Using umask while generating SSL certificates (carnet-generate-ssl).
[apache2-cn.git] / debian / postinst
index e9923d7..19da2b1 100755 (executable)
@@ -37,7 +37,7 @@ PORTCONF="$CONFDIR/ports.conf"
 A2CNDIR=/usr/share/apache2-cn
 TMPLDIR=$A2CNDIR/templates
 CERTDIR=/etc/ssl/certs
-A2PHPINI="/etc/php4/apache2/php.ini"
+A2PHPINI="/etc/php5/apache2/php.ini"
 
 HOST=$(hostname)
 FQDN=$(hostname --fqdn)
@@ -137,6 +137,9 @@ conf_log_fix () {
                    $conf_file > $out
                mv $out $conf_file
            fi
+           
+           # Be sure..
+           chmod 644 $conf_file
        fi
 }
 
@@ -156,15 +159,20 @@ generate_ssl () {
 #   Check if port 443 is configured in ports.conf file.
 #
 listen_ssl() {
-       
-       if ! egrep -iq "^[[:space:]]*Listen[[:space:]]*.*443$" "$PORTCONF"; then
+
+       if [ ! -f "$PORTCONF" ] || ! egrep -iq "^[[:space:]]*Listen[[:space:]]*.*443$" "$PORTCONF"; then
        
                cp_echo "CN: Enabling SSL port (443) for Apache2 web server."
 
                out=$(mktemp ${PORTCONF}.XXXXXX)
-               cp $PORTCONF $out
+               
+               if [ -f "$PORTCONF" ]; then
+                       cp $PORTCONF $out
+               fi
+               
                echo "Listen 443" >> $out
                cp_mv $out $PORTCONF
+               chmod 644 $PORTCONF
                
                need_restart=1
                temp_files="${temp_files} ${out}"
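Review bot: With the new `[ -f "$PORTCONF" ]` guard, a missing ports.conf is replaced by a file containing only `Listen 443`, so plain HTTP on port 80 would no longer be listened on unless another config declares it; if that is intended, say so in a comment next to the guard, otherwise also seed the new file with `Listen 80` before the 443 line. The added `chmod 644 $PORTCONF` is needed because `mktemp` creates `$out` as 0600, which deserves a one-line comment such as `# $out was created 0600 by mktemp; ports.conf must stay world-readable.` Quote the paths on the new lines: `cp -- "$PORTCONF" "$out"`, `echo "Listen 443" >> "$out"`, `chmod 644 -- "$PORTCONF"`. listen_ssl continues past the end of this hunk.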
@@ -311,13 +319,14 @@ trap cleanup 0 1 2 15
 
 
 # Make sure that monit conf for Apache is disabled.
+#
 if [ -f "/etc/monit.d/apache1.conf" ]; then
        mv /etc/monit.d/apache1.conf /etc/monit.d/apache1.conf.disabled
        pkill -9 -f /usr/sbin/monit || true
 fi
 
 
-# First of all - stop Apache web server, make sure Apache is NOT running.
+# Make sure Apache is NOT running.
 #
 if [ -x /usr/sbin/invoke-rc.d ]; then
        [ -x /usr/sbin/apache ] && invoke-rc.d apache stop || true
@@ -358,7 +367,7 @@ if [ $backup_done -eq 1 ]; then
 fi
 
 
-# Enable Apache2 web server modules (cgi, rewrite, userdir, suexec, php4, ssl).
+# Enable Apache2 web server modules (cgi, rewrite, userdir, suexec, php5, ssl).
 #
 if [ -e "$CONF" ]; then
 
@@ -386,10 +395,20 @@ if [ -e "$CONF" ]; then
                need_restart=1
        fi
 
+       if [ ! -e "$A2MODEDIR/php5.load" ] || [ ! -e "$A2MODEDIR/php5.conf" ]; then
+           if [ -e "/usr/lib/apache2/modules/libphp5.so" ]; then
+               cp_echo "CN: Enabling PHP5 module for Apache2 web server."
+               a2enmod php5 >/dev/null || true
+               need_restart=1
+           fi
+       fi
+
        if [ ! -e "$A2MODEDIR/php4.load" ] || [ ! -e "$A2MODEDIR/php4.conf" ]; then
+            if [ -e "/usr/lib/apache2/modules/libphp4.so" ]; then
                cp_echo "CN: Enabling PHP4 module for Apache2 web server."
                a2enmod php4 >/dev/null || true
                need_restart=1
+            fi
        fi
 
        if [ ! -e "$A2MODEDIR/ssl.load" ] || [ ! -e "$A2MODEDIR/ssl.conf" ]; then
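Review bot: `a2enmod php5 >/dev/null || true` swallows a failure of a2enmod while the following `need_restart=1` is set regardless, so a failed enable still triggers a restart and produces no diagnostic; the php4 block below has the same shape. Make the restart conditional on success: `if a2enmod php5 >/dev/null; then need_restart=1; else cp_echo "CN: Warning: a2enmod php5 failed."; fi`. The inner `if`/`fi` lines of the new php5 block and of the added php4 guard sit at different depths (4 and 5 columns deeper than their enclosing `if`) and appear to mix spaces with the file's existing indentation; pick one. The outer `if [ -e "$CONF" ]` this hunk sits in starts and ends outside the hunk.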
@@ -481,17 +500,17 @@ if [ "$RET" = "true" ]; then
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/$FQDN"
-       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then
                install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN
                need_restart=1
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN"
-       if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 ]; then
                install_vhost default www.$DOMAIN www.$DOMAIN
                need_restart=1
        fi
-else
+    else
 
        # No WWW VirtualHost.
        if [ -f "$CONFDIR/sites-available/$FQDN" ]; then
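Review bot: The `else` at the end of this hunk has been re-indented to four spaces while the `if [ "$RET" = "true" ]` it pairs with starts at column 0; it still runs, but it misleads a reader about nesting and should go back to column 0. The simplified `[ $RET -eq 0 ]` tests (here and in the next hunk) leave `$RET` unquoted, so if chk_conf_tag ever leaves RET empty the test degrades to `[ -eq 0 ]` and errors; prefer `[ "$RET" -eq 0 ]`. Whether dropping the `-f "$CONFOLD"` condition is meant to reinstall the vhost on every run where chk_conf_tag reports 0 cannot be told from here; a comment above the first test stating the intended trigger would help the next maintainer.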
@@ -499,7 +518,7 @@ else
        fi
 
        chk_conf_tag "$CONFDIR/sites-available/$FQDN"
-       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then
                install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
                need_restart=1
        fi
@@ -531,7 +550,7 @@ if [ $apache2_sslcert -eq 0 ]; then
        if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then
 
                SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX)
-               temp_files="${temp_files} ${SSLTMP}"
+               temp_files="${temp_files} ${SSLTMP} ${SSLTMP}.cn-old"
                cp ${CONFDIR}/sites-available/ssl $SSLTMP
 
                # SSLCertificateFile
@@ -546,9 +565,9 @@ if [ $apache2_sslcert -eq 0 ]; then
 
                # SSLCertificateChainFile
                if [ -n "$apache2_sslccf" ]; then
-               cp_check_and_sed "^# SSLCertificateChainFile \/etc\/ssl\/certs/sureserverEDU\.pem" \
-                   "s#\# SSLCertificateChainFile /etc/ssl/certs/sureserverEDU.pem#SSLCertificateChainFile $apache2_sslccf #g" \
-                   $SSLTMP || true
+                   cp_check_and_sed "^# SSLCertificateChainFile \/etc\/ssl\/certs/sureserverEDU\.pem" \
+                       "s#\# SSLCertificateChainFile /etc/ssl/certs/sureserverEDU.pem#SSLCertificateChainFile $apache2_sslccf #g" \
+                       $SSLTMP || true
                fi
 
                cp_mv $SSLTMP ${CONFDIR}/sites-available/ssl
@@ -556,13 +575,26 @@ if [ $apache2_sslcert -eq 0 ]; then
                need_restart=1
 
                # Just to be sure.
-               if [ -e "$SSLTMP" ]; then
-                       rm -f $SSLTMP
-               fi
+               [ -e "${SSLTMP}" ] && rm -f ${SSLTMP}
+               [ -e "${SSLTMP}.cn-old" ] && rm -f ${SSLTMP}.cn-old
        fi
 fi
 
 
+# Check file access permissions and group ownership for SSL certificates.
+#
+cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates."
+sslkey=/etc/ssl/private
+sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key
+         ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr"
+for certf in $sslcerts; do
+       if [ -f "$certf" ]; then
+           chgrp www-data $certf
+           chmod 640 $certf
+       fi
+done
+
+
 # Check for CustomLog, ErrorLog and TransferLog in Apache2 configuration.
 #
 cp_echo "CN: Checking Apache2 CustomLog, ErrorLog and TransferLog directives."
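Review bot: The new permission loop gives group `www-data` read access (`chmod 640`) to `ca.key` and `apache2-ca.key` as well as to the server key; the CA signing keys are not something the web server process needs to open (apache2 normally reads its own key as root at startup before dropping privileges), so this widens access to the most sensitive files in `/etc/ssl/private` beyond least privilege. Limit the `chgrp www-data`/`640` treatment to the file(s) Apache actually reads and keep the CA key material root-only at 600, or document why www-data needs the CA keys. The file list is also driven by word-splitting of a string; a quoted word list, `for certf in "${sslkey}/ca.key" "${sslkey}/ca.csr" ...; do`, with `chgrp www-data -- "$certf"` and `chmod 640 -- "$certf"` inside, is safer, and the comment and message should say "private keys" rather than "certificates" since nothing under `/etc/ssl/certs` is touched. The umask named in the commit title does not appear in any hunk shown here, so presumably it lives in carnet-generate-ssl itself.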
@@ -671,6 +703,7 @@ cp_mail "$PKG"
 # (re)generate monit.d files if monit-cn is installed.
 #
 if [ -x "/usr/sbin/update-monit.d" ]; then
+       cp_echo "CN: Updating monit configuration..."
        update-monit.d || true
 fi