| 1 |
Greetings. |
| 2 |
|
| 3 |
There are several ebuilds currently that would benefit from having an |
| 4 |
initial self-signed certificate. Whether this is used for testing, or |
| 5 |
simple home servers or what-have-you. |
| 6 |
|
| 7 |
Some of these ebuilds (postfix, apache, cyrus-imspd) contain a |
| 8 |
gentestcrt.sh script to do this. This script resides in ${FILESDIR} and |
| 9 |
takes some |
| 10 |
effort to run from the ebuild. Here's a snippet from postfix: |
| 11 |
|
| 12 |
if [ "`use ssl`" ] ; then |
| 13 |
einfo "Generating self-signed test certificate." |
| 14 |
(yes "" | "${FILESDIR}/gentestcrt.sh") &>/dev/null |
| 15 |
(cat server.key && echo && cat server.crt) > server.pem |
| 16 |
insinto /etc/ssl/postfix |
| 17 |
doins server.{key,crt,pem} |
| 18 |
fowners postfix:root /etc/ssl/postfix/server.{key,crt,pem} |
| 19 |
fperms 0400 /etc/ssl/postfix/server.{key,crt,pem} |
| 20 |
fi |
| 21 |
|
| 22 |
Another limitation of this script is that you don't get a CSR that you can |
| 23 |
use to request a "real" certificate. |
| 24 |
|
| 25 |
To alleviate some of these issues, I threw together an ssl-cert.eclass. The |
| 26 |
code and docs are available here: |
| 27 |
|
| 28 |
<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.eclass> |
| 29 |
<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.5.txt> |
| 30 |
<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.5> |
| 31 |
|
| 32 |
So the above mess from postfix can be rewritten like so: |
| 33 |
|
| 34 |
inherit ssl-cert |
| 35 |
... |
| 36 |
if [ "`use ssl`" ] ; then |
| 37 |
insinto /etc/ssl/postfix |
| 38 |
docert server |
| 39 |
fowners postfix /etc/ssl/postfix/server.{key,crt,pem} |
| 40 |
then |
| 41 |
|
| 42 |
This also gives you a csr and there's no need for the gentestcrt.sh script |
| 43 |
in ${FILESDIR}. |
| 44 |
|
| 45 |
Would this be a worthy candidate for inclusion? Criticism welcome. :-) |
| 46 |
|
| 47 |
--mk |
| 48 |
|
| 49 |
-- |
| 50 |
gentoo-dev@g.o mailing list |
Archives