use sscg defaults; append CA cert to generated cert

document httpd-init.service in httpd-init.service(8)
This commit is contained in:
Joe Orton 2017-09-21 16:41:20 +01:00
parent f0c4143d98
commit 45393c8877
5 changed files with 34 additions and 13 deletions

View File

@ -1,5 +1,6 @@
[Unit]
Description=One-time configuration for httpd.service
Documentation=man:httpd-init.service(8)
ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt

View File

@ -3,22 +3,20 @@
set -e
FQDN=`hostname`
# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
if test -f /etc/pki/tls/certs/localhost.crt -o \
-f /etc/pki/tls/private/localhost.key -o \
-f /etc/pki/tls/certs/localhost-ca.crt; then
exit 1
fi
sscg -q \
--cert-file /etc/pki/tls/certs/localhost.crt \
--cert-key-file /etc/pki/tls/private/localhost.key \
--ca-file /etc/pki/tls/certs/localhost-ca.crt \
--hash-alg sha256 \
--key-strength 2048 \
--lifetime 365 \
--country "--" \
--state SomeState \
--locality SomeCity \
--organization SomeOrganization \
--organizational-unit SomeOrganizationalUnit \
--hostname $FQDN \
--email root@$FQDN
# mod_ssl will send the CA cert if it's appended to the server cert.
cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt

View File

@ -37,12 +37,14 @@
<refnamediv>
<refname>httpd.service</refname>
<refname>httpd.socket</refname>
<refname>httpd-init.service</refname>
<refpurpose>httpd unit files for systemd</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para>
<filename>/usr/lib/systemd/system/httpd.service</filename>,
<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
<filename>/usr/lib/systemd/system/httpd.socket</filename>
</para>
</refsynopsisdiv>
@ -124,6 +126,20 @@ Wants=network-online.target</programlisting>
</refsect2>
<refsect2>
<title>SSL/TLS certificate generation</title>
<para>The <command>httpd-init.service</command> unit is provided
with the mod_ssl package. This oneshot unit automatically
creates a TLS server certificate and key (using a generated
self-signed CA certificate and key) for testing purposes before
httpd is started. To inhibit certificate generation, use
<command>systemctl mask httpd-init.service</command> after
installing mod_ssl, and adjust the mod_ssl configuration to use
an appropriate certicate and key.</para>
</refsect2>
<refsect2>
<title>Reloading and stopping the service</title>

View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.27
Release: 8.4%{?dist}
Release: 9%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -454,7 +454,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
$RPM_BUILD_ROOT/etc/logrotate.d/httpd
# Install systemd service man pages
install -m 644 -p httpd.service.8 httpd.socket.8 \
install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
$RPM_BUILD_ROOT%{_mandir}/man8
# fix man page paths
@ -618,6 +618,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
%{_mandir}/man8/*
%exclude %{_mandir}/man8/httpd-init.*
%{_unitdir}/httpd.service
%{_unitdir}/htcacheclean.service
@ -658,6 +659,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/httpd-ssl-pass-dialog
%{_libexecdir}/httpd-ssl-gencerts
%{_unitdir}/httpd.socket.d/10-listen443.conf
%{_mandir}/man8/httpd-init.*
%files -n mod_proxy_html
%defattr(-,root,root)
@ -687,6 +689,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9
- use sscg defaults; append CA cert to generated cert
- document httpd-init.service in httpd-init.service(8)
* Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
- Generate SSL certificates on service start, not %posttrans

View File

@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are