Skip to content

Instantly share code, notes, and snippets.

@doevelopper

doevelopper/ssl.md

Created December 22, 2020 22:04
Show Gist options
  • Save doevelopper/939d2c19acee86411257b4b2aebb7089 to your computer and use it in GitHub Desktop.
Save doevelopper/939d2c19acee86411257b4b2aebb7089 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ssl.md 
#!/bin/sh
# Quickstart document for Cobblerd on openSUSE
#
# This is both a document and a script. Read the configuration part carefully and when finished
# you can run the script.
#
# Setting up and running cobblerd is not a easy task. Knowledge in apache configuration (setting
# up ssl, virtual hosts, apache module and wsgi) is needed. Certificates and some server
# administration knowledge is required too.
#
# Configuration
# ==============================================================================
#
# The inter process session caching module to use. Configured in /etc/apache2/ssl-global.conf.
# Possible values:
#   - shmcb             (DEFAULT)
#   - none
#   - shmht
#   - dbm
APACHE_SSL_SESSION_CACHE_MODULE=${APACHE_SSL_SESSION_CACHE_MODULE:-shmcb}

# Cobbler requires https support which in turn requires a certificate. If you are just test driving
# cobbler locally it is possible to create a self signed certificate with gensslcert. If you
# generate one add meaningful values down there.
#
# The certificate can be found at /etc/apache2/ssl*/ after running this script.
#
# Change to "true" to generate the certificate.
GENERATE_SELF_SIGNED_CERTIFICATE=${GENERATE_SELF_SIGNED_CERTIFICATE:-true}
# Empty CN gives you the default files used in /etc/apache2/vhosts.d/vhost-ssl.template
CERTIFICATE_CN=${CERTIFICATE_CN:-"$(hostname --fqdn)"}
CERTIFICATE_COMMENT=${CERTIFICATE_COMMENT:-"Paranoic ssl certificate"}
CERTIFICATE_COUNTRY=${CERTIFICATE_COUNTRY:-"BTY"}
CERTIFICATE_STATE=${CERTIFICATE_STATE:-"From Here"}
CERTIFICATE_CITY=${CERTIFICATE_CITY:-"To Nowhere"}
CERTIFICATE_ORG=${CERTIFICATE_ORG:-"$(hostname --fqdn) Web Server"}
CERTIFICATE_UNIT=${CERTIFICATE_UNIT:-"Centurion Technologies"}
CERTIFICATE_FQDN=${CERTIFICATE_FQDN:-"$(hostname --fqdn)"}
CERTIFICATE_EMAIL=${CERTIFICATE_EMAIL:-"webmaster@${CERTIFICATE_FQDN}"}

# If you checked all configuration values uncomment the following line.
SCRIPT_CONFIGURED="true"



# EXECUTION
# ==============================================================================

echo "Step 0) Check preferences"
if [ 0 != $(id -u) ]; then
    echo "    fail - you are not root."
    exit -1
else
    echo "    ok - you are root."
fi

if [ -z "${SCRIPT_CONFIGURED}" ]; then
    echo "    fail - script not configured."
    exit -1
else
    echo "    ok - script configured."
fi

echo ""
echo "Step 1) Enabled require apache modules (/etc/sysconfig/apache2:APACHE_MODULES)"
(
    /usr/sbin/a2enmod proxy
    /usr/sbin/a2enmod proxy_http
    /usr/sbin/a2enmod proxy_connect
    /usr/sbin/a2enmod rewrite
    /usr/sbin/a2enmod ssl
    /usr/sbin/a2enmod wsgi
    /usr/sbin/a2enmod version
    /usr/sbin/a2enmod socache_${APACHE_SSL_SESSION_CACHE_MODULE}
) | sed -e "s/^/    /"

echo ""
echo "Step 2) Enable required apache flag (/etc/sysconfig/apache2:APACHE_SERVER_FLAGS)"
(
    /usr/sbin/a2enflag SSL
) | sed -e "s/^/    /"

if [ "${GENERATE_SELF_SIGNED_CERTIFICATE}" == "true" ]; then
    echo ""
    echo "Step 3) Generate self signed certificate"
    (
        gensslcert \
            -C "${CERTIFICATE_CN}" \
            -N "${CERTIFICATE_COMMENT}" \
            -c "${CERTIFICATE_COUNTRY}" \
            -s "${CERTIFICATE_STATE}" \
            -l "${CERTIFICATE_CITY}" \
            -o "${CERTIFICATE_ORG}" \
            -u "${CERTIFICATE_UNIT}" \
            -n "${CERTIFICATE_FQDN}" \
            -e "${CERTIFICATE_EMAIL}"
    ) 2>&1 | sed -e "s/^/    /"
else
    echo ""
    echo "Step 3) Generate self signed certificate. Skipped."
fi

echo ""
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "The following steps have to be done manually!"
echo ""
echo "Step 4) Review /etc/sysconfig/apache2 and configure as necessary."
echo "    see https://activedoc.opensuse.org/book/opensuse-reference/chapter-20-the-apache-http-server"
echo ""
echo "Step 5) Enable HTTPS in apache."
echo "    see https://activedoc.opensuse.org/book/opensuse-reference/chapter-20-the-apache-http-server#sec.apache2.ssl"
echo ""
echo "Step 6) Check Firewall."
echo "    Make sure the port 80 is open and available from the desired locations."
echo ""
echo "Step 7) Start/enable the apache2 and cobblerd services."
echo "    systemctl enable apache2.service"
echo "    systemctl enable cobblerd.service"
echo "    or"
echo "    systemctl start apache2.service"
echo "    systemctl start cobblerd.service"
echo ""
echo "Step 8) visit https://${CERTIFICATE_FQDN}/cobbler_web/"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment