Test¶
Purpose¶
This is a public test system for the software from cacertgit:cacert-devel’s release branch, i.e. the same code that runs on www.cacert.org. It is used by testers and software assessors for testing new features and bug fixes before they are released.
Application Links¶
- Application
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Application Administration¶
| Application | Administrator(s) |
|---|---|
| CAcert web application | |
Contact¶
Additional People¶
Dirk Astrath, Aleš Kastner, Kim Nilsson and Bernhard Fröhlich have sudo access on that machine too.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:91:10:5d:cd (eth0)
See also: Network
Monitoring¶
- internal checks:
DNS¶
| Name | Type | Content |
|---|---|---|
| test.cacert.org. | IN A | 213.154.225.248 |
| test.cacert.org. | IN SSHFP | 1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209 |
| test.cacert.org. | IN SSHFP | 2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC |
| test.intra.cacert.org. | IN A | 172.16.2.248 |
| test.infra.cacert.org. | IN A | 10.0.0.248 |
Todo
add AAAA record for IPv6 address
See also
Operating System¶
Debian GNU/Linux 8 Jessie
Services¶
Listening services¶
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | Apache httpd for http://test.cacert.org/ |
| 123/tcp 123/udp | ntp | local | network time protocol server |
| 143/tcp | imap | testmgr | Dovecot IMAP server |
| 443/tcp | https | ANY | Apache httpd for https://test.cacert.org/ |
| 993/tcp | imaps | testmgr | Dovecot IMAP server |
| 3306/tcp | mysql | local | MySQL database for WebDB |
| 5666/tcp | nrpe | monitor | remote monitoring service |
Running services¶
| Service | Usage | Start mechanism |
|---|---|---|
| Apache httpd | Webserver for the CAcert web application | init script |
| MySQL | MySQL database server for the CAcert web application | init script |
| atop | atop process accounting top | init script |
| client.pl | CAcert signer client | init script |
| cron | job scheduler | init script |
| dovecot | Dovecot IMAP server | init script |
| Nagios NRPE server | remote monitoring service queried by Monitor | init script |
| ntpd | Network time protocol server | init script |
| openssh server | ssh daemon for remote administration | init script |
| postfix | SMTP server for local mail submission | init script |
| rsyslog | syslog daemon | init script |
| server.pl | CAcert signer server | init script |
| socat | Emulate serial connection between CAcert signer client and server | entry in |
Databases¶
| RDBMS | Name | Used for |
|---|---|---|
| MySQL | cacert | CAcert web application |
Connected Systems¶
Outbound network connections¶
Security¶
SSH host keys¶
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | |
| ECDSA | |
| ED25519 | - |
See also
Todo
generate ED25519 key for test
Todo
remove DSA host key
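The DNS section publishes two SSHFP records for test.cacert.org, both with fingerprint type 1 (SHA-1): one for the RSA key (algorithm 1) and one for the DSA key (algorithm 2). Once the DSA key is removed and an ED25519 key is generated, the RRset has to be regenerated, and the table above should be filled with the fingerprints that DNS is checked against. The following added example (not part of the CAcert documentation or tooling) computes SSHFP rdata from OpenSSH public key lines the way `ssh-keygen -r` does, i.e. SHA-1 and SHA-256 over the base64-decoded key blob (RFC 4255 and RFC 6594), and diffs the result against a published RRset. The host key in the block is constructed (an all-zero Ed25519 public key), not the key of test.cacert.org, so against the records from the page it reports the two published records as stale, the Ed25519 records as missing, and the DSA record as deprecated; on the host itself you would feed it the real `/etc/ssh/ssh_host_*_key.pub` files.

```python
"""Generate SSHFP records from OpenSSH host keys and compare them with DNS.

Added example, not CAcert code.  EXAMPLE_KEY_LINE is a constructed key,
not a key from test.cacert.org.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_SHA1 = 1      # fingerprint type 1
FP_SHA256 = 2    # fingerprint type 2 (what current clients prefer)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed example host key: Ed25519 with an all-zero 32-byte public point.
EXAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
EXAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(EXAMPLE_ED25519_BLOB).decode() + " root@test"

# SSHFP rdata published for test.cacert.org according to the DNS table.
PUBLISHED = [
    "1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209",
    "2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC",
]


def sshfp_records(pubkey_line: str):
    """Return [(algorithm, fptype, HEXFP), ...] for one line of an OpenSSH
    public key file.  The fingerprint is a hash over the raw key blob, which
    is exactly what `ssh-keygen -r host -f key.pub` emits."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # The blob itself starts with the key type; refuse mislabelled lines.
    namelen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + namelen] != keytype.encode():
        raise ValueError("key type in blob does not match the text field")
    alg = ALGORITHMS[keytype]
    return [
        (alg, FP_SHA1, hashlib.sha1(blob).hexdigest().upper()),
        (alg, FP_SHA256, hashlib.sha256(blob).hexdigest().upper()),
    ]


def parse_sshfp_rdata(rdata: str):
    """Parse '1 1 11BC...' as printed in a zone file or by `dig +short SSHFP`."""
    alg, fptype, hexfp = rdata.split()
    return (int(alg), int(fptype), hexfp.upper())


def compare(local_key_lines, dns_rdata, deprecated_algs=(2,)):
    """Diff the records computed from local host keys against the published
    RRset.  'deprecated' lists published records for algorithms that should
    no longer be offered (DSA by default, matching the Todo above)."""
    want = {r for line in local_key_lines for r in sshfp_records(line)}
    have = {parse_sshfp_rdata(r) for r in dns_rdata}
    return {
        "missing": sorted(want - have),      # add these to the zone
        "stale": sorted(have - want),        # no local key produces these
        "deprecated": sorted(r for r in have if r[0] in deprecated_algs),
    }


def example():
    """Compare the constructed key against the records from the page."""
    return compare([EXAMPLE_KEY_LINE], PUBLISHED)


if __name__ == "__main__":
    for kind, records in example().items():
        for alg, fptype, fp in records:
            print(f"{kind}: test.cacert.org. IN SSHFP {alg} {fptype} {fp}")
```

Clients only act on SSHFP (`VerifyHostKeyDNS yes`) when the answer is DNSSEC-validated, so the records are worth publishing both fingerprint types for, but they do not replace the fingerprints table above for manual verification over an untrusted resolver.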
Dedicated user roles¶
| User | Purpose |
|---|---|
| cacertmail | IMAP mailbox user |
| cacertsigner | User for the CAcert signer |
Todo
clarify why the signer software on test is currently running as the root user
The directory /home/cacert/ is owned by root. The signer is running from /home/signer/cacert-devel/CommModule/server.pl, the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.
Non-distribution packages and modifications¶
Apache httpd is running in a chroot /home/cacert/; the configuration in /etc/apache2 as well as the system binaries are not used. The Apache httpd binary seems to be relatively up-to-date.
The CAcert web application code as well as the CAcert signer client code come from CAcert Git repository cacert-devel’s release branch.
The signer in /home/signer/cacert-devel/CommModule/server.pl has a few uncommitted manual modifications, and the whole working copy in /home/signer/cacert-devel is based on an old repository at git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The last commit in the working copy is:
commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
Merge: c33bbc5 a3d0b8a
Author: Michael Tänzer <neo@nhng.de>
Date: Wed Apr 10 00:03:42 2013 +0200
Merge branch 'bug-1159' into signer
Todo
integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel
Risk assessments on critical packages¶
The operating system on this container (Debian 8 Jessie) is no longer supported. The PHP version in the /home/cacert/ chroot is 5.6.38, which is no longer supported upstream.
Critical Configuration items¶
Keys and X.509 certificates¶
- Certificate for CN cats.test.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/cats_test_cacert_org.pem
- Certificate for CN mgr.test.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem
- Certificate for CN secure.test.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/secure_test_cacert_org.pem
- Certificate for CN test.cacert.org (dovecot), see details in the certificate list
  - certificate in file /etc/dovecot/dovecot.pem
  - private key in file /etc/dovecot/private/dovecot.pem
- Certificate for CN test.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/test_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/cacert.pem

CA certificates on test:

- Certificate for CN CAcert Testserver Root, see details in the certificate list
  - certificate in file /etc/ssl/CA/cacert.crt
  - private key in file /etc/ssl/CA/cacert.pem
- Certificate for CN CAcert Testserver Root, see details in the certificate list
  - certificate in file /etc/ssl/CA/root_256.crt
  - private key in file /etc/ssl/CA/cacert.pem (the same key as for /etc/ssl/CA/cacert.crt)
- Certificate for CN CAcert Testserver Class 3, see details in the certificate list
  - certificate in file /etc/ssl/class3/cacert.md5.crt
  - private key in file /etc/ssl/class3/cacert.pem
- Certificate for CN CAcert Testserver Class 3, see details in the certificate list
  - certificate in file /etc/ssl/class3/cacert.crt
  - private key in file /etc/ssl/class3/cacert.pem (the same key as for /etc/ssl/class3/cacert.md5.crt)
Note: there are two directories /etc/root3/ and /etc/root4/ that are supported by the signer but do not contain actual keys and certificates.
openssl configuration for the signer server¶
The openssl configuration files used by the server.pl signer are stored in /etc/ssl/ and are named caname-purpose.cnf.
Todo
check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
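One way to work through the Todo above, as an added example that is not part of the CAcert documentation or tooling: hash every `.cnf` file in the signer's configuration directory and in a checkout of the reference tree after stripping comment lines, trailing whitespace and blank lines, so that only effective openssl directives are compared. The two directory trees in the block are constructed in a temporary directory for the example (the file names follow the caname-purpose.cnf pattern but their contents are hypothetical); on the host you would point it at /etc/ssl/ and at the checkout of SystemAdministration/signer/ssl/.

```python
"""Compare openssl configuration files on the signer host with a reference
copy, ignoring comments and whitespace.

Added example, not CAcert code.  The directory trees are constructed in a
temporary directory; the file contents are hypothetical.
"""
import hashlib
import os
import tempfile


def normalise(text: str) -> bytes:
    """Keep only effective directives: drop comment lines, blank lines and
    leading/trailing whitespace so cosmetic edits do not show up as drift."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    return ("\n".join(lines) + "\n").encode()


def digest_tree(root: str):
    """Map relative path -> SHA-256 of the normalised content of each .cnf file."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".cnf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                digest = hashlib.sha256(normalise(fh.read())).hexdigest()
            result[os.path.relpath(path, root)] = digest
    return result


def compare_trees(local: str, reference: str):
    """Report which files exist only on one side, which differ, which match."""
    a, b = digest_tree(local), digest_tree(reference)
    both = a.keys() & b.keys()
    return {
        "only_local": sorted(set(a) - set(b)),
        "only_reference": sorted(set(b) - set(a)),
        "differ": sorted(p for p in both if a[p] != b[p]),
        "identical": sorted(p for p in both if a[p] == b[p]),
    }


def _write(root: str, name: str, content: str) -> None:
    with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
        fh.write(content)


def example():
    """Build two constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        local, ref = os.path.join(tmp, "local"), os.path.join(tmp, "svn")
        os.makedirs(local)
        os.makedirs(ref)
        # Same directives, different comments and whitespace: must be identical.
        _write(local, "root-client.cnf",
               "[ ca ]\n# local note\ndefault_ca = CA_default\n\n[ CA_default ]\n  default_md = sha256  \n")
        _write(ref, "root-client.cnf",
               "[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\ndefault_md = sha256\n")
        # Hypothetical real drift: a weaker digest left on the host.
        _write(local, "class3-server.cnf", "[ CA_default ]\ndefault_md = sha1\n")
        _write(ref, "class3-server.cnf", "[ CA_default ]\ndefault_md = sha256\n")
        # Present in the reference tree only.
        _write(ref, "root3-client.cnf", "[ CA_default ]\ndefault_md = sha256\n")
        return compare_trees(local, ref)


if __name__ == "__main__":
    for kind, files in example().items():
        print(f"{kind}: {files}")
```

Files reported under "differ" still need a real `diff` afterwards; the hash only tells you that a directive changed, not which one.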
Apache httpd configuration¶
Apache httpd is running in a chroot /home/cacert/; its configuration is stored in /home/cacert/etc/apache2.
Postfix configuration¶
Postfix configuration is stored in /etc/postfix. Postfix is configured to accept mail for test.cacert.org and localhost; all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.
Dovecot configuration¶
Dovecot is configured to use PAM for authentication, to support SSL and IMAP, and to use mbox style mailboxes in /var/mail/%u, in the following files:
- /etc/dovecot/conf.d/10-auth.conf
- /etc/dovecot/conf.d/10-mail.conf
- /etc/dovecot/conf.d/20-imap.conf
- /etc/dovecot/conf.d/auth-system.conf

Note: dovecot uses an old self-signed certificate for test.cacert.org.
Tasks¶
Changes¶
Planned¶
Todo
Upgrade test to Debian Stretch/Buster/Bullseye when the software is ready.
System Future¶
Additional documentation¶
References¶
- Apache httpd documentation
- Apache Debian wiki page
- Dovecot documentation
- openssl documentation
- Postfix documentation
- Postfix Debian wiki page