cert_install_available_DATA = \
cert-install-ssl \
cert-install-sssd \
+ cert-install-ldaputils \
+ cert-install-cockpit \
cert-install-dirsrv \
cert-install-lighttpd \
cert-install-openxpki \
EXTRA_DIST = \
cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \
- cert-install-dirsrv cert-install-gitea cert-install-ipsec.in \
- cert-install-lighttpd cert-install-openxpki cert-install-ssl \
- cert-install-sssd cert-install-swanctl.in
+ cert-install-cockpit cert-install-dirsrv cert-install-gitea \
+ cert-install-ipsec.in cert-install-ldaputils cert-install-lighttpd \
+ cert-install-openxpki cert-install-ssl cert-install-sssd \
+ cert-install-swanctl.in
man8_MANS = cert-enroll.8
: ${CAOUT=cacert}
: ${ROOTCA=$CAOUT.pem}
: ${OLDROOTCA=$CAOUT-old.pem}
+: ${OLDERROOTCA=$CAOUT-older.pem}
: ${SUBCA=$CAOUT-1.pem}
: ${OLDSUBCA=$CAOUT-1-old.pem}
+: ${OLDERSUBCA=$CAOUT-1-older.pem}
: ${RAOUT=racert}
: ${RACERT=$RAOUT.pem}
if [ $ROOTCA_CHANGED -ne 0 ]
then
echo "Warning: '$ROOTCA' has changed"
+ if [ -s old/$ROOTCA ]
+ then
+ mv old/$ROOTCA older
+ fi
mv $ROOTCA old
mv new/$ROOTCA .
fi
if [ $SUBCA_CHANGED -ne 0 ]
then
echo "Warning: '$SUBCA' has changed"
+ if [ -s old/$SUBCA ]
+ then
+ mv old/$SUBCA older
+ fi
mv $SUBCA old
mv new/$SUBCA .
fi
KEYTYPE="$KEYTYPE" CERTDIR="$CERTDIR" HOSTKEY="$HOSTKEY" \
HOSTCERT="$HOSTCERT" ROOTCA="$ROOTCA" SUBCA="$SUBCA" \
OLDROOTCA="$OLDROOTCA" OLDSUBCA="$OLDSUBCA" \
+ OLDERROOTCA="$OLDERROOTCA" OLDERSUBCA="$OLDERSUBCA" \
USER_GROUP="$USER_GROUP" SERVICE="$SERVICE" \
/bin/bash $script || status=$?
if [ $status -ne 0 ]
##############################################################################
# Create and change into certificates directory
#
-mkdir -p $CERTDIR/new $CERTDIR/old
+mkdir -p $CERTDIR/new $CERTDIR/old $CERTDIR/older
cd $CERTDIR
echo " changed into the '$CERTDIR' directory"
--- /dev/null
+#!/bin/bash
+# Install the generated key and certificate as TLS credentials for the Cockpit
+# management interface.
+#
+# Copyright (C) 2024 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set local paths
+#
+
+# Path to the cockpit credentials
+COCKPIT="/etc/cockpit/ws-certs.d"
+
+##############################################################################
+# Change into the certificates directory
+#
+cd $CERTDIR
+
+##############################################################################
+# Install the private key and certificate
+#
+cp $HOSTKEY $COCKPIT/ldap.key
+cp $HOSTCERT $COCKPIT/ldap.crt
+
+##############################################################################
+# Restart the cockpit systemd service
+#
+/usr/bin/systemctl restart cockpit.service
+exit 0
+
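Review bot: The private key copied at `cp $HOSTKEY $COCKPIT/ldap.key` takes its mode from the caller's umask when the target does not yet exist, so with the usual 022 umask the host key would land world-readable in the cockpit directory; `install -m 0600 -- "$HOSTKEY" "$COCKPIT/ldap.key"` (or an explicit `chmod 600` after the copy) pins the mode regardless of umask. The final `systemctl restart cockpit.service` is unconditional, whereas the sibling installers in this change only restart or reload their service "if it is active" / "if it is running"; `systemctl try-restart cockpit.service` would match that behaviour if starting cockpit on a host where it is inactive is not intended. Both `$CERTDIR` and `$HOSTKEY` arrive from the environment that cert-enroll exports, and without `set -u` an unset `CERTDIR` makes `cd $CERTDIR` silently change to `$HOME` instead of failing, which is worth noting in the header comment or guarding with `: "${CERTDIR:?}"`.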
$CERTUTIL -d . -A -t "CT,," -n "Old Sub CA" -i $CERTDIR/old/$SUBCA \
-f passwd.txt
fi
+if [ -s $CERTDIR/older/$ROOTCA ]
+then
+ $CERTUTIL -d . -A -t "CT,," -n "Older Root CA" -i $CERTDIR/older/$ROOTCA \
+ -f passwd.txt
+fi
+if [ -s $CERTDIR/older/$SUBCA ]
+then
+ $CERTUTIL -d . -A -t "CT,," -n "Older Sub CA" -i $CERTDIR/older/$SUBCA \
+ -f passwd.txt
+fi
##############################################################################
# Move the generated credentials to the correct place and delete the build dir
# Install the CA certificates
#
cp $ROOTCA $SUBCA $IPSECDIR/cacerts
+if [ -s old/$ROOTCA ]
+then
+ cp old/$ROOTCA $IPSECDIR/cacerts/$OLDROOTCA
+fi
+if [ -s old/$SUBCA ]
+then
+ cp old/$SUBCA $IPSECDIR/cacerts/$OLDSUBCA
+fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $IPSECDIR/cacerts/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $IPSECDIR/cacerts/$OLDERSUBCA
+fi
##############################################################################
# Reload the strongSwan charon daemon if it is running
--- /dev/null
+#!/bin/bash
+# Concatenate the present and past CA certificates into a single TLS_CACERT
+# file defined by ldap.conf so that the ldap-utils can verify the LDAP server
+# certificate.
+#
+# Copyright (C) 2024 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set some local paths
+#
+
+# Path to the LDAP configuration file
+LDAP_CONF="/etc/ldap/ldap.conf"
+
+# Extract or set path to the LDAP TLS CA cert directory
+LDAP_TLS_CACERTS=$(awk '/TLS_CACERT/ {print $2}' $LDAP_CONF)
+
+##############################################################################
+# Change into the certificate directory
+#
+cd $CERTDIR
+
+##############################################################################
+# Concatenate the CA certificates into a single file
+#
+cat $ROOTCA $SUBCA > $LDAP_TLS_CACERTS
+if [ -s old/$ROOTCA ]
+then
+ cat old/$ROOTCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s old/$SUBCA ]
+then
+ cat old/$SUBCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s older/$ROOTCA ]
+then
+ cat older/$ROOTCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s older/$SUBCA ]
+then
+ cat older/$SUBCA >> $LDAP_TLS_CACERTS
+fi
+
+exit 0
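Review bot: The pattern in `LDAP_TLS_CACERTS=$(awk '/TLS_CACERT/ {print $2}' $LDAP_CONF)` matches any line containing that substring, so a `TLS_CACERTDIR` directive or a commented-out `#TLS_CACERT` example line in ldap.conf contributes extra words, and the unquoted `> $LDAP_TLS_CACERTS` then either word-splits into a wrong target or, when nothing matched, aborts with an ambiguous-redirect error rather than a clear message. Anchoring on the first field and failing early covers both cases: `LDAP_TLS_CACERTS=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$LDAP_CONF")` followed by `[ -n "$LDAP_TLS_CACERTS" ] || { echo "TLS_CACERT not set in $LDAP_CONF" >&2; exit 1; }`. The script also overwrites whatever file TLS_CACERT names; if a site points that directive at a shared bundle, the bundle is replaced by only this PKI's certificates, so the header comment should state that the file is owned by this installer.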
then
cp old/$SUBCA $OPENXPKI_TLS/chain/$OLDSUBCA
fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $OPENXPKI_TLS/chain/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $OPENXPKI_TLS/chain/$OLDERSUBCA
+fi
rm -f $OPENXPKI_TLS/chain/*.0
then
cat $CERTDIR/old/$SUBCA >> $SSL_DIR/trusted.pem
fi
+if [ -s $CERTDIR/older/$ROOTCA ]
+then
+ cat $CERTDIR/older/$ROOTCA >> $SSL_DIR/trusted.pem
+fi
+if [ -s $CERTDIR/older/$SUBCA ]
+then
+ cat $CERTDIR/older/$SUBCA >> $SSL_DIR/trusted.pem
+fi
##############################################################################
# Restart the systemd service if it is active
then
cp old/$SUBCA $LDAP_TLS_CACERTDIR/$OLDSUBCA
fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $LDAP_TLS_CACERTDIR/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $LDAP_TLS_CACERTDIR/$OLDERSUBCA
+fi
rm -f $LDAP_TLS_CACERTDIR/*.0
then
cp old/$SUBCA ${SWANCTLDIR}/x509ca/$OLDSUBCA
fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA ${SWANCTLDIR}/x509ca/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA ${SWANCTLDIR}/x509ca/$OLDERSUBCA
+fi
##############################################################################
# Reload the strongswan systemd service if it is running