- gensslcert:
* set also SAN [bsc#1045159] * drop -C argument, it was not mapped to CN actually * consider also case when hostname does return empty string or does not exist [bsc#1057406] * do not consider environment ROOT variable OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=529
This commit is contained in:
parent
52dd150f04
commit
a7a85e96b3
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 17 12:41:23 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
- gensslcert:
|
||||
* set also SAN [bsc#1045159]
|
||||
* drop -C argument, it was not mapped to CN actually
|
||||
* consider also case when hostname does return empty string or
|
||||
does not exist [bsc#1057406]
|
||||
* do not consider environment ROOT variable
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 6 07:45:55 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
|
69
gensslcert
69
gensslcert
@ -16,7 +16,6 @@ function usage
|
||||
|
||||
These options are recognized: Default:
|
||||
|
||||
-C Common name "$name"
|
||||
-N comment "$comment"
|
||||
-c country (two letters, e.g. DE) $C
|
||||
-s state $ST
|
||||
@ -38,18 +37,23 @@ function myecho { echo $BRIGHT$@$NORMAL; }
|
||||
function error { echo $RED$@$NORMAL; }
|
||||
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
|
||||
|
||||
r=$ROOT
|
||||
. $r/etc/sysconfig/network/config
|
||||
FQHOSTNAME=`hostname -f`
|
||||
|
||||
fqlength=`echo $FQHOSTNAME|wc -c`
|
||||
if [ $fqlength -gt 63 ]; then
|
||||
FQHOSTNAME=`hostname`
|
||||
hostname=/usr/bin/hostname
|
||||
FQHOSTNAME=""
|
||||
if [ -x $hostname ]; then
|
||||
FQHOSTNAME=`$hostname -f 2>/dev/null`
|
||||
# bsc#1035829
|
||||
fqlength=`echo -n $FQHOSTNAME|wc -c`
|
||||
if [ $fqlength -gt 64 ]; then
|
||||
FQHOSTNAME=`$hostname 2>/dev/null`
|
||||
fi
|
||||
fi
|
||||
# bsc#1057406
|
||||
if [ -z $FQHOSTNAME ]; then
|
||||
FQHOSTNAME='localhost'
|
||||
fi
|
||||
|
||||
# defaults
|
||||
comment="mod_ssl server certificate"
|
||||
name=
|
||||
C=XY
|
||||
ST=unknown
|
||||
L=unknown
|
||||
@ -62,7 +66,6 @@ fi
|
||||
|
||||
while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
|
||||
case $OPT in
|
||||
C) name=$OPTARG-;;
|
||||
N) comment=$OPTARG;;
|
||||
c) C=$OPTARG;;
|
||||
s) ST=$OPTARG;;
|
||||
@ -81,24 +84,26 @@ done
|
||||
|
||||
GO_LEFT="\033[80D"
|
||||
GO_MIDDLE="$GO_LEFT\033[15C"
|
||||
for i in comment name C ST L U O CN email srvdays CAdays; do
|
||||
for i in comment C ST L U O CN email srvdays CAdays; do
|
||||
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
|
||||
done
|
||||
|
||||
|
||||
openssl=$r/usr/bin/openssl
|
||||
sslcrtdir=$r/etc/apache2/ssl.crt
|
||||
sslcsrdir=$r/etc/apache2/ssl.csr
|
||||
sslkeydir=$r/etc/apache2/ssl.key
|
||||
sslprmdir=$r/etc/apache2/ssl.prm
|
||||
openssl=/usr/bin/openssl
|
||||
sslcrtdir=/etc/apache2/ssl.crt
|
||||
sslcsrdir=/etc/apache2/ssl.csr
|
||||
sslkeydir=/etc/apache2/ssl.key
|
||||
sslprmdir=/etc/apache2/ssl.prm
|
||||
|
||||
name="$CN-"
|
||||
|
||||
#
|
||||
# CA
|
||||
#
|
||||
echo;myecho creating CA key ...
|
||||
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
|
||||
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
|
||||
|
||||
cat >$r/root/.mkcert.cfg <<EOT
|
||||
cat >/root/.mkcert.cfg <<EOT
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
default_keyfile = keyfile.pem
|
||||
@ -121,17 +126,17 @@ challengePassword = $RANDOM$RANDOMA challenge password
|
||||
EOT
|
||||
|
||||
echo;myecho creating CA request/certificate ...
|
||||
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
|
||||
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
|
||||
|
||||
cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
|
||||
cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
|
||||
|
||||
#
|
||||
# Server CERT
|
||||
#
|
||||
echo;myecho creating server key ...
|
||||
(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
|
||||
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
|
||||
|
||||
cat >$r/root/.mkcert.cfg <<EOT
|
||||
cat >/root/.mkcert.cfg <<EOT
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
default_keyfile = keyfile.pem
|
||||
@ -139,6 +144,7 @@ distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
prompt = no
|
||||
output_password = mypass
|
||||
req_extensions = x509v3
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = $C
|
||||
@ -149,35 +155,40 @@ OU = $U
|
||||
CN = $CN
|
||||
emailAddress = $email
|
||||
|
||||
[ x509v3 ]
|
||||
subjectAltName = DNS:$CN
|
||||
nsComment = $comment
|
||||
nsCertType = server
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = $RANDOM$RANDOMA challenge password
|
||||
EOT
|
||||
|
||||
echo;myecho creating server request ...
|
||||
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
|
||||
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
|
||||
|
||||
|
||||
cat >$r/root/.mkcert.cfg <<EOT
|
||||
cat >/root/.mkcert.cfg <<EOT
|
||||
extensions = x509v3
|
||||
[ x509v3 ]
|
||||
subjectAltName = email:copy
|
||||
subjectAltName = DNS:$CN
|
||||
nsComment = $comment
|
||||
nsCertType = server
|
||||
EOT
|
||||
|
||||
|
||||
test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial
|
||||
test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
|
||||
myecho "creating server certificate ..."
|
||||
(umask 0377 ; $openssl x509 \
|
||||
-extfile $r/root/.mkcert.cfg \
|
||||
-extfile /root/.mkcert.cfg \
|
||||
-days $srvdays \
|
||||
-CAserial $r/root/.mkcert.serial \
|
||||
-CAserial /root/.mkcert.serial \
|
||||
-CA $sslcrtdir/${name}ca.crt \
|
||||
-CAkey $sslkeydir/${name}ca.key \
|
||||
-in $sslcsrdir/${name}server.csr -req \
|
||||
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
|
||||
|
||||
rm -f $r/root/.mkcert.cfg
|
||||
rm -f /root/.mkcert.cfg
|
||||
|
||||
|
||||
|
||||
|
@ -53,7 +53,7 @@ APACHE_CONF_INCLUDE_DIRS=""
|
||||
# 1. Before you can use mod_ssl, you need a server certificate.
|
||||
# A test certificate can be created by entering e. g.
|
||||
#
|
||||
# $ gensslcert -n a.com -C a.com -e webmaster@a.com
|
||||
# $ gensslcert -n a.com
|
||||
#
|
||||
# See gensslcert -h for or gensslcert script itself for details.
|
||||
# 2. Also, you need to set the ServerName inside the <VirtualHost _default_:443>
|
||||
|
Loading…
Reference in New Issue
Block a user