ab22b18a78
- Better crypto-policies (previous commit) - Better logrotation - Better bootstrap Signed-off-by: Alexander Scheel <ascheel@redhat.com>
101 lines
3.2 KiB
Diff
101 lines
3.2 KiB
Diff
From d38836ca4158b42c27f4d7f474e64f4f10aed16d Mon Sep 17 00:00:00 2001
|
|
From: Alexander Scheel <ascheel@redhat.com>
|
|
Date: Wed, 8 May 2019 10:29:08 -0400
|
|
Subject: [PATCH] Don't clobber existing files on bootstrap
|
|
|
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
---
|
|
raddb/certs/bootstrap | 39 ++++++++++++---------------------------
|
|
1 file changed, 12 insertions(+), 27 deletions(-)
|
|
|
|
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
|
index 0f719aafd4..be81a2d697 100755
|
|
--- a/raddb/certs/bootstrap
|
|
+++ b/raddb/certs/bootstrap
|
|
@@ -13,17 +13,6 @@
|
|
umask 027
|
|
cd `dirname $0`
|
|
|
|
-make -h > /dev/null 2>&1
|
|
-
|
|
-#
|
|
-# If we have a working "make", then use it. Otherwise, run the commands
|
|
-# manually.
|
|
-#
|
|
-if [ "$?" = "0" ]; then
|
|
- make all
|
|
- exit $?
|
|
-fi
|
|
-
|
|
#
|
|
# The following commands were created by running "make -n", and edited
|
|
# to remove the trailing backslash, and to add "exit 1" after the commands.
|
|
@@ -31,52 +20,48 @@ fi
|
|
# Don't edit the following text. Instead, edit the Makefile, and
|
|
# re-generate these commands.
|
|
#
|
|
-if [ ! -f dh ]; then
|
|
+if [ ! -e dh ]; then
|
|
openssl dhparam -out dh 2048 || exit 1
|
|
- if [ -e /dev/urandom ] ; then
|
|
- ln -sf /dev/urandom random
|
|
- else
|
|
- date > ./random;
|
|
- fi
|
|
+ ln -sf /dev/urandom random
|
|
fi
|
|
|
|
-if [ ! -f server.key ]; then
|
|
+if [ ! -e server.key ]; then
|
|
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
|
fi
|
|
|
|
-if [ ! -f ca.key ]; then
|
|
+if [ ! -e ca.key ]; then
|
|
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
|
fi
|
|
|
|
-if [ ! -f index.txt ]; then
|
|
+if [ ! -e index.txt ]; then
|
|
touch index.txt
|
|
fi
|
|
|
|
-if [ ! -f serial ]; then
|
|
+if [ ! -e serial ]; then
|
|
echo '01' > serial
|
|
fi
|
|
|
|
-if [ ! -f server.crt ]; then
|
|
+if [ ! -e server.crt ]; then
|
|
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
|
|
fi
|
|
|
|
-if [ ! -f server.p12 ]; then
|
|
+if [ ! -e server.p12 ]; then
|
|
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
|
fi
|
|
|
|
-if [ ! -f server.pem ]; then
|
|
+if [ ! -e server.pem ]; then
|
|
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
|
openssl verify -CAfile ca.pem server.pem || exit 1
|
|
fi
|
|
|
|
-if [ ! -f ca.der ]; then
|
|
+if [ ! -e ca.der ]; then
|
|
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
|
|
fi
|
|
|
|
-if [ ! -f client.key ]; then
|
|
+if [ ! -e client.key ]; then
|
|
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
|
fi
|
|
|
|
-if [ ! -f client.crt ]; then
|
|
+if [ ! -e client.crt ]; then
|
|
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
|
|
fi
|
|
--
|
|
2.21.0
|
|
|