ref: refs/heads/master
commit f5ded2d09b0ff8982c80364c727d332f27922df3
Author: J. Daniel Schmidt <jdsn@suse.de>
Date: Tue Nov 24 16:10:40 2009 +0100
set organization and unit name in SSL certificate (bnc#557761), version 0.0.21
---
 webclient/package/check-create-certificate.pl | 55 ++++++++++++++----------
 webclient/package/yast2-webclient.changes | 6 +++
 webclient/package/yastwc | 2 +-
 3 files changed, 39 insertions(+), 24 deletions(-)
diff --git a/webclient/package/check-create-certificate.pl b/webclient/package/check-create-certificate.pl
index 8fb27a2..424f163 100755
--- a/webclient/package/check-create-certificate.pl
+++ b/webclient/package/check-create-certificate.pl
@@ -30,25 +30,33 @@ sub usage print STDERR " if omitted exitance of certificate files will only be checked\n"; print STDERR " -f [--force] force to overwrite certificate\n"; print STDERR " -h [--help] this help\n"; - print STDERR " -H [--hostname] <name> define hostname to use for certificate\n"; - print STDERR " if omitted defaults to 'hostname --fqdn'\n"; - print STDERR " -C [--certfile] <file> define certificate file\n"; + print STDERR " -H [--hostname] <name> defines hostname to use as CN for certificate\n"; + print STDERR " if omitted it will use the FQDN hostname or just the hostname or the default CN\n"; + print STDERR " -D [--defaultcn] <name> defines the default CN that is used if no FQDN can be found\n"; + print STDERR " hostnames like 'localhost' and 'linux' will be overwritten by this as well\n"; + print STDERR " -C [--certfile] <file> defines certificate file\n"; print STDERR " if omitted defaults to /etc/ssl/certs/self-signed-certificate.pem\n"; - print STDERR " -K [--keyfile] <file> define key file\n"; + print STDERR " -K [--keyfile] <file> defines key file\n"; print STDERR " if omitted defaults to /etc/ssl/private/self-signed-certificate.key\n"; - print STDERR " -B [--combinedfile] <file> define combination file of key and certificate\n"; + print STDERR " -B [--combinedfile] <file> defines combination file of key and certificate\n"; print STDERR " will not be created or checked if omitted\n"; + print STDERR " -O [--organization] <org> sets the organization name in the certificate\n"; + print STDERR " -U [--unit] <unit> sets the organizational unit name in the certificate\n"; print STDERR "\n"; } -sub create_certificate($$$$) +sub create_certificate($$$$$$) { my $fqdn = shift || return undef; + my $org = shift || ''; + my $orgunit = shift || ''; my $CERTFILE = shift || return undef; my $KEYFILE = shift || return undef; my $COMBINEDFILE = shift || undef; chomp $fqdn; + chomp $org; + chomp $orgunit; chomp $CERTFILE; chomp $KEYFILE; chomp $COMBINEDFILE 
if defined $COMBINEDFILE; @@ -63,6 +71,8 @@ prompt=no commonName = $fqdn emailAddress = root@$fqdn "; + $config .="organizationName = $org\n" if ( $org ne '' ); + $config .="organizationalUnitName = $orgunit\n" if ( $orgunit ne '' ); my $CNF = `mktemp /tmp/create-ssl-config-XXXXX`; my $CERT = `mktemp /tmp/create-ssl-cert-XXXXX`; @@ -132,10 +142,13 @@ emailAddress = root@$fqdn ################################# MAIN ######################################## -my ($create, $force, $hostname, $certfile, $keyfile, $combinedfile, $help); +my ($create, $force, $hostname, $certfile, $keyfile, $combinedfile, $help, $organization, $unit, $defaultcn); my $result = GetOptions ("create|c" => $create, "force|f" => $force, "hostname|H=s" => $hostname, + "defaultcn|D=s" => $defaultcn, + "organization|O=s" => $organization, + "unit|U=s" => $unit, "certfile|C=s" => $certfile, "keyfile|K=s" => $keyfile, "combinedfile|B=s" => $combinedfile, 
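Review bot: The widened prototype `($$$$$$)` on create_certificate still validates nothing, and inserting `$org` and `$orgunit` as positional `shift` arguments between the host name and the file paths makes the call easy to misorder. Consider dropping the prototype and unpacking once, `my ($fqdn, $org, $orgunit, $CERTFILE, $KEYFILE, $COMBINEDFILE) = @_;`, followed by explicit checks of the required values. The body of create_certificate continues outside this hunk.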
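Review bot: `$org` and `$orgunit` are interpolated into the generated openssl configuration without validation, in the two added `$config .=` lines. The `chomp` calls added in create_certificate strip only a single trailing newline, so a `-O` or `-U` value with an embedded line break would add further lines to the config file that openssl then parses. Rejecting such values before `$config` is built, for example `return undef if grep { /[\r\n]/ } $org, $orgunit;`, keeps the file limited to the intended fields. Whether the appended lines fall inside the distinguished-name section depends on heredoc content outside this hunk.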
@@ -176,25 +189,21 @@ if (defined $create) } } - $hostname = `hostname --fqdn` unless defined $hostname; - chomp $hostname if defined $hostname; - if ( (not defined $hostname) || $hostname =~ /^$/) + my @HOSTNAMES = ('localhost'); + push @HOSTNAMES, $defaultcn; + push @HOSTNAMES, `hostname`; + push @HOSTNAMES, `hostname --fqdn`; + push @HOSTNAMES, $hostname; + + foreach my $H (@HOSTNAMES) { - # do not abort, just create a certificate (bnc#557752) - #print STDERR "Hostname missing or invalid. Aborting.\n"; - #exit 1; - - print STDERR "No fully qualified domain name can be found. Please fix your DNS setup.\n"; - print STDERR "Using only the hostname for SSL certificate.\n"; - $hostname = `hostname`; - chomp $hostname if defined $hostname; - if ( (not defined $hostname) || $hostname =~ /^$/) - { - $hostname = 'localhost'; - } + next unless (defined $H); + chomp $H; + $hostname = $H unless ( $H !~ /^$/ && $H !~ /^linux$/i && $H !~ /^localhost$/i ); } + $hostname = 'localhost' unless ( defined $hostname && $hostname !~ /^$/ ); - if ( create_certificate( $hostname, $certfile, $keyfile, $combinedfile ) ) + if ( create_certificate( $hostname, $organization, $unit, $certfile, $keyfile, $combinedfile ) ) { print "Successfully created certificate.\n"; exit 0; diff --git a/webclient/package/yast2-webclient.changes b/webclient/package/yast2-webclient.changes index 5dbf1cb..0f9db2e 100644 --- a/webclient/package/yast2-webclient.changes +++ b/webclient/package/yast2-webclient.changes @@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Tue Nov 24 16:03:39 CET 2009 - jdsn@suse.de + +- set organization and unit name in SSL certificate (bnc#557761) +- 0.0.21 + +------------------------------------------------------------------- Mon Nov 23 18:15:24 CET 2009 - jdsn@suse.de - create an SSL certificate with the best hostname (bnc#557752) diff --git a/webclient/package/yastwc b/webclient/package/yastwc index f25a61a..a1ecf25 100755 
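Review bot: The selection test in the new `foreach` loop looks inverted: `$hostname = $H unless ( $H !~ /^$/ && $H !~ /^linux$/i && $H !~ /^localhost$/i );` assigns only when `$H` is empty, `linux` or `localhost`. As written, the first iteration overwrites a `-H` value with `localhost`, and usable names from `-D`, `hostname` or `hostname --fqdn` are never taken, so the certificate CN ends up a placeholder that clients cannot match against the host they connect to. The intended form appears to be `$hostname = $H if ( $H ne '' && $H !~ /^linux$/i && $H !~ /^localhost$/i );`, which lets the last usable candidate win. The enclosing `if (defined $create)` block starts outside the hunk.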
--- a/webclient/package/yastwc
+++ b/webclient/package/yastwc
@@ -179,7 +179,7 @@ case "$1" in
 if [ ! -e $COMBINEDCERTFILE ]
 then
 echo "No certificate found. Creating one now."
- if ! /usr/sbin/check-create-certificate.pl -c -C $CERTIFICATEFILE -K $CERTKEYFILE -B $COMBINEDCERTFILE >/srv/www/yast/log/check-create-certificate.log 2>&1
+ if ! /usr/sbin/check-create-certificate.pl -c -C $CERTIFICATEFILE -K $CERTKEYFILE -B $COMBINEDCERTFILE -D webyast -O WebYaST -U WebYaST >/srv/www/yast/log/check-create-certificate.log 2>&1
 then
 echo -n "Can not create certificate. Please see /srv/www/yast/log/check-create-certificate.log for details."
 rc_failed
-- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org
For additional commands, e-mail: yast-commit+help@opensuse.org
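Review bot: The changed invocation passes `$CERTIFICATEFILE`, `$CERTKEYFILE` and `$COMBINEDCERTFILE` unquoted, so a path containing whitespace or glob characters would be split into extra arguments ahead of the new `-D`/`-O`/`-U` options. Quoting them, `-C "$CERTIFICATEFILE" -K "$CERTKEYFILE" -B "$COMBINEDCERTFILE"`, along with the `[ ! -e $COMBINEDCERTFILE ]` test above, avoids that. The surrounding `case` branch starts and ends outside the hunk.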