HCoop / hcoop / scripts.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
hcoop-all-db-backup: update backup script
[hcoop/scripts.git] / ca-install
... / ...
CommitLineData
1#!/bin/bash
2#
3# Install a signed certificate, placing a complimentary copy in the
4# member's homedir. Validation is done on the certificate before
5# allowing it to be installed. Also grant member domtool permissions
6# for the certificate.
7#
8# If the certificate comes from the member's home directory, then
9# don't place an extra copy there.
10#
11# Run this on an administrative node while holding admin tokens.
12#
13# Usage: ca-install member domain cert-file.pem [key-file.pem]
14
15function usage () {
16 echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
17 exit 1
18}
19
20# Check arguments
21if test -n "$6"; then
22 echo "Error: Too many arguments."
23 usage
24elif test -z "$3"; then
25 echo "Error: Not enough arguments."
26 usage
27else
28 MEMBER=$1
29 DOMAIN=$2
30 CERT=$3
31 KEY=$4
32 CHAIN=$5
33fi
34
35WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
36
37function verify_cert () {
38 if test -z "$2" || test -n "$3"; then
39 echo "Bad programming."
40 exit 1
41 fi
42 local CERT=$1
43 local KEY=$2
44 local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
45 if test $(echo "$MOD1" | wc -c) -lt 500; then
46 echo "Error: Bad x509 part in certificate."
47 exit 1
48 fi
49 local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
50 if test $(echo "$MOD2" | wc -c) -lt 500; then
51 echo "Error: Bad RSA part in certificate or key."
52 exit 1
53 fi
54 if test "$MOD1" != "$MOD2"; then
55 echo "Error: x509 and RSA parts in certificate do not match."
56 exit 1
57 fi
58}
59
60function verify_chain () {
61 if test -z "$1" || test -n "$2"; then
62 echo "Bad programming."
63 exit 1
64 fi
65 # just make sure the intermediate chain contains a cert, might be
66 # nice if this checked if it was used to sign the user's cert
67 local CERT=$1
68 local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
69 if test $(echo "$MOD1" | wc -c) -lt 500; then
70 echo "Error: Bad x509 part in intermediate chain."
71 exit 1
72 fi
73}
74
75# Make sure we run this from an admin host...
76if test "$(hostname -s)" != "gibran"; then
77 echo "Error: This script must be run from gibran."
78 exit 1
79fi
80
81# Sanity-check some paths
82if test ! -f "$CERT"; then
83 echo "Error: Nonexistent or unreadable cert $CERT."
84 exit 1
85fi
86if test -n "$KEY" && test ! -f "$KEY"; then
87 echo "Error: Nonexistent or unreadable key $KEY."
88 exit 1
89fi
90if test -n "$CHAIN" && test ! -f "$CHAIN"; then
91 echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
92 exit 1
93fi
94
95# Check for valid username
96if ! getent passwd "$MEMBER" > /dev/null; then
97 echo "Error: Invalid user \"$MEMBER\"."
98 exit 1
99fi
100
101# Figure out destination for complimentary copy
102APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
103MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
104if test -n "$KEY"; then
105 DEST="$(dirname $KEY)/$DOMAIN.pem"
106else
107 DEST=
108fi
109
110# Perform complimentary copy
111if test -z "$DEST"; then
112 echo "No key specified, so skipping complimentary copy."
113elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
114 echo "Member already has a cert, skipping the complimentary copy."
115elif test -f "$DEST"; then
116 echo "Not overwriting existing file $DEST."
117else
118 echo "Copying signed certificate to member's home directory ..."
119 cp "$CERT" "$DEST"
120 chown $MEMBER:nogroup "$DEST"
121fi
122echo
123
124# Determine whether we need to concatenate a private key
125if openssl rsa -noout -check -in "$CERT" > /dev/null; then
126 KEY=
127else
128 if test -z "$KEY"; then
129 echo "Error: No RSA private key is included with this certificate."
130 exit 1
131 fi
132fi
133
134# Verify certificate and key
135echo "Validating certificate ..."
136if test -z "$KEY"; then
137 verify_cert "$CERT" "$CERT"
138else
139 verify_cert "$CERT" "$KEY"
140fi
141if test -n "$CHAIN"; then
142 verify_chain "$CHAIN"
143fi
144echo "Certificate passed validatation."
145echo
146
147# Copy complete certificate to webserver
148if test -z "$KEY"; then
149 echo "Installing certificate to Apache SSL directory ..."
150 for WEBSERVER in $WEBSERVERS; do
151 < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
152 done
153else
154 echo "Installing certificate and key to Apache SSL directory ..."
155 for WEBSERVER in $WEBSERVERS; do
156 cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
157 done
158fi
159for WEBSERVER in $WEBSERVERS; do
160 ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
161done
162echo
163
164# Grant Domtool permissions
165echo "Granting member Domtool permissions for the certificate ..."
166domtool-admin grant $MEMBER cert "$APACHE_DEST"
167echo
168
169echo "Restarting apache ..."
170for WEBSERVER in $WEBSERVERS; do
171 ssh $WEBSERVER sudo apache2ctl graceful
172done
173echo
174
175# Tell admin what to do
176echo "Done. Tell $MEMBER that the certificate is available for use at"
177echo " $APACHE_DEST"
Unnamed repository; edit this file 'description' to name the repository.