[ssl_mgmt] Stop hardcoding path
Replace hardcoded paths with a set of variables that have default values and can be overridden from a configuration file. This should make testing much easier.
This commit is contained in:
parent
01f601c8c2
commit
8bf95f40af
@ -21,7 +21,22 @@
set -u
set -u
confFile=openssl.cnf
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
. $cnfFilePath
workDir=${workDir:-/usr/lib/ssl/CA}
csrSubdir=${csrSubdir:-csr}
certSubdir=${certSubdir:-newcerts}
keySubdir=${keySubdir:-newkeys}
certDestDir=${certDestDir:-/etc/ssl/certs}
keyDestDir=${keyDestDir:-/etc/ssl/private}
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
opensslCnfFile=openssl.cnf
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
# Display usage.
# Display usage.
usage ()
usage ()
@ -122,7 +137,9 @@ try_sudo ()
ret=$?
ret=$?
if [ ! $ret -eq 0 ]
if [ ! $ret -eq 0 ]
then
then
echo "Error! You must be root or being able to become root by sudo without password to create an email account or add an email alias." >&2
echo -n "Error! You must be root or being able to become root"
echo -n " by sudo without password to\ncreate an email account"
echo -n " or add an email alias." >&2
fi
fi
exit $ret
exit $ret
}
}
@ -211,18 +228,18 @@ generate_config ()
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")"
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")"
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")"
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")"
replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/"
replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/"
cnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
opensslCnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
sed "$replaceCmd" $confFile.in > $cnfTmpFile
sed "$replaceCmd" $opensslCnfFile.in > $opensslCnfTmpFile
if ask_user_default_no "Do you want to edit the openssl configuration file?"
if ask_user_default_no "Do you want to edit the openssl configuration file?"
then
then
if [ -n "${EDITOR:-}" ]
if [ -n "${EDITOR:-}" ]
then
then
$EDITOR $cnfTmpFile
$EDITOR $opensslCnfTmpFile
else
else
editor $cnfTmpFile
editor $opensslCnfTmpFile
fi
fi
fi
fi
mv $cnfTmpFile $confFile
mv $opensslCnfTmpFile $opensslCnfFile
}
}
# @param service the name of the service associated with the certificate to
# @param service the name of the service associated with the certificate to
@ -244,36 +261,36 @@ generate_cert ()
certFile=${certPath##*/}
certFile=${certPath##*/}
keyFile=${keyPath##*/}
keyFile=${keyPath##*/}
keycertFile=${service}-keycert.pem
keycertFile=${service}-keycert.pem
openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
openssl req -in csr/$reqFile -text -verify -noout
openssl req -in $csrSubdir/$reqFile -text -verify -noout
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
then
then
return 1
return 1
fi
fi
getfacl "$keyPath" | setfacl --set-file=- newkeys/$keyFile
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
if [ -z "$no_overwrite" ]
if [ -z "$no_overwrite" ]
then
then
if [ ! -f "private/$keyFile" ]
if [ ! -f "$keyDestDir/$keyFile" ]
then
then
echo -n "Error! No file named $keyFile in directory" >&2
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
echo " $(readlink -f private):" >&2
echo "there might be a problem." >&2
echo "there might be a problem" >&2
fi
fi
mv newkeys/$keyFile private
mv $keySubdir/$keyFile $keyDestDir
fi
fi
openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
getfacl "$certPath" | setfacl --set-file=- newcerts/$certFile
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
if [ -z "$no_overwrite" ]
if [ -z "$no_overwrite" ]
then
then
if [ ! -f "certs/$certFile" ]
if [ ! -f "$certDestDir/$certFile" ]
then
then
echo "No file named $certFile in directory" >&2
echo "No file named $certFile in directory $certDestDir:" >&2
echo " $(readlink -f certs):" >&2
echo "there might be a problem" >&2
echo "there might be a problem" >&2
fi
fi
mv newcerts/$certFile certs
mv $certSubdir/$certFile $certDestDir
fi
fi
cat private/$keyFile certs/$certFile > private/$keycertFile
cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
return 0
return 0
}
}
@ -288,14 +305,14 @@ main ()
then
then
try_sudo "$@"
try_sudo "$@"
fi
fi
cd /usr/lib/ssl/CA/
cd $workDir
if [ "${service}" = "all" ]
if [ "${service}" = "all" ]
then
then
services=""
services=""
while read service
for service in $managedCerts
do
do
services="$services $service"
services="$services $service"
done </root/homemade-certs
done
else
else
services=${service}
services=${service}
fi
fi
@ -307,10 +324,10 @@ main ()
then
then
service="${service##*/}"
service="${service##*/}"
service="${service%.*}"
service="${service%.*}"
keyPath="/etc/ssl/private/${service}.key"
keyPath="$keyDestDir/${service}.key"
else
else
certPath="/etc/ssl/certs/${service}-cert.pem"
certPath="$certDestDir/${service}-cert.pem"
keyPath="/etc/ssl/private/${service}-key.pem"
keyPath="$keyDestDir/${service}-key.pem"
fi
fi
if [ ! -f "$certPath" ]
if [ ! -f "$certPath" ]
then
then
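Review bot: `. $cnfFilePath` in the first hunk (@ -21,7 +21,22) sources the configuration file unconditionally, so on a host where `/etc/<scriptname>.conf` is absent a `.` of a missing file aborts the non-interactive shell in dash and other POSIX-mode shells before any of the new defaults are used, which defeats the fallback the commit is meant to add; guard it with `if [ -r "$cnfFilePath" ]; then . "$cnfFilePath"; fi`. Because that file is executed as shell code, its path is taken from the caller's environment, and the script later escalates through try_sudo, the line deserves a comment stating that the configuration file must be root-owned and not writable by others (sudo's default environment reset presumably keeps an unprivileged caller's `cnfFilePath` out of the root re-exec, but that depends on the sudoers policy and is not guaranteed by the script). In the same hunk `managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}` is evaluated at load time, before the privilege check in main, so a non-root invocation produces a permission error and an empty list rather than the file's contents. The try_sudo hunk (@ -122,7 +137,9) also sends only the last of the three `echo -n` fragments to stderr and relies on `echo` interpreting `\n`, which is not portable; a single `printf '%s\n' "Error! ..." >&2` for the whole message avoids both. Every new path expansion (`cd $workDir`, `mv $keySubdir/$keyFile $keyDestDir`, `-config $opensslCnfFile`) is unquoted, so a configured path containing whitespace or glob characters is split or expanded; the final hunk (@ -307,10 +324,10) is cut off by the page before its end.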