From 5eef3088cbdc6c095719aa1bea7a1369b51514b5 Mon Sep 17 00:00:00 2001
From: Peter Hormanns
Date: Fri, 7 Aug 2015 14:33:33 +0200
Subject: [PATCH] Support SSL-Cert per Domain (SNI)
---
 .../mods/dom/DomainProcessorFactory.java | 22 +++++++++----------
 .../src/de/hsadmin/mods/dom/apache-vhost.vm | 7 +++---
 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
index f6c0cdf..577d908 100644
--- a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
+++ b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
@@ -256,25 +256,25 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 return domDirsProcessor;
 }
 
- private Processor createApacheVHostSetupProcessor(EntityManager em, Domain dom) throws ProcessorException {
- Map templateVars = new HashMap();
+ private Processor createApacheVHostSetupProcessor(final EntityManager em, final Domain dom) throws ProcessorException {
+ final Map templateVars = new HashMap();
 templateVars.put("dynamicWeb", new Boolean(dom.isDynamic()));
- String domName = dom.getName();
+ final String domName = dom.getName();
 int level = domName.split("\\.").length;
- String linkPrefix = Integer.toString(100 - level);
- String pac = dom.getUser().getPac().getName();
- Query query = em.createQuery("SELECT d FROM Domains d WHERE d.domainoptions.name = :option AND d.name = :domname");
+ final String linkPrefix = Integer.toString(100 - level);
+ final Query query = em.createQuery("SELECT d FROM Domains d WHERE d.domainoptions.name = :option AND d.name = :domname");
 query.setParameter("domname", dom.getName());
 ifOption(templateVars, query, "indexes", "+Indexes", "-Indexes");
 ifOption(templateVars, query, "includes", "+IncludesNoExec", "-Includes");
 ifOption(templateVars, query, "multiviews", "+MultiViews", "-MultiViews");
 ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE);
- Processor domSetupProcessor = new CompoundProcessor(
+ final Processor domSetupProcessor = new CompoundProcessor(
+ new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled/" + dom.getUser().getName() + " && " +
+ "mkdir -p $PEMS_DIR/ && " +
+ "cd $PEMS_DIR && " +
+ "echo \"\" > " + domName + ".chain && " +
+ "openssl req -x509 -newkey rsa:2048 -keyout " + domName + ".key -out " + domName + ".crt -days 1100 -nodes -subj '/CN=" + domName + "'"),
 new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/" + domName + ".tmp", "root", "root", "644", true),
- new ShellProcessor("ls 
/etc/apache2/pems/" + pac + ".pem >/dev/null 2>&1" +
- " && sed -i '/SSLCertificate.*default/d' " + "/etc/apache2/sites-available/" + domName + ".tmp" +
- " && (ls /etc/apache2/pems/" + pac + ".chain.pem >/dev/null 2>&1 || sed -i '/SSLCertificateChain.*" + pac + "/d' " + "/etc/apache2/sites-available/" + domName + ".tmp )" +
- " || sed -i '/SSLCertificate.*" + pac + "/d' " + "/etc/apache2/sites-available/" + domName + ".tmp"),
 new ShellProcessor( " (diff -q /etc/apache2/sites-available/" + domName + ".tmp /etc/apache2/sites-available/" + domName +
 " && rm /etc/apache2/sites-available/" + domName + ".tmp ) " +
 " || (mv /etc/apache2/sites-available/" + domName + ".tmp /etc/apache2/sites-available/" + domName +
diff --git a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
index b98de63..e4fdd2d 100644
--- a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
+++ b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
@@ -90,10 +90,9 @@
 #end
 SSLEngine On
- SSLCertificateFile /etc/apache2/pems/default.pem
- SSLCertificateChainFile /etc/apache2/pems/default.chain.pem
- SSLCertificateFile /etc/apache2/pems/${pac.name}.pem
- SSLCertificateChainFile /etc/apache2/pems/${pac.name}.chain.pem
+ SSLCertificateFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.crt
+ SSLCertificateKeyFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.key
+ SSLCertificateChainFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.chain
 DocumentRoot /home/doms/${dom.name}/htdocs-ssl
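Review bot: The added ShellProcessor regenerates the private key and certificate and truncates the `.chain` file on every run of createApacheVHostSetupProcessor, so a CA-issued certificate or chain that an operator has placed in `/etc/apache2/pems-enabled/<user>/` is silently replaced by a fresh self-signed one the next time the domain is (re)configured; guard the generation with an existence check, e.g. `"[ -e " + domName + ".key ] || ( echo \"\" > " + domName + ".chain && " +` in place of the current `echo` line and `+ "' )"` closing the `openssl req` line, so an existing key/certificate pair is never overwritten. The mode of the new directory and of the `.key` file depends on the umask of the process that runs the ShellProcessor, which is not visible here; prefixing the command with `"umask 077 && "` (or adding a `chmod 600` on the `.key`) would keep the private key unreadable to other users regardless of that umask. As in the removed `pac`-based command, domName and now also the user name are spliced unquoted into a shell command line and into a filesystem path, so this relies on both values being validated at the API boundary — worth confirming, since a single-quote in the CN would also break the `-subj` argument. The body of createApacheVHostSetupProcessor continues past the end of the hunk.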