Test2¶
Purpose¶
This is a test system that is as close to the real Webdb system. It is used by the critical admin team to test patches before bringing them into production.
Application Links¶
- Application
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: Dirk Astrath
Application Administration¶
Application |
Administrator(s) |
|---|---|
CAcert web application |
Contact¶
Additional People¶
No additional people have sudo access on that machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address:
00:ff:8a:60:d6:dd(eth0)
See also
See Network
Monitoring¶
Todo
setup monitoring for test2
DNS¶
Name |
Type |
Content |
|---|---|---|
test2.cacert.org. |
IN A |
|
test2.cacert.org. |
IN SSHFP |
|
test2.cacert.org. |
IN SSHFP |
|
test2.cacert.org. |
IN SSHFP |
|
test2.cacert.org. |
IN SSHFP |
|
Todo
add AAAA record for IPv6 address
Todo
add SSHFP records for ECDSA and ED25519 host keys
Todo
remove SSHFP records for DSA host key
See also
Operating System¶
Debian GNU/Linux 8 Jessie
Services¶
Listening services¶
Port |
Service |
Origin |
Purpose |
|---|---|---|---|
22/tcp |
ssh |
ANY |
admin console access |
25/tcp |
smtp |
local |
mail delivery to local MTA |
80/tcp |
http |
ANY |
Apache httpd for http://test.cacert.org/ |
123/tcp 123/udp |
ntp |
local |
network time protocol server |
143/tcp |
imap |
testmgr |
Dovecot IMAP server |
443/tcp |
https |
ANY |
Apache httpd for https://test.cacert.org/ |
3306/tcp |
mysql |
local |
MySQL database for WebDB |
5666/tcp |
nrpe |
monitor |
remote monitoring service |
Running services¶
Service |
Usage |
Start mechanism |
|---|---|---|
Apache httpd |
Webserver for the CAcert web application |
init script
|
MySQL |
MySQL database server for the CAcert web application |
init script
|
acpid |
ACPI daemon |
systemd unit |
atop |
atop process accounting top |
init script
|
client.pl |
CAcert signer client |
init script
|
cron |
job scheduler |
init script
|
dovecot |
Dovecot IMAP server |
init script
|
Nagios NRPE server |
remote monitoring service queried by Monitor |
init script
|
ntpd |
Network time protocol server |
init script
|
openssh server |
ssh daemon for remote administration |
init script |
postfix |
SMTP server for local mail submission |
init script
|
rsyslog |
syslog daemon |
init script
|
server.pl |
CAcert signer server |
init script
|
socat |
Emulate serial connection between CAcert signer client and server |
entry in
|
Databases¶
RDBMS |
Name |
Used for |
|---|---|---|
MySQL |
cacert |
CAcert web application |
Connected Systems¶
Outbound network connections¶
Security¶
SSH host keys¶
Algorithm |
Fingerprints |
|---|---|
RSA |
|
DSA |
|
ECDSA |
- |
ED25519 |
- |
See also
Todo
generate ECDSA and ED25519 host keys
Todo
remove DSA host key
Dedicated user roles¶
User |
Purpose |
|---|---|
cacertmail |
IMAP mailbox user |
signer |
User for the CAcert signer |
Todo
clarify why the signer software on test2 is currently running as the root user
The directory /home/cacert/ is owned by root. The signer is running
from /home/signer/cacert-devel/CommModule/server.pl the client is
running from /home/cacert/www/CommModule/client.pl. Both are running as
root. Currently no process uses the cacertsigner user.
Non-distribution packages and modifications¶
Apache httpd is running in a chroot /home/cacert/, the configuration in
/etc/apache2 as well as the system binaries are not used. The Apache
httpd binary seems to be relatively up-to-date.
The CAcert WebDB application is stored in /home/cacert/www.
The CAcert Signer code is stored in /home/signer/www/CommModule.
Todo
clarify the process how changes get into the WebDB and Signer directories and clarify differences to Git and test
Risk assessments on critical packages¶
The operating system on this container is no longer supported. The PHP version in the file:/home/cacert/ chroot is 5.6.40 which is no longer supported upstream.
Critical Configuration items¶
Keys and X.509 certificates¶
Certificate for CN cacert2.it-sls.de, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/cacert2_it-sls_de.crt
private key in file /home/cacert/etc/ssl/private/cacert2_it-sls_de.pem
Certificate for CN ca-mgr2.it-sls.de, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/ca-mgr2_it-sls_de.crt
private key in file /home/cacert/etc/ssl/private/ca-mgr2_it-sls_de.pem
Certificate for CN mgr.test2.cacert.org, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/mgr_test2_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/mgr_test2_cacert_org.pem
Certificate for CN secure2.it-sls.de, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/secure2_it-sls_de.crt
private key in file /home/cacert/etc/ssl/private/secure2_it-sls_de.pem
Certificate for CN secure.test2.cacert.org, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/secure_test2_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/secure_test2_cacert_org.pem
Certificate for CN test2.cacert.org, see details in the certificate list
certificate in file /home/cacert/etc/ssl/certs/test2_cacert_org.crt
private key in file /home/cacert/etc/ssl/private/test2_cacert_org.pem
Todo
clarify whether old it-sls.de certificates can be decommissioned
CA certificates on test:
Certificate for CN CAcert Testserver Root, see details in the certificate list
certificate in file /etc/ssl/CA/cacert.crt
private key in file /etc/ssl/CA/cacert.pem
Certificate for CN CAcert Testserver Class 3, see details in the certificate list
certificate in file /etc/ssl/class3/cacert.crt
private key in file /etc/ssl/class3/cacert.pem
openssl configuration for the signer server¶
There are some openssl configuration files that are used by the server.pl
signer that are stored in /etc/ssl/caname-purpose.cnf.
Todo
check whether the openssl configuration files on test2 are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
Apache httpd configuration¶
Apache httpd is running in a chroot /home/cacert/ its configuration is
stored in /home/cacert/etc/apache2.
Postfix configuration¶
Postfix configuration is stored in /etc/postfix.
Postfix is configured to accept mail for cacert2.it-sls.de,
localhost.it-sls.de and localhost all mail is delivered to the mailbox
of the cacertmail user in /var/mail/cacertmail via
/etc/postfix/virtual.regexp.
Todo
reconfigure postfix on test2 to use the correct hostnames
Dovecot configuration¶
Dovecot is configured via configuration in /etc/dovecot.
Todo
check dovecot configuration on test2, compare with test and/or production webdb system
Tasks¶
Changes¶
Planned¶
Todo
ensure that test2 is really similar to webdb, implement a proper deployment process to support real staging
System Future¶
Additional documentation¶
See also
References¶
- Apache httpd documentation
- Apache Debian wiki page
- Dovecot documentation
- openssl documentation
- Postfix documentation
- Postfix Debian wiki page
