[ocserv] Generate the certificates and private keys before the first run
Nikos Mavrogiannopoulos
nmav at fedoraproject.org
Fri Jun 6 15:37:42 UTC 2014
commit 925686a46452fc4ec64b23048ddf38575ef151e7
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Fri Jun 6 17:24:25 2014 +0200
Generate the certificates and private keys before the first run
ocserv.service | 1 +
ocserv.spec | 36 ++++++++----------------------------
2 files changed, 9 insertions(+), 28 deletions(-)
---
diff --git a/ocserv.service b/ocserv.service
index 86fca91..3f6a3e2 100644
--- a/ocserv.service
+++ b/ocserv.service
@@ -9,6 +9,7 @@ After=dbus.service
PrivateTmp=true
Type=forking
PIDFile=/var/run/ocserv.pid
+ExecStartPre=/usr/sbin/ocserv-genkey
ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecReload=/bin/kill -HUP $MAINPID
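Review bot: The added ExecStartPre line runs /usr/sbin/ocserv-genkey on every start of the unit, not only before the first run that the commit message describes, and the script itself (Source7) is not part of this diff, so its guards cannot be checked here. The %pre code this replaces only generated a CA or server key when `test ! -f .../private/ca.key` and `test ! -f .../private/server.key` held; ocserv-genkey needs the same existence checks, otherwise a restart or upgrade could silently replace a key the administrator has already deployed. The old code also relied solely on the 0700 mode of the private directory; the script should set `umask 077` before invoking certtool so the key files themselves are not group/world-readable. Unlike the %pre version, which hid certtool output with `>/dev/null 2>&1`, a failure here should be left visible in the journal and return non-zero so ocserv does not start without a usable certificate; no `User=` appears in the visible part of the unit, so this presumably runs as root — worth confirming that is intended.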
diff --git a/ocserv.spec b/ocserv.spec
index 27665b5..3b7d8f1 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,6 @@
Name: ocserv
Version: 0.8.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenConnect SSL VPN server
# For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -14,6 +14,7 @@ Source3: ocserv-pamd.conf
Source4: PACKAGE-LICENSING
Source5: org.infradead.ocserv.conf
Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
+Source7: ocserv-genkey
Patch1: ocserv-0.8.0-endianness.patch
Patch2: ocserv-0.8.0-cmp.patch
@@ -92,33 +93,6 @@ getent passwd ocserv &>/dev/null || \
mkdir -p %{_sysconfdir}/pki/ocserv/public
mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
-#generate CA certificate/key
-if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then
-certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key >/dev/null 2>&1
-echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
-certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \
- --generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \
- --outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1
-#rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl
-fi
-#generate server certificate/key
-if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then
-certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key >/dev/null 2>&1
-echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
-certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \
- --generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \
- --load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \
- %{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt >/dev/null 2>&1
-#rm -f %{_sysconfdir}/pki/ocserv/server.tmpl
-fi
%post
%systemd_post ocserv.service
@@ -142,6 +116,8 @@ mkdir -p %{buildroot}/%{_unitdir}
install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}
mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/
install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/
+mkdir -p %{buildroot}/%{_sbindir}
+install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir}
%make_install
%clean
@@ -165,10 +141,14 @@ rm -rf %{buildroot}
%{_bindir}/ocpasswd
%{_bindir}/occtl
%{_sbindir}/ocserv
+%{_sbindir}/ocserv-genkey
%{_unitdir}/ocserv.service
%{_localstatedir}/lib/ocserv/profile.xml
%changelog
+* Mon Jun 02 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.8.0-2
+- Generate certificates and private keys before the first run
+
* Mon Jun 02 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.8.0-1
- New upstream release