Add README, move URLs to cacert.localhost
This commit is contained in:
parent
279dbcffbf
commit
c39be2c6c8
7 changed files with 85 additions and 46 deletions
40
README.md
Normal file
40
README.md
Normal file
|
@ -0,0 +1,40 @@
|
|||
# CAcert local development setup
|
||||
|
||||
This repository contains a local development environment setup for the CAcert software.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* Linux system (tested on Debian Bullseye)
|
||||
* [Docker](https://tracker.debian.org/pkg/docker.io)
|
||||
* [docker-compose](https://pypi.org/project/docker-compose/)
|
||||
* [openssl](https://tracker.debian.org/pkg/openssl)
|
||||
* [myrepos](https://tracker.debian.org/pkg/myrepos)
|
||||
|
||||
```shell
|
||||
sudo apt-get update
|
||||
sudo apt-get install docker.io openssl myrepos
|
||||
sudo adduser $USER docker
|
||||
newgrp docker
|
||||
python3 -m pip install --user -U docker-compose
|
||||
# make sure that ~/.local/bin is in $PATH
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
Create a .env file that defines the following variables
|
||||
|
||||
Variable | Usage
|
||||
--- | ---
|
||||
`MYSQL_ROOT_PASSWORD` | Database root password
|
||||
`MYSQL_APP_USER` | Database application user
|
||||
`MYSQL_APP_PASSWORD` | Database application password
|
||||
|
||||
```shell
|
||||
git clone https://git.dittberner.info/jan/cacert-devsetup.git
|
||||
cd cacert-devsetup
|
||||
mr checkout
|
||||
./setup_test_ca.sh
|
||||
docker-compose up
|
||||
```
|
||||
|
||||
After these steps you should be able to reach the CAcert application at https://test.cacert.localhost:8443/.
|
|
@ -4,15 +4,15 @@ set -eux
|
|||
# Apache gets grumpy about PID files pre-existing
|
||||
rm -f /run/apache2/apache2.pid
|
||||
|
||||
cp /usr/local/etc/testca/certs/test.cacert.org.crt.pem /etc/ssl/certs/test.cacert.org.crt
|
||||
cp /usr/local/etc/testca/certs/test.cacert.org.key.pem /etc/ssl/private/test.cacert.org.pem
|
||||
cp /usr/local/etc/testca/certs/test.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
cp /usr/local/etc/testca/certs/test.cacert.localhost.key.pem /etc/ssl/private/
|
||||
(
|
||||
openssl x509 -in /usr/local/etc/testca/class3/ca.crt.pem
|
||||
openssl x509 -in /usr/local/etc/testca/root/ca.crt.pem
|
||||
) >/etc/ssl/certs/combined.crt
|
||||
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.org.crt.pem /etc/ssl/certs/secure.crt
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.org.key.pem /etc/ssl/private/secure_test_cacert_org.pem
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
|
||||
|
||||
sed -i "s/@MYSQL_USERNAME@/$MYSQL_APP_USER/g; s/@MYSQL_PASSWORD@/$MYSQL_APP_PASSWORD/g" \
|
||||
/usr/local/etc/application/mysql.php
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
<VirtualHost *:80>
|
||||
ServerName test.cacert.org
|
||||
ServerAlias www.test.cacert.org
|
||||
ServerName test.cacert.localhost
|
||||
ServerAlias www.test.cacert.localhost
|
||||
DocumentRoot /www/www
|
||||
|
||||
ScriptAlias /cgi-bin/ /www/cgi-bin/
|
||||
Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
|
||||
Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl
|
||||
RewriteEngine On
|
||||
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
|
||||
RewriteRule .* - [F]
|
||||
|
@ -15,8 +15,8 @@
|
|||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName test.cacert.org
|
||||
ServerAlias www.test.cacert.org
|
||||
ServerName test.cacert.localhost
|
||||
ServerAlias www.test.cacert.localhost
|
||||
DocumentRoot /www/www
|
||||
|
||||
SSLEngine on
|
||||
|
@ -24,15 +24,15 @@
|
|||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||
SSLCertificateFile /etc/ssl/certs/test.cacert.org.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/test.cacert.org.pem
|
||||
SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem
|
||||
SSLCACertificateFile /etc/ssl/certs/combined.crt
|
||||
|
||||
Header always set Strict-Transport-Security "max-age=31536000"
|
||||
|
||||
ScriptAlias /cgi-bin/ /www/cgi-bin/
|
||||
Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
|
||||
Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl
|
||||
RewriteEngine On
|
||||
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
|
||||
RewriteRule .* - [F]
|
||||
|
@ -42,8 +42,7 @@
|
|||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName secure.test.cacert.org
|
||||
ServerAlias secure.test.cacert.org
|
||||
ServerName secure.test.cacert.localhost
|
||||
DocumentRoot /www/www
|
||||
|
||||
SSLEngine on
|
||||
|
@ -51,20 +50,20 @@
|
|||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||
SSLCertificateFile /etc/ssl/certs/secure.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/secure_test_cacert_org.pem
|
||||
SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem
|
||||
SSLVerifyClient require
|
||||
SSLVerifyDepth 2
|
||||
SSLCACertificateFile /etc/ssl/certs/combined.crt
|
||||
#SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
|
||||
#SSLOCSPEnable on
|
||||
#SSLOCSPDefaultResponder http://ocsp.cacert.org/
|
||||
#SSLOCSPDefaultResponder http://ocsp.cacert.localhost/
|
||||
SSLOptions +StdEnvVars
|
||||
|
||||
Header always set Strict-Transport-Security "max-age=31536000"
|
||||
|
||||
Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
|
||||
Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl
|
||||
Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl
|
||||
RewriteEngine On
|
||||
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
|
||||
RewriteRule .* - [F]
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
MaxRequestsPerChild 100
|
||||
|
||||
ServerAdmin support@cacert.org
|
||||
ServerName cacert.org
|
||||
ServerAdmin support@cacert.localhost
|
||||
ServerName cacert.localhost
|
||||
|
||||
Header always set X-Frame-Options "DENY"
|
||||
Header always set X-XSS-Protection "1; mode=block"
|
||||
|
|
|
@ -22,11 +22,11 @@ if ($_SESSION['mconn'] != FALSE)
|
|||
mysql_select_db("cacert");
|
||||
$_SESSION['mconn'] = TRUE;
|
||||
}
|
||||
$_SESSION['_config']['normalhostname'] = "test.cacert.org:8443";
|
||||
$_SESSION['_config']['securehostname'] = "secure.test.cacert.org:8443";
|
||||
$_SESSION['_config']['tverify'] = "tverify.cacert.org";
|
||||
$_SESSION['_config']['normalhostname'] = "test.cacert.localhost:8443";
|
||||
$_SESSION['_config']['securehostname'] = "secure.test.cacert.localhost:8443";
|
||||
$_SESSION['_config']['tverify'] = "tverify.cacert.localhost";
|
||||
|
||||
function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.org", $use_utf8 = true)
|
||||
function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.localhost", $use_utf8 = true)
|
||||
{
|
||||
$lines = explode("\n", $message);
|
||||
$message = "";
|
||||
|
@ -53,9 +53,9 @@ function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $
|
|||
return;
|
||||
}
|
||||
$InputBuffer = fgets($smtp, 1024);
|
||||
fputs($smtp, "EHLO test.cacert.org\r\n");
|
||||
fputs($smtp, "EHLO test.cacert.localhost\r\n");
|
||||
$InputBuffer = fgets($smtp, 1024);
|
||||
fputs($smtp, "MAIL FROM:<returns@cacert.org>\r\n");
|
||||
fputs($smtp, "MAIL FROM:<returns@cacert.localhost>\r\n");
|
||||
$InputBuffer = fgets($smtp, 1024);
|
||||
$bits = explode(",", $to);
|
||||
foreach($bits as $user)
|
||||
|
@ -63,7 +63,7 @@ function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $
|
|||
$InputBuffer = fgets($smtp, 1024);
|
||||
fputs($smtp, "DATA\r\n");
|
||||
$InputBuffer = fgets($smtp, 1024);
|
||||
fputs($smtp, "X-Mailer: CAcert.org Website\r\n");
|
||||
fputs($smtp, "X-Mailer: CAcert.org Website (local development)\r\n");
|
||||
if (array_key_exists("REMOTE_ADDR", $_SERVER))
|
||||
fputs($smtp, "X-OriginatingIP: ".$_SERVER["REMOTE_ADDR"]."\r\n");
|
||||
fputs($smtp, "Sender: $errorsto\r\n");
|
||||
|
|
|
@ -8,7 +8,7 @@ memory_limit = 18M
|
|||
display_errors = Off
|
||||
log_errors = On
|
||||
error_log = /var/log/apache2/phperrors.log
|
||||
sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.org"
|
||||
sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.localhost"
|
||||
session.use_only_cookies = On
|
||||
session.cookie_secure = On
|
||||
error_reporting = E_ALL
|
||||
|
|
|
@ -96,8 +96,8 @@ keyUsage = critical,keyCertSign,cRLSign
|
|||
extendedKeyUsage = serverAuth,clientAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
|
||||
crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl
|
||||
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
|
||||
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
|
||||
certificatePolicies = @policy_class3_ca
|
||||
|
||||
[server_ext]
|
||||
|
@ -106,13 +106,13 @@ keyUsage = digitalSignature,keyEncipherment
|
|||
extendedKeyUsage = serverAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
|
||||
crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl
|
||||
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
|
||||
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
|
||||
certificatePolicies = @policy_class3_ca
|
||||
|
||||
[policy_class3_ca]
|
||||
policyIdentifier = 1.3.6.1.5.5.7.2.1
|
||||
CPS = http://test.cacert.org/ca/class3/cps.html
|
||||
CPS = http://test.cacert.localhost/ca/class3/cps.html
|
||||
EOF
|
||||
|
||||
openssl req -new -x509 -config ca.cnf \
|
||||
|
@ -133,23 +133,23 @@ openssl ca -config ca.cnf \
|
|||
-rand_serial \
|
||||
-extensions class3_extensions \
|
||||
-batch
|
||||
openssl req -new -keyout certs/test.cacert.org.key.pem -nodes \
|
||||
-out certs/test.cacert.org.csr.pem -subj "/CN=test.cacert.org" \
|
||||
-addext "subjectAltName=DNS:test.cacert.org,DNS:www.test.cacert.org"
|
||||
openssl req -new -keyout certs/secure.test.cacert.org.key.pem -nodes \
|
||||
-out certs/secure.test.cacert.org.csr.pem -subj "/CN=secure.test.cacert.org" \
|
||||
-addext "subjectAltName=DNS:secure.test.cacert.org"
|
||||
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
|
||||
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:secure.test.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/test.cacert.org.csr.pem \
|
||||
-out certs/test.cacert.org.crt.pem \
|
||||
-in certs/test.cacert.localhost.csr.pem \
|
||||
-out certs/test.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/secure.test.cacert.org.csr.pem \
|
||||
-out certs/secure.test.cacert.org.crt.pem \
|
||||
-in certs/secure.test.cacert.localhost.csr.pem \
|
||||
-out certs/secure.test.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
|
|
Loading…
Reference in a new issue