[ssl_mgmt] group cmd to set ownership+rights
This commit is contained in:
parent
9d5b8c1e9c
commit
39da9a23b6
|
|
@ -300,12 +300,15 @@ generate_cert ()
|
|||
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
||||
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
||||
|
||||
# Create the keycert file (file with merged key and certificate)
|
||||
cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
|
||||
|
||||
# Safety check
|
||||
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
|
||||
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
|
||||
then
|
||||
echo "Generated certificate is corrupted." >&2
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile $keySubdir/$keycertFile
|
||||
return 1
|
||||
fi
|
||||
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
|
||||
|
|
@ -320,13 +323,17 @@ generate_cert ()
|
|||
then
|
||||
echo -n "Generated certificate and key do not match." >&2
|
||||
echo " Aborting." >&2
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile $keySubdir/$keycertFile
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Notify and install the new certificate
|
||||
# Sets ownership and rights of generated files
|
||||
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
||||
chown --reference="$certPath" $certSubdir/$certFile
|
||||
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keycertFile
|
||||
chown --reference="$keyPath" $keySubdir/$keycertFile
|
||||
|
||||
# Notify and install the new certificate
|
||||
if [ -z "$no_overwrite" ]
|
||||
then
|
||||
if [ ! -f "$certDestDir/$certFile" ]
|
||||
|
|
@ -339,7 +346,13 @@ generate_cert ()
|
|||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||
echo "there might be a problem." >&2
|
||||
fi
|
||||
if [ ! -f "$keyDestDir/$keycertFile" ]
|
||||
then
|
||||
echo "Error! No file named $keycertFile in directory $keyDestDir:" >&2
|
||||
echo "there might be a problem." >&2
|
||||
fi
|
||||
mv $keySubdir/$keyFile $keyDestDir
|
||||
mv $keySubdir/$keycertFile $keyDestDir
|
||||
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
||||
fingerprint=${fingerprint#*=}
|
||||
if [ -n "$notifiedUsers" ]
|
||||
|
|
@ -352,9 +365,6 @@ EOF
|
|||
fi
|
||||
mv $certSubdir/$certFile $certDestDir
|
||||
fi
|
||||
cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
|
||||
getfacl "$keyPath" | setfacl --set-file=- $keyDestDir/$keycertFile
|
||||
chown --reference="$keyPath" $keyDestDir/$keycertFile
|
||||
return 0
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue