Test2

Purpose

This is a test system that is as close to the real Webdb system. It is used by the critical admin team to test patches before bringing them into production.

Administration

System Administration

Application Administration

Application

Administrator(s)

CAcert web application

Dirk Astrath

Contact

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.241

IP Intranet

172.16.2.249

IP Internal

10.0.0.249

IPv6

2001:7b8:616:162:2::249

MAC address

00:ff:8a:60:d6:dd (eth0)

See also

See Network

Monitoring

Todo

setup monitoring for test2

DNS

Name

Type

Content

test2.cacert.org.

IN A

213.154.225.249

test2.cacert.org.

IN SSHFP

1 1 6CF47397AFD468336DC07A27F7FC00797693FE12

test2.cacert.org.

IN SSHFP

1 2 C008E67B906AF92DF0C9CF30A1C5DF998D2B47CB518698FB2974193C07CE7F40

test2.cacert.org.

IN SSHFP

2 1 666DF52C894AAFA85FB3A890077BC29046DF9B96

test2.cacert.org.

IN SSHFP

2 2 E5794CFF631FACB7C294CC6727A5335E15BD39041DF3E73E3440DB3A995EA43A

Todo

add AAAA record for IPv6 address

Todo

add SSHFP records for ECDSA and ED25519 host keys

Todo

remove SSHFP records for DSA host key

Operating System

  • Debian GNU/Linux 8.11 Jessie

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

80/tcp

http

ANY

Apache httpd for http://test.cacert.org/

123/tcp 123/udp

ntp

local

network time protocol server

143/tcp

imap

testmgr

Dovecot IMAP server

443/tcp

https

ANY

Apache httpd for https://test.cacert.org/

3306/tcp

mysql

local

MySQL database for WebDB

5666/tcp

nrpe

monitor

remote monitoring service

Running services

Service

Usage

Start mechanism

Apache httpd

Webserver for the CAcert web application

init script /etc/init.d/apache2

MySQL

MySQL database server for the CAcert web application

init script /etc/init.d/mysql

acpid

ACPI daemon

systemd unit acpid.service

atop

atop process accounting top

init script /etc/init.d/atop

client.pl

CAcert signer client

init script /etc/init.d/commmodule

cron

job scheduler

init script /etc/init.d/cron

dovecot

Dovecot IMAP server

init script /etc/init.d/dovecot

Nagios NRPE server

remote monitoring service queried by Monitor

init script /etc/init.d/nagios-nrpe-server

ntpd

Network time protocol server

init script /etc/init.d/ntp

openssh server

ssh daemon for remote administration

init script /etc/init.d/ssh

postfix

SMTP server for local mail submission

init script /etc/init.d/postfix

rsyslog

syslog daemon

init script /etc/init.d/syslog

server.pl

CAcert signer server

init script /etc/init.d/commmodule-signer

socat

Emulate serial connection between CAcert signer client and server

entry in /etc/rc.local that executes /usr/local/sbin/socat-signer inside a screen session

Databases

RDBMS

Name

Used for

MySQL

cacert

CAcert web application

Connected Systems

Outbound network connections

  • Infra02 as resolving nameserver

  • Proxyout as HTTP proxy for APT and Github

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:wAjme5Bq+S3wyc8wocXfmY0rR8tRhpj7KXQZPAfOf0A, MD5:99:f4:e6:78:7a:57:d6:9d:a9:b8:ca:f3:ce:07:cc:57

DSA

SHA256:5XlM/2MfrLfClMxnJ6UzXhW9OQQd8+c+NEDbOplepDo, MD5:0f:56:a7:04:b5:f4:48:b9:fa:2c:1e:58:de:d3:e8:cb

ECDSA

-

ED25519

-

Todo

generate ECDSA and ED25519 host keys

Todo

remove DSA host key

Dedicated user roles

User

Purpose

cacertmail

IMAP mailbox user

signer

User for the CAcert signer

Todo

clarify why the signer software on test2 is currently running as the root user

The directory /home/cacert/ is owned by root. The signer is running from /home/signer/cacert-devel/CommModule/server.pl the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.

Non-distribution packages and modifications

Apache httpd is running in a chroot /home/cacert/, the configuration in /etc/apache2 as well as the system binaries are not used. The Apache httpd binary seems to be relatively up-to-date.

The CAcert WebDB application is stored in /home/cacert/www.

The CAcert Signer code is stored in /home/signer/www/CommModule.

Todo

clarify the process how changes get into the WebDB and Signer directories and clarify differences to Git and test

Risk assessments on critical packages

The operating system on this container is no longer supported. The PHP version in the file:/home/cacert/ chroot is 5.6.40 which is no longer supported upstream.

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN cacert2.it-sls.de, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/cacert2_it-sls_de.crt

    • private key in file /home/cacert/etc/ssl/private/cacert2_it-sls_de.pem

  • Certificate for CN ca-mgr2.it-sls.de, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/ca-mgr2_it-sls_de.crt

    • private key in file /home/cacert/etc/ssl/private/ca-mgr2_it-sls_de.pem

  • Certificate for CN mgr.test2.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/mgr_test2_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/mgr_test2_cacert_org.pem

  • Certificate for CN secure2.it-sls.de, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/secure2_it-sls_de.crt

    • private key in file /home/cacert/etc/ssl/private/secure2_it-sls_de.pem

  • Certificate for CN secure.test2.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/secure_test2_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/secure_test2_cacert_org.pem

  • Certificate for CN test2.cacert.org, see details in the certificate list

    • certificate in file /home/cacert/etc/ssl/certs/test2_cacert_org.crt

    • private key in file /home/cacert/etc/ssl/private/test2_cacert_org.pem

Todo

clarify whether old it-sls.de certificates can be decommissioned

CA certificates on test:

  • Certificate for CN CAcert Testserver Root, see details in the certificate list

    • certificate in file /etc/ssl/CA/cacert.crt

    • private key in file /etc/ssl/CA/cacert.pem

  • Certificate for CN CAcert Testserver Class 3, see details in the certificate list

    • certificate in file /etc/ssl/class3/cacert.crt

    • private key in file /etc/ssl/class3/cacert.pem

openssl configuration for the signer server

There are some openssl configuration files that are used by the server.pl signer that are stored in /etc/ssl/caname-purpose.cnf.

Todo

check whether the openssl configuration files on test2 are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration

Apache httpd is running in a chroot /home/cacert/ its configuration is stored in /home/cacert/etc/apache2.

Postfix configuration

Postfix configuration is stored in /etc/postfix.

Postfix is configured to accept mail for cacert2.it-sls.de, localhost.it-sls.de and localhost all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.

Todo

reconfigure postfix on test2 to use the correct hostnames

Dovecot configuration

Dovecot is configured via configuration in /etc/dovecot.

Todo

check dovecot configuration on test2, compare with test and/or production webdb system

Tasks

Changes

Planned

Todo

ensure that test2 is really similar to webdb, implement a proper deployment process to support real staging

System Future

Additional documentation

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Apache Debian wiki page

https://wiki.debian.org/Apache

Dovecot documentation

https://wiki2.dovecot.org/FrontPage

openssl documentation

https://www.openssl.org/docs/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix