Greetings.

There are several ebuilds currently that would benefit from having an
initial self-signed certificate. Whether this is used for testing, or
simple home servers or what-have-you.

Some of these ebuilds (postfix, apache, cyrus-imspd) contain a
gentestcrt.sh script to do this. This script resides in ${FILESDIR} and
takes some effort to run from the ebuild. Here's a snippet from postfix:

    if [ "`use ssl`" ] ; then
        einfo "Generating self-signed test certificate."
        (yes "" | "${FILESDIR}/gentestcrt.sh") &>/dev/null
        (cat server.key && echo && cat server.crt) > server.pem
        insinto /etc/ssl/postfix
        doins server.{key,crt,pem}
        fowners postfix:root /etc/ssl/postfix/server.{key,crt,pem}
        fperms 0400 /etc/ssl/postfix/server.{key,crt,pem}
    fi

Another limitation of this script is that you don't get a CSR that you can
use to request a "real" certificate.

To alleviate some of these issues, I threw together an ssl-cert.eclass. The
code and docs are available here:

<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.eclass>
<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.5.txt>
<http://dev.gentoo.org/~max/ebuilds/eclass/ssl-cert.5>

So the above mess from postfix can be rewritten like so:

34 |
inherit ssl-cert |
35 |
... |
36 |
if [ "`use ssl`" ] ; then |
37 |
insinto /etc/ssl/postfix |
38 |
docert server |
39 |
fowners postfix /etc/ssl/postfix/server.{key,crt,pem} |
40 |
then |
41 |
|
This also gives you a csr and there's no need for the gentestcrt.sh script
in ${FILESDIR}.

Would this be a worthy candidate for inclusion? Criticism welcome. :-)

--mk

--
gentoo-dev@g.o mailing list
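
An added example, not part of the original post and not the code of ssl-cert.eclass: a stand-alone shell function that uses the openssl CLI to produce the four files discussed above (key, CSR, self-signed certificate, combined PEM). The name gen_selfsigned, the RSA-2048 key, and the default CN and validity period are assumptions made for illustration.

```shell
# Hypothetical helper (not the eclass's docert): writes <base>.key,
# <base>.csr, <base>.crt and <base>.pem into the current directory.
# The body runs in a subshell so the umask change does not leak out.
gen_selfsigned() (
    base=$1              # output basename, e.g. "server"
    cn=${2:-localhost}   # certificate Common Name (assumed default)
    days=${3:-365}       # validity in days (assumed default)

    # Key material must never be group/world readable, not even
    # between creation and the chmod at the end.
    umask 077

    # 1. New unencrypted private key plus a CSR. The CSR is the piece
    #    gentestcrt.sh does not leave behind; it can be sent to a CA
    #    later to obtain a "real" certificate for the same key.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=${cn}" \
        -keyout "${base}.key" -out "${base}.csr" &&

    # 2. Self-sign that same CSR to get the initial test certificate.
    openssl x509 -req -days "${days}" \
        -in "${base}.csr" -signkey "${base}.key" \
        -out "${base}.crt" &&

    # 3. Combined key + certificate file, same layout as the postfix
    #    snippet: key, blank line, certificate.
    { cat "${base}.key"; echo; cat "${base}.crt"; } > "${base}.pem" &&

    # 4. Read-only for the owner on everything containing the key.
    chmod 0400 "${base}.key" "${base}.pem"
)
```

Because the certificate is signed from the CSR rather than generated directly, the CSR and the test certificate are guaranteed to carry the same public key, so a CA-issued certificate can later replace `server.crt` without regenerating `server.key`.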