install --self-signed-cert: Generate our own, rather than use system's.

This gives us just one way of adopting a self-signed cert, rather than
one script which would generate a new one and an option to another
which would symlink to the system's snakeoil cert.  Now those two
codepaths converge, and do the same thing.

The small advantage of generating our own over the alternative is that
it lets us set the name in the cert to EXTERNAL_HOST, rather than the
system's hostname as embedded in the system snakeoil certs.  Not a big
deal, but might make things go slightly smoother if some browsers are
lenient (in a way that they probably shouldn't be).
Greg Price
2018-01-23 17:13:09 -08:00
parent d76c2d77f4
commit f26b34405e
2 changed files with 16 additions and 9 deletions


@@ -8,10 +8,8 @@ Usage:
install --help install --help
Other options: Other options:
--certbot --certbot (requires --hostname and --email)
--self-signed-cert --self-signed-cert
If --certbot is used, --hostname and --email are required.
EOF EOF
exit 0 exit 0
}; };
@@ -54,6 +52,12 @@ if [ -n "$show_help" ]; then
usage usage
fi fi
if [ -n "$SELF_SIGNED_CERT" ] && [ -n "$USE_CERTBOT" ]; then
echo "error: --self-signed-cert and --certbot are incompatible" >&2
echo >&2
usage
fi
if [ -n "$USE_CERTBOT" ] \ if [ -n "$USE_CERTBOT" ] \
&& { [ -z "$EXTERNAL_HOST" ] || [ -z "$ZULIP_ADMINISTRATOR" ]; }; then && { [ -z "$EXTERNAL_HOST" ] || [ -z "$ZULIP_ADMINISTRATOR" ]; }; then
usage usage
@@ -186,10 +190,8 @@ fi
apt-get -y upgrade apt-get -y upgrade
if [ "$has_nginx" = 0 ]; then if [ "$has_nginx" = 0 ]; then
if [ -n "$SELF_SIGNED_CERT" ] && ! [ -e "/etc/ssl/private/zulip.key" ]; then if [ -n "$SELF_SIGNED_CERT" ]; then
apt-get install -y openssl ssl-cert "$ZULIP_PATH"/scripts/setup/generate-self-signed-cert --exists-ok "${EXTERNAL_HOST:-$(hostname)}"
ln -nsf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/zulip.combined-chain.crt
ln -nsf /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/zulip.key
fi fi
# Check nginx was configured properly now that we've installed it. # Check nginx was configured properly now that we've installed it.
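Review bot: The new `"$ZULIP_PATH"/scripts/setup/generate-self-signed-cert --exists-ok` call replaces the old `! [ -e "/etc/ssl/private/zulip.key" ]` guard, and from the helper's hunk `--exists-ok` only short-circuits when both the key and the certificate exist; a host left with only one of the two files will now hit the helper's "use --force to overwrite" exit 1, which presumably aborts install where the old condition silently skipped the step. If that stricter failure is intended, a comment such as `# --exists-ok only skips regeneration when both key and cert are present; a half-present pair is an error` would make the new behavior explicit. The removed `apt-get install -y openssl ssl-cert` line also means this branch now relies on the helper (or an earlier step, not visible here) to ensure openssl is installed. The enclosing `if [ "$has_nginx" = 0 ]` block continues outside the hunk.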


@@ -2,16 +2,17 @@
set -e set -e
usage() { usage() {
echo "usage: $0 [--force] EXTERNAL_HOST" >&2 echo "usage: $0 [--force] [--exists-ok] EXTERNAL_HOST" >&2
exit 1 exit 1
} }
args="$(getopt -o '' --long help,force -- "$@")" args="$(getopt -o '' --long help,force,exists-ok -- "$@")"
eval "set -- $args" eval "set -- $args"
while true; do while true; do
case "$1" in case "$1" in
--help) usage;; --help) usage;;
--force) FORCE=1; shift;; --force) FORCE=1; shift;;
--exists-ok) EXISTS_OK=1; shift;;
--) shift; break;; --) shift; break;;
*) usage;; *) usage;;
esac esac
@@ -32,6 +33,10 @@ set -x
KEYFILE=/etc/ssl/private/zulip.key KEYFILE=/etc/ssl/private/zulip.key
CERTFILE=/etc/ssl/certs/zulip.combined-chain.crt CERTFILE=/etc/ssl/certs/zulip.combined-chain.crt
if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" -a -e "$CERTFILE" ]; then
exit 0
fi
if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then
echo "$0: certificate and/or key already exists; use --force to overwrite." >&2 echo "$0: certificate and/or key already exists; use --force to overwrite." >&2
exit 1 exit 1