Package: dovecot-common
Version: 0.99.13-3
Followup-For: Bug #292344
When I upgrade dovecot, the postinst script crashes when testing SSL certificates.
I found 2 problems in this script:
* certs can't be generated if openssl is not configured; in this case the
openssl req crashes and the upgrade is aborted.
* the second problem is minor: the script wants the cert to be named
/etc/ssl/certs/dovecot/pem (and /etc/ssl/private/dovecot.pem for the key)
but that is not the case on my system, so the script wants to generate new
certs.
I try to correct these two problems in the patch above by reading the real
paths of the files from the dovecot config file and not exiting the script if
a problem occurs in cert generation.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-1) (ignored:
LC_ALL set to fr_FR)
Versions of packages dovecot-common depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libldap2 2.1.30-3 OpenLDAP libraries
ii libmysqlclient10 3.23.56-2 LGPL-licensed client library for M
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libpq3 7.4.6-6 PostgreSQL C client library
ii libsasl2 2.1.19-1.5 Authentication abstraction library
ii libssl0.9.7 0.9.7e-2 SSL shared libraries
ii openssl 0.9.7e-2 Secure Socket Layer (SSL) binary a
ii zlib1g 1:1.2.2-3 compression library - runtime
-- no debconf information
*** /home/pauget/patch
diff -Nur dovecot-common.postinst.orig dovecot-common.postinst
--- dovecot-common.postinst.orig 2005-01-25 20:53:42.000000000 +0100
+++ dovecot-common.postinst 2005-01-26 15:38:36.000000000 +0100
@@ -10,33 +10,42 @@
if [ -z "`id -u dovecot 2> /dev/null`" ]; then
/usr/sbin/adduser --system --group --home /usr/lib/dovecot --gecos
"Dovecot mail server" --disabled-password --quiet dovecot || true
fi
+
+ ## SSL Certs
+ # Certs and key file
+ SSL_CERT=$((grep -s ssl_cert_file /etc/dovecot/dovecot.conf || echo
'/etc/ssl/certs/dovecot.pem') | cut -d'=' -f2)
+ SSL_KEY=$((grep -s ssl_cert_file /etc/dovecot/dovecot.conf || echo
'/etc/ssl/private/dovecot.pem') | cut -d'=' -f2)
+
+ # Certs from imapd
if [ -f /etc/ssl/certs/imapd.pem ]; then
- if [ -f /etc/ssl/certs/dovecot.pem ]; then
+ if [ -f $SSL_CERT ]; then
rm -f /etc/ssl/certs/imapd.pem
find /etc/ssl/certs -lname imapd.pem -exec rm -f \{} \;
else
- mv /etc/ssl/certs/imapd.pem /etc/ssl/certs/dovecot.pem
- find /etc/ssl/certs -lname imapd.pem -exec ln -sf \{} dovecot.pem \;
+ mv /etc/ssl/certs/imapd.pem $SSL_CERT
+ find /etc/ssl/certs -lname imapd.pem -exec ln -sf \{} $SSL_CERT \;
fi
fi
if [ -f /etc/ssl/private/imapd.pem ]; then
- if [ -f /etc/ssl/private/dovecot.pem ]; then
+ if [ -f $SSL_KEY ]; then
rm -f /etc/ssl/private/imapd.pem
else
- mv /etc/ssl/private/imapd.pem /etc/ssl/private/dovecot.pem
+ mv /etc/ssl/private/imapd.pem $SSL_KEY
fi
fi
- if ! [ -f /etc/ssl/certs/dovecot.pem -a -f /etc/ssl/private/dovecot.pem ];
then
- echo "You already have /etc/ssl/certs/dovecot.pem"
+
+ # Generate new certs if needed
+ if [ -f $SSL_CERT -a -f $SSL_KEY ]; then
+ echo "You already have ssl certs for dovecot."
else
- echo "Creating generic self-signed certificate: /etc/ssl/certs/dovecot.pem"
+ echo "Creating generic self-signed certificate: $SSL_CERT"
echo "(replace with hand-crafted or authorized one if needed)."
cd /etc/ssl/certs
PATH=$PATH:/usr/bin/ssl
HOSTNAME=`hostname -s`
FQDN=`hostname -f`
MAILNAME=`cat /etc/mailname 2> /dev/null || hostname -f`
- openssl req -new -x509 -days 365 -nodes -out dovecot.pem -keyout
../private/dovecot.pem > /dev/null 2>&1 <<+
+ (openssl req -new -x509 -days 365 -nodes -out $SSL_CERT -keyout $SSL_KEY >
/dev/null 2>&1 <<+
.
.
.
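Review bot: SSL_KEY is read from the wrong setting. The second assignment greps `ssl_cert_file` again, so whenever dovecot.conf sets that option SSL_KEY becomes the certificate path, and the later `mv /etc/ssl/private/imapd.pem $SSL_KEY` and `openssl req ... -out $SSL_CERT -keyout $SSL_KEY` put the private key at the certificate's location; it should look up the key option (`ssl_key_file`) instead. The lookup is also fragile: the unanchored grep matches commented-out lines and can return several lines, and `cut -d'=' -f2` keeps surrounding whitespace, so anchor the pattern at the start of the line, take only the first match, trim it, and quote "$SSL_CERT" and "$SSL_KEY" in every `[ -f ... ]`, `mv`, `find` and `openssl` use. Writing `$( (grep ...` with a space avoids the `$((` being read as the start of an arithmetic expansion.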
@@ -45,13 +54,14 @@
$FQDN
[EMAIL PROTECTED]
+
+) || echo "Warning : Bad SSL config, can't generate certificate"
fi
- chown root /etc/ssl/certs/dovecot.pem || true
- chgrp dovecot /etc/ssl/certs/dovecot.pem || true
- chmod 0644 /etc/ssl/certs/dovecot.pem || true
- chown root /etc/ssl/private/dovecot.pem || true
- chgrp dovecot /etc/ssl/private/dovecot.pem || true
- chmod 0600 /etc/ssl/private/dovecot.pem || true
+ chown root $SSL_CERT 2>/dev/null || true
+ chgrp dovecot $SSL_CERT 2>/dev/null || true
+ chmod 0644 $SSL_CERT 2>/dev/null || true
+ chown root $SSL_KEY 2>/dev/null || true
+ chgrp dovecot $SSL_KEY 2>/dev/null || true
+ chmod 0600 $SSL_KEY 2>/dev/null || true
fi
# Automatically added by dh_installinit
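Review bot: the `2>/dev/null || true` added to `chmod 0600 $SSL_KEY` (and to the chown/chgrp lines) hides any failure to restrict the private key, not only the missing-file case that this change needs to tolerate after a failed generation. Guard the six commands with a check that the file exists and let real errors reach the terminal, with the variables quoted. In the same hunk, `) || echo "Warning : Bad SSL config, can't generate certificate"` fires after openssl's output has already been sent to /dev/null and prints on stdout, so the administrator gets no reason for the failure; send the warning to stderr and keep openssl's stderr visible.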