use sscg defaults; append CA cert to generated cert

document httpd-init.service in httpd-init.service(8)
2017-09-21 16:41:20 +01:00 · 2017-09-21 16:41:20 +01:00 · 6a77761740
commit 6a77761740
parent 180ad320f4
5 changed files with 34 additions and 13 deletions
--- a/httpd-init.service
+++ b/httpd-init.service
@ -1,5 +1,6 @@
 [Unit]
 Description=One-time configuration for httpd.service
+Documentation=man:httpd-init.service(8)

 ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
 ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
--- a/18
+++ b/18
@ -3,22 +3,20 @@
 set -e

 FQDN=`hostname`
-# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
-if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
-   FQDN=localhost.localdomain
+
+if test -f /etc/pki/tls/certs/localhost.crt -o \
+        -f /etc/pki/tls/private/localhost.key -o \
+        -f /etc/pki/tls/certs/localhost-ca.crt; then
+    exit 1
 fi

 sscg -q                                                             \
     --cert-file           /etc/pki/tls/certs/localhost.crt         \
     --cert-key-file       /etc/pki/tls/private/localhost.key       \
     --ca-file             /etc/pki/tls/certs/localhost-ca.crt      \
-     --hash-alg            sha256                                   \
-     --key-strength        2048                                     \
     --lifetime            365                                      \
-     --country             "--"                                     \
-     --state               SomeState                                \
-     --locality            SomeCity                                 \
-     --organization        SomeOrganization                         \
-     --organizational-unit SomeOrganizationalUnit                   \
     --hostname            $FQDN                                    \
     --email               root@$FQDN
+
+# mod_ssl will send the CA cert if it's appended to the server cert.
+cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
--- a/httpd.service.xml
+++ b/httpd.service.xml
@ -37,12 +37,14 @@
  <refnamediv>
    <refname>httpd.service</refname>
    <refname>httpd.socket</refname>
+    <refname>httpd-init.service</refname>
    <refpurpose>httpd unit files for systemd</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <filename>/usr/lib/systemd/system/httpd.service</filename>, 
+      <filename>/usr/lib/systemd/system/httpd-init.service</filename>,
      <filename>/usr/lib/systemd/system/httpd.socket</filename>
    </para>
  </refsynopsisdiv>
@ -124,6 +126,20 @@ Wants=network-online.target</programlisting>

    </refsect2>

+    <refsect2>
+      <title>SSL/TLS certificate generation</title>
+
+      <para>The <command>httpd-init.service</command> unit is provided
+      with the mod_ssl package. This oneshot unit automatically
+      creates a TLS server certificate and key (using a generated
+      self-signed CA certificate and key) for testing purposes before
+      httpd is started. To inhibit certificate generation, use
+      <command>systemctl mask httpd-init.service</command> after
+      installing mod_ssl, and adjust the mod_ssl configuration to use
+      an appropriate certicate and key.</para>
+
+    </refsect2>
+
    <refsect2>
      <title>Reloading and stopping the service</title>

--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.27
-Release: 8.4%{?dist}
+Release: 9%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -452,7 +452,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
 	$RPM_BUILD_ROOT/etc/logrotate.d/httpd

 # Install systemd service man pages
-install -m 644 -p httpd.service.8 httpd.socket.8 \
+install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
        $RPM_BUILD_ROOT%{_mandir}/man8

 # fix man page paths
@ -616,6 +616,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy

 %{_mandir}/man8/*
+%exclude %{_mandir}/man8/httpd-init.*

 %{_unitdir}/httpd.service
 %{_unitdir}/htcacheclean.service
@ -656,6 +657,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/httpd-ssl-pass-dialog
 %{_libexecdir}/httpd-ssl-gencerts
 %{_unitdir}/httpd.socket.d/10-listen443.conf
+%{_mandir}/man8/httpd-init.*

 %files -n mod_proxy_html
 %defattr(-,root,root)
@ -685,6 +687,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9
+- use sscg defaults; append CA cert to generated cert
+- document httpd-init.service in httpd-init.service(8)
+
 * Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
 - Generate SSL certificates on service start, not %posttrans

--- a/ssl.conf
+++ b/ssl.conf
@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
-SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

 #   Client Authentication (Type):
 #   Client certificate verification type and depth.  Types are