projects / apache2-cn.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Using umask while generating SSL certificates (carnet-generate-ssl).
[apache2-cn.git] / debian / postinst
diff --git a/debian/postinst b/debian/postinst
index cca66c1..19da2b1 100755 (executable)
--- a/debian/postinst
+++ b/debian/postinst
@@ -488,11 +488,8 @@ fi
 
 # Add VirtualHosts.
 #
-db_fget apache2-cn/wwwhost seen
-if [ "$RET" != "true" ]; then
-
-    db_get apache2-cn/wwwhost || true
-    if [ "$RET" = "true" ]; then
+db_get apache2-cn/wwwhost || true
+if [ "$RET" = "true" ]; then
 
        # Add WWW VirtualHost.
        if [ -f "$CONFDIR/sites-available/$FQDN" ]; then
@@ -503,13 +500,13 @@ if [ "$RET" != "true" ]; then
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/$FQDN"
-       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then
                install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN
                need_restart=1
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN"
-       if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 ]; then
                install_vhost default www.$DOMAIN www.$DOMAIN
                need_restart=1
        fi
@@ -521,11 +518,10 @@ if [ "$RET" != "true" ]; then
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/$FQDN"
-       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then
                install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
                need_restart=1
        fi
-    fi
 fi
 
 
@@ -554,7 +550,7 @@ if [ $apache2_sslcert -eq 0 ]; then
        if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then
 
                SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX)
-               temp_files="${temp_files} ${SSLTMP}"
+               temp_files="${temp_files} ${SSLTMP} ${SSLTMP}.cn-old"
                cp ${CONFDIR}/sites-available/ssl $SSLTMP
 
                # SSLCertificateFile
@@ -579,13 +575,26 @@ if [ $apache2_sslcert -eq 0 ]; then
                need_restart=1
 
                # Just to be sure.
-               if [ -e "$SSLTMP" ]; then
-                       rm -f $SSLTMP
-               fi
+               [ -e "${SSLTMP}" ] && rm -f ${SSLTMP}
+               [ -e "${SSLTMP}.cn-old" ] && rm -f ${SSLTMP}.cn-old
        fi
 fi
 
 
+# Check file access permissions and group ownership for SSL certificates.
+#
+cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates."
+sslkey=/etc/ssl/private
+sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key
+         ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr"
+for certf in $sslcerts; do
+       if [ -f "$certf" ]; then
+           chgrp www-data $certf
+           chmod 640 $certf
+       fi
+done
+
+
 # Check for CustomLog, ErrorLog and TransferLog in Apache2 configuration.
 #
 cp_echo "CN: Checking Apache2 CustomLog, ErrorLog and TransferLog directives."
@@ -694,6 +703,7 @@ cp_mail "$PKG"
 # (re)generate monit.d files if monit-cn is installed.
 #
 if [ -x "/usr/sbin/update-monit.d" ]; then
+       cp_echo "CN: Updating monit configuration..."
        update-monit.d || true
 fi
 
apache2-cn