diff --git a/httpd-init.service b/httpd-init.service
index 05af86e..e2e8dd6 100644
--- a/httpd-init.service
+++ b/httpd-init.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=One-time configuration for httpd.service
+Documentation=man:httpd-init.service(8)
 ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
 ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
index 0771b73..67b6d9a 100755
--- a/httpd-ssl-gencerts
+++ b/httpd-ssl-gencerts
@@ -3,22 +3,20 @@
 set -e
 FQDN=`hostname`
-# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
-if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
- FQDN=localhost.localdomain
+
+if test -f /etc/pki/tls/certs/localhost.crt -o \
+ -f /etc/pki/tls/private/localhost.key -o \
+ -f /etc/pki/tls/certs/localhost-ca.crt; then
+ exit 1
 fi
 sscg -q \
 --cert-file /etc/pki/tls/certs/localhost.crt \
 --cert-key-file /etc/pki/tls/private/localhost.key \
 --ca-file /etc/pki/tls/certs/localhost-ca.crt \
- --hash-alg sha256 \
- --key-strength 2048 \
 --lifetime 365 \
- --country "--" \
- --state SomeState \
- --locality SomeCity \
- --organization SomeOrganization \
- --organizational-unit SomeOrganizationalUnit \
 --hostname $FQDN \
 --email root@$FQDN
+
+# mod_ssl will send the CA cert if it's appended to the server cert.
+cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
diff --git a/httpd.service.xml b/httpd.service.xml
index 8f82e59..d851862 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -37,12 +37,14 @@ httpd.service httpd.socket + httpd-init.service httpd unit files for systemd /usr/lib/systemd/system/httpd.service, + /usr/lib/systemd/system/httpd-init.service, /usr/lib/systemd/system/httpd.socket
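Review bot: The new existence check in httpd-ssl-gencerts exits 1 without writing any diagnostic, so when the oneshot unit fails the journal presumably shows only a non-zero exit status; print a message to stderr first, e.g. `echo "httpd-ssl-gencerts: certificate or key files already exist, not overwriting" >&2` ahead of `exit 1`. That check also covers /etc/pki/tls/private/localhost.key, while the ConditionPathExists lines of httpd-init.service (first hunk on this line) only test the two .crt files, so a leftover key with no certificate makes the unit run and fail instead of being skipped. Dropping the >59-character FQDN guard removes the only handling of the 64-character emailAddress limit the old comment described; unless sscg's defaults now deal with that, a long hostname would presumably make `--email root@$FQDN` fail, and `$FQDN` remains unquoted in both sscg arguments. The script's shebang precedes the hunk.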
@@ -124,6 +126,20 @@ Wants=network-online.target + + SSL/TLS certificate generation + + The httpd-init.service unit is provided + with the mod_ssl package. This oneshot unit automatically + creates a TLS server certificate and key (using a generated + self-signed CA certificate and key) for testing purposes before + httpd is started. To inhibit certificate generation, use + systemctl mask httpd-init.service after + installing mod_ssl, and adjust the mod_ssl configuration to use + an appropriate certicate and key. + + + Reloading and stopping the service
diff --git a/httpd.spec b/httpd.spec
index 717e321..cccea46 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.27
-Release: 8.4%{?dist}
+Release: 9%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -454,7 +454,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
 $RPM_BUILD_ROOT/etc/logrotate.d/httpd
 # Install systemd service man pages
-install -m 644 -p httpd.service.8 httpd.socket.8 \
+install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
 $RPM_BUILD_ROOT%{_mandir}/man8
 # fix man page paths
@@ -618,6 +618,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
 %{_mandir}/man8/*
+%exclude %{_mandir}/man8/httpd-init.*
 %{_unitdir}/httpd.service
 %{_unitdir}/htcacheclean.service
@@ -658,6 +659,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/httpd-ssl-pass-dialog
 %{_libexecdir}/httpd-ssl-gencerts
 %{_unitdir}/httpd.socket.d/10-listen443.conf
+%{_mandir}/man8/httpd-init.*
 %files -n mod_proxy_html
 %defattr(-,root,root)
@@ -687,6 +689,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Sep 21 2017 Joe Orton - 2.4.27-9
+- use sscg defaults; append CA cert to generated cert
+- document httpd-init.service in httpd-init.service(8)
+
 * Wed Sep 20 2017 Stephen Gallagher - 2.4.27-8.1
 - Generate SSL certificates on service start, not %posttrans
diff --git a/ssl.conf b/ssl.conf
index a2709ce..a07bd8f 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 # Set the CA certificate verification path where to find CA
 # certificates for client authentication or alternatively one
 # huge file containing all of them (file must be PEM encoded)
-SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 # Client Authentication (Type):
 # Client certificate verification type and depth. Types are
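Review bot: The commented-out example `#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt` now names the system CA bundle, which trusts every public CA, so an administrator who later uncomments it to enable client certificate verification would accept a client certificate issued by any of those CAs, which is rarely the intended trust anchor. I would extend the comment block above it with `# For client authentication, point this at the CA that issues your client certificates rather than the system-wide bundle.` Dropping the reference to the generated localhost-ca.crt here is consistent with httpd-ssl-gencerts now appending that CA certificate to localhost.crt earlier in this diff. The SSLVerifyClient directive that decides whether this file is consulted lies outside the hunk.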