" ] || [ "about:blank" = "$url" ]; then
 else
     cat > $etcfile.new <<EOF
 {
-   "HomepageLocation": "http://www",
-   "homepage_is_newtabpage": false
+  "HomepageLocation" : "https://www",
+  "HomepageIsNewTabPage" : false
 }
 EOF
     chmod 644 $etcfile.new
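Review bot: `$url`, computed above from the LDAP lookup, is never used in the policy written here: the heredoc hardcodes `"HomepageLocation" : "https://www"`, so whatever homepage an admin configures in LDAP never reaches Chromium (the old `http://www` line behaved the same, so this may be intentional, but nothing in the visible part of the script uses `$url` beyond the emptiness check). If the LDAP value is meant to win, the line should be `"HomepageLocation" : "$url",`. Switching to https here is only correct once Chromium trusts the CA, i.e. after `update-cert-dbs` has populated `~/.pki/nssdb`; a short comment saying so would help whoever reorders the cfengine passes later.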
diff --git a/share/debian-edu-config/tools/update-firefox-homepage b/share/debian-edu-config/tools/update-firefox-homepage
index 5f3bfc6..462dcd6 100755
--- a/share/debian-edu-config/tools/update-firefox-homepage
+++ b/share/debian-edu-config/tools/update-firefox-homepage
@@ -15,7 +15,7 @@ if [ ldap:homepage = "$1" ] ; then
     fi
     url="$($GETDEFAULTHOMEPAGE || true)"
     if [ -z "$url" ] ; then # No LDAP available On main-server during installation
-        url="http://www/"
+        url="https://www/"
     fi
 else
     url="$1"
diff --git a/share/debian-edu-config/v3.cnf b/share/debian-edu-config/v3.cnf
new file mode 100644
index 0000000..f70db72
--- /dev/null
+++ b/share/debian-edu-config/v3.cnf
@@ -0,0 +1,19 @@
+# v3.ext
+authorityKeyIdentifier=keyid,issuer
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = www
+DNS.2 = www.intern
+DNS.3 = tjener
+DNS.4 = tjener.intern
+DNS.5 = backup
+DNS.6 = backup.intern
+DNS.7 = postoffice
+DNS.8 = postoffice.intern
+DNS.9 = dovecot
+DNS.10 = dovecot.intern
+DNS.11 = ipp
+DNS.12 = ipp.intern
+DNS.13 = sitesummary
+DNS.14 = sitesummary.intern
\ No newline at end of file
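Review bot: The leaf extensions stop at subjectAltName and an authorityKeyIdentifier; there is no `subjectKeyIdentifier = hash`, no `basicConstraints = CA:FALSE` and no key-usage constraint, so nothing in the certificate itself says it is an end-entity certificate for TLS servers. Adding `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` costs nothing and stops the server certificate from ever being accepted as an issuer, which matters here because its key is shared with several daemons through the ssl-cert group. The `# v3.ext` header is copied from v3CA.cnf, and the file is missing its final newline, which can trip tools that expect one; end the file with a newline.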
diff --git a/share/debian-edu-config/v3CA.cnf b/share/debian-edu-config/v3CA.cnf
new file mode 100644
index 0000000..fc52077
--- /dev/null
+++ b/share/debian-edu-config/v3CA.cnf
@@ -0,0 +1,9 @@
+# v3.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:True
+keyUsage = digitalSignature
+subjectAltName = @alt_names
+
+[alt_names]
+DNS = www
+
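Review bot: `keyUsage = digitalSignature` without `keyCertSign` is the wrong key usage for a CA certificate: when a keyUsage extension is present, validators such as NSS require keyCertSign on every issuer, so a root carrying this extension cannot sign the server certificate for the very browsers this commit configures. The file also lacks `subjectKeyIdentifier = hash`, without which the leaf's `authorityKeyIdentifier = keyid` has no key id to point at, `basicConstraints` is not marked critical, and a subjectAltName of `DNS = www` has no meaning on a CA and should be dropped. Since this CA only ever signs the one multipurpose server certificate, `pathlen:0` additionally prevents any intermediate from being chained under it. Note that `create-debian-edu-certs` in this same diff never passes this file to openssl, so these settings only take effect once that script is fixed to use it.
```ini
# v3CA.cnf: extensions for the self-signed Debian Edu root CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
```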
