Move SSL certificate generation into the systemd service file

generate-certs

@@ -0,0 +1,14 @@
+#!/bin/bash
+cd /etc/Pegasus
+
+if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
+     [ ! -e /etc/Pegasus/file.pem ]  || [ ! -e /etc/Pegasus/client.pem ]; then
+         if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
+            # Create self-signed certificates for initial usage
+            /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
+            # Add the self-signed certificate to the local trust store
+            cp /etc/Pegasus/ca.crt \
+               /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
+            /usr/bin/update-ca-trust extract
+         fi;
+      fi;

tog-pegasus.service

@@ -4,6 +4,7 @@ After=syslog.target
 
 [Service]
 Type=forking
+ExecStartPre=/usr/share/Pegasus/scripts/generate-certs
 ExecStart=/usr/sbin/cimserver
 PIDFile=/var/run/tog-pegasus/cimserver.pid
 

tog-pegasus.spec

@@ -32,6 +32,9 @@ Source7:        cimprovagt-wrapper.sh
 Source8:        cmpiOSBase_OperatingSystemProvider-cimprovagt.example
 #  9: DMTF CIM schema
 Source9:        cim_schema_2.38.0Experimental-MOFs.zip
+# 10: Fedora/RHEL script for adding self-signed certificates to the local CA
+#     trust store
+Source10:       generate-certs
 
 #  1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
 #     Removing insecure -rpath
@@ -91,10 +94,9 @@ BuildRequires:  net-snmp-devel, openslp-devel
 BuildRequires:  systemd-units
 Requires:       net-snmp-libs
 Requires:       %{name}-libs = %{epoch}:%{version}-%{release}
+Requires:       openssl
 Requires:       ca-certificates
 Provides:       cim-server = 1
-Requires(post): /usr/bin/update-ca-trust
-Requires(post): /usr/bin/openssl
 Requires(post): /sbin/ldconfig
 
 %description
@@ -281,6 +283,10 @@ make -f $PEGASUS_ROOT/Makefile.Release stage \
     install -p -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/tog-pegasus.conf
 %endif
 
+# Install script to generate SSL certificates at startup
+mkdir -p $RPM_BUILD_ROOT/usr/share/Pegasus/scripts
+install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/usr/share/Pegasus/scripts/generate-certs
+
 # remove SysV initscript, install .service file
 rm -f $RPM_BUILD_ROOT/etc/init.d/tog-pegasus
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
@@ -409,20 +415,6 @@ restorecon /var/run/tog-pegasus
 %systemd_post tog-pegasus.service
 if [ $1 -ge 1 ]; then
    echo `date` >>  /var/lib/Pegasus/log/install.log 2>&1 || :;
-   if [ $1 -eq 1 ] ; then
-      # Initial installation
-      if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||                                                                                                                          
-         [ ! -e /etc/Pegasus/file.pem ]  || [ ! -e /etc/Pegasus/client.pem ]; then
-         if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
-            # Create self-signed certificates for initial usage
-            /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
-            # Add the self-signed certificate to the local trust store
-            cp /etc/Pegasus/ca.crt \
-               /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
-            /usr/bin/update-ca-trust extract
-         fi;
-      fi;
-   fi
    if [ $1 -gt 1 ]; then
       if [ -d /var/lib/Pegasus/prev_repository ]; then
       #  The user's old repository was moved to /var/lib/Pegasus/prev_repository, which 
@@ -507,6 +499,7 @@ fi
 * Thu Mar 06 2014 Stephen Gallagher <sgallagh@redhat.com> - 2:2.13.0-8
 - Generate SSL certificates with x509v3 and CA:FALSE
 - Automatically import self-signed certificates into local trust-store
+- Move SSL certificate generation into the systemd service file
 
 * Thu Jan 30 2014 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.13.0-7
 - Add Platform_LINUX_XSCALE_GNU.h to -devel because of lmiwbem on arm