Community

Purpose

This system provides the community self service system and the webmail interface for the community email service.

Administration

System Administration

Application Administration

Application

Administrator(s)

self service

Jan Dittberner

Additional People

Mario Lipinski, Dirk Astrath and Jochim Selzer have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

None

IP Intranet

None

IP Internal

10.0.0.118

IPv6

2001:7b8:616:162:2::118

MAC address

00:ff:67:c2:08:53 (eth0)

See also

See Network

DNS

Name

Type

Content

selfservice.cacert.org. selfservice.cacert.org.

IN A IN AAAA

213.154.225.241 2001:7b8:616:162:2::35

Operating System

  • Debian GNU/Linux 10.4

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

80/tcp

http

ANY

Apache httpd

3306/tcp

mariadb

local

MariaDB database for roundcube settings

5665/tcp

icinga2

monitor

remote monitoring service

8443/tcp

https

ANY

Community self-service application

Running services

Service

Usage

Start mechanism

Apache httpd

Webserver for Roundcube webmailer

systemd unit apache2.service

cacert-selfservice

Community self service application

systemd unit cacert-selfservice.service

cron

job scheduler

systemd unit cron.service

dbus-daemon

System message bus daemon

systemd unit dbus.service

icinga2

Icinga2 monitoring agent

systemd unit icinga2.service

MariaDB

MariaDB database server

systemd unit mariadb.service

openssh server

ssh daemon for remote administration

systemd unit ssh.service

Postfix

SMTP server for local mail submission

systemd unit postfix.service

Puppet agent

configuration management agent

systemd unit puppet.service

rsyslog

syslog daemon

systemd unit rsyslog.service

Databases

RDBMS

Name

Used for

MariaDB

roundcube

RoundCube webmail settings

Connected Systems

Outbound network connections

  • DNS (53) resolver at 10.0.0.1 (Infra02)

  • Email for self service API access as well as IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS (465/tcp) and SMTP Submission (587/tcp) for the webmail system

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT and Puppet

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:bb05y6dWnOxrKuCLUFAPajtH9GsvuyFmDSOeDbj5xZg, MD5:ca:42:d9:26:46:16:a1:31:1f:a0:ca:d4:79:c5:b4:06

DSA

-

ECDSA

SHA256:ucfyZPkyfKYsVnglXXFrWm8Fvng8vbfETvJ48wUzcO8, MD5:21:18:06:8e:77:ee:eb:f6:2e:9f:57:77:3d:e2:31:a4

ED25519

SHA256:RBGmoIIOuBFHS81x6C8AwAcDC3m/8R35cdHBvxpcyP8, MD5:af:11:72:ce:f8:64:a8:c0:d9:95:45:db:50:37:4f:d8

Dedicated user roles

  • None

Non-distribution packages and modifications

Building the cacert-selfservice Debian package

The cacert-selfservice git repository contains a debian branch that can be used to build the package.

The Debian package can be built using gbp. For a clean build environment using sbuild/schroot is recommended.

sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \
  --extra-repository="deb http://deb.debian.org/debian buster-backports main" \
  buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian
gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \
  -d buster-cacert

Uploads can be done via sftp with the debarchive user on Webstatic. You need an ssh public key in the user’s ~/.ssh/authorized_keys file. Packages are only accepted if they are signed with a GPG key whose public key is stored in the keyring of the reprepro installation on Webstatic.

Risk assessments on critical packages

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

The CAcert community self service software is developed using Go which handles a lot of common programming errors at compile time and has a quite good security track record.

The CAcert community self service system is run as a separate user cacert-selfservice and is built as a small self-contained static binary. Access is restricted via https.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

  • Certificate for CN webmail.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/webmail.cacert.org.crt.pem

    • private key in file /etc/ssl/private/webmail.cacert.org.key.pem

  • Certificate for CN selfservice.cacert.org, see details in the certificate list

    • certificate in file /etc/cacert-selfservice/certs/server.crt.pem

    • private key in file /etc/cacert-selfservice/private/server.key.pem

  • /etc/cacert-selfservice/certs/api_cas.pem contains the trust anchor to validate the selfservice API certificate.

  • /etc/cacert-selfservice/certs/client_cas.pem contains the CAcert.org Class 1 and Class 3 CA certificates that are used to validate client certificates for the CAcert community self service system

  • /etc/ssl/public/webmail.cacert.org.chain.pem contains the certificate for webmail.cacert.org concatenated with the CA chain.

The certificates are rolled out by Puppet. All changes to the certificates need to be made to the file hieradata/nodes/community.yaml in the CAcert Git repository cacert-puppet repository.

/etc/hosts

Defines an alias for Email that is required by the Roundcube installation to reach the email system via its internal IP address with the correct hostname.

Roundcube configuration

Roundcube configuration is managed by Puppet.

cacert-selfservice configuration

The service configuration is contained in /etc/cacert-selfservice/config.yaml and is managed by the Puppet manifest profiles::cacert_selfservice.

Tasks

  • None

Changes

Planned

System Future

Additional documentation

References