From 0f9f712c42a2edc78be0656f2c167265167df48a Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Fri, 25 Apr 2014 17:10:07 -0400
Subject: [PATCH] Scripts to bootstrap a development domtool environment
---
 bootstrap/README | 16 +++++
 bootstrap/bootstrap | 14 +++++
 bootstrap/common.ssl.conf | 91 ++++++++++++++++++++++++++++
 bootstrap/domtool-create-ca | 52 ++++++++++++++++
 bootstrap/domtool-create-local-root | 26 ++++++++
 bootstrap/domtool-create-shared-root | 29 +++++++++
 bootstrap/domtool-init-acl | 25 ++++++++
 bootstrap/domtool-init-truststore | 15 +++++
 bootstrap/test.domain.core.ssl.conf | 9 +++
 9 files changed, 277 insertions(+)
 create mode 100644 bootstrap/README
 create mode 100755 bootstrap/bootstrap
 create mode 100644 bootstrap/common.ssl.conf
 create mode 100755 bootstrap/domtool-create-ca
 create mode 100755 bootstrap/domtool-create-local-root
 create mode 100755 bootstrap/domtool-create-shared-root
 create mode 100755 bootstrap/domtool-init-acl
 create mode 100755 bootstrap/domtool-init-truststore
 create mode 100644 bootstrap/test.domain.core.ssl.conf
diff --git a/bootstrap/README b/bootstrap/README
new file mode 100644
index 0000000..a5115fc
--- /dev/null
+++ b/bootstrap/README
@@ -0,0 +1,16 @@
+Basic bootstrapping
+
+ - Customize config/core/core.sml and configDefault/ as needed
+ - Use config.sml for changes other than core. At least set defaultDomain.
+ - Create a user for domtool
+ - `make install' domtool
+ - Run domtool-create-shared-root to bootstrap shared directories
+ - Run domtool-create-local-root to bootstrap local work directories if this machine will be a node
+ - Customize and copy test.domain.core.conf to $defaultDomain.core.ssl.conf
+ - You unfortunately have to duplicate the value of Config.caPath here
+ - Run domtool-create-ca to boostrap your local domtool ca
+ - Run domtool-init-truststore to initialize the trust store
+ - Run domtool-init-acl $user to add yourself as an administrator of domtool
+ - Create needed work directories
+ - In theory, domtool should start and you should be able to grant
+ yourself domains and configure things
\ No newline at end of file
diff --git a/bootstrap/bootstrap b/bootstrap/bootstrap
new file mode 100755
index 0000000..ba59893
--- /dev/null
+++ b/bootstrap/bootstrap
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Bootstrap everything for a DEVELOPMENT ENVIRONMENT (an insecure one
+# at that), assuming you are going to be domtool root
+
+if [ -z "`getent passwd domtool`" ]; then
+ adduser --disabled-password domtool
+fi
+
+./domtool-create-shared-root
+./domtool-create-local-root
+./domtool-create-ca -force
+./domtool-init-truststore
+./domtool-init-acl `whoami`
diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf
new file mode 100644
index 0000000..c2c0ddb
--- /dev/null
+++ b/bootstrap/common.ssl.conf
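Review bot: None of the five bootstrap steps has its exit status checked, so a failing `./domtool-create-shared-root` is still followed by CA creation and ACL initialisation against directories that were never created; under `#!/bin/sh` the simplest guard is `set -e` right after the shebang, or `|| exit 1` on each step. When the script is run as root so that `adduser` can succeed, the `whoami` substitution on the last line evaluates to root, and that is the account granted domtool administration rather than the developer's own login, which is worth stating in a comment, e.g. `# grants the invoking account (root, if run via sudo) administrator rights`. The `-force` flag is passed unconditionally, so the root check inside domtool-create-ca never applies from here; presumably intended for a dev bootstrap, and the header comment should say so.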
@@ -0,0 +1,91 @@
+# Minimal openssl configuration needed to be a CA for domtool
+
+# intentionally not setting RANDFILE, because it is useless on modern
+# machines.
+
+[ ca ]
+default_ca = Domtool_CA
+
+[ Domtool_CA ]
+dir = ${Domtool_Defaults::ca_dir}
+
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index
+
+# Needed because domtool does not revoke certs before
+# reissuing. Possibly bad behavior, if a private key were to leak.
+unique_subject = no
+
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/ca-cert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+
+crl = $dir/crl.pem
+private_key = $dir/private/ca-key.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+crl_extensions = crl_ext
+
+default_days = 365
+default_crl_days= 30
+default_md = sha1
+preserve = no
+
+policy = policy_domtool
+
+[ policy_domtool ]
+# Domtool doesn't care where you claim to live
+#countryName = optional
+#stateOrProvinceName = optional
+#localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+# req section is only used when generating the request for the CA to sign itself!
+[ req ]
+default_bits = 4096
+default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
+default_md = sha1
+
+prompt = no
+distinguished_name = root_ca_distinguished_name
+string_mask = nombstr
+
+# Extensions to add to the self-signed cert generated to certificate the CA
+x509_extensions = v3_ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+
+[ v3_ca ]
+# These extensions are added when the CA signs itself
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# Ensure only user certificates and not another ca can be signed
+basicConstraints = critical,CA:true,pathlen:0
+
+[ root_ca_distinguished_name ]
+commonName = ${Domtool_Defaults::org_name}
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Berkeley
+0.organizationName = ${Domtool_Defaults::org_domain}
+emailAddress = ca@${Domtool_Defaults::org_domain}
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/bootstrap/domtool-create-ca b/bootstrap/domtool-create-ca
new file mode 100755
index 0000000..452c2e1
--- /dev/null
+++ b/bootstrap/domtool-create-ca
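Review bot: `default_md = sha1` is set twice, in `[ Domtool_CA ]` for issued certificates and in `[ req ]` for the self-signed CA certificate; SHA-1 certificate signatures are deprecated and OpenSSL accepts `default_md = sha256` in both places, so the CA should not bake in the weaker digest even for development. The header comment says RANDFILE is intentionally not set, yet `[ Domtool_CA ]` contains `RANDFILE = $dir/private/.rand`; drop the line or fix the comment so the two agree. `[ Domtool_CA ]` also references `$dir/crlnumber`, which domtool-create-ca in this patch never creates (it only writes `serial` and `index`), so CRL generation will presumably fail until that file exists; a comment next to `crlnumber` noting that it is unused while domtool does not revoke would save the next reader a surprise.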
@@ -0,0 +1,52 @@
+#!/bin/bash
+# -*- sh -*-
+
+# Create a domtool certificate authority
+# WARNING: Will not create a secure CA if it is in afs space
+
+if [[ `whoami` != "root" && "$1" != "-force" ]]; then
+ echo "This should be run as root. Use -force to force creating a CA"
+ echo "as a normal user"
+ exit 1
+fi
+
+# use domtool-config to extract ca path and site domain
+
+CAPATH=`../bin/domtool-config -path cert ca`
+BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
+
+cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
+
+if [ -z "$CAPATH" ]; then
+ echo "No CA path set. Domtool has not yet been built?"
+ exit 1
+fi
+
+# 1. Create directory structure
+
+mkdir -p $CAPATH
+for d in crl newcerts private; do
+ mkdir $CAPATH/$d
+done
+
+chmod go-rwx $CAPATH/private
+echo '01' > $CAPATH/serial
+touch $CAPATH/index
+
+# 2. Generate private key
+
+openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
+
+# 3. Copy ssl configuration to ca dir
+
+# In general, publishing the openssl config for a domain in the ca
+# directory might not be the best idea, but since this is a limited
+# use internal CA, it is probably not a big deal.
+cp domtool-openssl.conf $CAPATH/
+chmod 600 $CAPATH/domtool-openssl.conf
+
+# Does the CA need to be readable by domtool? Issues with sudo and
+# tickets, but those could be solved by creating a 700
+# /tmp/domtool-ca-out/ and chowning to the actual user after for the
+# copy/delete. Or maybe the ca ought to live in afs
+# space... generality issues arise, probably just do option #1.
diff --git a/bootstrap/domtool-create-local-root b/bootstrap/domtool-create-local-root
new file mode 100755
index 0000000..e566f06
--- /dev/null
+++ b/bootstrap/domtool-create-local-root
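Review bot: The merged openssl config is written by `cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf` before the `-z "$CAPATH"` guard runs, and nothing checks that `../bin/domtool-config -domain` returned a domain, so an unbuilt domtool leaves a stray `domtool-openssl.conf` assembled from a non-existent `.core.ssl.conf`; move the CAPATH check above the `cat` and add `[ -f "$BASE_OPENSSL_CONFIG" ] || { echo "missing $BASE_OPENSSL_CONFIG"; exit 1; }`. `$CAPATH` is expanded unquoted in every `mkdir`, `chmod`, redirect and the `-out` path; quote it. The `openssl req` call that generates the CA key and certificate has no status check, so a failed generation still ends with `serial`, `index` and the copied config in place and the next run aborts on the non-`-p` `mkdir`; `openssl req ... || exit 1` makes the failure visible. `-days 1825` here is the only place the CA certificate's lifetime is set, worth a comment since `default_days = 365` in common.ssl.conf applies only to certificates the CA issues.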
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# ideally: domtool-create-local-root service+
+# service = bind, apache, exim, courier, etc.
+# actually: domtool-create-local-root -> every possible service dir is created
+
+LOCALROOT=`domtool-config -path local-root`
+
+if [ -z "$LOCALROOT" ]; then
+ echo "ERROR: local root not set. Domtool not built?"
+ exit 1
+fi
+
+set -x
+
+mkdir -p $LOCALROOT
+
+for d in firewall vhosts zones; do
+ mkdir $LOCALROOT/$d
+done
+
+# domtool probably ought to ensure directories exist, since the
+# services configured by a worker are set statically. It makes little
+# sense for a worker to advertise that it can configure a service, and
+# not actually be able to do so.
+
diff --git a/bootstrap/domtool-create-shared-root b/bootstrap/domtool-create-shared-root
new file mode 100755
index 0000000..ba0ebbf
--- /dev/null
+++ b/bootstrap/domtool-create-shared-root
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Create shared directories, set permissions
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+
+if [ -z "$SHAREDROOT" ]; then
+ echo "shared-root not set, domtool not built?"
+ exit 1
+fi
+
+function if_afs () {
+ if [[ $SHAREDROOT == /afs/* ]]; then
+ $*
+ fi
+}
+
+if_afs echo "AFS in use. This will not work correctly."
+
+set -x
+
+mkdir -p $SHAREDROOT
+
+for d in backup certs email firewall keys lib logs nodes nodes.old serials webalizer; do
+ mkdir $SHAREDROOT/$d
+done
+
+touch $SHAREDROOT/firewall/user.rules
+
diff --git a/bootstrap/domtool-init-acl b/bootstrap/domtool-init-acl
new file mode 100755
index 0000000..3759fa4
--- /dev/null
+++ b/bootstrap/domtool-init-acl
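Review bot: `LOCALROOT=` is filled from a bare `domtool-config -path local-root` resolved through `$PATH`, while every sibling script in this patch calls `../bin/domtool-config`; on a checkout that has been built but not installed this yields an empty `LOCALROOT` and the misleading "Domtool not built?" exit, and on a host with an older installed domtool it silently reads that build's path instead. Use `LOCALROOT=$(../bin/domtool-config -path local-root)` for consistency with the other scripts. `$LOCALROOT` is also unquoted in both `mkdir` lines.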
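Review bot: The header comment says "set permissions", but nothing in the hunk changes the mode or owner of the directories it creates, so `keys` and `certs` end up with whatever the caller's umask yields, typically world-readable; if those directories are meant to hold private material, add `chmod go-rwx "$SHAREDROOT/keys"` (and whichever others apply), otherwise drop "set permissions" from the comment. Inside `if_afs`, `$*` re-splits the already-quoted message and should be `"$@"`; it only works here because the single caller is `echo`. The AFS check merely warns before continuing into `set -x` and the `mkdir` loop, even though the message says the result will not work correctly, so an `exit 1` after the warning would be the safer default.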
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+DOMTOOLROOT="$1"
+
+if [ -z "$SHAREDROOT" ]; then
+ echo "shared-root not set, domtool not built?"
+ exit 1
+fi
+
+if [ -z "$DOMTOOLROOT" ]; then
+ echo "Usage: $0 USER"
+ exit 1
+fi
+
+if [ -f $SHAREDROOT/acl ]; then
+ echo "acl file already exists. Refusing to overwrite"
+ exit 1
+fi
+
+cat > $SHAREDROOT/acl <> $TRUSTSTORE
diff --git a/bootstrap/test.domain.core.ssl.conf b/bootstrap/test.domain.core.ssl.conf
new file mode 100644
index 0000000..12ef0ee
--- /dev/null
+++ b/bootstrap/test.domain.core.ssl.conf
@@ -0,0 +1,9 @@
+# You should be able to customize the settings in Domtool_Defaults and
+# have everything Just Work (tm)
+[ Domtool_Defaults ]
+ca_dir = ${ENV::HOME}/domtool/ca
+org_domain = test.domain
+org_name = Foo Hacker, Inc.
+#ca_dir = /etc/domtool/ca
+#org_domain = hcoop.net
+#org_name = HCoop, Inc.
\ No newline at end of file
-- 
2.20.1
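Review bot: The user name taken from `$1` into `DOMTOOLROOT` is written into the acl file without checking that it names an existing account, so a typo presumably produces an acl that grants administration to a name nobody can log in as, with no error; add `getent passwd -- "$DOMTOOLROOT" >/dev/null || { echo "no such user: $DOMTOOLROOT"; exit 1; }` before the overwrite check. `$SHAREDROOT/acl` is unquoted in both the `-f` test and the `cat >` redirect. The heredoc body and the tail of this file, together with the whole domtool-init-truststore hunk, are not recoverable from this rendering of the patch, so the acl format written here and the truststore script are not reviewed.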
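Review bot: `ca_dir = ${ENV::HOME}/domtool/ca` resolves against the `HOME` of whoever runs openssl, so creating the CA via sudo (the path domtool-create-ca recommends) and later running domtool as the domtool user presumably resolve to two different directories, on top of the README's warning that this value must be kept equal to `Config.caPath` by hand; a comment above the line such as `# must equal Config.caPath; note HOME changes under sudo` would make that mismatch harder to hit. The commented-out `/etc/domtool/ca` alternative is the better default for anything beyond a single developer's machine.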