Import Upstream version 1.0.39
This commit is contained in:
commit
95fa5b4b47
|
@ -0,0 +1,4 @@
|
||||||
|
This is a quicky package to enable unattended installs of software that need to
|
||||||
|
create ssl certificates.
|
||||||
|
Basically, it's just a wrapper for openssl req that feeds it the correct user
|
||||||
|
variables to create self-signed certificates.
|
|
@ -0,0 +1,132 @@
|
||||||
|
#!/bin/bash -e
|
||||||
|
# This is a mockup of a script to produce a snakeoil cert
|
||||||
|
# The aim is to have a debconfisable ssl-certificate script
|
||||||
|
|
||||||
|
. /usr/share/debconf/confmodule
|
||||||
|
db_version 2.0
|
||||||
|
db_capb backup
|
||||||
|
|
||||||
|
ask_via_debconf() {
|
||||||
|
RET=""
|
||||||
|
if db_settitle make-ssl-cert/title ; then
|
||||||
|
: # OK
|
||||||
|
else
|
||||||
|
echo Debconf failed with error code $? $RET >&2
|
||||||
|
echo Maybe your debconf database is corrupt. >&2
|
||||||
|
echo Try re-installing ssl-cert. >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
RET=""
|
||||||
|
while [ "x$RET" = "x" ]; do
|
||||||
|
db_fset make-ssl-cert/hostname seen false
|
||||||
|
db_input high make-ssl-cert/hostname || true
|
||||||
|
db_go
|
||||||
|
db_get make-ssl-cert/hostname
|
||||||
|
done
|
||||||
|
|
||||||
|
db_get make-ssl-cert/hostname
|
||||||
|
HostName="$RET"
|
||||||
|
db_fset make-ssl-cert/hostname seen false
|
||||||
|
|
||||||
|
db_fset make-ssl-cert/altname seen false
|
||||||
|
db_input high make-ssl-cert/altname || true
|
||||||
|
db_go
|
||||||
|
db_get make-ssl-cert/altname
|
||||||
|
AddAltName="$RET"
|
||||||
|
db_fset make-ssl-cert/altname seen false
|
||||||
|
SubjectAltName="DNS:$HostName"
|
||||||
|
[ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
|
||||||
|
}
|
||||||
|
|
||||||
|
make_snakeoil() {
|
||||||
|
if ! HostName="$(hostname -f)" ; then
|
||||||
|
HostName="$(hostname)"
|
||||||
|
echo make-ssl-cert: Could not get FQDN, using \"$HostName\".
|
||||||
|
echo make-ssl-cert: You may want to fix your /etc/hosts and/or DNS setup and run
|
||||||
|
echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
|
||||||
|
echo make-ssl-cert: again.
|
||||||
|
fi
|
||||||
|
SubjectAltName="DNS:$HostName"
|
||||||
|
if [ ${#HostName} -gt 64 ] ; then
|
||||||
|
HostName="$(hostname)"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
create_temporary_cnf() {
|
||||||
|
sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"# $template > $TMPFILE
|
||||||
|
}
|
||||||
|
|
||||||
|
# Takes two arguments, the base layout and the output cert.
|
||||||
|
|
||||||
|
if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
|
||||||
|
printf "Usage: $0 template output [--force-overwrite]\n";
|
||||||
|
printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$1" != "generate-default-snakeoil" ]; then
|
||||||
|
template="$1"
|
||||||
|
output="$2"
|
||||||
|
# be anal in manual mode.
|
||||||
|
if [ ! -f $template ]; then
|
||||||
|
printf "Could not open template file: $template!\n";
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
|
||||||
|
printf "$output file already exists!\n";
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
ask_via_debconf
|
||||||
|
else
|
||||||
|
template="/usr/share/ssl-cert/ssleay.cnf"
|
||||||
|
if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
|
||||||
|
if [ "$2" != "--force-overwrite" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
make_snakeoil
|
||||||
|
fi
|
||||||
|
|
||||||
|
# # should be a less common char
|
||||||
|
# problem is that openssl virtually accepts everything and we need to
|
||||||
|
# sacrifice one char.
|
||||||
|
|
||||||
|
TMPFILE="$(mktemp)" || exit 1
|
||||||
|
TMPOUT="$(mktemp)" || exit 1
|
||||||
|
|
||||||
|
trap "rm -f $TMPFILE $TMPOUT" EXIT
|
||||||
|
|
||||||
|
create_temporary_cnf
|
||||||
|
|
||||||
|
# create the certificate.
|
||||||
|
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
if [ "$1" != "generate-default-snakeoil" ]; then
|
||||||
|
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
|
||||||
|
-out $output -keyout $output > $TMPOUT 2>&1
|
||||||
|
then
|
||||||
|
echo Could not create certificate. Openssl output was: >&2
|
||||||
|
cat $TMPOUT >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
chmod 600 $output
|
||||||
|
# hash symlink
|
||||||
|
cd $(dirname $output)
|
||||||
|
ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
|
||||||
|
else
|
||||||
|
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
|
||||||
|
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
|
||||||
|
-keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
|
||||||
|
then
|
||||||
|
echo Could not create certificate. Openssl output was: >&2
|
||||||
|
cat $TMPOUT >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
# hash symlink
|
||||||
|
cd /etc/ssl/certs/
|
||||||
|
ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
|
||||||
|
fi
|
|
@ -0,0 +1,33 @@
|
||||||
|
.TH make-ssl-cert 8
|
||||||
|
.SH NAME
|
||||||
|
make-ssl-cert - Debconf wrapper for openssl
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B make-ssl-cert
|
||||||
|
\fItemplate\fR \fIoutput-certificate\fR [\fB\-\-force\-overwrite\fR]
|
||||||
|
.br
|
||||||
|
.B make-ssl-cert generate-default-snakeoil
|
||||||
|
[\fB\-\-force\-overwrite\fR]
|
||||||
|
.br
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
make-ssl-cert is a simple debconf to openssl wrapper to create self-signed
|
||||||
|
certificates.
|
||||||
|
It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf)
|
||||||
|
and it will place the new generated certificate in the specified
|
||||||
|
output file.
|
||||||
|
.br
|
||||||
|
Invoked with "generate-default-snakeoil", it will generate
|
||||||
|
/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
|
||||||
|
.SH OPTIONS
|
||||||
|
A summary of options are included below.
|
||||||
|
.TP
|
||||||
|
.B \-\-force\-overwrite
|
||||||
|
Use this option
|
||||||
|
.B ONLY
|
||||||
|
when strictly required since it will overwrite the output certificate.
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.IR "openssl" (1)
|
||||||
|
.SH AUTHOR
|
||||||
|
The program author is Thom May <thom@debian.org>, manual
|
||||||
|
page was written for completness by Fabio M. Di Nitto
|
||||||
|
<fabbione@fabbione.net>, for the Debian GNU/Linux system
|
||||||
|
(but may be used by others).
|
|
@ -0,0 +1,21 @@
|
||||||
|
#
|
||||||
|
# SSLeay example configuration file.
|
||||||
|
#
|
||||||
|
|
||||||
|
RANDFILE = /dev/urandom
|
||||||
|
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
prompt = no
|
||||||
|
policy = policy_anything
|
||||||
|
req_extensions = v3_req
|
||||||
|
x509_extensions = v3_req
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
commonName = @HostName@
|
||||||
|
|
||||||
|
[ v3_req ]
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
subjectAltName = @SubjectAltName@
|
Loading…
Reference in New Issue