Test

Purpose

This is a public test system for the software from cacertgit:cacert-devel’s release branch running on www.cacert.org. It is used for testing new features and bug fixes by testers and software assessors.

Application Links

Application

https://test.cacert.org/

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Application Administration

Application	Administrator(s)
CAcert web application	Dirk Astrath, Bernhard Fröhlich

Contact

• test-admin@cacert.org

Additional People

Dirk Astrath, Aleš Kastner, Kim Nilsson and Bernhard Fröhlich have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:

213.154.225.248

IP Intranet:

172.16.2.248

IP Internal:

10.0.0.248

IPv6:

2001:7b8:616:162:2::248

MAC address:

00:ff:91:10:5d:cd (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for test.infra.cacert.org

DNS

Name	Type	Content
test.cacert.org.	IN A	213.154.225.248
test.cacert.org.	IN SSHFP	1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
test.cacert.org.	IN SSHFP	2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
test.intra.cacert.org.	IN A	172.16.2.248
test.infra.cacert.org.	IN A	10.0.0.248

Todo

add AAAA record for IPv6 address

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 8 Jessie

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	Apache httpd for http://test.cacert.org/
123/tcp 123/udp	ntp	local	network time protocol server
143/tcp	imap	testmgr	Dovecot IMAP server
443/tcp	https	ANY	Apache httpd for https://test.cacert.org/
993/tcp	imaps	testmgr	Dovecot IMAP server
3306/tcp	mysql	local	MySQL database for WebDB
5666/tcp	nrpe	monitor	remote monitoring service

Running services

Service	Usage	Start mechanism
Apache httpd	Webserver for the CAcert web application	init script /etc/init.d/apache2
MySQL	MySQL database server for the CAcert web application	init script /etc/init.d/mysql
atop	atop process accounting top	init script /etc/init.d/atop
client.pl	CAcert signer client	init script /etc/init.d/commmodule
cron	job scheduler	init script /etc/init.d/cron
dovecot	Dovecot IMAP server	init script /etc/init.d/dovecot
Nagios NRPE server	remote monitoring service queried by Monitor	init script /etc/init.d/nagios-nrpe-server
ntpd	Network time protocol server	init script /etc/init.d/ntp
openssh server	ssh daemon for remote administration	init script /etc/init.d/ssh
postfix	SMTP server for local mail submission	init script /etc/init.d/postfix
rsyslog	syslog daemon	init script /etc/init.d/syslog
server.pl	CAcert signer server	init script /etc/init.d/commmodule-signer
socat	Emulate serial connection between CAcert signer client and server	entry in /etc/rc.local that executes /usr/local/sbin/socat-signer inside a screen session

Databases

RDBMS	Name	Used for
MySQL	cacert	CAcert web application

Connected Systems

• Monitor

• Testmgr has access to imap and MySQL

Outbound network connections

• Infra02 as resolving nameserver

• Proxyout as HTTP proxy for APT and Github

• crl.cacert.org (rsync) for getting CRLs

• ocsp.cacert.org (HTTP and HTTPS) for OCSP queries

• arbitrary Internet SMTP servers for outgoing mail

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:5wItpTiTpy2F8L/97EbbbBzAm9jGEtDbK7VkgYX2ciU, MD5:fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98
DSA	SHA256:K+QXsmvqJmUWqKtewyLVFejd/7jxvgZx0tKvBQMvwhg, MD5:1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13
ECDSA	SHA256:mI7AeT1zOeEhZpQ1Go3TgwAnzyqGEgy8ePFGiYJsyzk, MD5:ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1
ED25519	-

See also

SSH host key list

Todo

generate ED25519 key for test

Todo

remove DSA host key

Dedicated user roles

User	Purpose
cacertmail	IMAP mailbox user
cacertsigner	User for the CAcert signer

Todo

clarify why the signer software on test is currently running as the root user

The directory /home/cacert/ is owned by root. The signer is running from /home/signer/cacert-devel/CommModule/server.pl the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.

Non-distribution packages and modifications

Apache httpd is running in a chroot /home/cacert/, the configuration in /etc/apache2 as well as the system binaries are not used. The Apache httpd binary seems to be relatively up-to-date.

The CAcert web application code as well as the CAcert signer client code come from CAcert Git repository cacert-devel’s release branch.

The signer in /home/signer/cacert-devel/CommModule/server.pl has a few uncommitted manual modifications. And the whole working copy in /home/signer/cacert-devel is based on an old repository at git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The last commit in the working copy is:

commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
Merge: c33bbc5 a3d0b8a
Author: Michael Tänzer <neo@nhng.de>
Date:   Wed Apr 10 00:03:42 2013 +0200

    Merge branch 'bug-1159' into signer

Todo

integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel

Risk assessments on critical packages

The operating system on this container is no longer supported. The PHP version in the file:/home/cacert/ chroot is 5.6.38 which is no longer supported upstream.

Critical Configuration items

Keys and X.509 certificates

• Certificate for CN cats.test.cacert.org, see details in the certificate list

• certificate in file /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt

• private key in file /home/cacert/etc/ssl/private/cats_test_cacert_org.pem

• Certificate for CN mgr.test.cacert.org, see details in the certificate list

• certificate in file /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt

• private key in file /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem

• Certificate for CN secure.test.cacert.org, see details in the certificate list

• certificate in file /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt

• private key in file /home/cacert/etc/ssl/private/secure_test_cacert_org.pem

• Certificate for CN test.cacert.org (dovecot), see details in the certificate list

• certificate in file /etc/dovecot/dovecot.pem

• private key in file /etc/dovecot/private/dovecot.pem

• Certificate for CN test.cacert.org, see details in the certificate list

• certificate in file /home/cacert/etc/ssl/certs/test_cacert_org.crt

• private key in file /home/cacert/etc/ssl/private/cacert.pem

CA certificates on test:

• Certificate for CN CAcert Testserver Root, see details in the certificate list

• certificate in file /etc/ssl/CA/cacert.crt

• private key in file /etc/ssl/CA/cacert.pem

• Certificate for CN CAcert Testserver Root, see details in the certificate list

• certificate in file /etc/ssl/CA/root_256.crt

• private key in file /etc/ssl/CA/cacert.pem

• Certificate for CN CAcert Testserver Class 3, see details in the certificate list

• certificate in file /etc/ssl/class3/cacert.md5.crt

• private key in file /etc/ssl/class3/cacert.pem

• Certificate for CN CAcert Testserver Class 3, see details in the certificate list

• certificate in file /etc/ssl/class3/cacert.crt

• private key in file /etc/ssl/class3/cacert.pem

Note

There are two directories /etc/root3/ and /etc/root4/ that are supported by the signer but do not contain actual keys and certificates.

See also

• Wiki page SystemAdministration/CertificateList

openssl configuration for the signer server

There are some openssl configuration files that are used by the server.pl signer that are stored in /etc/ssl/caname-purpose.cnf.

Todo

check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration

Apache httpd is running in a chroot /home/cacert/ its configuration is stored in /home/cacert/etc/apache2.

Postfix configuration

Postfix configuration is stored in /etc/postfix.

Postfix is configured to accept mail for test.cacert.org and localhost all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.

Dovecot configuration

Dovecot is configured to use pam for authentication and to support SSL and IMAP and to use mbox style mailboxes in /var/mail/%u in the following files:

• /etc/dovecot/conf.d/10-auth.conf

• /etc/dovecot/conf.d/10-mail.conf

• /etc/dovecot/conf.d/20-imap.conf

• /etc/dovecot/conf.d/auth-system.conf

Note

dovecot uses an old self-signed certificate for test.cacert.org

Tasks

Changes

Planned

Todo

Upgrade test to Debian Stretch/Buster/Bullseye when the software is ready.

System Future

Additional documentation

See also

• Wiki page PostfixConfiguration

• https://codedocs.cacert.org/

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Apache Debian wiki page

https://wiki.debian.org/Apache

Dovecot documentation

https://wiki2.dovecot.org/FrontPage

openssl documentation

https://www.openssl.org/docs/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix