From e50c764d7d11deb754b07fd69473393778526ef4 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Fri, 1 Jul 2005 11:21:40 +0000
Subject: Fix force-creating host cert. Improved error handling.
---
 localmksslcerts | 55 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 26 deletions(-)
(limited to 'localmksslcerts')
diff --git a/localmksslcerts b/localmksslcerts
index fe17a78..15fa798 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
 # /usr/local/sbin/localmksslcerts
 # Copyright 2001-2004 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.15 2004-12-28 22:06:51 jonas Exp $
+# $Id: localmksslcerts,v 1.16 2005-07-01 11:21:40 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
@@ -119,34 +119,13 @@ for val in cn state loc; do
 done
 if [ -n "$cert" ]; then
- if [ ! -f /etc/ssl/certs/$fqdn.pem ] || [ ! -f /etc/ssl/private/$fqdn.pem ]; then
+ if [ ! -s /etc/ssl/certs/$fqdn.pem ] || [ ! -s /etc/ssl/private/$fqdn.pem ]; then
+ echo "WARNING: Host certificate for \"$fqdn\" missing..."
 if [ -z "$cacert" ]; then
- echo "ERROR: Host certificate for \"$fqdn\" missing!"
+ echo "ERROR: The \"--cacert\" option is required when making a host certificate!"
 exit 1
 fi
- if [ ! -r /etc/ssl/certs/$cacert.pem ] || [ ! -r /etc/ssl/private/$cacert.pem ]; then
- if [ -n "$makeca" ]; then
- # Generate private key for CA certificate
- cd /etc/ssl/private
-#FIXME: Make strength configurable
- openssl genrsa -des3 -out $cacert.pem 1024
- chown root:root $cacert.pem
- chmod 0400 $cacert.pem
- # Generate and pre-fill certification request
- cd /etc/ssl/certs
-#FIXME: Make validity configurable
- openssl req -new \
- -key /etc/ssl/private/$cacert.pem \
- -x509 -days 1095 \
- -out $cacert.pem
- # Add hash to certified public certificate and cleanup
- ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
- else
- echo "ERROR: CAcert (certifying authority certificate) missing!"
- exit 1
- fi
- fi
- echo "Generating host certificate for \"$fqdn\"..."
+ # Cleaning up - if allowed
 for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
 if [ -e $file ]; then
 if [ -n "$force" ]; then
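Review bot: The new `echo "WARNING: Host certificate for \"$fqdn\" missing..."` and the reworded `echo "ERROR: The \"--cacert\" option is required ..."` both write diagnostics to stdout, so a caller that captures or discards this script's output (cron, `>/dev/null`) cannot separate messages from data; redirect them with `>&2`, e.g. `echo "WARNING: Host certificate for \"$fqdn\" missing..." >&2` and `echo "ERROR: The \"--cacert\" option is required when making a host certificate!" >&2`. Note also that the commit moves the CA-certificate check to after the `--force` cleanup loop that begins at the end of this hunk (its body, which presumably removes `$file`, is outside the hunk): with `--force`, a missing CA and no `--makeca`, whichever host key/cert/csr still exists can be deleted before the script exits with the `--makeca` error. The `-z "$cacert"` test here shows the cheap prerequisite checks can sit ahead of the destructive loop; the `--makeca` check belongs with it. The enclosing `if [ -n "$cert" ]` block continues past this hunk.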
@@ -157,6 +136,30 @@ if [ -n "$cert" ]; then
 fi
 fi
 done
+ if [ ! -s /etc/ssl/certs/$cacert.pem ] || [ ! -s /etc/ssl/private/$cacert.pem ]; then
+ echo "WARNING: CAcert (certifying authority certificate) missing..."
+ if [ -z "$makeca" ]; then
+ echo "ERROR: The \"--makeca\" option is required when making a CAcert!"
+ exit 1
+ fi
+ # Generate private key for CA certificate
+ echo "Generating CAcert \"$cacert\"..."
+ cd /etc/ssl/private
+#FIXME: Make strength configurable
+ openssl genrsa -des3 -out $cacert.pem 1024
+ chown root:root $cacert.pem
+ chmod 0400 $cacert.pem
+ # Generate and pre-fill certification request
+ cd /etc/ssl/certs
+#FIXME: Make validity configurable
+ openssl req -new \
+ -key /etc/ssl/private/$cacert.pem \
+ -x509 -days 1095 \
+ -out $cacert.pem
+ # Add hash to certified public certificate and cleanup
+ ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
+ fi
+ echo "Generating host certificate for \"$fqdn\"..."
 # Generate private key for host certificate
 cd /etc/ssl/private
 openssl genrsa -out $fqdn.pem
-- 
cgit v1.2.3
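Review bot: The relocated CA-generation block never checks that `cd /etc/ssl/private` or `openssl genrsa -des3 -out $cacert.pem 1024` succeeded, so if the directory is missing or the passphrase prompt fails or is interrupted, the CA private key is written into the caller's current directory (or not at all), `chown`/`chmod 0400` act on the wrong path, `openssl req` fails on the missing key, and `ln -sf` creates a symlink with an empty hash name because `openssl x509 -hash` prints nothing — yet the script carries on to "Generating host certificate". Since the commit's stated purpose is improved error handling, every step here should abort on failure: `cd /etc/ssl/private || exit 1`, `openssl genrsa -des3 -out $cacert.pem 1024 || exit 1`, and the same `|| exit 1` on the second `cd` and the `openssl req` before the `ln -sf`. The existing FIXME on key strength could also say plainly that 1024-bit RSA is no longer an acceptable CA key size, so the default is not mistaken for a safe one. The host-key generation at the bottom of the hunk continues outside it, so whether `$fqdn.pem` receives the same `chown root:root` / `chmod 0400` as the CA key cannot be judged from here.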