Test3¶
Purpose¶
This is a test system for a version of the CAcert application software revised to run with php-7.0 on Debian Stretch. When these tests are successful, the other test servers and the production server running on www.cacert.org can be upgraded to Debian Stretch. After that this server can probably be scrapped again.
Application Links¶
- Application via HTTP:
- Application via HTTPS:
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Application Administration¶
Application | Administrator(s)
---|---
CAcert web application |
Contact¶
Additional People¶
Dirk Astrath and Bernhard Fröhlich have sudo access on that machine too.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:ce:d1:22:1d (eth0)
Because this system shares its IPv4 internet address with test.cacert.org, there are some special mappings in the infra02 firewall to get access to this system:
- test.cacert.org port 14922 maps to test3 port 22 (ssh)
- test.cacert.org port 14980 maps to test3 port 80 (http)
- test.cacert.org port 14943 maps to test3 port 443 (https)
See also: Network
Monitoring¶
DNS¶
Name | Type | Content
---|---|---
test3.cacert.org. | IN A | 213.154.225.248
test3.cacert.org. | IN AAAA | 2001:7b8:616:162:2::149
secure.test3.cacert.org. | IN CNAME | test3.cacert.org
www.test3.cacert.org. | IN CNAME | test3.cacert.org
test3.cacert.org. | IN SSHFP | 1 1 39fd3b77396529f83e095ff09c59994c47d9e0d3
test3.cacert.org. | IN SSHFP | 1 2 680fe134289e79678f7eaa5689fdce3db5efed9f6ebefd5bcfadce04a96475c1
test3.cacert.org. | IN SSHFP | 2 1 70f5730c127bd701fc5c4baba329e93346a975c1
test3.cacert.org. | IN SSHFP | 2 2 364252b906aec15a00994620d5c90c0f692a41cbc8c6f3bfc229149511209328
test3.cacert.org. | IN SSHFP | 3 1 e4d81b532dc90ebb6d087ae732ce016b87945ebd
test3.cacert.org. | IN SSHFP | 3 2 71b5aedcc999e6ffc0f90eeb9254c8771ddaa6a4981cf55e8e2228f6bdee64ce
test3.cacert.org. | IN SSHFP | 4 1 50b22453f5c8d845895bacccbc1fc325d033f65d
test3.cacert.org. | IN SSHFP | 4 1 a928b84465769480d70dfc5ecd3af2e4cdb192ee11d1cffc4f31ea1fbed09d41
test.infra.cacert.org. | IN A | 10.0.0.149
Todo: add intra.cacert.org. A record
See also
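The SSHFP records above only protect ssh clients (VerifyHostKeyDNS) if they match the keys the host actually presents, so after a reinstall or key rotation they have to be re-derived and compared. The following Python is an added example, not part of this page or of CAcert's tooling: it recomputes the SSHFP fingerprints from a host key line in the form ssh-keyscan prints (the same values `ssh-keygen -r` emits) and compares them with a list of records taken from DNS, reporting records that are missing or that no current key explains. The host key, the hostname test3.example and the record lines are constructed for the example.

```python
"""Audit published SSHFP records against an SSH host key (added example).

Constructed inputs only: the known_hosts line below is a made-up Ed25519 key
and test3.example is a placeholder hostname, not test3's real key or records.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by key-type name
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint type number -> hash over the raw public key blob
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def _key_type(blob: bytes) -> str:
    """The first SSH string in a public key blob is its key-type name."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_records(known_hosts_line: str):
    """Return (algorithm, fptype, hex fingerprint) tuples for one host key.

    Input is one known_hosts / ssh-keyscan line: "host keytype base64blob".
    Both fingerprint types are returned, as `ssh-keygen -r` does.
    """
    _host, keytype, b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(b64)
    if _key_type(blob) != keytype:
        raise ValueError("key-type field does not match the key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def parse_sshfp_rr(line: str):
    """Parse a zone-file or `dig +short` SSHFP line into (alg, fptype, hex)."""
    parts = line.split()
    if "SSHFP" in parts:
        parts = parts[parts.index("SSHFP") + 1:]
    return int(parts[0]), int(parts[1]), "".join(parts[2:]).lower()


def audit(known_hosts_line: str, published):
    """Compare records derived from the key with those published in DNS.

    "missing": the key implies a record DNS lacks (clients cannot verify it).
    "unexpected": DNS carries a fingerprint no current key explains; this is
    the case to alert on, since a stale or bogus record would let a client
    accept some other key as this host's.
    """
    computed = set(sshfp_records(known_hosts_line))
    published = {(int(a), int(t), fp.lower()) for a, t, fp in published}
    return {
        "matched": len(computed & published),
        "missing": len(computed - published),
        "unexpected": len(published - computed),
    }


# Constructed sample: an Ed25519 host key whose 32 raw key bytes are 0..31.
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS_LINE = "test3.example ssh-ed25519 " + base64.b64encode(_blob).decode()

if __name__ == "__main__":
    recs = sshfp_records(SAMPLE_KNOWN_HOSTS_LINE)
    for alg, fptype, fp in recs:
        print(f"test3.example. IN SSHFP {alg} {fptype} {fp}")
    # Constructed "DNS answer": one correct record, one that is stale
    dns = [parse_sshfp_rr(f"test3.example. IN SSHFP {a} {t} {fp}") for a, t, fp in recs[:1]]
    dns.append(parse_sshfp_rr("test3.example. IN SSHFP 4 2 " + "00" * 32))
    print(audit(SAMPLE_KNOWN_HOSTS_LINE, dns))
```

In practice the first argument comes from `ssh-keyscan -t ed25519 test3.cacert.org` run over a trusted path (or from /etc/ssh/ssh_host_*_key.pub on the host itself) and the second from `dig +short SSHFP test3.cacert.org`; the fingerprint hashes cover the raw key blob, which is why only the key-type name has to be parsed out of it.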
Operating System¶
Debian GNU/Linux 11
Applicable Documentation¶
Notes about installing the CAcert application on test3.cacert.org.
Starting point is a Debian Bullseye LXC setup from Jan Dittberner
install the following packages (and their dependencies):
    $ sudo apt-get install \
        apache2 \
        default-mysql-server gettext locales locales-all recode \
        dnsutils whois locate rcs screen tmux make \
        libdevice-serialport-perl libfile-counterfile-perl xdelta
create empty cacert database:
    $ sudo mysql
    > CREATE DATABASE cacert;
    > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON cacert.* TO 'cacert'@'localhost' IDENTIFIED BY 'klodder';
    > \q
dump current cacert database on test.cacert.org:
    $ mysqldump -u cacert -p --single-transaction cacert >BACKUP
copy over cacert database BACKUP from test.cacert.org to test3.cacert.org
import the database backup into the empty cacert database:
    $ mysql -u cacert -p cacert <BACKUP
copy scripts /etc/rc.local and /usr/local/sbin/socat from test.cacert.org
copy signer files with collect-signer-files script from test.cacert.org
make small adjustments to scripts and install signer stuff in /etc
generate certificates for test.cacert.org based on CAcert test root with ~wytze/local/localcerts script (using the locally installed signer config)
copy /root/chroot from test.cacert.org
use updated mkchrootenv script from http://svn.cacert.org/CAcert/SystemAdministration/webdb/mkchrootenv to set up /home/cacert
create /home/cacert/www/includes/mysql.php from mysql.php.sample prototype
install commmodule client from /home/cacert/www/CommModule in /etc/init.d
copy /etc/init.d/apache2 script to /etc/init.d/apache2-cacert and modify it to use chroot to the /home/cacert
environment:--- apache2 2018-04-05 18:32:55.000000000 +0000 +++ apache2-cacert 2018-11-20 16:05:38.740396894 +0000 @@ -1,22 +1,26 @@ #!/bin/sh ### BEGIN INIT INFO -# Provides: apache2 +# Provides: apache2-cacert # Required-Start: $local_fs $remote_fs $network $syslog $named # Required-Stop: $local_fs $remote_fs $network $syslog $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # X-Interactive: true -# Short-Description: Apache2 web server +# Short-Description: Apache2 web server for CAcert # Description: Start the web server # This script will start the apache2 web server. ### END INIT INFO -DESC="Apache httpd web server" +DESC="Apache httpd web server for CAcert" NAME=apache2 DAEMON=/usr/sbin/$NAME +CHRDIR=/home/cacert/ +CHROOT="/usr/sbin/chroot ${CHRDIR}" + SCRIPTNAME="${0##*/}" SCRIPTNAME="${SCRIPTNAME##[KS][0-9][0-9]}" +SCRIPTNAME=apache2 if [ -n "$APACHE_CONFDIR" ] ; then if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}" @@ -53,8 +57,8 @@ # Now, set defaults: -APACHE2CTL="$ENV apache2ctl" -PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE) +APACHE2CTL="${CHROOT} $ENV apache2ctl" +PIDFILE=$(. ${CHRDIR}$APACHE_ENVVARS && echo ${CHRDIR}$APACHE_PID_FILE) APACHE2_INIT_MESSAGE="" CONFTEST_OUTFILE=
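Review bot: the added `SCRIPTNAME=apache2` at the end of the first hunk silently overrides the name just derived from `$0`, so the `APACHE_CONFDIR`/`DIR_SUFFIX` logic below it never sees the `-cacert` suffix and the script keeps the plain apache2 configuration paths (inside the chroot). That is presumably the intent, but it deserves a one-line comment, because it defeats the Debian convention of a second instance living in `/etc/apache2-<suffix>`. In the same hunk `DAEMON=/usr/sbin/$NAME` is left unchanged and still names the host's binary rather than `${CHRDIR}usr/sbin/apache2`; if the remainder of the script uses `$DAEMON` for status or pidof checks, those checks look at the wrong file.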
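Review bot: in the second hunk `APACHE2CTL="${CHROOT} $ENV apache2ctl"` runs whatever `$ENV` expands to, and then `apache2ctl`, inside the chroot, so both must exist under `/home/cacert`; a guard such as `[ -x "${CHRDIR}usr/sbin/apache2ctl" ] || exit 1` near the `CHRDIR` definition would make a half-populated chroot fail with a clear message instead of a chroot error. The new `PIDFILE` line correctly prefixes both the sourced envvars file and the pid path with `${CHRDIR}`, but since `CHRDIR` ends in a slash and `$APACHE_ENVVARS` starts with one the result is `/home/cacert//etc/...`; harmless to the shell, but dropping the trailing slash from `CHRDIR` (and writing `${CHRDIR}${APACHE_ENVVARS}`) keeps paths in messages tidy.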
disable startup of apache2 and enable startup of apache2-cacert:
    $ sudo systemctl disable apache2
    $ sudo systemctl enable apache2-cacert
    $ sudo systemctl start apache2-cacert
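Before switching the startup over to apache2-cacert it pays to check that the chroot the patched init script will enter actually contains what it runs and reads. The following Python is an added example, not a CAcert script: it verifies the files the steps above put into /home/cacert (the apache2ctl and env binaries that `chroot` + `$ENV apache2ctl` need, the envvars file, and the mysql.php created from mysql.php.sample) and that mysql.php, which carries the database password, is not world-readable. The relative path etc/apache2/envvars is an assumption (the stock Debian value of APACHE_ENVVARS); the dry run builds a throw-away mock of the layout in a temporary directory rather than touching /home/cacert.

```python
"""Pre-flight check for the chrooted Apache set up above (added example).

Assumed layout under the chroot directory, taken from the steps on this page
and the patched init script: usr/sbin/apache2ctl and usr/bin/env (executed
through /usr/sbin/chroot), etc/apache2/envvars (assumed to be what
$APACHE_ENVVARS points at, as on stock Debian) and www/includes/mysql.php
(created from mysql.php.sample; holds the MariaDB password).
"""
import os
import stat
import tempfile

REQUIRED_EXECUTABLES = ("usr/sbin/apache2ctl", "usr/bin/env")
REQUIRED_FILES = ("etc/apache2/envvars", "www/includes/mysql.php")
SECRET_FILES = ("www/includes/mysql.php",)


def check_chroot_env(chroot_dir: str) -> list:
    """Return a list of problems; an empty list means the chroot looks usable."""
    problems = []
    for rel in REQUIRED_EXECUTABLES:
        path = os.path.join(chroot_dir, rel)
        if not os.path.isfile(path) or not (os.stat(path).st_mode & stat.S_IXUSR):
            problems.append(f"missing or not executable: {rel}")
    for rel in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(chroot_dir, rel)):
            problems.append(f"missing file: {rel}")
    for rel in SECRET_FILES:
        path = os.path.join(chroot_dir, rel)
        # The web application reads this file as the Apache user; it must not
        # be readable by every account that can reach the filesystem.
        if os.path.isfile(path) and os.stat(path).st_mode & stat.S_IROTH:
            problems.append(f"world-readable secret: {rel}")
    return problems


def build_sample_chroot(base: str, secret_mode: int = 0o640) -> str:
    """Create a constructed mock of the layout (empty files) for a dry run."""
    for rel in REQUIRED_EXECUTABLES + REQUIRED_FILES:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
    for rel in REQUIRED_EXECUTABLES:
        os.chmod(os.path.join(base, rel), 0o755)
    for rel in SECRET_FILES:
        os.chmod(os.path.join(base, rel), secret_mode)
    return base


def demo():
    """Run the check against a mock chroot: leaky config, fixed, then broken."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_chroot(tmp, secret_mode=0o644)
        leaky = check_chroot_env(tmp)
        os.chmod(os.path.join(tmp, "www/includes/mysql.php"), 0o640)
        fixed = check_chroot_env(tmp)
        os.remove(os.path.join(tmp, "usr/sbin/apache2ctl"))
        broken = check_chroot_env(tmp)
    return leaky, fixed, broken


if __name__ == "__main__":
    # For the real system: check_chroot_env("/home/cacert")
    for label, result in zip(("leaky", "fixed", "broken"), demo()):
        print(label, result or "OK")
```

Run it against /home/cacert on the host before `systemctl enable apache2-cacert`; a non-empty list is the reason the init script would otherwise fail at start time or expose the database credentials.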
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | Apache httpd for http://test3.cacert.org/
443/tcp | https | ANY | Apache httpd for https://test3.cacert.org/
3306/tcp | mariadb | local | MySQL database for CAcert web application
5665/tcp | icinga2 | monitor | remote monitoring service
Running services¶
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for the CAcert web application | init script
client.pl | CAcert signer client | init script
cron | job scheduler | systemd unit
dbus-daemon | System message bus | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
MariaDB | MariaDB database server for the CAcert web application | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Postfix | SMTP server for local mail submission | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
server.pl | CAcert signer server | init script
socat | Emulate serial connection between CAcert signer client and server | entry in
Databases¶
RDBMS | Name | Used for
---|---|---
MariaDB | cacert | CAcert web application
Connected Systems¶
Outbound network connections¶
- Infra02 as resolving nameserver
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT and Github
- crl.cacert.org (rsync) for getting CRLs
- ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
- translations.cacert.org (HTTP and HTTPS) for obtaining fresh translations
- arbitrary Internet SMTP servers for outgoing mail
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
See also
Dedicated user roles¶
User | Purpose
---|---
cacertmail | IMAP mailbox user
Todo: clarify why the signer software on test3 is currently running as the root user. The directory /home/cacert/ is owned by root. The signer is running from /home/signer/www/CommModule/server.pl, the client is running from /home/cacert/www/CommModule/client.pl. Both are running as root. Currently no process uses the cacertsigner user.
Non-distribution packages and modifications¶
The setup is similar to Test.
Risk assessments on critical packages¶
The operating system is up-to-date
Critical Configuration items¶
Keys and X.509 certificates¶
- Certificate for CN secure.test3.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/secure_test3_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/secure_test3_cacert_org.pem
- Certificate for CN test3.cacert.org, see details in the certificate list
  - certificate in file /home/cacert/etc/ssl/certs/test3_cacert_org.crt
  - private key in file /home/cacert/etc/ssl/private/test3_cacert_org.pem
Todo: implement monitoring and renewal processes for the server certificates
CA certificates on test3:
The test root certificates are copies from the ones on Test.
Note: there are two directories /etc/root3/ and /etc/root4/ that are supported by the signer but do not contain actual keys and certificates.
openssl configuration for the signer server¶
There are some openssl configuration files used by the server.pl signer that are stored in /etc/ssl/caname-purpose.cnf.
These files are modified with respect to the reference version in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/, the modifications involve recent development patches (CRL serial numbers) and test server adjustments (copied over from test.cacert.org).
Apache httpd configuration¶
Apache httpd is running in a chroot /home/cacert/; its configuration is stored in /home/cacert/etc/apache2.
Postfix configuration¶
Postfix configuration is stored in /etc/postfix.
Postfix is configured to accept mail for test3.cacert.org and localhost; all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp.
Tasks¶
Changes¶
Planned¶
Todo: implement git workflows for updates maybe using Jenkins
System Future¶
Additional documentation¶
References¶
- Apache httpd documentation
- Apache Debian wiki page
- openssl documentation
- Postfix documentation
- Postfix Debian wiki page