[ssl_mgmt] Stop hardcoding path
Replace hardcoded paths by a bunch of variables with default values and that can be set from a configuration file. This should make testing much more easy.
This commit is contained in:
parent
01f601c8c2
commit
8bf95f40af
|
|
@ -21,7 +21,22 @@
|
|||
|
||||
set -u
|
||||
|
||||
confFile=openssl.cnf
|
||||
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
|
||||
|
||||
. $cnfFilePath
|
||||
|
||||
workDir=${workDir:-/usr/lib/ssl/CA}
|
||||
csrSubdir=${csrSubdir:-csr}
|
||||
certSubdir=${certSubdir:-newcerts}
|
||||
keySubdir=${keySubdir:-newkeys}
|
||||
certDestDir=${certDestDir:-/etc/ssl/certs}
|
||||
keyDestDir=${keyDestDir:-/etc/ssl/private}
|
||||
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
|
||||
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
|
||||
opensslCnfFile=openssl.cnf
|
||||
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
|
||||
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
|
||||
|
||||
|
||||
# Display usage.
|
||||
usage ()
|
||||
|
|
@ -122,7 +137,9 @@ try_sudo ()
|
|||
ret=$?
|
||||
if [ ! $ret -eq 0 ]
|
||||
then
|
||||
echo "Error! You must be root or being able to become root by sudo without password to create an email account or add an email alias." >&2
|
||||
echo -n "Error! You must be root or being able to become root"
|
||||
echo -n " by sudo without password to\ncreate an email account"
|
||||
echo -n " or add an email alias." >&2
|
||||
fi
|
||||
exit $ret
|
||||
}
|
||||
|
|
@ -211,18 +228,18 @@ generate_config ()
|
|||
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")"
|
||||
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")"
|
||||
replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/"
|
||||
cnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
|
||||
sed "$replaceCmd" $confFile.in > $cnfTmpFile
|
||||
opensslCnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
|
||||
sed "$replaceCmd" $opensslCnfFile.in > $opensslCnfTmpFile
|
||||
if ask_user_default_no "Do you want to edit the openssl configuration file?"
|
||||
then
|
||||
if [ -n "${EDITOR:-}" ]
|
||||
then
|
||||
$EDITOR $cnfTmpFile
|
||||
$EDITOR $opensslCnfTmpFile
|
||||
else
|
||||
editor $cnfTmpFile
|
||||
editor $opensslCnfTmpFile
|
||||
fi
|
||||
fi
|
||||
mv $cnfTmpFile $confFile
|
||||
mv $opensslCnfTmpFile $opensslCnfFile
|
||||
}
|
||||
|
||||
# @param service the name of the service associated with the certificate to
|
||||
|
|
@ -244,36 +261,36 @@ generate_cert ()
|
|||
certFile=${certPath##*/}
|
||||
keyFile=${keyPath##*/}
|
||||
keycertFile=${service}-keycert.pem
|
||||
openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile
|
||||
openssl req -in csr/$reqFile -text -verify -noout
|
||||
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
|
||||
openssl req -in $csrSubdir/$reqFile -text -verify -noout
|
||||
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
getfacl "$keyPath" | setfacl --set-file=- newkeys/$keyFile
|
||||
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
|
||||
if [ -z "$no_overwrite" ]
|
||||
then
|
||||
if [ ! -f "private/$keyFile" ]
|
||||
if [ ! -f "$keyDestDir/$keyFile" ]
|
||||
then
|
||||
echo -n "Error! No file named $keyFile in directory" >&2
|
||||
echo " $(readlink -f private):" >&2
|
||||
echo "there might be a problem" >&2
|
||||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||
echo "there might be a problem." >&2
|
||||
fi
|
||||
mv newkeys/$keyFile private
|
||||
mv $keySubdir/$keyFile $keyDestDir
|
||||
fi
|
||||
openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile
|
||||
getfacl "$certPath" | setfacl --set-file=- newcerts/$certFile
|
||||
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
|
||||
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
||||
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
||||
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
||||
if [ -z "$no_overwrite" ]
|
||||
then
|
||||
if [ ! -f "certs/$certFile" ]
|
||||
if [ ! -f "$certDestDir/$certFile" ]
|
||||
then
|
||||
echo "No file named $certFile in directory" >&2
|
||||
echo " $(readlink -f certs):" >&2
|
||||
echo "No file named $certFile in directory $certDestDir:" >&2
|
||||
echo "there might be a problem" >&2
|
||||
fi
|
||||
mv newcerts/$certFile certs
|
||||
mv $certSubdir/$certFile $certDestDir
|
||||
fi
|
||||
cat private/$keyFile certs/$certFile > private/$keycertFile
|
||||
cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
|
||||
return 0
|
||||
}
|
||||
|
||||
|
|
@ -288,14 +305,14 @@ main ()
|
|||
then
|
||||
try_sudo "$@"
|
||||
fi
|
||||
cd /usr/lib/ssl/CA/
|
||||
cd $workDir
|
||||
if [ "${service}" = "all" ]
|
||||
then
|
||||
services=""
|
||||
while read service
|
||||
for service in $managedCerts
|
||||
do
|
||||
services="$services $service"
|
||||
done </root/homemade-certs
|
||||
done
|
||||
else
|
||||
services=${service}
|
||||
fi
|
||||
|
|
@ -307,10 +324,10 @@ main ()
|
|||
then
|
||||
service="${service##*/}"
|
||||
service="${service%.*}"
|
||||
keyPath="/etc/ssl/private/${service}.key"
|
||||
keyPath="$keyDestDir/${service}.key"
|
||||
else
|
||||
certPath="/etc/ssl/certs/${service}-cert.pem"
|
||||
keyPath="/etc/ssl/private/${service}-key.pem"
|
||||
certPath="$certDestDir/${service}-cert.pem"
|
||||
keyPath="$keyDestDir/${service}-key.pem"
|
||||
fi
|
||||
if [ ! -f "$certPath" ]
|
||||
then
|
||||
|
|
|
|||
Loading…
Reference in New Issue