Test

Purpose

This is a test system for the software from the release branch of cacertgit:cacert-devel, the branch that runs on www.cacert.org.

Administration

System Administration

Application Administration

Application               Administrator(s)
------------------------  --------------------------------
CAcert web application    Dirk Astrath, Bernhard Fröhlich

Additional People

Dirk Astrath, Karl-Heinz Gödderz, Mario Lipinski, Mendel Mobach, Michael Tänzer and Bernhard Fröhlich have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet    213.154.225.248
IP Intranet    172.16.2.248
IP Internal    10.0.0.248
IPv6           2001:7b8:616:162:2::248
MAC address    00:ff:91:10:5d:cd (eth0)

See also

See Network

DNS

Name                     Type       Content
-----------------------  ---------  -------------------------------------------
test.cacert.org.         IN A       213.154.225.248
test.cacert.org.         IN SSHFP   1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
test.cacert.org.         IN SSHFP   2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
test.intra.cacert.org.   IN A       172.16.2.248
test.infra.cacert.org.   IN A       10.0.0.248

Todo

add AAAA record for IPv6 address

Operating System

  • Debian GNU/Linux 8.11

Services

Listening services

Port              Service  Origin   Purpose
----------------  -------  -------  ------------------------------------------
22/tcp            ssh      ANY      admin console access
25/tcp            smtp     local    mail delivery to local MTA
80/tcp            http     ANY      Apache httpd for http://test.cacert.org/
123/tcp 123/udp   ntp      local    network time protocol server
143/tcp           imap     testmgr  Dovecot IMAP server
443/tcp           https    ANY      Apache httpd for https://test.cacert.org/
993/tcp           imaps    testmgr  Dovecot IMAP server
3306/tcp          mysql    local    MySQL database for …
5666/tcp          nrpe     monitor  remote monitoring service

Running services

Service              Usage                                                  Start mechanism
-------------------  -----------------------------------------------------  ------------------------------------------------------
Apache httpd         Webserver for the CAcert web application               init script /etc/init.d/apache2
MySQL                MySQL database server for the CAcert web application   init script /etc/init.d/mysql
Postfix              SMTP server for local mail submission                  init script /etc/init.d/postfix
atop                 atop process accounting top                            init script /etc/init.d/atop
client.pl            CAcert signer client                                   init script /etc/init.d/commmodule
cron                 job scheduler                                          init script /etc/init.d/cron
dovecot              Dovecot IMAP server                                    init script /etc/init.d/dovecot
Nagios NRPE server   remote monitoring service queried by Monitor           init script /etc/init.d/nagios-nrpe-server
ntpd                 Network time protocol server                           init script /etc/init.d/ntp
openssh server       ssh daemon for remote administration                   init script /etc/init.d/ssh
rsyslog              syslog daemon                                          init script /etc/init.d/syslog
server.pl            CAcert signer server                                   init script /etc/init.d/commmodule-signer
socat                Emulate serial connection between CAcert signer        entry in /etc/rc.local that executes
                     client and server                                      /usr/local/sbin/socat-signer inside a screen session

Databases

RDBMS   Name     Used for
------  -------  ------------------------
MySQL   cacert   CAcert web application

Connected Systems

  • Monitor

  • testmgr has access to imap and MySQL

Outbound network connections

  • Infra02 as resolving nameserver

  • Proxyout as HTTP proxy for APT and Github

  • crl.cacert.org (rsync) for getting CRLs

  • ocsp.cacert.org (HTTP and HTTPS) for OCSP queries

  • arbitrary Internet SMTP servers for outgoing mail

Security

Todo

add the SHA-256 fingerprints of the SSH host keys

SSH host keys

Algorithm   Fingerprints
----------  -------------------------------------------------------
RSA         MD5:fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98
DSA         MD5:1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13
ECDSA       MD5:ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1
ED25519     -

Todo

add ED25519 key for test
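The following Python script is an added example and is not part of the CAcert system documentation or its code. It shows how the host key fingerprints listed above relate to the SSHFP records in the DNS section: the MD5 colon form and the SHA256 form both hash the raw public-key blob from a ssh_host_*_key.pub line, and an SSHFP record carries the hex SHA-1 (fingerprint type 1) or SHA-256 (type 2) of that same blob. check_sshfp() compares the records a resolver returned with those the local host key implies, so a stale record or one pointing at a foreign key shows up as "unexpected". The sample key line is constructed from deterministic bytes and is not the key of test.cacert.org; all function and constant names are the example's own.

```python
import base64
import hashlib
import struct

# SSHFP RDATA field values (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def build_pubkey_line(keytype, raw_key, comment="constructed"):
    """Assemble an OpenSSH public-key line from a key type and raw key bytes.

    Used here only to construct a sample; a real host exposes its key in
    /etc/ssh/ssh_host_*_key.pub in exactly this '<type> <base64> <comment>' form.
    """
    blob = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: 32 deterministic bytes standing in for an Ed25519 public
# key. It is NOT a real key and NOT the key of test.cacert.org.
SAMPLE_KEY_LINE = build_pubkey_line("ssh-ed25519", bytes(range(32)))


def parse_pubkey_line(line):
    """Return (keytype, blob) from a '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the legacy form shown in the table above."""
    _, blob = parse_pubkey_line(line)
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(line):
    """SHA256:<unpadded base64>, the form 'ssh-keygen -l' prints today."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_records(line):
    """SSHFP RDATA tuples (algorithm, fptype, HEX digest) for SHA-1 and SHA-256."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        (alg, SSHFP_FPTYPE["sha1"], hashlib.sha1(blob).hexdigest().upper()),
        (alg, SSHFP_FPTYPE["sha256"], hashlib.sha256(blob).hexdigest().upper()),
    ]


def check_sshfp(line, dns_records):
    """Compare SSHFP records published in DNS with those the host key implies.

    dns_records: iterable of (algorithm, fptype, hex) as a resolver returns them.
    Anything in 'unexpected' means DNS vouches for a key this host does not have;
    anything in 'missing' means a record still has to be published.
    """
    expected = set(sshfp_records(line))
    published = {(a, t, h.upper()) for a, t, h in dns_records}
    return {
        "matching": expected & published,
        "missing": expected - published,
        "unexpected": published - expected,
    }


if __name__ == "__main__":
    print("MD5:" + md5_fingerprint(SAMPLE_KEY_LINE))
    print(sha256_fingerprint(SAMPLE_KEY_LINE))
    for alg, fptype, hexdigest in sshfp_records(SAMPLE_KEY_LINE):
        print(f"host.example. IN SSHFP {alg} {fptype} {hexdigest}")
```

Against a real host the input would be the contents of /etc/ssh/ssh_host_ed25519_key.pub and the RDATA lines from `dig +short SSHFP test.cacert.org`, which have the same "algorithm fptype hex" shape as the DNS table above. Clients only trust SSHFP records (VerifyHostKeyDNS) when the zone is DNSSEC-signed and validated, so the comparison is a publishing check for the administrator, not a substitute for the known_hosts entry.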

Dedicated user roles

User           Purpose
-------------  ---------------------------
cacertmail     IMAP mailbox user
cacertsigner   User for the CAcert signer

Todo

clarify why the signer software on test is currently running as the root user

The directory /home/cacert/ is owned by root. The signer is running from /home/signer/cacert-devel/CommModule/server.pl and the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.

Non-distribution packages and modifications

Apache httpd is running in a chroot /home/cacert/; the configuration in /etc/apache2 as well as the system binaries are not used. The Apache httpd binary seems to be relatively up-to-date.

The CAcert web application code as well as the CAcert signer client code come from CAcert Git repository cacert-devel’s release branch.

The signer in /home/signer/cacert-devel/CommModule/server.pl has a few uncommitted manual modifications, and the whole working copy in /home/signer/cacert-devel is based on an old repository at git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The last commit in the working copy is:

commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
Merge: c33bbc5 a3d0b8a
Author: Michael Tänzer <neo@nhng.de>
Date:   Wed Apr 10 00:03:42 2013 +0200

    Merge branch 'bug-1159' into signer

Todo

integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel

Risk assessments on critical packages

The operating system on this container is no longer supported. The PHP version in the /home/cacert/ chroot is 5.6.38, which is no longer supported upstream.

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN cats.test.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/cats_test_cacert_org.pem

  • Certificate for CN mgr.test.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem

  • Certificate for CN secure.test.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/secure_test_cacert_org.pem

  • Certificate for CN test.cacert.org (dovecot), see details in the certificate list

    • certificate in file /etc/dovecot/dovecot.pem

    • private key in file /etc/dovecot/private/dovecot.pem

  • Certificate for CN test.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/test_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/cacert.pem

CA certificates on test:

  • Certificate for CN CAcert Testserver Root, see details in the certificate list

    • certificate in file /etc/ssl/CA/cacert.crt

    • private key in file /etc/ssl/CA/cacert.pem

  • Certificate for CN CAcert Testserver Root, see details in the certificate list

    • certificate in file /etc/ssl/CA/root_256.crt

    • private key in file /etc/ssl/CA/cacert.pem

  • Certificate for CN CAcert Testserver Class 3, see details in the certificate list

    • certificate in file /etc/ssl/class3/cacert.md5.crt

    • private key in file /etc/ssl/class3/cacert.pem

  • Certificate for CN CAcert Testserver Class 3, see details in the certificate list

    • certificate in file /etc/ssl/class3/cacert.crt

    • private key in file /etc/ssl/class3/cacert.pem

Note

There are two directories /etc/root3/ and /etc/root4/ that are supported by the signer but do not contain actual keys and certificates.

openssl configuration for the signer server

The openssl configuration files used by the server.pl signer are stored in /etc/ssl/caname-purpose.cnf.

Todo

check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration

Apache httpd is running in a chroot /home/cacert/; its configuration is stored in /home/cacert/etc/apache2.

Postfix configuration

Postfix configuration is stored in /etc/postfix.

Postfix is configured to accept mail for test.cacert.org and localhost; all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.

Dovecot configuration

Dovecot is configured in the following files to use PAM for authentication, to support SSL and IMAP, and to use mbox-style mailboxes in /var/mail/%u:

  • /etc/dovecot/conf.d/10-auth.conf

  • /etc/dovecot/conf.d/10-mail.conf

  • /etc/dovecot/conf.d/20-imap.conf

  • /etc/dovecot/conf.d/auth-system.conf

Note

Dovecot uses an old self-signed certificate for test.cacert.org.

Tasks

Changes

Planned

Todo

Upgrade test to Debian Stretch when the software is ready.

System Future

Additional documentation

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Apache Debian wiki page

https://wiki.debian.org/Apache

Dovecot documentation

https://wiki2.dovecot.org/FrontPage

openssl documentation

https://www.openssl.org/docs/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix