steffen: server/kolab/kolab kolab_ca.sh, NONE, 1.1 kolab_bootstrap, 1.39, 1.40 kolab_sslcert.sh, 1.10, 1.11

cvs at intevation.de cvs at intevation.de
Wed Jul 7 01:49:12 CEST 2004


Author: steffen

Update of /kolabrepository/server/kolab/kolab
In directory doto:/tmp/cvs-serv13867/kolab

Modified Files:
	kolab_bootstrap kolab_sslcert.sh 
Added Files:
	kolab_ca.sh 
Log Message:
create our own CA and use that to sign certs for master and slaves

--- NEW FILE: kolab_ca.sh ---
#!/bin/sh
##
##  Copyright (c) 2004  Klaraelvdalens Datakonsult AB
##   Written by Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
##
## CA management script that is heavily inspired by Tim Hudson's
## CA.sh script from the openssl distribution

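# Installation prefix.  Every other path in this script is derived from it,
# so the working directory below is derived from it too instead of from the
# @l_prefix@ build-substitution token: if that token is not substituted the
# original "cd" failed silently and key.pem/newreq.pem ended up in whatever
# directory the caller happened to be in.
PREFIX=/kolab

# Validity of self-signed CA certificates and (via the config) issued certs.
# Intentionally unquoted where used: it expands to two words.
DAYS="-days 3650"
REQ="$PREFIX/bin/openssl req"
CA="$PREFIX/bin/openssl ca"
VERIFY="$PREFIX/bin/openssl verify"
X509="$PREFIX/bin/openssl x509"
RSA="$PREFIX/bin/openssl rsa"
GENRSA="$PREFIX/bin/openssl genrsa"

# CA directory layout (see the [ CA_kolab ] section written by createconf).
CATOP="$PREFIX/etc/kolab/ca"
CAKEY=cakey.pem
CACERT=cacert.pem

# All relative file names (key.pem, newreq.pem, newcert.pem) are resolved
# against this directory, so refuse to continue if it is not there.
cd "$PREFIX/etc/kolab" || {
    echo "$0: cannot change to $PREFIX/etc/kolab" >&2
    exit 1
}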

# Config
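# Write the OpenSSL configuration used by every openssl invocation in this
# script to $PREFIX/etc/kolab/kolab-ssl.cnf and export OPENSSL_CONF so that
# the openssl tools pick it up.
#
# Arguments:
#   $1 - fully-qualified hostname; becomes the CN of a request (-newreq) or
#        of the self-signed CA certificate (-newca).  May be empty for -sign
#        and -verify, which only use the [ ca ] section.
# Globals read:    PREFIX, CATOP, KOLAB_KEY_BITS (optional override)
# Globals written: OPENSSL_CONF (exported)
#
# POSIX function syntax is used (no bash-only "function" keyword) because
# the script runs under #!/bin/sh.
createconf() {
    local hostname="$1"
    # RSA key size "openssl req" uses when it generates a key (-newca).
    # 1024-bit RSA is below current minimums, so default to 2048 and let the
    # environment override it.
    local keybits="${KOLAB_KEY_BITS:-2048}"
    echo "Using fqdn $hostname"
    OPENSSL_CONF="$PREFIX/etc/kolab/kolab-ssl.cnf"
    export OPENSSL_CONF
    # Unquoted heredoc on purpose: $hostname, $keybits and $CATOP must
    # expand; the \$dir references are meant for OpenSSL and stay literal.
    cat > "$OPENSSL_CONF" <<EOF
[ req ]
distinguished_name = req_distinguished_name
default_bits = $keybits
prompt = no
x509_extensions = v3_req
attributes = req_attributes

string_mask = nombstr

[ req_attributes ]

[ req_distinguished_name ]
#C = 
#ST = 
#L = 
#O = 
#OU = 
CN = $hostname
#emailAddress = 

# Extensions for the self-signed CA certificate (openssl req -x509 only;
# plain requests do not get them).
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca      = CA_kolab

[ CA_kolab ]
dir = $CATOP
certs           = \$dir/certs            # Where the issued certs are kept
crl_dir         = \$dir/crl              # Where the issued crl are kept
database        = \$dir/index.txt        # database index file.
unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject
                                        # (a slave re-running bootstrap).
new_certs_dir   = \$dir/newcerts         # default place for new certs.

certificate     = \$dir/cacert.pem       # The CA certificate
serial          = \$dir/serial           # The current serial number
#crlnumber      = \$dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = \$dir/crl.pem          # The current CRL
private_key     = \$dir/private/cakey.pem # The private key
RANDFILE        = \$dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.  Leaving it off means a
# request cannot ask for extensions (e.g. CA:TRUE) of its own.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # MD5 signatures are forgeable
                                        # (chosen-prefix collisions); never
                                        # sign certificates with it.
preserve        = no                    # keep passed DN ordering

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
commonName              = supplied

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

EOF
}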

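appname=$0
# Exit status of the last openssl invocation; 0 when nothing ran.  The
# original left this unset, so "exit $RET" reported the status of "cd -".
RET=0

# Abort unless the option named in $2 received a hostname in $1; openssl
# would otherwise fail later with an empty CN.
need_hostname() {
    if [ -z "$1" ]; then
        echo "$appname: $2 needs a hostname argument" >&2
        exit 1
    fi
}

# Each option sets nargs to the number of positional parameters it used
# (including the option itself) and the shift at the bottom of the loop
# removes exactly those.  The original shifted fixed counts, which skipped
# nothing for -newkey (its hostname then hit the "Unknown arg" branch) and
# shifted past the end of the list for short invocations, which some
# /bin/sh implementations (dash) treat as fatal.
while [ $# -gt 0 ]; do
    nargs=1
    case "$1" in
    -h|-help|--help)
        echo "Usage: $appname {-newca hostname|-newkey hostname [keyfile]|-newreq hostname [keyfile] [reqfile]|-sign [reqfile] [certfile]|-verify [certfile ...]|-help}"
        exit 0
        ;;
    -newca)
        need_hostname "$2" -newca
        createconf "$2"
        nargs=2
        # Create the directory hierarchy; safe to repeat.  The serial and
        # index are only initialised when missing: resetting them on a
        # second run would reissue serial numbers under the same issuer,
        # which breaks revocation and makes clients reject the certs.
        mkdir -p "$CATOP/certs" "$CATOP/crl" "$CATOP/newcerts" "$CATOP/private"
        chmod 700 "$CATOP/private"
        [ -f "$CATOP/serial" ] || echo "01" > "$CATOP/serial"
        [ -f "$CATOP/index.txt" ] || touch "$CATOP/index.txt"
        if [ ! -f "$CATOP/private/$CAKEY" ]; then
            echo "CA certificate filename (or enter to create)"
            read -r FILE

            # ask user for existing CA certificate
            if [ "$FILE" ]; then
                # The supplied PEM file must contain the CA key and its
                # certificate.  The key is kept as a whole in private/; the
                # certificate is extracted to $CACERT, which the [ CA_kolab ]
                # section and -verify read (the original only copied the key,
                # leaving cacert.pem missing).
                cp "$FILE" "$CATOP/private/$CAKEY" &&
                    $X509 -in "$FILE" -out "$CATOP/$CACERT"
                RET=$?
            else
                echo "Making CA certificate ..."
                # No -nodes: openssl prompts for a passphrase and stores the
                # CA key encrypted.  $DAYS is intentionally unquoted.
                $REQ -new -x509 -keyout "$CATOP/private/$CAKEY" \
                               -out "$CATOP/$CACERT" $DAYS
                RET=$?
            fi
        fi
        ;;
    -newkey)
        # create a new private key
        need_hostname "$2" -newkey
        createconf "$2"
        keyfile=key.pem
        nargs=2
        if [ -n "$3" ]; then
            keyfile=$3
            nargs=3
        fi
        # Write the unencrypted key directly.  The original went through a
        # temporary file encrypted with a hard-coded passphrase, which added
        # nothing, and created the key with the process umask.  umask 077 in
        # a subshell keeps the key private until the caller adjusts it.
        (umask 077 && $GENRSA -out "$keyfile" "${KOLAB_KEY_BITS:-2048}")
        RET=$?
        ;;
    -newreq)
        # create a certificate request
        need_hostname "$2" -newreq
        createconf "$2"
        # Default matches -newkey so "-newreq host" works on its own.
        keyfile=${keyfile:-key.pem}
        reqfile=newreq.pem
        nargs=2
        if [ -n "$3" ]; then
            keyfile=$3
            nargs=3
        fi
        if [ -n "$4" ]; then
            reqfile=$4
            nargs=4
        fi
        $REQ -new -nodes -key "$keyfile" -out "$reqfile" $DAYS
        RET=$?
        echo "Request is in $reqfile and private key is in $keyfile"
        ;;
    -sign|-signreq)
        createconf
        infile=newreq.pem
        outfile=newcert.pem
        if [ -n "$2" ]; then
            infile=$2
            nargs=2
        fi
        if [ -n "$3" ]; then
            outfile=$3
            nargs=3
        fi
        # openssl ca prompts for the CA passphrase and for confirmation.
        $CA -policy policy_anything -out "$outfile" -infiles "$infile"
        RET=$?
        echo "Signed certificate is in $outfile"
        ;;
    -verify)
        createconf
        shift
        # Default to the file -sign writes when no certificates are named.
        if [ $# -eq 0 ]; then
            set -- newcert.pem
        fi
        for j; do
            # Keep the first failure; the original assigned $? after the
            # test had already reset it and then exited 0 regardless.
            $VERIFY -CAfile "$CATOP/$CACERT" "$j" || RET=$?
        done
        exit $RET
        ;;
    *)
        echo "Unknown arg $1" >&2
        exit 1
        ;;
    esac
    if [ "$nargs" -gt $# ]; then
        nargs=$#
    fi
    shift "$nargs"
done

cd -

exit $RET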


Index: kolab_bootstrap
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/kolab_bootstrap,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -d -r1.39 -r1.40
--- kolab_bootstrap	30 Jun 2004 10:42:50 -0000	1.39
+++ kolab_bootstrap	6 Jul 2004 23:49:10 -0000	1.40
@@ -13,7 +13,7 @@
 # and templates
 
 use strict;
-use vars qw($opt_b);
+use vars qw($opt_b $opt_f);
 
 use URI;
 use Socket;
@@ -120,6 +120,8 @@
 
 if ( $is_master eq "true" ) {
   ##### Master server setup
+  getopt('f');
+
   (my $dummy, my $domain) = split(/\./, $fqdn, 2);
   if (!$domain) {
     $domain = $fqdn;
@@ -133,7 +135,7 @@
   }
   print "proceeding with Maildomain $domain\n";
 
-  if ($base_dn =~ /\@\@\@/ || $bind_dn =~ /\@\@\@/ || $bind_pw =~ /\@\@\@/ ) {
+  if ( $opt_f || $base_dn =~ /\@\@\@/ || $bind_dn =~ /\@\@\@/ || $bind_pw =~ /\@\@\@/ ) {
     print "Generating default configuration:\n";
     if ($base_dn =~ /\@\@\@/) {
       $base_dn = "";
@@ -257,9 +259,9 @@
     }
 
     my $ldapuri = URI->new($ldap_uri) || warn "error: could not parse given uri";
-    my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server";
+    my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server $ldap_uri";
     if ($ldap) {
-      $ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap";
+      $ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap server $ldap_uri";
       my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
       if ($mesg && $mesg->count != 1) {
 	print "no $base_dn object found, creating one\n";
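Review bot: The improved message on the bind line can never be printed: as far as Net::LDAP's API goes, `bind()` returns a Net::LDAP::Message object even when the bind fails, so the `||` branch is dead and a wrong `$bind_pw` only surfaces as an odd result from the search below. Check the result code instead, `my $bmesg = $ldap->bind($bind_dn, password => $bind_pw); warn "could not bind to ldap server $ldap_uri: " . $bmesg->error if $bmesg->code;`. The same pattern is in the slave branch further down, unchanged by this commit.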
@@ -422,7 +424,15 @@
       sleep 5;
       #system("killall -9 slapd >/dev/null 2>&1");
    }
- }
+  }
+  system("$kolab_prefix/etc/kolab/kolab_ca.sh -newca $fqdn");
+  system("$kolab_prefix/etc/kolab/kolab_ca.sh -newkey $fqdn $kolab_prefix/etc/kolab/key.pem");
+  system("$kolab_prefix/etc/kolab/kolab_ca.sh -newreq $fqdn $kolab_prefix/etc/kolab/key.pem $kolab_prefix/etc/kolab/newreq.pem ");
+  system("$kolab_prefix/etc/kolab/kolab_ca.sh -sign $kolab_prefix/etc/kolab/newreq.pem $kolab_prefix/etc/kolab/cert.pem");
+  system("chgrp @l_rusr@ $kolab_prefix/etc/kolab/key.pem;");
+  system("chmod 0640 $kolab_prefix/etc/kolab/key.pem;");
+  system("chgrp @l_rusr@ $kolab_prefix/etc/kolab/cert.pem;");
+  system("chmod 0640 $kolab_prefix/etc/kolab/cert.pem;");
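Review bot: None of the four `system("... kolab_ca.sh ...")` calls checks its return value, so a failed CA or key creation is silently followed by chgrp/chmod on files that may not exist and bootstrap still reports "ready to run". `$fqdn` is also interpolated into a shell command line; the list form of system() avoids shell interpretation of whatever the hostname contains. Both are fixed below by binding the script path once, using the list form and dying on a non-zero status. Note that kolab_ca.sh as added in this commit does not consume the arguments of -newkey, so that invocation falls into its "Unknown arg" branch and exits 1 after writing the key — a status check here will expose that until the script is fixed. The key file is created with the process umask and only tightened to 0640 afterwards, so either run bootstrap under `umask 077` or have kolab_ca.sh set it before genrsa.
```perl
my $ca = "$kolab_prefix/etc/kolab/kolab_ca.sh";
system($ca, '-newca', $fqdn) == 0 or die "kolab_ca.sh -newca failed";
system($ca, '-newkey', $fqdn, "$kolab_prefix/etc/kolab/key.pem") == 0 or die "kolab_ca.sh -newkey failed";
system($ca, '-newreq', $fqdn, "$kolab_prefix/etc/kolab/key.pem", "$kolab_prefix/etc/kolab/newreq.pem") == 0 or die "kolab_ca.sh -newreq failed";
system($ca, '-sign', "$kolab_prefix/etc/kolab/newreq.pem", "$kolab_prefix/etc/kolab/cert.pem") == 0 or die "kolab_ca.sh -sign failed";
# … unchanged: chgrp/chmod of key.pem and cert.pem …
```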
 } else {
   ##### Slave server setup
 
@@ -432,7 +442,7 @@
   system("$kolab_prefix/bin/openpkg rc openldap stop");
   sleep 1;
 
-  # Make sure that no rouge demons are running
+  # Make sure that no rogue demons are running
   tryConnect( '127.0.0.1', 389 ) && die "A process is already listening to port 389 (ldap)\n"
     ."Please stop any running ldap server and bootstrap again\n";
   tryConnect( '127.0.0.1', 9999 ) && die "A process is already listening to port 9999 (kolabd)\n"
@@ -469,7 +479,7 @@
   copy("$kolab_prefix/etc/kolab/templates/smtpd.conf.template", $confname) || die "could not write to $confname";
 
   print "Checking server info...\n";
-  my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server";
+  my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server at $ldap_uri";
   if ($ldap) {
     $ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap";
     my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
@@ -486,6 +496,20 @@
     my $entry = $mesg->entry(0);
     $php_pw = $entry->get_value( 'userPassword' );
 
+    # Get ldap database from master
+#    print <<'EOS';
+#Now we need to ssh to the master server,
+#temporarily stop the LDAP server,
+#copy the LDAP database files to the slave and
+#restart the master LDAP server again\n\n";
+#This will be done as root. Type in the root password or
+#passphrase when asked
+#EOS
+
+    my $master_host = $ldapuri->host();
+    # `ssh $master_host`;
+
+
     $fd = IO::File->new($kolab_config, "w+") || die "could not open $kolab_config";
     print $fd "fqhostname : $fqdn\n";
     print $fd "is_master : $is_master\n";
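Review bot: `my $master_host = $ldapuri->host();` uses `$ldapuri`, but the only declaration visible in this diff is the `my $ldapuri = URI->new($ldap_uri)` inside the master branch, which is not in scope in the slave branch; unless a file-scope `$ldapuri` exists outside these hunks, this does not compile under `use strict`. Derive it from the URI this branch already connects to, `my $ldapuri = URI->new($ldap_uri) or die "could not parse $ldap_uri"; my $master_host = $ldapuri->host();`, so that a bad URI fails here rather than as an empty scp target later. The commented-out ssh/database-copy block is a leftover; either replace it with a one-line comment saying why copying the master's LDAP database is deferred, or drop it. The enclosing `if ($ldap)` block continues outside the hunk.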
@@ -513,12 +537,35 @@
     close(FH);
     undef $cfg;
 
+    print <<'EOS';
+Now we need to create a cerificate request for this slave
+and then ssh to the master server to have the request signed.
+You will be asked multiple times for the root password of the
+master server and the passphrase for the CA key on the master.
+################################################################################
+EOS
+
+    # Create cert req
+    system("$kolab_prefix/etc/kolab/kolab_ca.sh -newkey $fqdn $kolab_prefix/etc/kolab/key.pem");
+    system("$kolab_prefix/etc/kolab/kolab_ca.sh -newreq $fqdn $kolab_prefix/etc/kolab/key.pem $kolab_prefix/etc/kolab/newreq.pem ");
+    # Log into master and sign cert request
+    system("scp $kolab_prefix/etc/kolab/newreq.pem $master_host:$kolab_prefix/etc/kolab/$fqdn-req.pem");
+    system("ssh -CA $master_host \"$kolab_prefix/etc/kolab/kolab_ca.sh -sign $kolab_prefix/etc/kolab/$fqdn-req.pem $kolab_prefix/etc/kolab/$fqdn.pem;\"");
+    system("scp $master_host:$kolab_prefix/etc/kolab/$fqdn.pem $kolab_prefix/etc/kolab/cert.pem");
+    system("ssh -CA $master_host \"rm $kolab_prefix/etc/kolab/$fqdn.pem $kolab_prefix/etc/kolab/$fqdn-req.pem\"");
+    die("Creation of $kolab_prefix/etc/kolab/cert.pem failed") unless -f "$kolab_prefix/etc/kolab/cert.pem";
+
+    print <<'EOS';
+################################################################################
+Certificate creation done!
+EOS
+
     system("$kolab_prefix/sbin/kolabconf");
   } else {
     die "Error contacting LDAP server\n";
   }
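Review bot: The scp/ssh sequence checks nothing but the final `-f cert.pem`, which a stale cert.pem from an earlier run satisfies, so a failed copy or a refused signing on the master still ends in "Certificate creation done!". `ssh -CA` also forwards the slave's SSH agent to the master, which the single remote command does not need and which exposes the slave's keys to root on the master; `-C` alone is enough. The rewrite below removes any old cert.pem first, runs each step in list form and dies on non-zero status; the remote command string is still interpreted by the master's shell, so `$fqdn` must remain a plain hostname. The enclosing `if ($ldap)` block starts outside the hunk.
```perl
# … unchanged: -newkey / -newreq invocations …
my $cert = "$kolab_prefix/etc/kolab/cert.pem";
unlink($cert);   # a stale cert from an earlier run must not satisfy the check below
system('scp', "$kolab_prefix/etc/kolab/newreq.pem", "$master_host:$kolab_prefix/etc/kolab/$fqdn-req.pem") == 0
    or die "could not copy request to $master_host";
system('ssh', '-C', $master_host, "$kolab_prefix/etc/kolab/kolab_ca.sh -sign $kolab_prefix/etc/kolab/$fqdn-req.pem $kolab_prefix/etc/kolab/$fqdn.pem") == 0
    or die "signing on $master_host failed";
system('scp', "$master_host:$kolab_prefix/etc/kolab/$fqdn.pem", $cert) == 0
    or die "could not fetch signed certificate from $master_host";
system('ssh', '-C', $master_host, "rm $kolab_prefix/etc/kolab/$fqdn.pem $kolab_prefix/etc/kolab/$fqdn-req.pem");
die("Creation of $cert failed") unless -f $cert;
```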
 }
 
-system("$kolab_prefix/etc/kolab/kolab_sslcert.sh $fqdn");
+#system("$kolab_prefix/etc/kolab/kolab_sslcert.sh $fqdn");
 print "kolab should now be ready to run\n";
 print "please run '$kolab_prefix/bin/openpkg rc all start'\n";

Index: kolab_sslcert.sh
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/kolab_sslcert.sh,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- kolab_sslcert.sh	31 Mar 2004 13:23:12 -0000	1.10
+++ kolab_sslcert.sh	6 Jul 2004 23:49:10 -0000	1.11
@@ -30,7 +30,7 @@
 
 echo -n "generate self-signed certificate for hostname $HN... "
 
-    @l_prefix@/bin/openssl req -new -x509 -outform PEM -keyform PEM -nodes \
+    /kolab/bin/openssl req -new -x509 -outform PEM -keyform PEM -nodes \
                                    -days 3650 -out cert.pem -keyout key.pem \
 		                   -config tmp.req.cnf >/dev/null 2>&1
 echo "done"
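Review bot: The new line hard-codes `/kolab/bin/openssl` while the same script still relies on build-time substitution (`@l_rusr@` in the chgrp a few lines below), so an install with a different prefix now gets a working chgrp but a missing openssl — and because the call's output goes to /dev/null and "done" is printed unconditionally, the failure is invisible. Either keep `@l_prefix@` here or derive the path from a `PREFIX=/kolab` variable as the new kolab_ca.sh does, and report the status: `... -config tmp.req.cnf >/dev/null 2>&1 || { echo "failed"; exit 1; }`.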
@@ -40,7 +40,7 @@
 chgrp @l_rusr@ cert.pem
 chmod 0640 cert.pem
 
-rm -f tmp.req.cnf
+#rm -f tmp.req.cnf
 
 cd -
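Review bot: Commenting out `rm -f tmp.req.cnf` leaves the generated request config in the configuration directory after every run with no explanation; if it is kept on purpose for troubleshooting, say so, `# keep tmp.req.cnf for troubleshooting failed certificate generation`, otherwise restore the removal. This script's only caller in kolab_bootstrap is commented out by the same commit, so the change may be moot either way.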
 




