[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.9-14-ga830313

Andreas B. Mundt andi at debian.org
Wed May 1 19:40:08 UTC 2013


The following commit has been merged in the master branch:
commit a8303134ba9b2e3bfd951343344a31e809033639
Author: Andreas B. Mundt <andi at debian.org>
Date:   Wed May 1 21:27:31 2013 +0200

    Rework the creation of self-signed certificates.
    
    Add 'subjectAltName=*' when appropriate and use common template for
    the config file.
    
    ToDo:  Import the certificates on the clients system-wide during
    installation, to get rid of warnings about untrusted services.

diff --git a/fai/config/files/etc/ldap/slapd.conf/GOSA b/fai/config/files/etc/ldap/slapd.conf/GOSA
index f6b66d4..5dae8c9 100644
--- a/fai/config/files/etc/ldap/slapd.conf/GOSA
+++ b/fai/config/files/etc/ldap/slapd.conf/GOSA
@@ -31,9 +31,9 @@ argsfile        /var/run/slapd/slapd.args
 loglevel	none
 
 # TLS/SSL
-TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
-TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
-TLSCertificateFile      /etc/ldap/ssl/slapd.pem
+TLSCACertificateFile    /etc/ldap/slapd.crt
+TLSCertificateKeyFile   /etc/ldap/slapd.key
+TLSCertificateFile      /etc/ldap/slapd.crt
 TLSVerifyClient		try
 
 modulepath	/usr/lib/ldap
diff --git a/fai/config/files/etc/ldap/slapd.conf/SERVER_A b/fai/config/files/etc/ldap/slapd.conf/SERVER_A
index eee7806..df1e6d7 100644
--- a/fai/config/files/etc/ldap/slapd.conf/SERVER_A
+++ b/fai/config/files/etc/ldap/slapd.conf/SERVER_A
@@ -20,9 +20,9 @@ argsfile        /var/run/slapd/slapd.args
 loglevel	none
 
 # TLS/SSL
-TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
-TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
-TLSCertificateFile      /etc/ldap/ssl/slapd.pem
+TLSCACertificateFile    /etc/ldap/slapd.crt
+TLSCertificateKeyFile   /etc/ldap/slapd.key
+TLSCertificateFile      /etc/ldap/slapd.crt
 TLSVerifyClient		try
 
 modulepath	/usr/lib/ldap
diff --git a/fai/config/files/etc/ldap/ssl/slapd-cert.cnf/SERVER_A b/fai/config/files/etc/ldap/ssl/slapd-cert.cnf/SERVER_A
deleted file mode 100644
index 07c3a0e..0000000
--- a/fai/config/files/etc/ldap/ssl/slapd-cert.cnf/SERVER_A
+++ /dev/null
@@ -1,34 +0,0 @@
-RANDOM=/dev/random
-
-[ req ]
-default_bits = 1024
-encrypt_key = yes
-distinguished_name = req_dn
-x509_extensions = v3_req
-prompt = no
-
-[ req_dn ]
-O  = Debian-LAN LDAP server
-OU = Automatically-generated LDAP SSL key
-
-###
-### run LDAP service on main server -> default
-### make sure CN is also one of subjectAltName
-###
-CN = mainserver.intern
-emailAddress = postmaster at mail.intern
-
-[ v3_req ]
-nsCertType = server
-subjectAltName=DNS:mainserver.intern,DNS:mainserver,DNS:ldap.intern,DNS:ldap,DNS:localhost
-
-###
-### run LDAP service on a separate machine
-### (server's IP must revresolv to ldap.intern)
-###
-#commonName=ldap.intern
-#emailAddress=postmaster at mail.intern
-
-#[ v3_req ]
-#nsCertType = server
-#subjectAltName=DNS:ldap.intern,DNS:ldap,DNS:localhost
diff --git a/fai/config/scripts/LDAP_CLIENT/10-ldap.conf b/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
index d747826..182056b 100755
--- a/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
+++ b/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
@@ -21,5 +21,5 @@ editfiles:
          BeginGroupIfNoLineMatching "^TLS_REQCERT .*"
             AppendIfNoSuchLine "TLS_REQCERT demand"
          EndGroup
-         AppendIfNoSuchLine "TLS_CACERT /etc/ldap/ssl/slapd-cert.pem"
+         AppendIfNoSuchLine "TLS_CACERT /etc/ldap/slapd.crt"
       }
diff --git a/fai/config/scripts/LDAP_CLIENT/20-nslcd.conf b/fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
index dc4b1b8..83b218a 100755
--- a/fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
+++ b/fai/config/scripts/LDAP_CLIENT/20-nslcd.conf
@@ -8,5 +8,5 @@ control:
 editfiles:
    any::
       { ${target}/etc/nslcd.conf
-         AppendIfNoSuchLine "tls_cacertfile /etc/ldap/ssl/slapd-cert.pem"
+         AppendIfNoSuchLine "tls_cacertfile /etc/ldap/slapd.crt"
       }
diff --git a/fai/config/scripts/LDAP_CLIENT/30-certificate b/fai/config/scripts/LDAP_CLIENT/30-certificate
index 7898677..df13147 100755
--- a/fai/config/scripts/LDAP_CLIENT/30-certificate
+++ b/fai/config/scripts/LDAP_CLIENT/30-certificate
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-ifclass LDAP_SERVER || fcopy /etc/ldap/ssl/slapd-cert.pem
+ifclass LDAP_SERVER || fcopy /etc/ldap/slapd.crt
diff --git a/fai/config/scripts/LDAP_SERVER/10-mkslapdcert b/fai/config/scripts/LDAP_SERVER/10-mkslapdcert
index 2b7fce7..5ac8ebd 100755
--- a/fai/config/scripts/LDAP_SERVER/10-mkslapdcert
+++ b/fai/config/scripts/LDAP_SERVER/10-mkslapdcert
@@ -1,30 +1,31 @@
 #!/bin/bash
+#
+# Create a self-signed certificate for LDAP
+#
 
 set -e
 
-CERTCONFIG="/etc/ldap/ssl/slapd-cert.cnf"
-PRIVATKEY="/etc/ldap/ssl/slapd-key.pem"
-CERTIFICATE="/etc/ldap/ssl/slapd-cert.pem"
-PRIVKEYCERT="/etc/ldap/ssl/slapd.pem"
+CERT="/etc/ldap/slapd.crt"
+KEY="/etc/ldap/slapd.key"
+CONF="/etc/ldap/slapd.cnf"
+TEMPLATE="${target}/usr/share/ssl-cert/ssleay.cnf"
+HostName="${HOSTNAME}.intern"
 
-if [ -f $PRIVATKEY ] ; then 
-    echo "Private key already exists, exiting."
-    exit 0
+if [ -f $target/$CERT ] && [ -f $target/$KEY ]; then
+  echo "$CERT and $KEY exists, exiting!"
+  exit 0
 fi
 
-fcopy $CERTCONFIG
+sed -e s#@HostName@#"$HostName"# $TEMPLATE > ${target}/$CONF
+echo "subjectAltName=DNS:$HostName,DNS:$HOSTNAME,DNS:ldap.intern,DNS:ldap" >> ${target}/$CONF
 
-$ROOTCMD openssl req -new -x509 -nodes -sha1 -config $CERTCONFIG -days 3650 \
-      -out $CERTIFICATE -keyout $PRIVATKEY
+$ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
 
-$ROOTCMD cat $PRIVATKEY $CERTIFICATE > $target$PRIVKEYCERT
-
-$ROOTCMD chown openldap:openldap $PRIVKEYCERT
-$ROOTCMD chmod 600 $PRIVKEYCERT
-$ROOTCMD chmod 600 $PRIVATKEY
+$ROOTCMD chmod 600 $KEY $CONF
+$ROOTCMD chown openldap:openldap $KEY
 
 ifclass FAISERVER || exit 0
 
 ## Add the LDAP certificate to the fai config space:
-$ROOTCMD mkdir -pv /srv/fai/config/files/${CERTIFICATE}/
-$ROOTCMD cp -v $CERTIFICATE /srv/fai/config/files/${CERTIFICATE}/LDAP_CLIENT
+$ROOTCMD mkdir -pv /srv/fai/config/files/${CERT}/
+$ROOTCMD cp -v $CERT /srv/fai/config/files/${CERT}/LDAP_CLIENT
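Review bot: The `echo "subjectAltName=..." >> ${target}/$CONF` line appends the SAN to the end of the copied template, so it lands in whatever section ssleay.cnf happens to end with; openssl only emits it as an X.509 extension when that section is the one named by `x509_extensions` in `[ req ]`, and since the ssl-cert template is not visible here the SAN may silently never reach the certificate. This matters because the clients pin this cert with `TLS_REQCERT demand` and would fail the name check for `ldap.intern` if it is absent, so verify on a built host with `openssl x509 -in /etc/ldap/slapd.crt -noout -text | grep -A1 'Subject Alternative'`. The openssl call also no longer pins a digest (the old invocation passed `-sha1`), so `-sha256` would make the result independent of the library default, and `-days 7000` is roughly nineteen years for a key nothing tracks; a sentence in the header comment on how the pair is rotated would help. Finally the existence message should read `echo "$CERT and $KEY exist, exiting!"`.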
diff --git a/fai/config/scripts/MAIL_SERVER/30-certs b/fai/config/scripts/MAIL_SERVER/30-certs
index 7308a72..cc7d072 100755
--- a/fai/config/scripts/MAIL_SERVER/30-certs
+++ b/fai/config/scripts/MAIL_SERVER/30-certs
@@ -1,52 +1,30 @@
 #!/bin/bash
 #
 # Create a self-signed certificate for exim4 and switch on TLS.
-# Inspired by: /usr/share/doc/exim4-base/examples/exim-gencert
 #
 
 set -e
 
-## Activate TLS:
+## Activate TLS for exim:
 FILE=/etc/exim4/conf.d/main/000_localmacros
 ainsl -a $FILE "MAIN_TLS_ENABLE = yes"
 
-
 ## Create certificate:
-
-DIR=/etc/exim4
-CERT=$DIR/exim.crt
-KEY=$DIR/exim.key
-
-# valid for ten years:
-DAYS=3650
+CERT="/etc/exim4/exim.crt"
+KEY="/etc/exim4/exim.key"
+CONF="/etc/exim4/exim.cnf"
+TEMPLATE="${target}/usr/share/ssl-cert/ssleay.cnf"
+HostName="${HOSTNAME}.intern"
 
 if [ -f $target/$CERT ] && [ -f $target/$KEY ]; then
   echo "$CERT and $KEY exists, exiting!"
   exit 0
 fi
 
-SSLEAY="$(tempfile -m600 -pexi)"
-
-cat > $target/$SSLEAY <<EOF
-RANDOM=/dev/random
-[ req ]
-default_bits = 1024
-default_keyfile = exim.key
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-[ req_distinguished_name ]
-O  = Debian-LAN SMTP server
-OU = Automatically-generated SMTP SSL key
-CN = mainserver.intern
-emailAddress = postmaster at mail.intern
-[ v3_req ]
-nsCertType = server
-subjectAltName=DNS:mainserver.intern,DNS:mainserver,DNS:mail.intern,DNS:mail,DNS:localhost
-EOF
+sed -e s#@HostName@#"$HostName"# $TEMPLATE > ${target}/$CONF
+echo "subjectAltName=DNS:$HostName,DNS:mail.intern" >> ${target}/$CONF
 
-$ROOTCMD openssl req -config $SSLEAY -x509 -newkey rsa:1024 -keyout $KEY -out $CERT -days $DAYS -nodes
-rm -f $SSLEAY
+$ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
 
+$ROOTCMD chmod 640 $KEY $CERT $CONF
 $ROOTCMD chown root:Debian-exim $KEY $CERT
-$ROOTCMD chmod 640 $KEY $CERT
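Review bot: The new SAN list `DNS:$HostName,DNS:mail.intern` drops the short names `mail`, `mainserver` and `localhost` that the removed heredoc carried, so any client configured to reach the mail server as plain `mail`, or over localhost with verification on, will now see a name mismatch; if those names are still in use, restore them with `echo "subjectAltName=DNS:$HostName,DNS:$HOSTNAME,DNS:mail.intern,DNS:mail,DNS:localhost" >> ${target}/$CONF`. As with the LDAP script, the SAN line is appended after the last section of the template and only takes effect if that section is the one referenced by `x509_extensions`, so check the generated certificate rather than assume it. The key is written by openssl under the default umask and only tightened by the `chmod 640` afterwards; a `umask 077` before the openssl call closes that brief world-readable window at no cost.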
diff --git a/fai/config/scripts/SERVER_A/50-apache b/fai/config/scripts/SERVER_A/50-apache
index b976261..8bdc158 100755
--- a/fai/config/scripts/SERVER_A/50-apache
+++ b/fai/config/scripts/SERVER_A/50-apache
@@ -5,7 +5,32 @@ set -e
 ## Switch apache userdir module on:
 $ROOTCMD a2enmod userdir
 
-## Create certificate and enable ssl:
-$ROOTCMD make-ssl-cert generate-default-snakeoil
+## Create certificate and enable ssl (cf. make-ssl-cert):
+CERT="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+KEY="/etc/ssl/private/ssl-cert-snakeoil.key"
+CONF="/etc/apache2/ssl-crt.cnf"
+TEMPLATE="${target}/usr/share/ssl-cert/ssleay.cnf"
+HostName="${HOSTNAME}.intern"
+
+## Overwrite existing certificate only when installing:
+if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
+    if [ -f $target/$CERT ] && [ -f $target/$KEY ]; then
+        echo "$CERT and $KEY exists, exiting!"
+        exit 0
+    fi
+fi
+
+sed -e s#@HostName@#"$HostName"# $TEMPLATE > ${target}/$CONF
+echo "subjectAltName=DNS:$HostName,DNS:www.intern,DNS:syslog.intern" >> ${target}/$CONF
+
+$ROOTCMD openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
+
+$ROOTCMD chmod 644 $CERT
+$ROOTCMD chmod 640 $KEY $CONF
+$ROOTCMD chown root:ssl-cert $KEY
+
+HASHNAME=$(dirname $CERT)/$($ROOTCMD openssl x509 -hash -noout -in $CERT)
+$ROOTCMD ln -vsf $CERT $HASHNAME
+
 $ROOTCMD a2enmod ssl
 $ROOTCMD a2ensite default-ssl
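Review bot: The hash link created by `ln -vsf $CERT $HASHNAME` is named with the bare output of `openssl x509 -hash`, but OpenSSL's CApath lookup only considers files named `<hash>.N` (`.0` for the first certificate with that hash), so the link as written is never consulted and the certificate is not actually trusted by local tools; change the two lines to `HASHNAME=$(dirname $CERT)/$($ROOTCMD openssl x509 -hash -noout -in $CERT).0` and `$ROOTCMD ln -vsf $(basename $CERT) $HASHNAME`, which is also the relative-link form c_rehash produces. Reusing make-ssl-cert's `ssl-cert-snakeoil` file names means a later `make-ssl-cert generate-default-snakeoil` on the host silently replaces this certificate and breaks whatever pins it; a comment stating that, or a distinct file name, would spare a maintainer the surprise. The SAN line is appended to the end of the template and is only emitted as an extension if that trailing section is the one named by `x509_extensions` in `[ req ]`, which should be confirmed on the generated cert. The script starts before this hunk; its `set -e` is visible only in the hunk header.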
