common: Added Makefile for SSL cert generation + combination

7e726e9c · Patrick J Cherry · b46b104c · 7e726e9c · 7e726e9c · 7e726e9c
Commit 7e726e9c authored Nov 03, 2015 by Patrick J Cherry
--- a/common/debian/changelog
+++ b/common/debian/changelog
+symbiosis-common (2015:1103) stable; urgency=medium
+
+  * Added Makefile in /etc/ssl to generate certificate, key, and combined form
+    of certificate and bundle, which is required for the email servers.
+
+ -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 03 Nov 2015 17:21:51 +0000
+
 symbiosis-common (2015:1027) stable; urgency=medium

  * Added Symbiosis::Host#fqdn method.

--- a/common/debian/install
+++ b/common/debian/install
@@ -2,3 +2,4 @@ bin        usr/
 sbin       usr/
 test.d     etc/symbiosis/
 sudoers.d  etc/
+ssl        etc/
--- a/common/debian/postinst
+++ b/common/debian/postinst
@@ -85,23 +85,8 @@ if ! [ -e /etc/ssl/ssl.crt -a -e /etc/ssl/ssl.key ]; then
    [ -e /etc/ssl/ssl.$i ] && mv /etc/ssl/ssl.$i /etc/ssl/ssl.$i.dpkg-old
  done

-  if [ -n "$HOSTNAME" ] ; then
-    #
-    #  Make the cert + key
-    #
-    echo "I: Generating a new SSL certificate for $HOSTNAME"
-    openssl req -subj "/C=GB/ST=England/L=York/CN=$HOSTNAME" -new -x509 -days 3650 -nodes -out  /etc/ssl/ssl.crt -keyout /etc/ssl/ssl.key
-
-    #
-    #  Combine Cert + Key
-    #
-    cat /etc/ssl/ssl.key /etc/ssl/ssl.crt > /etc/ssl/ssl.combined
-  else
-    #
-    # No hostname, no certificate
-    #
-    echo "W: Could not work out hostname to generate a self-signed SSL certificate."
-  fi
+  cd /etc/ssl && make check || true
+
 fi

 #DEBHELPER#

--- a/common/ssl/Makefile
+++ b/common/ssl/Makefile
+
+
+# hostname := $(shell hostname -f)
+tempext  := symbiosis.$(shell echo $$$$)
+
+check: ssl.combined ssl.crt ssl.key
+	@if [ "$$(openssl x509 -noout -modulus -in ssl.crt)" = "$$(openssl rsa -noout -modulus -in ssl.key)" ] ; then \
+		echo "I: Successfully verified that ssl.key matches ssl.crt." ; \
+	else \
+		echo "W: The key in ssl.key does not work for ssl.crt." ; \
+	fi
+
+	@if ( openssl verify -CAfile ssl.combined ssl.combined 2>&1 > /dev/null ) ; then \
+    echo "I: Successfully verified $<."; \
+	else \
+     echo "W: Warning: Cannot verify $< -- maybe a bundle is missing?" ; \
+	fi
+
+ssl.crt:
+	@if [ -z "$(hostname)" ]  ; then \
+		echo "W: Could not determine hostname"; \
+		exit 1 ; \
+	fi
+	@openssl req -subj "/C=GB/ST=England/L=York/CN=$(hostname)" -new \
+		-x509 -days 3650 -nodes -out ssl.crt.$(tempext) -newkey rsa:2048 \
+		-keyout ssl.key.$(tempext) -sha256 > /dev/null
+	@mv ssl.crt.$(tempext) ssl.crt
+	@mv ssl.key.$(tempext) ssl.key
+	@echo "I: Created a self-signed certificate and key."
+
+ssl.key: ssl.crt
+
+ssl.combined: ssl.crt
+	@cp $< ssl.combined.$(tempext)
+	@if ( openssl x509 -in ssl.bundle -noout > /dev/null 2>&1 ) ; then \
+		if ( openssl verify -CAfile ssl.bundle $< > /dev/null 2>&1 ) ; then \
+			cat ssl.bundle >> ssl.combined.$(tempext) ; \
+		else \
+			echo "W: Cannot verify $< using ssl.bundle." ; \
+		fi ; \
+	fi
+#
+# Check to see if the combined cert can verify itself
+#
+	@mv ssl.combined.$(tempext) ssl.combined
+	@echo "I: Created combined bundle and certificate."
+
+clean:
+	@$(RM) -v ssl.crt.symbiosis.[0-9]* ssl.key.symbiosis.[0-9]* ssl.combined.symbiosis.[0-9]* 
+
+.PHONY: clean