#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
-# member's homedir. Also grant member domtool permissions for the
-# certificate.
+# member's homedir. Validation is done on the certificate before
+# allowing it to be installed. Also grant member domtool permissions
+# for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
-# Run this on deleuze as an admin.
+# Run this on an administrative node while holding admin tokens.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]
function usage () {
- echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+ echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
exit 1
}
# Check arguments
-if test -n "$5"; then
+if test -n "$6"; then
echo "Error: Too many arguments."
usage
elif test -z "$3"; then
DOMAIN=$2
CERT=$3
KEY=$4
+ CHAIN=$5
fi
-WEBSERVER=mire.hcoop.net
+WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
function verify_cert () {
if test -z "$2" || test -n "$3"; then
fi
}
-# Make sure we run this from deleuze
-if test "$(hostname -s)" != "deleuze"; then
- echo "Error: This script must be run from deleuze."
+function verify_chain () {
+ if test -z "$1" || test -n "$2"; then
+ echo "Bad programming."
+ exit 1
+ fi
+ # just make sure the intermediate chain contains a cert, might be
+ # nice if this checked if it was used to sign the user's cert
+ local CERT=$1
+ local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+ if test $(echo "$MOD1" | wc -c) -lt 500; then
+ echo "Error: Bad x509 part in intermediate chain."
+ exit 1
+ fi
+}
+
+# Make sure we run this from an admin host...
+if test "$(hostname -s)" != "gibran"; then
+ echo "Error: This script must be run from gibran."
exit 1
fi
if test -n "$KEY" && test ! -f "$KEY"; then
echo "Error: Nonexistent or unreadable key $KEY."
exit 1
+fi
+if test -n "$CHAIN" && test ! -f "$CHAIN"; then
+ echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
+ exit 1
fi
# Check for valid username
echo
# Determine whether we need to concatenate a private key
-if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
+if openssl rsa -noout -check -in "$CERT" > /dev/null; then
KEY=
else
if test -z "$KEY"; then
else
verify_cert "$CERT" "$KEY"
fi
+if test -n "$CHAIN"; then
+ verify_chain "$CHAIN"
+fi
echo "Certificate passed validatation."
echo
# Copy complete certificate to webserver
if test -z "$KEY"; then
echo "Installing certificate to Apache SSL directory ..."
- < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ for WEBSERVER in $WEBSERVERS; do
+ < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ done
else
echo "Installing certificate and key to Apache SSL directory ..."
- cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ for WEBSERVER in $WEBSERVERS; do
+ cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ done
fi
+for WEBSERVER in $WEBSERVERS; do
+ ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
+done
echo
# Grant Domtool permissions
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo
+echo "Restarting apache ..."
+for WEBSERVER in $WEBSERVERS; do
+ ssh $WEBSERVER sudo apache2ctl graceful
+done
+echo
+
# Tell admin what to do
echo "Done. Tell $MEMBER that the certificate is available for use at"
echo " $APACHE_DEST"
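Review bot: The intermediate chain is only written in the `else` branch (L97); when the member's cert file already contains its key (the `test -z "$KEY"` branch, L90–92) the validated `$CHAIN` is silently dropped and the webservers receive the cert without its chain. The same loops write private-key material with `sudo tee` under the remote default umask and only tighten it to `chmod 400` in a separate later loop (L100–102), so the key is briefly readable on each server; creating the file with the final mode first, e.g. `sudo install -m 400 /dev/null "$APACHE_DEST"`, closes that window. Neither loop checks the `ssh` exit status, so an unreachable webserver still leads to the domtool grant and the graceful restart with a partially installed certificate. Collapsing the two branches into one loop, as below, addresses all three; separately, `verify_chain` only inspects the first certificate in the chain and never relates it to `$CERT` (as its own comment admits), so a check along the lines of `openssl verify -untrusted "$CHAIN" "$CERT"` would make the "passed validation" message meaningful. `$APACHE_DEST` is set outside this section, so its quoting on the remote side is assumed here.
```shell
echo "Installing certificate to Apache SSL directory ..."
# KEY is empty when the key is already inside $CERT; CHAIN may be empty.
# Create the file with mode 400 before writing so key material is never
# world-readable, and abort on the first webserver that fails.
for WEBSERVER in $WEBSERVERS; do
  cat "$CERT" ${KEY:+"$KEY"} ${CHAIN:+"$CHAIN"} \
    | ssh "$WEBSERVER" "sudo install -m 400 /dev/null '$APACHE_DEST' && sudo tee '$APACHE_DEST'" > /dev/null \
    || { echo "Error: failed to install certificate on $WEBSERVER." >&2; exit 1; }
done
# … unchanged: domtool grant, apache restart, final message …
```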