fixed #10. docker cert generation works

outbit · Sep 24, 2016 · 9f477e1 · 9f477e1
1 parent 9658c88
commit 9f477e1
Show file tree

Hide file tree

Showing 12 changed files with 17 additions and 14 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -28,20 +28,22 @@ COPY ./httpd-pivportal.conf /etc/apache2/sites-enabled/
 RUN chown root: /etc/apache2/sites-enabled/httpd-pivportal.conf && chmod 755 /etc/apache2/sites-enabled/httpd-pivportal.conf
 
 # SSL CA Certificate For Client Cert
-RUN openssl genrsa -nodes -out /etc/ssl/certs/pivportalClientCA.key 4096
-RUN openssl req -new -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=pivportalclient" -days 3650 -key /etc/ssl/certs/pivportalClientCA.key -out /etc/ssl/certs/pivportalClientCA.crt
+RUN cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /root/pivportal_ca_pw.txt
+RUN cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /root/pivportal_cl_pw.txt
+RUN openssl genrsa -aes256 -passout pass:$(cat /root/pivportal_ca_pw.txt) -out /etc/ssl/private/pivportalClientCA.key 4096
+RUN openssl req -new -x509 -passin pass:$(cat /root/pivportal_ca_pw.txt) -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=pivportalclient" -days 3650 -key /etc/ssl/private/pivportalClientCA.key -out /etc/ssl/private/pivportalClientCA.crt
 
 # SSL Create the Client Key and CSR
-RUN openssl genrsa -nodes -out /etc/ssl/certs/pivportalClient.key 1024
-RUN openssl req -new -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=testhost" -key /etc/ssl/certs/pivportalClient.key -out /etc/ssl/certs/pivportalClient.csr
+RUN openssl genrsa -aes256 -passout pass:$(cat /root/pivportal_cl_pw.txt) -out /etc/ssl/private/pivportalClient.key 1024
+RUN openssl req -new -passin pass:$(cat /root/pivportal_cl_pw.txt) -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=pivportalclient" -key /etc/ssl/private/pivportalClient.key -out /etc/ssl/private/pivportalClient.csr
 
 # SSL Sign the client certificate with our CA cert.
-RUN openssl x509 -req -days 3650 -in /etc/ssl/certs/pivportalClient.csr -CA /etc/ssl/certs/pivportalClientCA.crt -CAkey /etc/ssl/certs/pivportalClientCA.key -set_serial 01 -out /etc/ssl/certs/pivportalClient.crt
-RUN cat /etc/ssl/certs/pivportalClient.crt /etc/ssl/certs/pivportalClient.key > /etc/ssl/certs/pivportalClient.pem
+RUN openssl x509 -req -days 3650 -passin pass:$(cat /root/pivportal_ca_pw.txt) -in /etc/ssl/private/pivportalClient.csr -CA /etc/ssl/private/pivportalClientCA.crt -CAkey /etc/ssl/private/pivportalClientCA.key -set_serial 01 -out /etc/ssl/private/pivportalClient.crt
+RUN cat /etc/ssl/private/pivportalClient.crt /etc/ssl/private/pivportalClient.key > /etc/ssl/private/pivportalClient.pem
 
 # SSL Server Cert
-RUN openssl req -new -nodes -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=testhost" -days 3650 -keyout /etc/ssl/certs/pivportal.key -out /etc/ssl/certs/pivportal.crt -extensions v3_ca || true
-RUN chown pivportal: /etc/ssl/certs/pivportal* && chmod 440 /etc/ssl/certs/pivportal*
+RUN openssl req -new -nodes -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=testhost" -days 3650 -keyout /etc/ssl/private/pivportal.key -out /etc/ssl/private/pivportal.crt -extensions v3_ca || true
+RUN chown pivportal: /etc/ssl/private/pivportal* && chmod 440 /etc/ssl/private/pivportal*
 
 # Log file
 RUN touch /var/log/pivportal.log && chmod 755 /var/log/pivportal.log && chown pivportal: /var/log/pivportal.log

diff --git a/docker/httpd-pivportal.conf b/docker/httpd-pivportal.conf
@@ -6,26 +6,27 @@ NameVirtualHost *:80
 
 <VirtualHost *:80>
     ServerName pivportal
-    DocumentRoot /tmp/pivportal/pivportal/lib/pivportal/data_files/
+    DocumentRoot /usr/local/lib/python2.7/dist-packages/pivportal/data_files/
     Redirect permanent / https://pivportal/
 </VirtualHost>
 
 <VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/ssl/private/pivportal.crt
     SSLCertificateKeyFile /etc/ssl/private/pivportal.key
-#    SSLCARevocationFile /etc/ssl/private/pivportal.crl
     SSLCACertificateFile /etc/ssl/private/pivportalCA.crt
+    # Uncomment for CRL
+    # SSLCARevocationFile /etc/ssl/private/pivportal.crl
 
     # Client
     SSLVerifyClient require
     SSLVerifyDepth  5
 
     ServerName pivportal
-    DocumentRoot /tmp/pivportal/pivportal/lib/pivportal/data_files/
+    DocumentRoot /usr/local/lib/python2.7/dist-packages/pivportal/data_files/
     DirectoryIndex index.html
 
-    <Directory /tmp/pivportal/pivportal/lib/pivportal/data_files/>
+    <Directory /usr/local/lib/python2.7/dist-packages/pivportal/data_files/>
         Allow from all
         Order allow,deny
         AllowOverride All
@@ -65,10 +66,10 @@ NameVirtualHost *:80
     SSLVerifyDepth  5
 
     ServerName pivportal_client
-    DocumentRoot /tmp/pivportal/pivportal/lib/pivportal/data_files/
+    DocumentRoot /usr/local/lib/python2.7/dist-packages/pivportal/data_files/
     DirectoryIndex index.html
 
-    <Directory /tmp/pivportal/pivportal/lib/pivportal/data_files/>
+    <Directory /usr/local/lib/python2.7/dist-packages/pivportal/data_files/>
         Allow from all
         Order allow,deny
         AllowOverride All

diff --git a/...tal/lib/pivportal/data_files/css/main.css → ...vportal/data_files/pivportal/css/main.css b/...tal/lib/pivportal/data_files/css/main.css → ...vportal/data_files/pivportal/css/main.css
diff --git a/...b/pivportal/data_files/imgs/pivportal.ico → ...l/data_files/pivportal/imgs/pivportal.ico b/...b/pivportal/data_files/imgs/pivportal.ico → ...l/data_files/pivportal/imgs/pivportal.ico
diff --git a/...ortal/lib/pivportal/data_files/index.html → ...pivportal/data_files/pivportal/index.html b/...ortal/lib/pivportal/data_files/index.html → ...pivportal/data_files/pivportal/index.html
diff --git a/.../pivportal/data_files/js/angular-route.js → .../data_files/pivportal/js/angular-route.js b/.../pivportal/data_files/js/angular-route.js → .../data_files/pivportal/js/angular-route.js
diff --git a/...al/lib/pivportal/data_files/js/angular.js → ...portal/data_files/pivportal/js/angular.js b/...al/lib/pivportal/data_files/js/angular.js → ...portal/data_files/pivportal/js/angular.js
diff --git a/pivportal/lib/pivportal/data_files/js/app.js → .../pivportal/data_files/pivportal/js/app.js b/pivportal/lib/pivportal/data_files/js/app.js → .../pivportal/data_files/pivportal/js/app.js
diff --git a/...ib/pivportal/data_files/js/controllers.js → ...al/data_files/pivportal/js/controllers.js b/...ib/pivportal/data_files/js/controllers.js → ...al/data_files/pivportal/js/controllers.js
diff --git a/...pivportal/data_files/js/satellizer.min.js → ...data_files/pivportal/js/satellizer.min.js b/...pivportal/data_files/js/satellizer.min.js → ...data_files/pivportal/js/satellizer.min.js
diff --git a/...ib/pivportal/data_files/js/toaster.min.js → ...al/data_files/pivportal/js/toaster.min.js b/...ib/pivportal/data_files/js/toaster.min.js → ...al/data_files/pivportal/js/toaster.min.js
diff --git a/.../pivportal/data_files/templates/dash.html → .../data_files/pivportal/templates/dash.html b/.../pivportal/data_files/templates/dash.html → .../data_files/pivportal/templates/dash.html