X-Git-Url: https://git.hcoop.net/hcoop/scripts.git/blobdiff_plain/b7068ae3ae7bbb47c778e5f1e11ac9c1caad45ea..139107908a1f2611ea13cc4bc702ec82cc6edc4e:/ca-install
diff --git a/ca-install b/ca-install
index 9fa74bc..3eb2d5c 100755
--- a/ca-install
+++ b/ca-install
@@ -1,13 +1,14 @@
 #!/bin/bash
 #
 # Install a signed certificate, placing a complimentary copy in the
-# member's homedir. Also grant member domtool permissions for the
-# certificate.
+# member's homedir. Validation is done on the certificate before
+# allowing it to be installed. Also grant member domtool permissions
+# for the certificate.
 #
 # If the certificate comes from the member's home directory, then
 # don't place an extra copy there.
 #
-# Run this on deleuze as an admin.
+# Run this on an administrative node while holding admin tokens.
 #
 # Usage: ca-install member domain cert-file.pem [key-file.pem]
 
@@ -30,7 +31,7 @@ else
 KEY=$4
 fi
 
-WEBSERVER=mire.hcoop.net
+WEBSERVER=navajos.hcoop.net
 
 function verify_cert () {
 if test -z "$2" || test -n "$3"; then
@@ -55,9 +56,9 @@ function verify_cert () {
 fi
 }
 
-# Make sure we run this from deleuze
-if test "$(hostname -s)" != "deleuze"; then
- echo "Error: This script must be run from deleuze."
+# Make sure we run this from an admin host...
+if test "$(hostname -s)" != "fritz"; then
+ echo "Error: This script must be run from fritz."
 exit 1
 fi
 
@@ -101,7 +102,7 @@ fi
 echo
 
 # Determine whether we need to concatenate a private key
-if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
+if grep "^-----BEGIN PRIVATE KEY-----" "$CERT" > /dev/null; then
 KEY=
 else
 if test -z "$KEY"; then
@@ -127,6 +128,7 @@ if test -z "$KEY"; then
 else
 echo "Installing certificate and key to Apache SSL directory ..."
 cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
 fi
 
 echo
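Review bot: The new header comment says the script runs on "an administrative node", but the guard in this hunk accepts exactly one short hostname, `fritz`, so the comment and the check will drift the next time the admin host moves, as they evidently did from deleuze. The hostname test is a convenience guard against running from the wrong box, not an authorization control; the admin tokens the header mentions are what actually gate the ssh/sudo steps below. Suggest making that explicit in the comment: `# Guard (not an auth check): this script is only supported on the admin host named below; keep in sync with the header comment`.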
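Review bot: The new grep matches only the PKCS#8 `-----BEGIN PRIVATE KEY-----` marker, so a cert file that still carries a legacy `-----BEGIN RSA PRIVATE KEY-----` (or `-----BEGIN EC PRIVATE KEY-----`) block is no longer recognised as already containing its key: KEY is left set and the else branch later concatenates a second key into the Apache file, or, with no key argument, the script demands a key file that is already embedded. Accept both marker families rather than swapping one for the other, and use `grep -q` instead of the null redirect, e.g. `if grep -q -E "^-----BEGIN (RSA |EC )?PRIVATE KEY-----" "$CERT"; then`. The if/else this line opens continues past the end of the hunk.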
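Review bot: The added chmod only tightens the mode after `tee` has already created `$APACHE_DEST` under the remote default umask, so the concatenated key is readable at tee's default mode between the two ssh commands, and since no `set -e` is visible in these hunks a failed chmod is ignored and the script goes on to grant and announce the certificate. The `if` branch above this hunk, which from the hunk-4 logic appears to handle a cert file with its key already embedded, does not get the same chmod, because the diff touches only the else branch. Prefer creating the file with a restrictive mode before any key bytes are written and aborting if that fails, e.g. `ssh $WEBSERVER "sudo touch '$APACHE_DEST' && sudo chmod 400 '$APACHE_DEST'" < /dev/null || { echo "Error: could not prepare $APACHE_DEST on $WEBSERVER" >&2; exit 1; }` before the `cat | tee` line, and apply the same preparation in both branches. The enclosing if/else starts before this hunk.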
@@ -135,6 +137,10 @@ echo "Granting member Domtool permissions for the certificate ..."
 domtool-admin grant $MEMBER cert "$APACHE_DEST"
 echo
 
+echo "Restarting apache ..."
+ssh $WEBSERVER sudo apache2ctl restart
+echo
+
 # Tell admin what to do
 echo "Done. Tell $MEMBER that the certificate is available for use at"
 echo " $APACHE_DEST"
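Review bot: `apache2ctl restart` on the new ssh line is a full stop/start that drops in-flight connections for every site on `$WEBSERVER`, and its exit status is ignored, so a restart that fails on a configuration error leaves Apache down while the script still prints "Done" and tells the member the certificate is ready. Prefer a graceful reload and stop on failure: `ssh $WEBSERVER sudo apache2ctl graceful || { echo "Error: apache reload failed on $WEBSERVER" >&2; exit 1; }`. If a hard restart is really intended, a comment saying why is worth adding, since the rest of the script is careful to leave the member with a usable result.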