.. cacert-infradocs.git: docs/systems/test.rst (commit 0f9ac650d3b0cf64e6407b31260c1d9e243db905)

.. index::
   single: Systems; test

====
Test
====

Purpose
=======

This is a test system for the CAcert web application software: it runs the
*release* branch of :cacertgit:`cacert-devel`, i.e. the code that is deployed
on www.cacert.org.

Application Links
-----------------

Application
   https://test.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_wytze`
* Secondary: :ref:`people_jandd`


Application Administration
--------------------------

+------------------------+---------------------------------------+
| Application            | Administrator(s)                      |
+========================+=======================================+
| CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
+------------------------+---------------------------------------+

Contact
-------

* test-admin@cacert.org

Additional People
-----------------

:ref:`people_dirk`, :ref:`people_gukk`, :ref:`people_mario`,
:ref:`people_mendel`, :ref:`people_neo` and :ref:`people_ted` also have
:program:`sudo` access on this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on the physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.248`
:IP Intranet: :ip:v4:`172.16.2.248`
:IP Internal: :ip:v4:`10.0.0.248`
:IPv6: :ip:v6:`2001:7b8:616:162:2::248`
:MAC address: :mac:`00:ff:91:10:5d:cd` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Test

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
test.cacert.org.       IN A     213.154.225.248
test.cacert.org.       IN SSHFP 1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
test.cacert.org.       IN SSHFP 2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
test.intra.cacert.org. IN A     172.16.2.248
test.infra.cacert.org. IN A     10.0.0.248
====================== ======== ============================================

The two SSHFP records cover only the RSA (algorithm 1) and DSA (algorithm 2)
host keys, each with a SHA-1 fingerprint (fingerprint type 1).

.. todo::

   add an AAAA record for the IPv6 address, and SSHFP records for the ECDSA
   host key (algorithm 3) and with SHA-256 fingerprints (fingerprint type 2)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.11

* Debian GNU/Linux 8.11

Applicable Documentation
------------------------

There is no additional documentation for this system.

Services
========

Listening services
------------------

+----------+---------+---------+-------------------------------------------+
| Port     | Service | Origin  | Purpose                                   |
+==========+=========+=========+===========================================+
| 22/tcp   | ssh     | ANY     | admin console access                      |
+----------+---------+---------+-------------------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA                |
+----------+---------+---------+-------------------------------------------+
| 80/tcp   | http    | ANY     | Apache httpd for http://test.cacert.org/  |
+----------+---------+---------+-------------------------------------------+
| 123/tcp  | ntp     | local   | network time protocol server              |
| 123/udp  |         |         |                                           |
+----------+---------+---------+-------------------------------------------+
| 143/tcp  | imap    | testmgr | Dovecot IMAP server                       |
+----------+---------+---------+-------------------------------------------+
| 443/tcp  | https   | ANY     | Apache httpd for https://test.cacert.org/ |
+----------+---------+---------+-------------------------------------------+
| 993/tcp  | imaps   | testmgr | Dovecot IMAP server                       |
+----------+---------+---------+-------------------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for ...                    |
+----------+---------+---------+-------------------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service                 |
+----------+---------+---------+-------------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: atop
   single: client.pl
   single: cron
   single: dovecot
   single: nrpe
   single: ntpd
   single: openssh
   single: rsyslog
   single: server.pl
   single: socat

+----------------+--------------------------------+----------------------------------------+
| Service        | Usage                          | Start mechanism                        |
+================+================================+========================================+
| Apache httpd   | Webserver for the CAcert       | init script                            |
|                | web application                | :file:`/etc/init.d/apache2`            |
+----------------+--------------------------------+----------------------------------------+
| MySQL          | MySQL database server          | init script                            |
|                | for the CAcert web application | :file:`/etc/init.d/mysql`              |
+----------------+--------------------------------+----------------------------------------+
| Postfix        | SMTP server for local mail     | init script                            |
|                | submission                     | :file:`/etc/init.d/postfix`            |
+----------------+--------------------------------+----------------------------------------+
| atop           | atop process accounting top    | init script                            |
|                |                                | :file:`/etc/init.d/atop`               |
+----------------+--------------------------------+----------------------------------------+
| client.pl      | CAcert signer client           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule`         |
+----------------+--------------------------------+----------------------------------------+
| cron           | job scheduler                  | init script                            |
|                |                                | :file:`/etc/init.d/cron`               |
+----------------+--------------------------------+----------------------------------------+
| dovecot        | Dovecot IMAP server            | init script                            |
|                |                                | :file:`/etc/init.d/dovecot`            |
+----------------+--------------------------------+----------------------------------------+
| Nagios NRPE    | remote monitoring              | init script                            |
| server         | service queried by             | :file:`/etc/init.d/nagios-nrpe-server` |
|                | :doc:`monitor`                 |                                        |
+----------------+--------------------------------+----------------------------------------+
| ntpd           | Network time protocol server   | init script                            |
|                |                                | :file:`/etc/init.d/ntp`                |
+----------------+--------------------------------+----------------------------------------+
| openssh server | ssh daemon for remote          | init script :file:`/etc/init.d/ssh`    |
|                | administration                 |                                        |
+----------------+--------------------------------+----------------------------------------+
| rsyslog        | syslog daemon                  | init script                            |
|                |                                | :file:`/etc/init.d/rsyslog`            |
+----------------+--------------------------------+----------------------------------------+
| server.pl      | CAcert signer server           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule-signer`  |
+----------------+--------------------------------+----------------------------------------+
| socat          | Emulate serial connection      | entry in                               |
|                | between CAcert signer          | :file:`/etc/rc.local` that executes    |
|                | client and server              | :file:`/usr/local/sbin/socat-signer`   |
|                |                                | inside a :program:`screen` session     |
+----------------+--------------------------------+----------------------------------------+

Databases
---------

+-------+--------+------------------------+
| RDBMS | Name   | Used for               |
+=======+========+========================+
| MySQL | cacert | CAcert web application |
+-------+--------+------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`testmgr` has access to IMAP and MySQL

.. todo::

   document how :doc:`testmgr` reaches MySQL; port 3306/tcp is listed above
   as accepting local connections only

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`proxyout` as HTTP proxy for APT and GitHub
* crl.cacert.org (rsync) for getting CRLs
* ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
* arbitrary Internet SMTP servers for outgoing mail

Security
========

.. todo:: add the SHA-256 fingerprints of the SSH host keys

.. sshkeys::
   :RSA: fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98
   :DSA: 1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13
   :ECDSA: ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1

The fingerprints above are MD5 fingerprints (the output format of
``ssh-keygen -l -E md5``); current OpenSSH releases display SHA-256
fingerprints by default, hence the todo.

.. todo:: add ED25519 key for test
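
As an added example (not part of the CAcert infradocs and not OpenSSH code),
the script below derives from one host public key line the three fingerprint
forms this page uses: the MD5 fingerprints in the sshkeys block above, the
SHA-256 fingerprints the todo asks for, and the SSHFP records of the DNS
section, emitting SHA-256 (fingerprint type 2) records next to the SHA-1 ones
currently published. The host name and key bytes are constructed placeholders;
on test, feed it the lines from ``/etc/ssh/ssh_host_*_key.pub`` or the output
of ``ssh-keyscan`` instead.

```python
"""Derive the fingerprint forms this page records for an OpenSSH host key.

Added example for this page; not CAcert infradocs tooling or OpenSSH code.
The key material built by constructed_ed25519_line() is placeholder bytes,
so the fingerprints it yields belong to no real host.
"""
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (key type, raw RFC 4253 key blob) for a "type base64 [comment]"
    line as found in ssh_host_*_key.pub or printed by ssh-keyscan."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)


def md5_fingerprint(pubkey_line):
    """Legacy colon-separated MD5 fingerprint (``ssh-keygen -l -E md5``),
    the format used in the sshkeys block of this page."""
    digest = hashlib.md5(key_blob(pubkey_line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(pubkey_line):
    """Current OpenSSH default: "SHA256:" plus unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob(pubkey_line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_records(owner, pubkey_line):
    """SSHFP zone-file lines (SHA-1 and SHA-256) for one host key."""
    keytype, blob = key_blob(pubkey_line)
    algorithm = SSHFP_ALGORITHM[keytype]
    return [
        f"{owner} IN SSHFP {algorithm} {fptype} {digest(blob).hexdigest().upper()}"
        for fptype, digest in sorted(SSHFP_FPTYPE.items())
    ]


def sshfp_matches(pubkey_line, record):
    """True if the published SSHFP record is the fingerprint of this key.
    The hash is taken over the decoded key blob, never the base64 text."""
    algorithm, fptype, fp = record.split()[-3:]
    keytype, blob = key_blob(pubkey_line)
    if SSHFP_ALGORITHM.get(keytype) != int(algorithm) or int(fptype) not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[int(fptype)](blob).hexdigest().lower() == fp.lower()


def constructed_ed25519_line(pubkey=b"\x01" * 32):
    """A syntactically valid ssh-ed25519 public key line from placeholder bytes
    (constructed test data, not a real key).  Wire format per RFC 4253:
    string "ssh-ed25519", string <32-byte public key>."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    print(md5_fingerprint(line))
    print(sha256_fingerprint(line))
    for rec in sshfp_records("test.cacert.org.", line):
        print(rec)
```

Two caveats worth keeping in mind when publishing the records: the SSHFP
digest covers the decoded key blob, so hashing the base64 text from the
``.pub`` file produces a record that never matches; and OpenSSH only accepts an
SSHFP answer without prompting when the DNS response is DNSSEC-validated.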

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration they should be documented here. Regular operating system
   groups should not be documented.

+--------------+----------------------------+
| User         | Purpose                    |
+==============+============================+
| cacertmail   | IMAP mailbox user          |
+--------------+----------------------------+
| cacertsigner | User for the CAcert signer |
+--------------+----------------------------+

.. todo::

   clarify why the signer software on test is currently running as the root
   user

The directory :file:`/home/cacert/` is owned by root. The signer server runs
from :file:`/home/signer/cacert-devel/CommModule/server.pl` and the signer
client from :file:`/home/cacert/www/CommModule/client.pl`. Both run as root;
no process currently uses the *cacertsigner* user.

Non-distribution packages and modifications
-------------------------------------------

Apache httpd runs in a chroot in :file:`/home/cacert/`; the configuration in
:file:`/etc/apache2` and the system binaries are not used. The Apache httpd
binary in the chroot appears to be relatively up-to-date, but as it is not the
distribution binary it is not maintained through the Debian package.

The CAcert web application code as well as the CAcert signer client code come
from :cacertgit:`cacert-devel`'s *release* branch.

The signer in :file:`/home/signer/cacert-devel/CommModule/server.pl` has a few
uncommitted manual modifications, and the whole working copy in
:file:`/home/signer/cacert-devel` is based on an old repository at
git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The
last commit in the working copy is::

   commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
   Merge: c33bbc5 a3d0b8a
   Author: Michael Tänzer <neo@nhng.de>
   Date:   Wed Apr 10 00:03:42 2013 +0200

       Merge branch 'bug-1159' into signer

.. todo::

   integrate or revert the changes to server.pl on test, use the current
   *release* branch version from :cacertgit:`cacert-devel`

Risk assessments on critical packages
-------------------------------------

The operating system on this container is no longer supported. The PHP version
in the :file:`/home/cacert/` chroot is 5.6.38, which is no longer supported
upstream either.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: cats.test.cacert.org
   :altnames: DNS:cats.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cats_test_cacert_org.pem
   :serial: 50D3
   :expiration: Sep 28 13:47:31 2019 GMT
   :sha1fp: 6C:03:0D:4F:91:56:EA:74:A4:E4:70:4A:91:B1:4C:A3:99:CC:9C:4B
   :issuer: CAcert Testserver Root

.. sslcert:: mgr.test.cacert.org
   :altnames: DNS:mgr.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem
   :serial: 50D2
   :expiration: Sep 28 13:47:31 2019 GMT
   :sha1fp: C2:4B:F2:00:9B:A0:61:57:27:14:1C:08:47:50:6A:41:5B:D2:6F:05
   :issuer: CAcert Testserver Root

.. sslcert:: secure.test.cacert.org
   :altnames: DNS:secure.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/secure_test_cacert_org.pem
   :serial: 50D1
   :expiration: Sep 28 13:47:30 2019 GMT
   :sha1fp: 95:9A:3A:1B:C2:03:D6:90:F5:01:4A:F7:52:62:2D:B8:61:BD:B7:4B
   :issuer: CAcert Testserver Root

.. sslcert:: test.cacert.org (dovecot)
   :certfile: /etc/dovecot/dovecot.pem
   :keyfile: /etc/dovecot/private/dovecot.pem
   :serial: C362AEFE86DA5BFE
   :expiration: Jun 26 12:38:31 2024 GMT
   :sha1fp: 1E:60:68:36:53:BC:95:A8:35:AC:A0:38:09:69:29:74:10:52:04:1A
   :issuer: test.cacert.org

.. sslcert:: test.cacert.org
   :altnames: DNS:test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cacert.pem
   :serial: 50D0
   :expiration: Sep 28 13:47:30 2019 GMT
   :sha1fp: 94:FE:B0:94:F6:7C:F2:E2:57:75:49:05:17:86:99:5C:CE:40:24:AD
   :issuer: CAcert Testserver Root

**CA certificates on test**:

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/cacert.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 00
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5B:26:E7:61:8C:C1:A1:EB:F3:E1:28:22:03:7A:D6:9B:55:53:C3:9B
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/root_256.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 0F
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5E:7E:EE:06:07:0A:F6:A1:49:F9:E1:B1:13:14:D8:C2:A3:3C:07:52
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.md5.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 01
   :expiration: Mar 26 22:06:10 2021 GMT
   :sha1fp: F5:72:FF:19:C8:B5:3C:7C:29:1A:8D:90:92:09:5F:DD:24:C6:F8:41
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 101B
   :expiration: Apr 28 18:25:09 2021 GMT
   :sha1fp: 52:F9:80:58:5F:55:A0:F6:51:F0:A2:BC:75:20:FE:2C:48:96:79:55
   :issuer: CAcert Testserver Root

.. note::

   There are two directories :file:`/etc/root3/` and :file:`/etc/root4/` that
   are supported by the signer but do not contain actual keys and certificates.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`
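
The serial, expiration and SHA-1 fingerprint values in the sslcert blocks
above are properties of the certificate files themselves, normally read with
``openssl x509 -noout -serial -enddate -fingerprint -sha1 -in FILE``. The
script below, an added example that is not part of the infradocs or of any
CAcert tool, reads the same values back out of a DER or PEM file with a
minimal ASN.1 walker from the standard library only, and reports the remaining
validity, so the listing can be checked against the live files. The
certificate produced by ``constructed_cert()`` is constructed sample data
(unsigned, dummy key) whose serial and dates mimic the test.cacert.org entry;
on test, pass the real files to ``cert_summary()`` instead.

```python
"""Serial, validity and SHA-1 fingerprint of a certificate, without openssl.

Added example for this page, not CAcert tooling.  The certificate built by
constructed_cert() is constructed test data: correct X.509 structure, dummy
key, all-zero signature.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone


def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """The TLVs packed inside a SEQUENCE or SET value, in order."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _asn1_time(tag, val):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def cert_summary(der):
    """Serial (hex, as openssl prints it), validity bounds and SHA-1 fingerprint."""
    _, certificate, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    tbs = next(_children(certificate))[1]           # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    validity = list(_children(fields[3][1]))        # after signature and issuer
    fingerprint = hashlib.sha1(der).hexdigest().upper()   # over the whole DER blob
    return {
        "serial": f"{serial:X}",
        "not_before": _asn1_time(*validity[0]),
        "not_after": _asn1_time(*validity[1]),
        "sha1fp": ":".join(fingerprint[i:i + 2] for i in range(0, 40, 2)),
    }


def days_left(summary, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (summary["not_after"] - now).days


def _enc(tag, payload):
    """Minimal DER encoder, only used to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def constructed_cert(serial=0x50D0, not_after=b"190928134730Z"):
    """Unsigned X.509 skeleton (constructed test data); defaults mimic test.cacert.org."""
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))  # sha256WithRSA
    cn = _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, b"CAcert Testserver Root"))
    name = _enc(0x30, _enc(0x31, cn))
    version = _enc(0xA0, _enc(0x02, b"\x02"))                                   # v3
    serial_tlv = _enc(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    validity = _enc(0x30, _enc(0x17, b"170928134730Z") + _enc(0x17, not_after))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b""))
                + _enc(0x03, b"\x00" * 9))                                      # dummy key bits
    tbs = _enc(0x30, version + serial_tlv + alg + name + validity + name + spki)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 9))                      # zero signature


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    summary = cert_summary(constructed_cert())
    print(summary, "days left:", days_left(summary, datetime.now(timezone.utc)))
```

The fingerprint is deliberately taken over the complete DER encoding, which is
what ``openssl x509 -fingerprint`` hashes; the walker only descends as far as
the validity sequence because nothing after it is needed for this listing.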

openssl configuration for the signer server
-------------------------------------------

The server.pl signer uses a set of openssl configuration files stored in
:file:`/etc/ssl/{caname}-{purpose}.cnf`.

.. todo::

   check whether the openssl configuration files on test are equal to those in
   http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration
--------------------------

Apache httpd runs in a chroot in :file:`/home/cacert/`; its configuration is
stored in :file:`/home/cacert/etc/apache2`.

Postfix configuration
---------------------

Postfix configuration is stored in :file:`/etc/postfix`.

Postfix is configured to accept mail for ``test.cacert.org`` and ``localhost``.
All mail is delivered to the mailbox of the *cacertmail* user in
:file:`/var/mail/cacertmail` via :file:`/etc/postfix/virtual.regexp`.

Dovecot configuration
---------------------

Dovecot is configured to use PAM for authentication, to support SSL and IMAP,
and to use mbox style mailboxes in :file:`/var/mail/%u`, in the following
files:

- :file:`/etc/dovecot/conf.d/10-auth.conf`
- :file:`/etc/dovecot/conf.d/10-mail.conf`
- :file:`/etc/dovecot/conf.d/20-imap.conf`
- :file:`/etc/dovecot/conf.d/auth-system.conf`

.. note::

   dovecot uses an old self-signed certificate for test.cacert.org

Tasks
=====

Planned
-------

.. todo::

   Upgrade test to Debian Stretch when the software is ready.

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`
   * https://codedocs.cacert.org/

References
----------

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/
Apache Debian wiki page
   https://wiki.debian.org/Apache
Dovecot documentation
   https://wiki2.dovecot.org/FrontPage
openssl documentation
   https://www.openssl.org/docs/
Postfix documentation
   http://www.postfix.org/documentation.html
Postfix Debian wiki page
   https://wiki.debian.org/Postfix