[ssl_mgmt] group cmd to set ownership+rights
This commit is contained in:
parent
9d5b8c1e9c
commit
39da9a23b6
|
@ -300,12 +300,15 @@ generate_cert ()
|
||||||
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
||||||
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
||||||
|
|
||||||
|
# Create the keycert file (file with merged key and certificate)
|
||||||
|
cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
|
||||||
|
|
||||||
# Safety check
|
# Safety check
|
||||||
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
|
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
|
||||||
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
|
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
|
||||||
then
|
then
|
||||||
echo "Generated certificate is corrupted." >&2
|
echo "Generated certificate is corrupted." >&2
|
||||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
rm $certSubdir/$certFile $keySubdir/$keyFile $keySubdir/$keycertFile
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
|
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
|
||||||
|
@ -320,13 +323,17 @@ generate_cert ()
|
||||||
then
|
then
|
||||||
echo -n "Generated certificate and key do not match." >&2
|
echo -n "Generated certificate and key do not match." >&2
|
||||||
echo " Aborting." >&2
|
echo " Aborting." >&2
|
||||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
rm $certSubdir/$certFile $keySubdir/$keyFile $keySubdir/$keycertFile
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Notify and install the new certificate
|
# Sets ownership and rights of generated files
|
||||||
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
||||||
chown --reference="$certPath" $certSubdir/$certFile
|
chown --reference="$certPath" $certSubdir/$certFile
|
||||||
|
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keycertFile
|
||||||
|
chown --reference="$keyPath" $keySubdir/$keycertFile
|
||||||
|
|
||||||
|
# Notify and install the new certificate
|
||||||
if [ -z "$no_overwrite" ]
|
if [ -z "$no_overwrite" ]
|
||||||
then
|
then
|
||||||
if [ ! -f "$certDestDir/$certFile" ]
|
if [ ! -f "$certDestDir/$certFile" ]
|
||||||
|
@ -339,7 +346,13 @@ generate_cert ()
|
||||||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||||
echo "there might be a problem." >&2
|
echo "there might be a problem." >&2
|
||||||
fi
|
fi
|
||||||
|
if [ ! -f "$keyDestDir/$keycertFile" ]
|
||||||
|
then
|
||||||
|
echo "Error! No file named $keycertFile in directory $keyDestDir:" >&2
|
||||||
|
echo "there might be a problem." >&2
|
||||||
|
fi
|
||||||
mv $keySubdir/$keyFile $keyDestDir
|
mv $keySubdir/$keyFile $keyDestDir
|
||||||
|
mv $keySubdir/$keycertFile $keyDestDir
|
||||||
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
||||||
fingerprint=${fingerprint#*=}
|
fingerprint=${fingerprint#*=}
|
||||||
if [ -n "$notifiedUsers" ]
|
if [ -n "$notifiedUsers" ]
|
||||||
|
@ -352,9 +365,6 @@ EOF
|
||||||
fi
|
fi
|
||||||
mv $certSubdir/$certFile $certDestDir
|
mv $certSubdir/$certFile $certDestDir
|
||||||
fi
|
fi
|
||||||
cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
|
|
||||||
getfacl "$keyPath" | setfacl --set-file=- $keyDestDir/$keycertFile
|
|
||||||
chown --reference="$keyPath" $keyDestDir/$keycertFile
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
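Review bot: The merged key+certificate file is written by `cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile` in the first hunk with whatever mode the process umask yields, while the ACL and owner copied from `$keyPath` are only applied several lines later in the second hunk, so private-key material can sit with default permissions in between, and stays that way if `getfacl | setfacl` or `chown` fails, since neither line is checked (unless the script runs under `set -e`, which is not visible here). Create it restrictively from the start, e.g. `( umask 077; cat "$keySubdir/$keyFile" "$certSubdir/$certFile" > "$keySubdir/$keycertFile" )`, and fail the function when the rights cannot be set, e.g. `chown --reference="$keyPath" "$keySubdir/$keycertFile" || return 1`. The removed `cat … > $keyDestDir/$keycertFile` after the closing `fi` used to run regardless of `$no_overwrite`, whereas the new keycert is only moved inside the `if [ -z "$no_overwrite" ]` branch, so with no_overwrite set an existing keycert in `$keyDestDir` is apparently no longer refreshed; worth confirming that is intended. generate_cert begins before the first hunk, outside the view.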