Last update: 2009-05-09 (土) 19:29:33
実施: 2009/02/10
玄箱HGメモ:Debian:apache2-ssl-cert編集画面
緑文字が入力コマンド。
Debian Apache2 SSL対応
SSL設定
SSL設定スクリプト編集
/usr/sbin/apache2-ssl-certの例
#!/bin/bash -e # This is a mockup of a script to produce a snakeoil cert # The aim is to have a debconfisable ssl-certificate script
. /usr/share/debconf/confmodule db_version 2.0 db_capb backup
ask_via_debconf() {
db_settitle make-ssl-cert/title
templates="countryname statename localityname organisationname ouname hostname email"
for i in $templates; do
RET=""
while [ "x$RET" = "x" ]; do
db_fset make-ssl-cert/$i seen false
db_input high make-ssl-cert/$i || true
db_go
db_get make-ssl-cert/$i
done
done
db_get make-ssl-cert/countryname
CountryName="$RET"
db_fset make-ssl-cert/countryname seen false
db_get make-ssl-cert/statename
StateName="$RET"
db_fset make-ssl-cert/statename seen false
db_get make-ssl-cert/localityname
LocalityName="$RET"
db_fset make-ssl-cert/localityname seen false
db_get make-ssl-cert/organisationname
OrganisationName="$RET"
db_fset make-ssl-cert/organisationname seen false
db_get make-ssl-cert/ouname
OUName="$RET"
db_fset make-ssl-cert/ouname seen false
db_get make-ssl-cert/hostname
HostName="$RET"
db_fset make-ssl-cert/hostname seen false
db_get make-ssl-cert/email
Email="$RET"
db_fset make-ssl-cert/email seen false
}
make_snakeoil() {
CountryName="XX"
StateName="There is no such thing outside US"
LocalityName="Everywhere"
OrganisationName="OCOSA"
OUName="Office for Complication of Otherwise Simple Affairs"
HostName="$(hostname)"
Email="root@$HostName"
}
create_temporary_cnf() {
sed -e s#@CountryName@#"$CountryName"# \
-e s#@StateName@#"$StateName"# \
-e s#@LocalityName@#"$LocalityName"# \
-e s#@OrganisationName@#"$OrganisationName"# \
-e s#@OUName@#"$OUName"# \
-e s#@HostName@#"$HostName"# \
-e s#@Email@#"$Email"# \
$template > $TMPFILE
}
# Takes two arguments, the base layout and the output cert.
if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
printf "Usage: $0 template output [--force-overwrite]\n";
printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
exit 1;
fi
if [ "$1" != "generate-default-snakeoil" ]; then
template="$1"
output="$2"
# be anal in manual mode.
if [ ! -f $template ]; then
printf "Could not open template file: $template!\n";
exit 1;
fi
if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
printf "$output file already exists!\n";
exit 1;
fi
ask_via_debconf
else
template="/usr/share/ssl-cert/ssleay.cnf"
if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
if [ "$2" != "--force-overwrite" ]; then
exit 0
fi
fi
make_snakeoil
fi
# # should be a less common char # problem is that openssl virtually accepts everything and we need to # sacrifice one char.
TMPFILE="$(mktemp)" || exit 1
create_temporary_cnf
# create the certiface.
export RANDFILE=/dev/random
if [ "$1" != "generate-default-snakeoil" ]; then
以下の行に-days 365を追加
旧
openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output > /dev/null 2>&1
新
openssl req -config $TMPFILE -new -days 365 -x509 -nodes -out $output -keyout $output > /dev/null 2>&1
chmod 600 $output
# hash symlink
cd $(dirname $output)
ln -sf $(basename $output) $(openssl x509 -hash -noout -in $output)
else
openssl req -config $TMPFILE -new -x509 -nodes \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-keyout /etc/ssl/private/ssl-cert-snakeoil.key > /dev/null 2>&1
chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
# hash symlink
cd /etc/ssl/certs/
ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
fi
# cleanup rm -f $TMPFILE