Issue

Purpose

The issue server hosts the issue tracking system, implemented with OTRS <https://www.otrs.com/>, which is used by Wiki Triage and Wiki Support to handle requests sent to the support@cacert.org mail address. Use by other teams, e.g. Arbitration (currently occasional) and Organisation Assurance, is planned for the future.

Administration

System Administration

Application Administration

Application | Administrator(s)
OTRS        | Mario Lipinski, Nicolas Bebout, Ian Grigg, Michael Tänzer

Additional People

Jan Dittberner and Dirk Astrath have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet | 213.154.225.244
IP Intranet | 172.16.2.28
IP Internal | 10.0.0.28
MAC address | 00:ff:8c:94:e1:c8 (eth0)

See also

See Network

DNS

Name                    | Type     | Content
issue.cacert.org.       | IN A     | 213.154.225.244
issue.intra.cacert.org. | IN A     | 172.16.2.28
issue.cacert.org.       | IN SSHFP | 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
issue.cacert.org.       | IN SSHFP | 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E

Operating System

  • Debian GNU/Linux 7.11

Todo

upgrade to Debian Jessie

Services

Listening services

Port     | Service | Origin   | Purpose
22/tcp   | ssh     | ANY      | admin console access
25/tcp   | smtp    | localnet | local mail pickup in order to send out notifications via Emailout, incoming mail from Email
80/tcp   | http    | ANY      | HTTP access to issue, redirects to HTTPS
443/tcp  | https   | ANY      | HTTPS access to issue
5666/tcp | nrpe    | monitor  | remote monitoring service
3306/tcp | mysql   | local    | MySQL database for OTRS

Running services

Service            | Usage                                                                                 | Start mechanism
openssh server     | ssh daemon for remote administration                                                  | init script /etc/init.d/ssh
Apache httpd       | Webserver for OTRS                                                                    | init script /etc/init.d/apache2
cron               | job scheduler                                                                         | init script /etc/init.d/cron
rsyslog            | syslog daemon                                                                         | init script /etc/init.d/syslog
MySQL              | MySQL database server for OTRS                                                        | init script /etc/init.d/mysql
Postfix            | SMTP server for local mail submission and for receiving mail directed to OTRS addresses | init script /etc/init.d/postfix
Puppet agent       | configuration management agent                                                        | init script /etc/init.d/puppet
Nagios NRPE server | remote monitoring service queried by Monitor                                          | init script /etc/init.d/nagios-nrpe-server

Databases

RDBMS | Name | Used for
MySQL | otrs | database for OTRS

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Email as SMTP submission relay (587, tcp) for specific addresses (see Postfix configuration below)

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

Security

SSH host keys

Algorithm | Fingerprints
RSA       | MD5:61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
DSA       | MD5:a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
ECDSA     | MD5:f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82
ED25519   | -

Todo

setup ED25519 host key
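The SSHFP records in the DNS table and the MD5 fingerprints listed here must describe the same host keys, so a sysadmin wants a way to compute both from a public key and compare them with what DNS publishes. The Python script below is an added example, not code from this wiki page or from OTRS; the key line in it is a constructed dummy, not one of issue's real keys. It also builds SHA-256 (type 2) SSHFP records, which the SHA-1-only records currently published lack.

```python
import base64
import hashlib

# Constructed sample key for the demo: an ssh-ed25519 public key line whose
# 32-byte key is a dummy. It is NOT one of issue's real host keys.
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode() + " issue.example"

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
}
# SSHFP fingerprint types: 1 = SHA-1 (what the page's records use), 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey(line):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]
    return keytype, base64.b64decode(b64)

def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint in the MD5:xx:yy:... form listed on the page."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sshfp_record(line, fptype=1):
    """Build the SSHFP rdata '<algorithm> <fptype> <hex digest>' for a key line."""
    keytype, blob = parse_pubkey(line)
    digest = SSHFP_HASH[fptype](blob).hexdigest().upper()
    return f"{SSHFP_ALGORITHM[keytype]} {fptype} {digest}"

def verify_sshfp(line, rdata):
    """True if a published SSHFP record matches the key; False on any mismatch."""
    alg, fptype, fp = rdata.split()
    alg, fptype = int(alg), int(fptype)
    if fptype not in SSHFP_HASH:
        raise ValueError(f"unsupported SSHFP fingerprint type {fptype}")
    keytype, blob = parse_pubkey(line)
    if SSHFP_ALGORITHM.get(keytype) != alg:
        return False  # record is for a different key algorithm
    expected = SSHFP_HASH[fptype](blob).hexdigest()
    return expected == fp.lower()

if __name__ == "__main__":
    print(md5_fingerprint(parse_pubkey(SAMPLE_PUBKEY_LINE)[1]))
    print(sshfp_record(SAMPLE_PUBKEY_LINE, 1), sshfp_record(SAMPLE_PUBKEY_LINE, 2))
```

On the host itself, ssh-keygen -r issue.cacert.org prints the SSHFP records for the installed host keys and ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub the MD5 form, so the script's output can be cross-checked against both and against the DNS zone.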

Non-distribution packages and modifications

OTRS is installed from Debian packages but has been patched locally. The OTRS package must not be upgraded from Debian packages without reapplying the patch below.

/usr/share/otrs/Kernel/Output/HTML/Layout.pm

--- otrs_orig/Layout.pm	2015-01-11 03:13:29.049626928 +0000
+++ /usr/share/otrs/Kernel/Output/HTML/Layout.pm	2015-01-11 03:18:55.736035997 +0000
@@ -369,7 +369,21 @@
     }
 
     # locate template files
-    $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+    $Self->{TemplateDir}
+        = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+    $Self->{StandardTemplateDir}
+        = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . 'Standard';
+
+    # Check if 'Standard' fallback exists
+    if ( !-e $Self->{StandardTemplateDir} ) {
+        $Self->{LogObject}->Log(
+            Priority => 'error',
+            Message =>
+                "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
+        );
+        $Self->FatalDie();
+    }
+
     if ( !-e $Self->{TemplateDir} ) {
         $Self->{LogObject}->Log(
             Priority => 'error',
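Review bot: the error message in the new 'Standard' fallback check interpolates $Self->{TemplateDir} ("No existing template directory found ('$Self->{TemplateDir}')!"), but the condition it sits under tests $Self->{StandardTemplateDir}, so the fatal log entry would name the theme directory instead of the Standard directory that is actually missing. Use '$Self->{StandardTemplateDir}' in that message. Note also that this check now runs for every Layout object, not only when the theme directory is absent, so a missing Standard directory becomes fatal even for installations whose configured theme exists; that is a reasonable behaviour but worth stating on this page next to the patch.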
@@ -378,17 +392,9 @@
                 Default theme used instead.",
         );
 
-        # Set TemplateDir to 'Standard' as a fallback and check if it exists.
+        # Set TemplateDir to 'Standard' as a fallback.
         $Theme = 'Standard';
-        $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
-        if ( !-e $Self->{TemplateDir} ) {
-            $Self->{LogObject}->Log(
-                Priority => 'error',
-                Message =>
-                    "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
-            );
-            $Self->FatalDie();
-        }
+        $Self->{TemplateDir} = $Self->{StandardTemplateDir};
     }
 
     # load sub layout files
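Review bot: dropping the duplicated existence check here is only correct because the first hunk verifies $Self->{StandardTemplateDir} unconditionally before this point; the rewritten comment "# Set TemplateDir to 'Standard' as a fallback." should say that the directory was already verified above, so that the hunk reads correctly on its own when the patch is reapplied after a package upgrade.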
@@ -531,7 +537,7 @@
             $File = "$Self->{TemplateDir}/$Param{TemplateFile}.dtl";
         }
         else {
-            $File = "$Self->{TemplateDir}/../Standard/$Param{TemplateFile}.dtl";
+            $File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl";
         }
         if ( open my $TEMPLATEIN, '<', $File ) {
             $TemplateString = do { local $/; <$TEMPLATEIN> };
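Review bot: replacing "$Self->{TemplateDir}/../Standard/" with "$Self->{StandardTemplateDir}/" is the right fix, since the old relative form silently assumed the theme directory sits exactly one level below the HTML directory. This hunk depends on the field added in the first hunk: if only part of the patch is reapplied, StandardTemplateDir is undefined and the path collapses to "/$Param{TemplateFile}.dtl", so all three hunks must always be applied together. The way $Param{TemplateFile} is interpolated into the filename is unchanged by this hunk.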

Risk assessments on critical packages

Patching OTRS carries the risk of delayed security updates. The package is set on hold via echo otrs hold | dpkg --set-selections and must be updated explicitly, reapplying the patch above. OTRS 3.1 is no longer supported by upstream.

Apache httpd is a well-established server with a good security track record. OTRS is integrated into Apache httpd via mod_perl2.

Critical Configuration items

Keys and X.509 certificates

The following certificate and its corresponding private key are used by Apache httpd and Postfix:

  • Certificate for CN issue.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/issue.cacert.org.pem

    • private key in file /etc/ssl/private/issue.cacert.org.key

Apache httpd configuration

  • /etc/apache2/sites-available/default

    HTTP virtualhost configuration that redirects to HTTPS

  • /etc/apache2/sites-available/default-ssl

    HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/ which contains a symbolic link to the OTRS CGIs

OTRS configuration

  • /etc/otrs/

    OTRS configuration

  • /etc/otrs/database.pm

    OTRS’s database configuration

Postfix configuration

  • /etc/postfix

    Postfix configuration

  • /etc/postfix/sender_relay

    Defines a list of sender addresses that are relayed via Email

  • /etc/postfix/sender_rewrite

    Configures rewriting of all but a short list of addresses to returns@cacert.org

Tasks

Creating new OTRS user accounts

  • Go to Admin -> Users -> Add

  • Fill out user details

    • Use a securely generated random password (min. 12 characters, mixing upper- and lower-case letters, digits and special characters) and send it to the user via encrypted mail; also include the URL of the issue tracking system, the username and some initial instructions or a link to documentation if available

    • Use CAcert email addresses only

  • Set the preferences for the user. Good standards are:

    • Show tickets: 25

    • New ticket notification: Yes (or No for high volume queues having agents regularly looking at

    • Follow up notification: Yes

    • Ticket lock timeout notification: Yes

    • Move notification: Yes (or No if the queues for the user get many new tickets)

    • Spelling Dictionary: English

  • Submit

  • Do NOT set any groups for the user.

  • Go to Admin -> Users -> Roles <-> Users

  • Choose the newly created user

  • Set the roles the user has

  • Submit

  • Now you are done :)

Changes

Planned

Ideas

System Future

  • No plans