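#!/usr/bin/sh
#----------------------------------------------------------------------------------
# /var/install/bin/certs-update-crl-uri - update crl uri in openssl.cnf
#
# Copyright (c) 2001-2025 The Eisfair Team, team(at)eisfair(dot)org
#
# Creation:    2007-11-11  jed
# Last Update: $Id$
#
# Usage: certs-update-crl-uri [--quiet][--batch]
#        - update CRL URI in openssl.cnf and
#          updating web link to crl file
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------------

# include eislib etc.
. /var/install/include/eislib
. /var/install/include/jedlib

# activate debug output
#debug_certs=true

if ${debug_certs:-false}
then
    # the trace contains every expanded variable (configuration values
    # included) and goes to a fixed-name file below /tmp - debugging only
    exec 2> "/tmp/$(basename "${0}")-trace$$.log"
    set -x
    ask_debug=true
    export ask_debug
fi

#----------------------------------------------------------------------------------------
# create policy web-access
#
# Makes sure that ${webdir} exists, that the document root of apache2 and of
# every active virtual host exists and carries a 'certs' symlink pointing to
# ${webdir}, and that 'certs/crl.pem' links to the current CRL file. The
# published files are made readable for the web server (${wwwuser}/${wwwgroup}).
#
# Globals (read): webdir ssldir crl_file_name wwwuser wwwgroup module_name
#                 APACHE2_DOCUMENT_ROOT APACHE2_VHOST_N
#                 APACHE2_VHOST_<n>_ACTIVE APACHE2_VHOST_<n>_DOCUMENT_ROOT
# Outputs:        progress messages via myecho
# Returns:        0; nothing is done when ${webdir} cannot be created
#----------------------------------------------------------------------------------------
create_policy_webaccess ()
{
    # make sure that the destination path exists
    if [ ! -d "${webdir}" ]
    then
        mkdir -p "${webdir}"
    fi

    if [ -d "${webdir}" ]
    then
        _cpw_doc_root_list="${APACHE2_DOCUMENT_ROOT}"

        # collect the document root directories of all active virtual
        # hosts, every path only once (space separated list)
        _cpw_idx=1
        while [ "${_cpw_idx}" -le "${APACHE2_VHOST_N:-0}" ]
        do
            eval _cpw_active='$APACHE2_VHOST_'"${_cpw_idx}"'_ACTIVE'
            if [ "${_cpw_active}" = 'yes' ]
            then
                # virtual host configuration active
                eval _cpw_doc_root='$APACHE2_VHOST_'"${_cpw_idx}"'_DOCUMENT_ROOT'

                # remove trailing slash from path
                _cpw_doc_root="${_cpw_doc_root%/}"

                case " ${_cpw_doc_root_list} " in
                    *" ${_cpw_doc_root} "*)
                        # path already in list
                        ;;
                    *)
                        # add document root path to list
                        _cpw_doc_root_list="${_cpw_doc_root_list} ${_cpw_doc_root}"
                        ;;
                esac
            fi
            _cpw_idx=$((_cpw_idx + 1))
        done

        # make sure the apache2 root directories exist
        myecho --pack "${module_name}" "checking document root pathes ..."
        # word splitting of the list is intended; paths with blanks are
        # not supported here
        # shellcheck disable=SC2086
        for DOCNAME in ${_cpw_doc_root_list}
        do
            myecho --pack "${module_name}" -n "- '${DOCNAME}' - "
            if [ ! -d "${DOCNAME}" ]
            then
                myecho --pack "${module_name}" --info "created."
                mkdir -p "${DOCNAME}"
                chown "${wwwuser}" "${DOCNAME}"
                chgrp "${wwwgroup}" "${DOCNAME}"
            else
                myecho --pack "${module_name}" "ok."
            fi

            # make sure certs links exist
            _cpw_webhttpdir="${DOCNAME}/certs"
            if [ ! -d "${_cpw_webhttpdir}" ]
            then
                ln -sf "${webdir}" "${_cpw_webhttpdir}"
            fi
        done

        # creating symbolic link to crl - done through the first document
        # root; all 'certs' directories point to ${webdir}, so the link is
        # reachable from every host
        myecho --pack "${module_name}" "creating/updating link to crl file ..."
        _cpw_webhttpdir="${_cpw_doc_root_list%% *}"
        ln -sf "${ssldir}/crl/${crl_file_name}" "${_cpw_webhttpdir}/certs/crl.pem"

        # set access rights - everything below ${webdir} is served by the
        # web server, so only public artefacts (CRL, policy) belong there
        chmod 0644 "${webdir}"/*
        chown "${wwwuser}" "${webdir}"/*
        chgrp "${wwwgroup}" "${webdir}"/*
        chmod 0644 "${ssldir}/crl/${crl_file_name}"
    fi
}

#----------------------------------------------------------------------------------------
# check if apache2 has been enabled
#
# Sources ${apache2file} - all variables defined there become available to
# the caller - and reports whether the web server is configured to start.
#
# Globals (read): apache2file module_name
# Globals (set):  retval, every variable defined in ${apache2file}
# Returns:        0 if apache2 is installed and START_APACHE2='yes', 1 otherwise
#----------------------------------------------------------------------------------------
check_installed_apache2 ()
{
    retval=1
    if [ -f "${apache2file}" ]
    then
        # apache2 installed
        . "${apache2file}"
        if [ "${START_APACHE2}" = 'yes' ]
        then
            # apache2 activated
            myecho --pack "${module_name}" "apache2 has been enabled ..."
            retval=0
        else
            # apache2 deactivated
            myecho --pack "${module_name}" --warn "apache2 has been disabled ..."
        fi
    fi
    return ${retval}
}

#========================================================================================
# main
#========================================================================================
EXEC_TIMESTAMP="$(date +"%Y-%m-%d %H:%M:%S")"
EXEC_CMD_LINE="$0 $*"
EXEC_INSTANCE=$$

# module name: script name up to the first '-' or '.'
pgmname="${0##*/}"
module_name="${pgmname%%-*}"
module_name="${module_name%%.*}"

### set pathes ###
certsdir=/var/certs
ssldir=${certsdir}/ssl
webdir=${ssldir}/web
tmpdir=/tmp

### set file names ###
apache2file=/etc/config.d/apache2
certsfile=/etc/config.d/certs
openssl_conf_file=${ssldir}/openssl.cnf
crl_file_name='crl.pem'

# default to eisfair-1
wwwuser='wwwrun'
wwwgroup='nogroup'

# load configuration
. "${certsfile}"

force_quiet_run=0
runmode='interactive'

# read command line parameters
while [ $# -gt 0 ]
do
    case "$1" in
        batch|-batch|--batch)
            runmode='batch'
            ;;
        --quiet)
            force_quiet_run=1
            ;;
        *)
            # skip unknown parameter
            ;;
    esac
    shift
done

# print menue
if [ "${runmode}" = 'interactive' ]
then
    clrhome
    myecho --pack "${module_name}" --info "Update URLs in OpenSSL configuration"
    myecho --pack "${module_name}" ""
fi

if [ "${CERTS_CA_HOME}" != 'yes' ]
then
    # info
    myecho --pack "${module_name}" "No CA is hosted on this server."
elif [ ! -f "${openssl_conf_file}" ]
then
    # error
    myecho --pack "${module_name}" --force-output --error "configuration file '${openssl_conf_file}' not found!"
    myecho --pack "${module_name}" "aborted."
elif check_installed_apache2
then
    myecho --pack "${module_name}" "reading Apache2 parameters ..."

    # read apache2 parameters: only the assignments needed here are copied
    # into a temporary file which is then sourced. mktemp gives the file an
    # unpredictable name and mode 0600, so no other local user can place
    # content there that '.' would execute.
    tmp_conf="$(mktemp "${tmpdir}/certsconf.XXXXXX")"
    if [ -z "${tmp_conf}" ]
    then
        myecho --pack "${module_name}" --force-output --error "cannot create temporary file in '${tmpdir}'!"
        myecho --pack "${module_name}" "aborted."
        exit 1
    fi
    grep -E "^APACHE2_PORT|^APACHE2_SERVER_NAME|^APACHE2_DOCUMENT_ROOT|^APACHE2_VHOST_N|^APACHE2_VHOST_[0-9]*_ACTIVE|^APACHE2_VHOST_[0-9]*_DOCUMENT_ROOT" "${apache2file}" > "${tmp_conf}"
    . "${tmp_conf}"
    rm -f "${tmp_conf}"

    # remove trailing '/' from path
    APACHE2_DOCUMENT_ROOT="${APACHE2_DOCUMENT_ROOT%/}"

    # override default apache2 servername
    if [ -n "${CERTS_WEBSERVER_NAME}" ]
    then
        # define individual fqdn webserver name and port
        case "${CERTS_WEBSERVER_NAME}" in
            *:*)
                # individual port has been given, use it
                APACHE2_SERVER_NAME="${CERTS_WEBSERVER_NAME%%:*}"
                APACHE2_PORT="${CERTS_WEBSERVER_NAME#*:}"
                APACHE2_PORT="${APACHE2_PORT%%:*}"
                ;;
            *)
                APACHE2_SERVER_NAME="${CERTS_WEBSERVER_NAME}"
                APACHE2_PORT=''
                ;;
        esac
    fi

    # if necessary set individual port
    certs_apache_port=''
    if [ -n "${APACHE2_PORT}" ] && [ "${APACHE2_PORT}" != '80' ]
    then
        certs_apache_port=":${APACHE2_PORT}"
    fi

    # set individual CRL file name
    crl_file_name="${APACHE2_SERVER_NAME}-crl.pem"

    # crl file doesn't exist, create dummy file
    if [ ! -f "${ssldir}/crl/${crl_file_name}" ]
    then
        touch "${ssldir}/crl/${crl_file_name}"
    fi

    # check policy web-access
    create_policy_webaccess

    # replace urls in config file
    myecho --pack "${module_name}" "updating URLs in Certs configuration ..."

    # crlDistributionPoints
    certs_dist_point="URI:http://${APACHE2_SERVER_NAME}${certs_apache_port}/certs/crl.pem"
    # nsBaseUrl
    certs_base_url="http://${APACHE2_SERVER_NAME}${certs_apache_port}/"
    # nsCaPolicyUrl
    certs_policy_url="http://${APACHE2_SERVER_NAME}${certs_apache_port}/certs/x509policy.htm"

    myecho --pack "${module_name}" "- crlDistributionPoints: ${certs_dist_point}"
    myecho --pack "${module_name}" "- nsBaseUrl ...........: ${certs_base_url}"
    myecho --pack "${module_name}" "- nsCaPolicyUrl .......: ${certs_policy_url}"

    # each keyword gets its own URL. The URLs contain '/', hence '+' is used
    # as sed delimiter; a server name containing '+' or '&' would break the
    # expressions. The config file is only replaced when sed succeeded.
    if sed -e "s+crlDistributionPoints *=.*$+crlDistributionPoints = ${certs_dist_point}+g" \
           -e "s+nsBaseUrl *=.*$+nsBaseUrl = ${certs_base_url}+g" \
           -e "s+nsCaPolicyUrl *=.*$+nsCaPolicyUrl = ${certs_policy_url}+g" \
           "${openssl_conf_file}" > "${openssl_conf_file}.tmp"
    then
        cp "${openssl_conf_file}" "${openssl_conf_file}.backup"
        cp "${openssl_conf_file}.tmp" "${openssl_conf_file}"
        chmod 644 "${openssl_conf_file}"
    else
        myecho --pack "${module_name}" --force-output --error "updating '${openssl_conf_file}' failed, file left unchanged!"
    fi
    rm -f "${openssl_conf_file}.tmp"
fi

if [ "${runmode}" = 'interactive' ]
then
    myecho --pack "${module_name}" "finished."
    myanykey --pack "${module_name}"
fi
#========================================================================================
# end
#========================================================================================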