# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
-# Run this on deleuze as an admin.
+# Run this on an administrative node while holding admin tokens.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]
KEY=$4
fi
-WEBSERVER=mire.hcoop.net
+WEBSERVERS="shelob.hcoop.net"
function verify_cert () {
if test -z "$2" || test -n "$3"; then
fi
}
-# Make sure we run this from deleuze
-if test "$(hostname -s)" != "deleuze"; then
- echo "Error: This script must be run from deleuze."
+# Make sure we run this from an admin host...
+if test "$(hostname -s)" != "gibran"; then
+ echo "Error: This script must be run from fritz."
exit 1
fi
echo
# Determine whether we need to concatenate a private key
-if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
+if openssl rsa -noout -check -in "$CERT" > /dev/null; then
KEY=
else
if test -z "$KEY"; then
# Copy complete certificate to webserver
if test -z "$KEY"; then
echo "Installing certificate to Apache SSL directory ..."
- < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ for WEBSERVER in $WEBSERVERS; do
+ < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ done
else
echo "Installing certificate and key to Apache SSL directory ..."
- cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ for WEBSERVER in $WEBSERVERS; do
+ cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ done
fi
+for WEBSERVER in $WEBSERVERS; do
+ ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
+done
echo
# Grant Domtool permissions
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo
+echo "Restarting apache ..."
+for WEBSERVER in $WEBSERVERS; do
+ ssh $WEBSERVER sudo apache2ctl graceful
+done
+echo
+
# Tell admin what to do
echo "Done. Tell $MEMBER that the certificate is available for use at"
echo " $APACHE_DEST"
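Review bot: The new host guard tests `hostname -s` against `gibran` but the error message it prints tells the admin to run the script from `fritz`, so one of the two is wrong and the operator gets sent to the wrong machine; align them, e.g. `echo "Error: This script must be run from gibran (you are on $(hostname -s))."`, and note the comment above it says only "an admin host" while the code still hard-codes one name. The `openssl rsa -noout -check -in "$CERT"` probe that replaces the `grep` writes its failure text to stderr every time `$CERT` is a bare certificate and only recognises RSA keys, so `openssl pkey -noout -in "$CERT" >/dev/null 2>&1` is the quieter and broader check. In both install loops the remote `sudo tee` creates `$APACHE_DEST` under the remote umask and the `chmod 400` only happens in a later loop, so a file that contains the private key is briefly readable by other users on each webserver; running the write as `< "$CERT" ssh "$WEBSERVER" "umask 077 && sudo tee $APACHE_DEST" > /dev/null` (sudo's default umask handling ORs in the caller's umask, so the file is created 0600) removes that window and lets the separate chmod loop stay as a belt-and-braces step. The `$WEBSERVER` expansions in the `ssh` calls should also be quoted, since only the `for ... in $WEBSERVERS` needs word-splitting; the argument parsing and `verify_cert` body that precede these lines are outside the visible hunks.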