Red Hat Bugzilla – Attachment 899367 Details for Bug 1101347
CVE-2014-3250 puppet: certificates could be honored even when revoked
Attachment 899367 (patch, obsolete): upstream patch
Filename: puppet-3.6.1-Apache-2.4-requires-explicit-CRL.patch (text/plain), 9.35 KB
Created by: Murray McAllister on 2014-05-27 03:09:26 UTC
>From a04f8fa4c44d4fd73bf600556456acd785d50bd2 Mon Sep 17 00:00:00 2001 >From: Adrien Thebo <git@somethingsinistral.net> >Date: Tue, 13 May 2014 11:51:30 -0700 >Subject: [PATCH] (PUP-2533) Apache 2.4 requires explicit CRL configuration > >In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath >directives were specified then the specified file(s) would be checked >when establishing an SSL connection. Apache 2.4+ the >SSLCARevocationCheck directive was added to control how CRLs were >checked when verifying a connection and had a default value of none. >This means that Apache defaults to ignoring CRLs even if paths are >specified to CRL files. > >This commit updates the debian postinst script for the >puppetmaster-passenger package to set SSLCARevocationCheck directive to >'chain' when Apache 2.4 is installed. This ensures that the the >puppetmaster-passenger vhost respects CRL files in the same way that >Apache 2.2 does by default. >Apache 2.2 > >(maint) extract initial Passenger configuration > >(PUP-2533) Insert SSLCARevocationCheck on upgrade > >diff --git a/ext/debian/puppetmaster-passenger.postinst b/ext/debian/puppetmaster-passenger.postinst >index 2c9f20c..02c71c3 100644 >--- a/ext/debian/puppetmaster-passenger.postinst >+++ b/ext/debian/puppetmaster-passenger.postinst >@@ -3,6 +3,7 @@ > set -e > > sitename="puppetmaster" >+apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)" > > # The debian provided a2* utils in Apache 2.4 uses "site name" as > # argument, while the version in Apache 2.2 uses "file name". >@@ -14,7 +15,6 @@ sitename="puppetmaster" > # This will end in tears⦠> # Can be removed when we only support apache >= 2.4 > apache2_puppetmaster_sitename() { >- apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)" > if dpkg --compare-versions "$apache2_version" gt "2.4~"; then > echo "${sitename}.conf" > else 
>@@ -49,6 +49,91 @@ update_vhost_for_passenger4() { > fi > } > >+# In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath >+# directives were specified then the specified file(s) would be checked when >+# establishing an SSL connection. Apache 2.4+ the SSLCARevocationCheck directive >+# was added to control how CRLs were checked when verifying a connection and had >+# a default value of none. This means that Apache defaults to ignoring CRLs even >+# if paths are specified to CRL files. >+# >+# This function automatically uncomments the SSLCARevocationCheck directive when >+# the currently installed version of Apache is 2.4. >+update_vhost_for_apache24() { >+ if dpkg --compare-versions "$apache2_version" gt "2.4~"; then >+ sed -r -i \ >+ -e "/# SSLCARevocationCheck/s/# //" \ >+ $tempfile >+ fi >+} >+ >+# Update an existing vhost definition with the SSLCARevocationCheck directive >+# on Apache 2.4+. This scans an existing vhost file for the SSLCARevocationCheck >+# directive and adds it to the file after the SSLCARevocationFile directive. >+# >+# See https://tickets.puppetlabs.com/browse/PUP-2533 for more information. >+update_vhost_for_apache24_upgrade() { >+ APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)" >+ >+ if dpkg --compare-versions "$apache2_version" gt "2.4~"; then >+ if ! 
grep -q "^[[:space:]]*SSLCARevocationCheck" $APACHE2_SITE_FILE ; then >+ tempfile=$(mktemp) >+ sed -r \ >+ -e "/SSLCARevocationFile/a\\ SSLCARevocationCheck chain" \ >+ $APACHE2_SITE_FILE > $tempfile >+ mv $tempfile $APACHE2_SITE_FILE >+ fi >+ fi >+} >+ >+ >+create_initial_puppetmaster_vhost() { >+ # Check that puppet master --configprint works properly >+ # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost >+ if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then >+ echo "Puppet config print not working properly, exiting" >+ exit 1 >+ fi >+ >+ # Initialize puppetmaster CA and generate the master certificate >+ # only if the host doesn't already have any puppet ssl certificate. >+ # The ssl key and cert need to be available (eg generated) before >+ # apache2 is configured and started since apache2 ssl configuration >+ # uses the puppetmaster ssl files. >+ if [ ! -e "$(puppet master --configprint hostcert)" ]; then >+ puppet cert generate $(puppet master --configprint certname) >+ fi >+ >+ # Setup apache2 configuration files >+ APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)" >+ if [ ! 
-e "${APACHE2_SITE_FILE}" ]; then >+ tempfile=$(mktemp) >+ sed -r \ >+ -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \ >+ -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \ >+ -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \ >+ -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \ >+ -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \ >+ -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \ >+ -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \ >+ /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile >+ update_vhost_for_passenger4 >+ update_vhost_for_apache24 >+ mv $tempfile "${APACHE2_SITE_FILE}" >+ fi >+ >+ # Enable needed modules >+ a2enmod ssl >+ a2enmod headers >+ a2ensite ${sitename} >+ restart_apache2 >+} >+ >+update_existing_puppetmaster_vhost() { >+ if dpkg --compare-versions "${1}" lt "3.6.2~"; then >+ update_vhost_for_apache24_upgrade >+ fi >+} >+ > if [ "$1" = "configure" ]; then > > # Change the owner of the rack config.ru to be the puppet user 
>@@ -57,47 +142,12 @@ if [ "$1" = "configure" ]; then > then > dpkg-statoverride --update --add puppet puppet 0644 /usr/share/puppet/rack/puppetmasterd/config.ru > fi >- # Setup passenger configuration >- if [ "$2" = "" ]; then > >- # Check that puppet master --configprint works properly >- # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost >- if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then >- echo "Puppet config print not working properly, exiting" >- exit 1 >- fi >- >- # Initialize puppetmaster CA and generate the master certificate >- # only if the host doesn't already have any puppet ssl certificate. >- # The ssl key and cert need to be available (eg generated) before >- # apache2 is configured and started since apache2 ssl configuration >- # uses the puppetmaster ssl files. >- if [ ! -e "$(puppet master --configprint hostcert)" ]; then >- puppet cert generate $(puppet master --configprint certname) >- fi >- >- # Setup apache2 configuration files >- APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)" >- if [ ! 
-e "${APACHE2_SITE_FILE}" ]; then >- tempfile=$(mktemp) >- sed -r \ >- -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \ >- -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \ >- -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \ >- -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \ >- -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \ >- -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \ >- -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \ >- /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile >- update_vhost_for_passenger4 >- mv $tempfile "${APACHE2_SITE_FILE}" >- fi >- >- # Enable needed modules >- a2enmod ssl >- a2enmod headers >- a2ensite ${sitename} >- restart_apache2 >+ # Setup puppetmaster passenger vhost >+ if [ "$2" = "" ]; then >+ create_initial_puppetmaster_vhost >+ else >+ update_existing_puppetmaster_vhost $2 > fi > > # Fix CRL file on upgrade to use the CA crl file instead of the host crl. >diff --git a/ext/rack/example-passenger-vhost.conf b/ext/rack/example-passenger-vhost.conf >index 860e6f3..79059d1 100644 >--- a/ext/rack/example-passenger-vhost.conf >+++ b/ext/rack/example-passenger-vhost.conf 
>@@ -28,6 +28,10 @@ Listen 8140 > # If Apache complains about invalid signatures on the CRL, you can try disabling > # CRL checking by commenting the next line, but this is not recommended. > SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem >+ # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none >+ # which effectively disables CRL checking; if you are using Apache 2.4+ you must >+ # specify 'SSLCARevocationCheck chain' to actually use the CRL. >+ # SSLCARevocationCheck chain > SSLVerifyClient optional > SSLVerifyDepth 1 > # The `ExportCertData` option is needed for agent certificate expiration warnings >-- >1.8.4.3 >
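Review bot: in the first hunk (`@@ -3,6 +3,7 @@`), the new top-level `apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"` now runs unconditionally under `set -e`, so any invocation of the postinst where `dpkg-query --show apache2` exits non-zero (apache2 not installed yet) aborts the whole script before it reaches the `configure` branch, whereas before the query only ran inside `apache2_puppetmaster_sitename()`. Either guard it, e.g. `apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2 2>/dev/null || true)"` and treat an empty value as "not 2.4" in the two `dpkg --compare-versions` tests, or state in the commit message that apache2 is a hard dependency so the failure mode is deliberate.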
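Review bot: in the `@@ -49,6 +49,91 @@` hunk, `update_vhost_for_apache24_upgrade` silently does nothing when the existing vhost has no `SSLCARevocationFile` line: the `sed -e "/SSLCARevocationFile/a\\ SSLCARevocationCheck chain"` only appends after a line containing that string, so such a server stays on Apache 2.4's default of `none` and keeps accepting revoked agent certificates after the upgrade, with no message to the admin. Suggest verifying that the directive was actually inserted (grep `$tempfile` before the `mv`) and printing a warning that points at PUP-2533 when it was not. Two smaller points in the same function: the pattern also matches a commented-out `# SSLCARevocationFile` line and would insert an active `SSLCARevocationCheck chain` after a disabled file directive, so anchor on `^[[:space:]]*SSLCARevocationFile` like the `grep -q` guard above it does; and `$APACHE2_SITE_FILE` and `$tempfile` are unquoted in the `grep`, `sed` and `mv` calls while the same variable is quoted as `"${APACHE2_SITE_FILE}"` in `create_initial_puppetmaster_vhost`. Note also that, unlike `create_initial_puppetmaster_vhost`, which ends with `restart_apache2`, the upgrade path in this hunk does not reload Apache, so the new directive only takes effect once something later in the script or the admin restarts it.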
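Review bot: in the `@@ -57,47 +142,12 @@` hunk, `update_existing_puppetmaster_vhost $2` passes the previously installed version unquoted; quote it as `"$2"` like the surrounding `[ "$2" = "" ]` test. More importantly, the gate `dpkg --compare-versions "${1}" lt "3.6.2~"` applies the CRL fix exactly once, on the first upgrade from a pre-3.6.2 package; if Apache is upgraded from 2.2 to 2.4 after puppetmaster-passenger is already at 3.6.2, or the admin recreates the vhost later, nothing re-adds `SSLCARevocationCheck`. Since `update_vhost_for_apache24_upgrade` is already idempotent (it checks `grep -q "^[[:space:]]*SSLCARevocationCheck"` before editing), it could safely run on every `configure` without the version gate; if the gate is kept, the commit message should say that the fix is one-shot.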
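Review bot: in the `example-passenger-vhost.conf` hunk, the new line ships as `# SSLCARevocationCheck chain`, i.e. commented out, so an Apache 2.4 user who copies the example as-is still has CRL checking disabled unless they read the comment above it, even though the earlier comment already says that disabling CRL checking "is not recommended". If the line must stay commented so the same example still loads on Apache 2.2 (where, per the commit message, the directive does not exist), say so explicitly in the comment, for example "uncomment this line on Apache 2.4+; Apache 2.2 does not accept this directive", so the reader knows both why it is off and what to do.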