steffen: server/kolab/kolab kolab_ca.sh, NONE, 1.1 kolab_bootstrap, 1.39, 1.40 kolab_sslcert.sh, 1.10, 1.11
cvs at intevation.de
cvs at intevation.de
Wed Jul 7 01:49:12 CEST 2004
Author: steffen
Update of /kolabrepository/server/kolab/kolab
In directory doto:/tmp/cvs-serv13867/kolab
Modified Files:
kolab_bootstrap kolab_sslcert.sh
Added Files:
kolab_ca.sh
Log Message:
create our own CA and use that to sign certs for master and slaves
--- NEW FILE: kolab_ca.sh ---
#!/bin/sh
##
## Copyright (c) 2004 Klaraelvdalens Datakonsult AB
## Written by Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
##
## CA management script that is heavily inspired by Tim Hudson's
## CA.sh script from the openssl distribution
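# Installation prefix and the openssl sub-commands used below.
# NOTE(review): PREFIX is hard-coded while the cd at the bottom uses the
# @l_prefix@ build-time substitution; the two agree only when l_prefix is
# /kolab — confirm against the packaging rules.
PREFIX=/kolab
DAYS="-days 3650"
REQ="$PREFIX/bin/openssl req"
CA="$PREFIX/bin/openssl ca"
VERIFY="$PREFIX/bin/openssl verify"
X509="$PREFIX/bin/openssl x509"
RSA="$PREFIX/bin/openssl rsa"
GENRSA="$PREFIX/bin/openssl genrsa"
# CA directory layout; the same names are written into the [ CA_kolab ]
# section of the generated openssl config.
CATOP=$PREFIX/etc/kolab/ca
CAKEY=cakey.pem
CACERT=cacert.pem
# Every relative file name used later (key.pem, newreq.pem, ...) is resolved
# against this directory, so abort instead of silently dropping key material
# into whatever the current directory happens to be.
cd @l_prefix@/etc/kolab || exit 1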
# Config
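#######################################
# Write the openssl configuration used by every openssl invocation in this
# script and export OPENSSL_CONF so the sub-commands pick it up.
# Globals:   PREFIX, CATOP (read); OPENSSL_CONF (exported)
# Arguments: $1 - fqdn placed in the request subject (CN); may be empty for
#                 the -sign/-verify paths, which only use the [ ca ] section
# Outputs:   "Using fqdn ..." on stdout; rewrites $PREFIX/etc/kolab/kolab-ssl.cnf
# Returns:   status of the final redirection (0 when the file was written)
#######################################
createconf() {
  local hostname=$1
  echo "Using fqdn $hostname"
  export OPENSSL_CONF=$PREFIX/etc/kolab/kolab-ssl.cnf
  # \$dir is escaped so that openssl, not the shell, expands it.
  # Digest/key-size defaults: sha1 instead of md5 (collision-prone) and
  # 2048-bit keys; both are supported by every openssl that ships 'ca'.
  cat > "${OPENSSL_CONF}" <<EOF
[ req ]
distinguished_name = req_distinguished_name
default_bits = 2048
default_md = sha1
prompt = no
x509_extensions = v3_req
attributes = req_attributes
string_mask = nombstr
[ req_attributes ]
[ req_distinguished_name ]
#C =
#ST =
#L =
#O =
#OU =
CN = $hostname
#emailAddress =
[ v3_req ]
# v3_req is only applied to the self-signed CA certificate (-newca),
# which is why it may carry CA:TRUE.
basicConstraints = CA:TRUE
[ ca ]
default_ca = CA_kolab
[ CA_kolab ]
dir = $CATOP
certs = \$dir/certs # Where the issued certs are kept
crl_dir = \$dir/crl # Where the issued crl are kept
database = \$dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = \$dir/newcerts # default place for new certs.
certificate = \$dir/cacert.pem # The CA certificate
serial = \$dir/serial # The current serial number
#crlnumber = \$dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = \$dir/crl.pem # The current CRL
private_key = \$dir/private/cakey.pem # The private key
RANDFILE = \$dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
commonName = supplied
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
EOF
}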
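appname=$0
RET=0

# Print a diagnostic to stderr and abort; used for argument errors only.
die() {
  echo "$appname: $*" >&2
  exit 1
}

usage() {
  echo "Usage: $appname {-newca hostname|-newreq hostname [keyfile] [certfile]|-sign [filename]|-verify [filename]|-help}"
}

# Every branch consumes its own operands with 'shift N' so that the single
# 'shift' at the bottom of the loop always removes just the option itself
# (the original -newkey branch never shifted its operands and so ended in
# the "Unknown arg" branch after writing the key).
while [ $# -gt 0 ]; do
  case "$1" in
    -h|-help|--help)
      usage
      exit 0
      ;;
    -newca)
      [ -n "$2" ] || die "-newca needs a hostname"
      createconf "$2"
      shift
      # Directory hierarchy expected by the [ CA_kolab ] section; private/
      # holds the CA key and is kept readable by the owner only.
      mkdir -p "$CATOP" "$CATOP/certs" "$CATOP/crl" "$CATOP/newcerts" "$CATOP/private"
      chmod 0700 "$CATOP/private"
      # Initialise serial/index only once: resetting the serial of an
      # existing CA would make it issue duplicate serial numbers.
      [ -f "$CATOP/serial" ] || echo "01" > "$CATOP/serial"
      [ -f "$CATOP/index.txt" ] || touch "$CATOP/index.txt"
      if [ ! -f "$CATOP/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE
        if [ "$FILE" ]; then
          # Operator-supplied PEM holding the CA key (and, usually, its
          # certificate); the original only copied it and never produced
          # $CACERT, so every later -sign/-verify would fail.
          cp "$FILE" "$CATOP/private/$CAKEY"
          RET=$?
          if [ "$RET" -eq 0 ] && [ ! -f "$CATOP/$CACERT" ]; then
            # x509 skips the key block and writes out the first certificate.
            $X509 -in "$CATOP/private/$CAKEY" -out "$CATOP/$CACERT"
            RET=$?
          fi
        else
          echo "Making CA certificate ..."
          # $REQ and $DAYS are deliberately unquoted: both hold several words.
          $REQ -new -x509 -keyout "$CATOP/private/$CAKEY" \
            -out "$CATOP/$CACERT" $DAYS
          RET=$?
        fi
        [ -f "$CATOP/private/$CAKEY" ] && chmod 0600 "$CATOP/private/$CAKEY"
      fi
      ;;
    -newkey)
      # create a new private key
      [ -n "$2" ] || die "-newkey needs a hostname"
      createconf "$2"
      keyfile=key.pem
      nargs=1
      if [ -n "$3" ]; then
        keyfile=$3
        nargs=2
      fi
      shift "$nargs"
      # genrsa without a cipher writes the key unencrypted, which is what the
      # original encrypt-with-"secret"-then-strip detour produced without the
      # predictable .tmp.pass.key in between; the subshell umask keeps the
      # file owner-only until the caller decides who else may read it.
      ( umask 077 && $GENRSA -out "$keyfile" 2048 )
      RET=$?
      ;;
    -newreq)
      # create a certificate request
      [ -n "$2" ] || die "-newreq needs a hostname"
      createconf "$2"
      reqfile=newreq.pem
      nargs=1
      if [ -n "$3" ]; then
        keyfile=$3
        nargs=2
      fi
      if [ -n "$4" ]; then
        reqfile=$4
        nargs=3
      fi
      shift "$nargs"
      # keyfile may also carry over from a preceding -newkey in this run.
      [ -n "$keyfile" ] || die "-newreq needs a keyfile (run -newkey first)"
      # -days is only honoured by req together with -x509; the lifetime of
      # the signed certificate comes from default_days in the CA config.
      $REQ -new -nodes -key "$keyfile" -out "$reqfile"
      RET=$?
      echo "Request is in $reqfile and private key is in $keyfile"
      ;;
    -sign|-signreq)
      createconf
      infile=newreq.pem
      outfile=newcert.pem
      nargs=0
      if [ -n "$2" ]; then
        infile=$2
        nargs=1
      fi
      if [ -n "$3" ]; then
        outfile=$3
        nargs=2
      fi
      if [ "$nargs" -gt 0 ]; then
        shift "$nargs"
      fi
      $CA -policy policy_anything -out "$outfile" -infiles "$infile"
      RET=$?
      if [ "$RET" -eq 0 ]; then
        echo "Signed certificate is in ${outfile}"
      else
        echo "Signing $infile failed" >&2
      fi
      ;;
    -verify)
      createconf
      shift
      if [ -z "$1" ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
      else
        # Check every remaining operand; remember the last failure seen
        # (the original tested $? of the test command itself, so RET
        # stayed 0).
        for j; do
          $VERIFY -CAfile "$CATOP/$CACERT" "$j"
          st=$?
          if [ "$st" -ne 0 ]; then
            RET=$st
          fi
        done
      fi
      # -verify consumes the rest of the command line, so finish here with
      # the verification status instead of an unconditional 0.
      exit "$RET"
      ;;
    *)
      echo "Unknown arg $1" >&2
      exit 1
      ;;
  esac
  shift
done
cd -
exit "$RET"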
Index: kolab_bootstrap
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/kolab_bootstrap,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -d -r1.39 -r1.40
--- kolab_bootstrap 30 Jun 2004 10:42:50 -0000 1.39
+++ kolab_bootstrap 6 Jul 2004 23:49:10 -0000 1.40
@@ -13,7 +13,7 @@
# and templates
use strict;
-use vars qw($opt_b);
+use vars qw($opt_b $opt_f);
use URI;
use Socket;
@@ -120,6 +120,8 @@
if ( $is_master eq "true" ) {
##### Master server setup
+ getopt('f');
+
(my $dummy, my $domain) = split(/\./, $fqdn, 2);
if (!$domain) {
$domain = $fqdn;
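Review bot: `getopt('f')` on the added line declares `-f` as a switch that takes a value, yet the new condition in the following hunk uses `$opt_f` as a plain flag; with Getopt::Std a bare `-f` would then consume the next command-line word (or, if there is none, leave `$opt_f` unset), which is presumably not intended. If `-f` is meant as a boolean "regenerate the configuration" flag, `getopts('f');` is the matching call. The `Getopt::Std` import is not visible in this hunk, and parsing a new option this late, inside the master branch after `$opt_b` has presumably already been read, deserves a comment such as `# -f forces regeneration of the default configuration (master only)`. The enclosing `if ( $is_master eq "true" )` block continues outside the hunk.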
@@ -133,7 +135,7 @@
}
print "proceeding with Maildomain $domain\n";
- if ($base_dn =~ /\@\@\@/ || $bind_dn =~ /\@\@\@/ || $bind_pw =~ /\@\@\@/ ) {
+ if ( $opt_f || $base_dn =~ /\@\@\@/ || $bind_dn =~ /\@\@\@/ || $bind_pw =~ /\@\@\@/ ) {
print "Generating default configuration:\n";
if ($base_dn =~ /\@\@\@/) {
$base_dn = "";
@@ -257,9 +259,9 @@
}
my $ldapuri = URI->new($ldap_uri) || warn "error: could not parse given uri";
- my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server";
+ my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server $ldap_uri";
if ($ldap) {
- $ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap";
+ $ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap server $ldap_uri";
my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
if ($mesg && $mesg->count != 1) {
print "no $base_dn object found, creating one\n";
@@ -422,7 +424,15 @@
sleep 5;
#system("killall -9 slapd >/dev/null 2>&1");
}
- }
+ }
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -newca $fqdn");
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -newkey $fqdn $kolab_prefix/etc/kolab/key.pem");
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -newreq $fqdn $kolab_prefix/etc/kolab/key.pem $kolab_prefix/etc/kolab/newreq.pem ");
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -sign $kolab_prefix/etc/kolab/newreq.pem $kolab_prefix/etc/kolab/cert.pem");
+ system("chgrp @l_rusr@ $kolab_prefix/etc/kolab/key.pem;");
+ system("chmod 0640 $kolab_prefix/etc/kolab/key.pem;");
+ system("chgrp @l_rusr@ $kolab_prefix/etc/kolab/cert.pem;");
+ system("chmod 0640 $kolab_prefix/etc/kolab/cert.pem;");
} else {
##### Slave server setup
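Review bot: None of the six `system()` calls added above `} else {` check their return value, so a failing `-newca`, `-newkey` or `-sign` step leaves bootstrap continuing with a missing or stale key.pem/cert.pem; at minimum `system("$kolab_prefix/etc/kolab/kolab_ca.sh -newca $fqdn") == 0 or die "kolab_ca.sh -newca failed";` and the same for the other steps. The unchecked status also hides a defect in the new kolab_ca.sh listed above: its `-newkey` branch never shifts the hostname operand, so after writing the key the script reaches the `*)` branch, prints "Unknown arg" and exits 1. The key file is written by `-newkey` with the caller's umask and only narrowed by `chmod 0640` four statements later; either set `umask 077` before these calls or have kolab_ca.sh create the key 0600 and widen it to the group here. The `}` closing the master branch is in the hunk, but the branch itself starts outside it.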
@@ -432,7 +442,7 @@
system("$kolab_prefix/bin/openpkg rc openldap stop");
sleep 1;
- # Make sure that no rouge demons are running
+ # Make sure that no rogue demons are running
tryConnect( '127.0.0.1', 389 ) && die "A process is already listening to port 389 (ldap)\n"
."Please stop any running ldap server and bootstrap again\n";
tryConnect( '127.0.0.1', 9999 ) && die "A process is already listening to port 9999 (kolabd)\n"
@@ -469,7 +479,7 @@
copy("$kolab_prefix/etc/kolab/templates/smtpd.conf.template", $confname) || die "could not write to $confname";
print "Checking server info...\n";
- my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server";
+ my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || warn "could not connect ldap server at $ldap_uri";
if ($ldap) {
$ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap";
my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
@@ -486,6 +496,20 @@
my $entry = $mesg->entry(0);
$php_pw = $entry->get_value( 'userPassword' );
+ # Get ldap database from master
+# print <<'EOS';
+#Now we need to ssh to the master server,
+#temporarily stop the LDAP server,
+#copy the LDAP database files to the slave and
+#restart the master LDAP server again\n\n";
+#This will be done as root. Type in the root password or
+#passphrase when asked
+#EOS
+
+ my $master_host = $ldapuri->host();
+ # `ssh $master_host`;
+
+
$fd = IO::File->new($kolab_config, "w+") || die "could not open $kolab_config";
print $fd "fqhostname : $fqdn\n";
print $fd "is_master : $is_master\n";
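Review bot: `$master_host` is taken from `$ldapuri->host()`, but `$ldapuri` is not declared in this slave-branch hunk; if it is built the way the master branch does it (`URI->new($ldap_uri) || warn ...`), a malformed `ldap_uri` leaves a non-object in the variable and `->host()` dies with an unhelpful message instead of the intended warning. Since the ssh/scp steps later in the slave branch depend on this value, failing early with `die "cannot determine master host from $ldap_uri" unless ref $ldapuri && $ldapuri->host;` would be clearer. The commented-out instruction text and the stray `# \`ssh $master_host\`;` line should either be removed or carry a TODO saying what they are kept for. The enclosing slave branch starts and ends outside the hunk.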
@@ -513,12 +537,35 @@
close(FH);
undef $cfg;
+ print <<'EOS';
+Now we need to create a cerificate request for this slave
+and then ssh to the master server to have the request signed.
+You will be asked multiple times for the root password of the
+master server and the passphrase for the CA key on the master.
+################################################################################
+EOS
+
+ # Create cert req
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -newkey $fqdn $kolab_prefix/etc/kolab/key.pem");
+ system("$kolab_prefix/etc/kolab/kolab_ca.sh -newreq $fqdn $kolab_prefix/etc/kolab/key.pem $kolab_prefix/etc/kolab/newreq.pem ");
+ # Log into master and sign cert request
+ system("scp $kolab_prefix/etc/kolab/newreq.pem $master_host:$kolab_prefix/etc/kolab/$fqdn-req.pem");
+ system("ssh -CA $master_host \"$kolab_prefix/etc/kolab/kolab_ca.sh -sign $kolab_prefix/etc/kolab/$fqdn-req.pem $kolab_prefix/etc/kolab/$fqdn.pem;\"");
+ system("scp $master_host:$kolab_prefix/etc/kolab/$fqdn.pem $kolab_prefix/etc/kolab/cert.pem");
+ system("ssh -CA $master_host \"rm $kolab_prefix/etc/kolab/$fqdn.pem $kolab_prefix/etc/kolab/$fqdn-req.pem\"");
+ die("Creation of $kolab_prefix/etc/kolab/cert.pem failed") unless -f "$kolab_prefix/etc/kolab/cert.pem";
+
+ print <<'EOS';
+################################################################################
+Certificate creation done!
+EOS
+
system("$kolab_prefix/sbin/kolabconf");
} else {
die "Error contacting LDAP server\n";
}
}
-system("$kolab_prefix/etc/kolab/kolab_sslcert.sh $fqdn");
+#system("$kolab_prefix/etc/kolab/kolab_sslcert.sh $fqdn");
print "kolab should now be ready to run\n";
print "please run '$kolab_prefix/bin/openpkg rc all start'\n";
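Review bot: `ssh -CA $master_host` forwards the slave's ssh agent to the master for a sign-and-copy round trip that needs no agent on the far side; drop `-A` (`ssh -C $master_host ...`) so the slave's agent is never exposed to the master. The four `scp`/`ssh` `system()` calls are unchecked and the only failure test is `-f cert.pem`, which a cert.pem left over from an earlier bootstrap run satisfies; `unlink("$kolab_prefix/etc/kolab/cert.pem");` before the first `scp` makes that check meaningful, and `== 0 or die` on each step makes the actual cause visible. The remote `rm` runs as a separate ssh session, so the operator is prompted at least four times; the heredoc text says "multiple times" but could state the count. The enclosing slave branch starts outside the hunk.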
Index: kolab_sslcert.sh
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/kolab_sslcert.sh,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- kolab_sslcert.sh 31 Mar 2004 13:23:12 -0000 1.10
+++ kolab_sslcert.sh 6 Jul 2004 23:49:10 -0000 1.11
@@ -30,7 +30,7 @@
echo -n "generate self-signed certificate for hostname $HN... "
- @l_prefix@/bin/openssl req -new -x509 -outform PEM -keyform PEM -nodes \
+ /kolab/bin/openssl req -new -x509 -outform PEM -keyform PEM -nodes \
-days 3650 -out cert.pem -keyout key.pem \
-config tmp.req.cnf >/dev/null 2>&1
echo "done"
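Review bot: Replacing `@l_prefix@/bin/openssl` with the literal `/kolab/bin/openssl` undoes the build-time prefix substitution that the rest of this file still relies on (`@l_rusr@` in the next hunk), so an installation built with any other prefix would call a binary that does not exist; the new kolab_ca.sh hard-codes `PREFIX=/kolab` the same way while its own `cd @l_prefix@/etc/kolab` uses the placeholder. If the substitution was not being applied to this file, fixing the template rule is the safer change; otherwise keep `@l_prefix@/bin/openssl req -new -x509 -outform PEM -keyform PEM -nodes \`. The surrounding script body starts outside the hunk.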
@@ -40,7 +40,7 @@
chgrp @l_rusr@ cert.pem
chmod 0640 cert.pem
-rm -f tmp.req.cnf
+#rm -f tmp.req.cnf
cd -
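Review bot: Commenting out `rm -f tmp.req.cnf` leaves the generated request configuration in the kolab etc directory after every run; if that is intentional for debugging, say so in the comment (`# kept for debugging: tmp.req.cnf shows the subject that was used`), otherwise restore the `rm`. The kolab_bootstrap diff above comments out its call to this script, so this may be moot in practice, but the script is still shipped and runnable.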