/usr/sbin/make-ssl-cert is in ssl-cert 1.0.35.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 | #!/bin/bash -e
# This is a mockup of a script to produce a snakeoil cert
# The aim is to have a debconfisable ssl-certificate script
. /usr/share/debconf/confmodule
db_version 2.0
db_capb backup
ask_via_debconf() {
RET=""
if db_settitle make-ssl-cert/title ; then
: # OK
else
echo Debconf failed with error code $? $RET >&2
echo Maybe your debconf database is corrupt. >&2
echo Try re-installing ssl-cert. >&2
fi
RET=""
while [ "x$RET" = "x" ]; do
db_fset make-ssl-cert/hostname seen false
db_input high make-ssl-cert/hostname || true
db_go
db_get make-ssl-cert/hostname
done
db_get make-ssl-cert/hostname
HostName="$RET"
db_fset make-ssl-cert/hostname seen false
db_fset make-ssl-cert/altname seen false
db_input high make-ssl-cert/altname || true
db_go
db_get make-ssl-cert/altname
AltName="$RET"
db_fset make-ssl-cert/altname seen false
}
make_snakeoil() {
if ! HostName="$(hostname -f)" ; then
HostName="$(hostname)"
echo make-ssl-cert: Could not get FQDN, using \"$HostName\".
echo make-ssl-cert: You may want to fix your /etc/hosts and/or DNS setup and run
echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
echo make-ssl-cert: again.
fi
if [ ${#HostName} -gt 64 ] ; then
AltName="DNS:$HostName"
HostName="$(hostname)"
fi
}
create_temporary_cnf() {
sed -e s#@HostName@#"$HostName"# $template > $TMPFILE
[ -z "$AltName" ] || echo "subjectAltName=$AltName" >> $TMPFILE
}
# Takes two arguments, the base layout and the output cert.
if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
printf "Usage: $0 template output [--force-overwrite]\n";
printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
exit 1;
fi
if [ "$1" != "generate-default-snakeoil" ]; then
template="$1"
output="$2"
# be anal in manual mode.
if [ ! -f $template ]; then
printf "Could not open template file: $template!\n";
exit 1;
fi
if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
printf "$output file already exists!\n";
exit 1;
fi
ask_via_debconf
else
template="/usr/share/ssl-cert/ssleay.cnf"
if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
if [ "$2" != "--force-overwrite" ]; then
exit 0
fi
fi
make_snakeoil
fi
# # should be a less common char
# problem is that openssl virtually accepts everything and we need to
# sacrifice one char.
TMPFILE="$(mktemp)" || exit 1
TMPOUT="$(mktemp)" || exit 1
trap "rm -f $TMPFILE $TMPOUT" EXIT
create_temporary_cnf
# create the certificate.
if [ "$1" != "generate-default-snakeoil" ]; then
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
-out $output -keyout $output > $TMPOUT 2>&1
then
echo Could not create certificate. Openssl output was: >&2
cat $TMPOUT >&2
exit 1
fi
chmod 600 $output
# hash symlink
cd $(dirname $output)
ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
else
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
then
echo Could not create certificate. Openssl output was: >&2
cat $TMPOUT >&2
exit 1
fi
chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
# hash symlink
cd /etc/ssl/certs/
ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
fi
|