Test¶

Name	Type	Content
test.cacert.org.	IN A	213.154.225.248
test.cacert.org.	IN SSHFP	1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
test.cacert.org.	IN SSHFP	2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
test.intra.cacert.org.	IN A	172.16.2.248
test.infra.cacert.org.	IN A	10.0.0.248

Todo

add AAAA record for IPv6 address

Operating System¶

Debian GNU/Linux 8.11

Services¶

Listening services¶

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	Apache httpd for http://test.cacert.org/
123/tcp 123/udp	ntp	local	network time protocol server
143/tcp	imap	testmgr	Dovecot IMAP server
443/tcp	https	ANY	Apache httpd for https://test.cacert.org/
993/tcp	imaps	testmgr	Dovecot IMAP server
3306/tcp	mysql	local	MySQL database for …
5666/tcp	nrpe	monitor	remote monitoring service

Running services¶

Service	Usage	Start mechanism
Apache httpd	Webserver for the CAcert web application	init script `/etc/init.d/apache2`
MySQL	MySQL database server for the CAcert web application	init script `/etc/init.d/mysql`
Postfix	SMTP server for local mail submission	init script `/etc/init.d/postfix`
atop	atop process accounting top	init script `/etc/init.d/atop`
client.pl	CAcert signer client	init script `/etc/init.d/commmodule`
cron	job scheduler	init script `/etc/init.d/cron`
dovecot	Dovecot IMAP server	init script `/etc/init.d/dovecot`
Nagios NRPE server	remote monitoring service queried by Monitor	init script `/etc/init.d/nagios-nrpe-server`
ntpd	Network time protocol server	init script `/etc/init.d/ntp`
openssh server	ssh daemon for remote administration	init script `/etc/init.d/ssh`
rsyslog	syslog daemon	init script `/etc/init.d/syslog`
server.pl	CAcert signer server	init script `/etc/init.d/commmodule-signer`
socat	Emulate serial connection between CAcert signer client and server	entry in `/etc/rc.local` that executes `/usr/local/sbin/socat-signer` inside a screen session

Databases¶

RDBMS	Name	Used for
MySQL	cacert	CAcert web application

Connected Systems¶

Monitor
testmgr has access to imap and MySQL

Outbound network connections¶

Infra02 as resolving nameserver
Proxyout as HTTP proxy for APT and Github
crl.cacert.org (rsync) for getting CRLs
ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
arbitrary Internet SMTP servers for outgoing mail

Security¶

Todo

add the SHA-256 fingerprints of the SSH host keys

SSH host keys¶

Algorithm	Fingerprints
RSA	`MD5:fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98`
DSA	`MD5:1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13`
ECDSA	`MD5:ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1`
ED25519	-

See also

SSH host key list

Todo

add ED25519 key for test

Dedicated user roles¶

User	Purpose
cacertmail	IMAP mailbox user
cacertsigner	User for the CAcert signer

Todo

clarify why the signer software on test is currently running as the root user

The directory /home/cacert/ is owned by root. The signer is running from /home/signer/cacert-devel/CommModule/server.pl the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.

Non-distribution packages and modifications¶

Apache httpd is running in a chroot /home/cacert/, the configuration in /etc/apache2 as well as the system binaries are not used. The Apache httpd binary seems to be relatively up-to-date.

The CAcert web application code as well as the CAcert signer client code come from CAcert Git repository cacert-devel’s release branch.

The signer in /home/signer/cacert-devel/CommModule/server.pl has a few uncommitted manual modifications. And the whole working copy in /home/signer/cacert-devel is based on an old repository at git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The last commit in the working copy is:

commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
Merge: c33bbc5 a3d0b8a
Author: Michael Tänzer <neo@nhng.de>
Date:   Wed Apr 10 00:03:42 2013 +0200

    Merge branch 'bug-1159' into signer

Todo

integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel

Risk assessments on critical packages¶

The operating system on this container is no longer supported. The PHP version in the file:/home/cacert/ chroot is 5.6.38 which is no longer supported upstream

Critical Configuration items¶

Keys and X.509 certificates¶

Certificate for CN cats.test.cacert.org, see details in the certificate list

certificate in file /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/cats_test_cacert_org.pem

Certificate for CN mgr.test.cacert.org, see details in the certificate list

certificate in file /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem

Certificate for CN secure.test.cacert.org, see details in the certificate list

certificate in file /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/secure_test_cacert_org.pem

Certificate for CN test.cacert.org (dovecot), see details in the certificate list

certificate in file /etc/dovecot/dovecot.pem
private key in file /etc/dovecot/private/dovecot.pem

Certificate for CN test.cacert.org, see details in the certificate list

certificate in file /home/cacert/etc/ssl/certs/test_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/cacert.pem

CA certificates on test:

Certificate for CN CAcert Testserver Root, see details in the certificate list

certificate in file /etc/ssl/CA/cacert.crt
private key in file /etc/ssl/CA/cacert.pem

Certificate for CN CAcert Testserver Root, see details in the certificate list

certificate in file /etc/ssl/CA/root_256.crt
private key in file /etc/ssl/CA/cacert.pem

Certificate for CN CAcert Testserver Class 3, see details in the certificate list

certificate in file /etc/ssl/class3/cacert.md5.crt
private key in file /etc/ssl/class3/cacert.pem

Certificate for CN CAcert Testserver Class 3, see details in the certificate list

certificate in file /etc/ssl/class3/cacert.crt
private key in file /etc/ssl/class3/cacert.pem

Note

There are two directories /etc/root3/ and /etc/root4/ that are supported by the signer but do not contain actual keys and certificates.

See also

Wiki SystemAdministration/CertificateList

openssl configuration for the signer server¶

There are some openssl configuration files that are used by the server.pl signer that are stored in /etc/ssl/caname-purpose.cnf.

Todo

check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration¶

Apache httpd is running in a chroot /home/cacert/ its configuration is stored in /home/cacert/etc/apache2.

Postfix configuration¶

Postfix configuration is stored in /etc/postfix.

Postfix is configured to accept mail for test.cacert.org and localhost all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.

Dovecot configuration¶

Dovecot is configured to use pam for authentication and to support SSL and IMAP and to use mbox style mailboxes in /var/mail/%u in the following files:

/etc/dovecot/conf.d/10-auth.conf
/etc/dovecot/conf.d/10-mail.conf
/etc/dovecot/conf.d/20-imap.conf
/etc/dovecot/conf.d/auth-system.conf

Note

dovecot uses an old self-signed certificate for test.cacert.org

Tasks¶

Changes¶

Planned¶

Todo

Upgrade test to Debian Stretch when the software is ready.

System Future¶

Additional documentation¶

See also

References¶

Apache httpd documentation: http://httpd.apache.org/docs/2.4/
Apache Debian wiki page: https://wiki.debian.org/Apache
Dovecot documentation: https://wiki2.dovecot.org/FrontPage
openssl documentation: https://www.openssl.org/docs/
Postfix documentation: http://www.postfix.org/documentation.html
Postfix Debian wiki page: https://wiki.debian.org/Postfix