use sscg defaults; append CA cert to generated cert
document httpd-init.service in httpd-init.service(8)
This commit is contained in:
parent
f0c4143d98
commit
45393c8877
@ -1,5 +1,6 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=One-time configuration for httpd.service
|
Description=One-time configuration for httpd.service
|
||||||
|
Documentation=man:httpd-init.service(8)
|
||||||
|
|
||||||
ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
|
ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
|
||||||
ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
|
ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
|
||||||
|
@ -3,22 +3,20 @@
|
|||||||
set -e
|
set -e
|
||||||
|
|
||||||
FQDN=`hostname`
|
FQDN=`hostname`
|
||||||
# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
|
|
||||||
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
|
if test -f /etc/pki/tls/certs/localhost.crt -o \
|
||||||
FQDN=localhost.localdomain
|
-f /etc/pki/tls/private/localhost.key -o \
|
||||||
|
-f /etc/pki/tls/certs/localhost-ca.crt; then
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sscg -q \
|
sscg -q \
|
||||||
--cert-file /etc/pki/tls/certs/localhost.crt \
|
--cert-file /etc/pki/tls/certs/localhost.crt \
|
||||||
--cert-key-file /etc/pki/tls/private/localhost.key \
|
--cert-key-file /etc/pki/tls/private/localhost.key \
|
||||||
--ca-file /etc/pki/tls/certs/localhost-ca.crt \
|
--ca-file /etc/pki/tls/certs/localhost-ca.crt \
|
||||||
--hash-alg sha256 \
|
|
||||||
--key-strength 2048 \
|
|
||||||
--lifetime 365 \
|
--lifetime 365 \
|
||||||
--country "--" \
|
|
||||||
--state SomeState \
|
|
||||||
--locality SomeCity \
|
|
||||||
--organization SomeOrganization \
|
|
||||||
--organizational-unit SomeOrganizationalUnit \
|
|
||||||
--hostname $FQDN \
|
--hostname $FQDN \
|
||||||
--email root@$FQDN
|
--email root@$FQDN
|
||||||
|
|
||||||
|
# mod_ssl will send the CA cert if it's appended to the server cert.
|
||||||
|
cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
|
||||||
|
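Review bot: The new guard `if test -f …localhost.crt -o -f …localhost.key -o -f …localhost-ca.crt; then exit 1` makes the oneshot fail under `set -e` whenever any one of the three files already exists, while the unit's `ConditionPathExists=|!` lines (first hunk on this page) only cover the two certificate files, so a host where only the private key (or only one cert) is present will start the unit and then fail it, leaving httpd without a usable certificate. Refusing to overwrite existing key material is the right conservative choice, but that intent and the unit/script mismatch should be stated next to the guard, e.g. `# Never overwrite existing key/cert material; a partial set is an error, not a silent regeneration.`. The rendered diff also appears to drop the old fallback to `localhost.localdomain` for an empty or over-long `hostname` (the removed comment notes `root@FQDN` may exceed the 64-char emailAddress limit); if that is the case, an empty `$FQDN` leaves `--hostname` consuming `--email` as its value, and both expansions should at least be quoted: `--hostname "$FQDN"` and `--email "root@$FQDN"`.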
@ -37,12 +37,14 @@
|
|||||||
<refnamediv>
|
<refnamediv>
|
||||||
<refname>httpd.service</refname>
|
<refname>httpd.service</refname>
|
||||||
<refname>httpd.socket</refname>
|
<refname>httpd.socket</refname>
|
||||||
|
<refname>httpd-init.service</refname>
|
||||||
<refpurpose>httpd unit files for systemd</refpurpose>
|
<refpurpose>httpd unit files for systemd</refpurpose>
|
||||||
</refnamediv>
|
</refnamediv>
|
||||||
|
|
||||||
<refsynopsisdiv>
|
<refsynopsisdiv>
|
||||||
<para>
|
<para>
|
||||||
<filename>/usr/lib/systemd/system/httpd.service</filename>,
|
<filename>/usr/lib/systemd/system/httpd.service</filename>,
|
||||||
|
<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
|
||||||
<filename>/usr/lib/systemd/system/httpd.socket</filename>
|
<filename>/usr/lib/systemd/system/httpd.socket</filename>
|
||||||
</para>
|
</para>
|
||||||
</refsynopsisdiv>
|
</refsynopsisdiv>
|
||||||
@ -124,6 +126,20 @@ Wants=network-online.target</programlisting>
|
|||||||
|
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title>SSL/TLS certificate generation</title>
|
||||||
|
|
||||||
|
<para>The <command>httpd-init.service</command> unit is provided
|
||||||
|
with the mod_ssl package. This oneshot unit automatically
|
||||||
|
creates a TLS server certificate and key (using a generated
|
||||||
|
self-signed CA certificate and key) for testing purposes before
|
||||||
|
httpd is started. To inhibit certificate generation, use
|
||||||
|
<command>systemctl mask httpd-init.service</command> after
|
||||||
|
installing mod_ssl, and adjust the mod_ssl configuration to use
|
||||||
|
an appropriate certicate and key.</para>
|
||||||
|
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
<refsect2>
|
<refsect2>
|
||||||
<title>Reloading and stopping the service</title>
|
<title>Reloading and stopping the service</title>
|
||||||
|
|
||||||
|
10
httpd.spec
10
httpd.spec
@ -13,7 +13,7 @@
|
|||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.27
|
Version: 2.4.27
|
||||||
Release: 8.4%{?dist}
|
Release: 9%{?dist}
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source1: index.html
|
Source1: index.html
|
||||||
@ -454,7 +454,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
|
|||||||
$RPM_BUILD_ROOT/etc/logrotate.d/httpd
|
$RPM_BUILD_ROOT/etc/logrotate.d/httpd
|
||||||
|
|
||||||
# Install systemd service man pages
|
# Install systemd service man pages
|
||||||
install -m 644 -p httpd.service.8 httpd.socket.8 \
|
install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
|
||||||
$RPM_BUILD_ROOT%{_mandir}/man8
|
$RPM_BUILD_ROOT%{_mandir}/man8
|
||||||
|
|
||||||
# fix man page paths
|
# fix man page paths
|
||||||
@ -618,6 +618,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
|
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
|
||||||
|
|
||||||
%{_mandir}/man8/*
|
%{_mandir}/man8/*
|
||||||
|
%exclude %{_mandir}/man8/httpd-init.*
|
||||||
|
|
||||||
%{_unitdir}/httpd.service
|
%{_unitdir}/httpd.service
|
||||||
%{_unitdir}/htcacheclean.service
|
%{_unitdir}/htcacheclean.service
|
||||||
@ -658,6 +659,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_libexecdir}/httpd-ssl-pass-dialog
|
%{_libexecdir}/httpd-ssl-pass-dialog
|
||||||
%{_libexecdir}/httpd-ssl-gencerts
|
%{_libexecdir}/httpd-ssl-gencerts
|
||||||
%{_unitdir}/httpd.socket.d/10-listen443.conf
|
%{_unitdir}/httpd.socket.d/10-listen443.conf
|
||||||
|
%{_mandir}/man8/httpd-init.*
|
||||||
|
|
||||||
%files -n mod_proxy_html
|
%files -n mod_proxy_html
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -687,6 +689,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9
|
||||||
|
- use sscg defaults; append CA cert to generated cert
|
||||||
|
- document httpd-init.service in httpd-init.service(8)
|
||||||
|
|
||||||
* Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
|
* Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
|
||||||
- Generate SSL certificates on service start, not %posttrans
|
- Generate SSL certificates on service start, not %posttrans
|
||||||
|
|
||||||
|
2
ssl.conf
2
ssl.conf
@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
|||||||
# Set the CA certificate verification path where to find CA
|
# Set the CA certificate verification path where to find CA
|
||||||
# certificates for client authentication or alternatively one
|
# certificates for client authentication or alternatively one
|
||||||
# huge file containing all of them (file must be PEM encoded)
|
# huge file containing all of them (file must be PEM encoded)
|
||||||
SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
|
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
|
||||||
|
|
||||||
# Client Authentication (Type):
|
# Client Authentication (Type):
|
||||||
# Client certificate verification type and depth. Types are
|
# Client certificate verification type and depth. Types are
|
||||||
|
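Review bot: Commenting out `SSLCACertificateFile` leaves the generated self-signed CA unreferenced from ssl.conf; it now reaches clients only as the second PEM block that httpd-ssl-gencerts appends to localhost.crt, and the surrounding comment block still describes this directive as the place for client-authentication CAs. Anyone later enabling `SSLVerifyClient` will have no trust anchors configured unless they set the directive themselves, and the sample value `ca-bundle.crt` points at the system bundle rather than the local test CA. A one-line comment would prevent confusion, e.g. `# The test CA generated by httpd-init.service is appended to localhost.crt; set this only if client certificate verification is enabled.`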