fix apache2 davlockdb path in chowns

[hcoop/scripts.git] / ca-install

diff --git a/ca-install b/ca-install
index c008d2b..5b17734 100755 (executable)
--- a/ca-install
+++ b/ca-install
@@ -13,12 +13,12 @@
 # Usage: ca-install member domain cert-file.pem [key-file.pem]
 
 function usage () {
-    echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+    echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
     exit 1
 }
 
 # Check arguments
-if test -n "$5"; then
+if test -n "$6"; then
     echo "Error: Too many arguments."
     usage
 elif test -z "$3"; then
@@ -29,9 +29,10 @@ else
     DOMAIN=$2
     CERT=$3
     KEY=$4
+    CHAIN=$5
 fi
 
-WEBSERVER=navajos.hcoop.net
+WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
 
 function verify_cert () {
     if test -z "$2" || test -n "$3"; then
@@ -56,9 +57,24 @@ function verify_cert () {
     fi
 }
 
+function verify_chain () {
+    if test -z "$1" || test -n "$2"; then
+       echo "Bad programming."
+       exit 1
+    fi
+    # just make sure the intermediate chain contains a cert, might be
+    # nice if this checked if it was used to sign the user's cert
+    local CERT=$1
+    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+    if test $(echo "$MOD1" | wc -c) -lt 500; then
+        echo "Error: Bad x509 part in intermediate chain."
+        exit 1
+    fi
+}
+
 # Make sure we run this from an admin host...
-if test "$(hostname -s)" != "fritz"; then
-    echo "Error: This script must be run from fritz."
+if test "$(hostname -s)" != "gibran"; then
+    echo "Error: This script must be run from gibran."
     exit 1
 fi
 
@@ -70,6 +86,10 @@ fi
 if test -n "$KEY" && test ! -f "$KEY"; then
     echo "Error: Nonexistent or unreadable key $KEY."
     exit 1
+fi
+if test -n "$CHAIN" && test ! -f "$CHAIN"; then
+    echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
+    exit 1
 fi    
 
 # Check for valid username
@@ -118,18 +138,27 @@ if test -z "$KEY"; then
 else
     verify_cert "$CERT" "$KEY"
 fi
+if test -n "$CHAIN"; then
+    verify_chain "$CHAIN"
+fi
 echo "Certificate passed validatation."
 echo
 
 # Copy complete certificate to webserver
 if test -z "$KEY"; then
     echo "Installing certificate to Apache SSL directory ..."
-    < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+    for WEBSERVER in $WEBSERVERS; do
+       < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+    done
 else
     echo "Installing certificate and key to Apache SSL directory ..."
-    cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
-    ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
+    for WEBSERVER in $WEBSERVERS; do
+       cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+    done
 fi
+for WEBSERVER in $WEBSERVERS; do
+    ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
+done
 echo
 
 # Grant Domtool permissions
@@ -138,7 +167,9 @@ domtool-admin grant $MEMBER cert "$APACHE_DEST"
 echo
 
 echo "Restarting apache ..."
-ssh $WEBSERVER sudo apache2ctl restart
+for WEBSERVER in $WEBSERVERS; do
+    ssh $WEBSERVER sudo apache2ctl graceful
+done
 echo
 
 # Tell admin what to do