Documented test.cacert.org
[cacert-infradocs.git] / docs / systems / test.rst
.. index::
   single: Systems; test

====
Test
====

Purpose
=======

This is a test system for the software from :cacertgit:`cacert-devel`'s
*release* branch, which is the code running on www.cacert.org.

Application Links
-----------------

Application
   https://test.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_wytze`
* Secondary: :ref:`people_jandd`


Application Administration
--------------------------

+------------------------+---------------------------------------+
| Application            | Administrator(s)                      |
+========================+=======================================+
| CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
+------------------------+---------------------------------------+

Contact
-------

* test-admin@cacert.org

Additional People
-----------------

:ref:`people_dirk`, :ref:`people_gukk`, :ref:`people_mario`,
:ref:`people_mendel`, :ref:`people_neo` and :ref:`people_ted` have
:program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.248`
:IP Intranet: :ip:v4:`172.16.2.248`
:IP Internal: :ip:v4:`10.0.0.248`
:MAC address: :mac:`00:ff:91:10:5d:cd` (eth0)

.. todo:: setup IPv6 for test

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; test

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
test.cacert.org.       IN A     213.154.225.248
test.cacert.org.       IN SSHFP 1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
test.cacert.org.       IN SSHFP 2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
test.intra.cacert.org. IN A     172.16.2.248
test.infra.cacert.org. IN A     10.0.0.248
====================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.11

* Debian GNU/Linux 8.11

Applicable Documentation
------------------------

There is no additional documentation for this system.

Services
========

Listening services
------------------

+----------+---------+---------+-------------------------------------------+
| Port     | Service | Origin  | Purpose                                   |
+==========+=========+=========+===========================================+
| 22/tcp   | ssh     | ANY     | admin console access                      |
+----------+---------+---------+-------------------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA                |
+----------+---------+---------+-------------------------------------------+
| 80/tcp   | http    | ANY     | Apache httpd for http://test.cacert.org/  |
+----------+---------+---------+-------------------------------------------+
| 123/tcp  | ntp     | local   | network time protocol server              |
| 123/udp  |         |         |                                           |
+----------+---------+---------+-------------------------------------------+
| 143/tcp  | imap    | testmgr | Dovecot IMAP server                       |
+----------+---------+---------+-------------------------------------------+
| 443/tcp  | https   | ANY     | Apache httpd for https://test.cacert.org/ |
+----------+---------+---------+-------------------------------------------+
| 993/tcp  | imaps   | testmgr | Dovecot IMAP server                       |
+----------+---------+---------+-------------------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for ...                    |
+----------+---------+---------+-------------------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service                 |
+----------+---------+---------+-------------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: atop
   single: client.pl
   single: cron
   single: dovecot
   single: nrpe
   single: ntpd
   single: openssh
   single: rsyslog
   single: signer.pl
   single: socat

+----------------+--------------------------------+----------------------------------------+
| Service        | Usage                          | Start mechanism                        |
+================+================================+========================================+
| Apache httpd   | Webserver for the CAcert       | init script                            |
|                | web application                | :file:`/etc/init.d/apache2`            |
+----------------+--------------------------------+----------------------------------------+
| MySQL          | MySQL database server          | init script                            |
|                | for the CAcert web application | :file:`/etc/init.d/mysql`              |
+----------------+--------------------------------+----------------------------------------+
| Postfix        | SMTP server for local mail     | init script                            |
|                | submission                     | :file:`/etc/init.d/postfix`            |
+----------------+--------------------------------+----------------------------------------+
| atop           | atop process accounting top    | init script                            |
|                |                                | :file:`/etc/init.d/atop`               |
+----------------+--------------------------------+----------------------------------------+
| client.pl      | CAcert signer client           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule`         |
+----------------+--------------------------------+----------------------------------------+
| cron           | job scheduler                  | init script                            |
|                |                                | :file:`/etc/init.d/cron`               |
+----------------+--------------------------------+----------------------------------------+
| dovecot        | Dovecot IMAP server            | init script                            |
|                |                                | :file:`/etc/init.d/dovecot`            |
+----------------+--------------------------------+----------------------------------------+
| Nagios NRPE    | remote monitoring              | init script                            |
| server         | service queried by             | :file:`/etc/init.d/nagios-nrpe-server` |
|                | :doc:`monitor`                 |                                        |
+----------------+--------------------------------+----------------------------------------+
| ntpd           | Network time protocol server   | init script                            |
|                |                                | :file:`/etc/init.d/ntp`                |
+----------------+--------------------------------+----------------------------------------+
| openssh server | ssh daemon for remote          | init script :file:`/etc/init.d/ssh`    |
|                | administration                 |                                        |
+----------------+--------------------------------+----------------------------------------+
| rsyslog        | syslog daemon                  | init script                            |
|                |                                | :file:`/etc/init.d/syslog`             |
+----------------+--------------------------------+----------------------------------------+
| server.pl      | CAcert signer server           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule-signer`  |
+----------------+--------------------------------+----------------------------------------+
| socat          | Emulate serial connection      | entry in                               |
|                | between CAcert signer          | :file:`/etc/rc.local` that executes    |
|                | client and server              | :file:`/usr/local/sbin/socat-signer`   |
|                |                                | inside a :program:`screen` session     |
+----------------+--------------------------------+----------------------------------------+

Databases
---------

+-------+--------+------------------------+
| RDBMS | Name   | Used for               |
+=======+========+========================+
| MySQL | cacert | CAcert web application |
+-------+--------+------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`testmgr` has access to IMAP and MySQL

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`proxyout` as HTTP proxy for APT and GitHub
* crl.cacert.org (rsync) for getting CRLs
* ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
* arbitrary Internet SMTP servers for outgoing mail

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA: fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98
   :DSA: 1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13
   :ECDSA: ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1

.. todo:: add ED25519 key for test
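
As an added example that is not part of this infradocs page or the CAcert tooling, the following Python check derives the SSHFP data (RFC 4255) and the colon-separated MD5 fingerprint used in the listing above from an OpenSSH public key line and compares it with the SSHFP records from the DNS table, so an administrator can verify that the host key presented by test.cacert.org is the documented one. The key in the block is a constructed sample, not the real host key, so it is expected not to match the documented records.

```python
import base64
import hashlib
import struct

# SSHFP records from the DNS table above: (algorithm, fingerprint type, hex digest).
# Algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1 (2 = SHA-256, not published here).
DOCUMENTED_SSHFP = [
    (1, 1, "11BCB0AB4D1FD39547426D9527B88AFB8FF85209"),
    (2, 1, "3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC"),
]
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Split an OpenSSH public key line into (key type, decoded binary key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)

def sshfp_record(pubkey_line, fp_type=1):
    """SSHFP data (algorithm, fp type, upper-case hex digest) for a key line; the digest
    is taken over the raw key blob, as RFC 4255 defines and as `ssh-keygen -r` prints."""
    keytype, blob = key_blob(pubkey_line)
    return SSHFP_ALGORITHMS[keytype], fp_type, SSHFP_HASHES[fp_type](blob).hexdigest().upper()

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of the key blob, the format of the sshkeys listing."""
    digest = hashlib.md5(key_blob(pubkey_line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_documented(pubkey_line, records):
    """True if the key a host presented matches a documented SSHFP record of its algorithm."""
    alg = SSHFP_ALGORITHMS[key_blob(pubkey_line)[0]]
    return any(
        rec_alg == alg and fp_type in SSHFP_HASHES
        and sshfp_record(pubkey_line, fp_type)[2] == fp.upper()
        for rec_alg, fp_type, fp in records
    )

def _ssh_string(data):
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key, NOT the real test.cacert.org host key: an ssh-rsa blob is three
# length-prefixed strings ("ssh-rsa", exponent e, modulus n); the modulus here is a dummy.
SAMPLE_RSA_KEY = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(range(1, 65)))
).decode() + " sample@example.invalid"
```

The same comparison can be made on the command line with ``ssh-keygen -r test.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub`` on the host and ``dig test.cacert.org SSHFP`` from the client.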

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration it should be documented here. Regular operating system groups
   should not be documented.

+--------------+----------------------------+
| User         | Purpose                    |
+==============+============================+
| cacertmail   | IMAP mailbox user          |
+--------------+----------------------------+
| cacertsigner | User for the CAcert signer |
+--------------+----------------------------+

.. todo::

   clarify why the signer software on test is currently running as the root
   user

The directory :file:`/home/cacert/` is owned by root. The signer is running
from :file:`/home/signer/cacert-devel/CommModule/server.pl` and the client is
running from :file:`/home/cacert/www/CommModule/client.pl`. Both are running as
root. Currently no process uses the *cacertsigner* user.

Non-distribution packages and modifications
-------------------------------------------

Apache httpd is running in a chroot :file:`/home/cacert/`; the configuration in
:file:`/etc/apache2` as well as the system binaries are not used. The Apache
httpd binary seems to be relatively up-to-date.

The CAcert web application code as well as the CAcert signer client code come
from :cacertgit:`cacert-devel`'s *release* branch.

The signer in :file:`/home/signer/cacert-devel/CommModule/server.pl` has a few
uncommitted manual modifications, and the whole working copy in
:file:`/home/signer/cacert-devel` is based on an old repository at
git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The
last commit in the working copy is::

   commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
   Merge: c33bbc5 a3d0b8a
   Author: Michael Tänzer <neo@nhng.de>
   Date:   Wed Apr 10 00:03:42 2013 +0200

       Merge branch 'bug-1159' into signer

.. todo::

   integrate or revert the changes to server.pl on test, use the current
   *release* branch version from :cacertgit:`cacert-devel`

Risk assessments on critical packages
-------------------------------------

The operating system on this container is no longer supported. The PHP version
in the :file:`/home/cacert/` chroot is 5.6.38, which is no longer supported
upstream.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: cats.test.cacert.org
   :altnames: DNS:cats.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cats_test_cacert_org.pem
   :serial: 50D3
   :expiration: Sep 28 13:47:31 2019 GMT
   :sha1fp: 6C:03:0D:4F:91:56:EA:74:A4:E4:70:4A:91:B1:4C:A3:99:CC:9C:4B
   :issuer: CAcert Testserver Root

.. sslcert:: mgr.test.cacert.org
   :altnames: DNS:mgr.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem
   :serial: 50D2
   :expiration: Sep 28 13:47:31 2019 GMT
   :sha1fp: C2:4B:F2:00:9B:A0:61:57:27:14:1C:08:47:50:6A:41:5B:D2:6F:05
   :issuer: CAcert Testserver Root

.. sslcert:: secure.test.cacert.org
   :altnames: DNS:secure.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/secure_test_cacert_org.pem
   :serial: 50D1
   :expiration: Sep 28 13:47:30 2019 GMT
   :sha1fp: 95:9A:3A:1B:C2:03:D6:90:F5:01:4A:F7:52:62:2D:B8:61:BD:B7:4B
   :issuer: CAcert Testserver Root

.. sslcert:: test.cacert.org (dovecot)
   :certfile: /etc/dovecot/dovecot.pem
   :keyfile: /etc/dovecot/private/dovecot.pem
   :serial: C362AEFE86DA5BFE
   :expiration: Jun 26 12:38:31 2024 GMT
   :sha1fp: 1E:60:68:36:53:BC:95:A8:35:AC:A0:38:09:69:29:74:10:52:04:1A
   :issuer: test.cacert.org

.. sslcert:: test.cacert.org
   :altnames: DNS:test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cacert.pem
   :serial: 50D0
   :expiration: Sep 28 13:47:30 2019 GMT
   :sha1fp: 94:FE:B0:94:F6:7C:F2:E2:57:75:49:05:17:86:99:5C:CE:40:24:AD
   :issuer: CAcert Testserver Root

**CA certificates on test**:

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/cacert.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 00
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5B:26:E7:61:8C:C1:A1:EB:F3:E1:28:22:03:7A:D6:9B:55:53:C3:9B
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/root_256.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 0F
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5E:7E:EE:06:07:0A:F6:A1:49:F9:E1:B1:13:14:D8:C2:A3:3C:07:52
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.md5.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 01
   :expiration: Mar 26 22:06:10 2021 GMT
   :sha1fp: F5:72:FF:19:C8:B5:3C:7C:29:1A:8D:90:92:09:5F:DD:24:C6:F8:41
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 101B
   :expiration: Apr 28 18:25:09 2021 GMT
   :sha1fp: 52:F9:80:58:5F:55:A0:F6:51:F0:A2:BC:75:20:FE:2C:48:96:79:55
   :issuer: CAcert Testserver Root

.. note::

   There are two directories :file:`/etc/root3/` and :file:`/etc/root4/` that
   are supported by the signer but do not contain actual keys and certificates.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

openssl configuration for the signer server
-------------------------------------------

There are some openssl configuration files used by the server.pl signer; they
are stored in :file:`/etc/ssl/{caname}-{purpose}.cnf`.

.. todo::

   check whether the openssl configuration files on test are equal to those in
   http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Apache httpd configuration
--------------------------

Apache httpd is running in a chroot :file:`/home/cacert/`; its configuration is
stored in :file:`/home/cacert/etc/apache2`.

Postfix configuration
---------------------

Postfix configuration is stored in :file:`/etc/postfix`.

Postfix is configured to accept mail for ``test.cacert.org`` and ``localhost``;
all mail is delivered to the mailbox of the *cacertmail* user in
:file:`/var/mail/cacertmail` via :file:`/etc/postfix/virtual.regexp`.

Dovecot configuration
---------------------

Dovecot is configured to use PAM for authentication, to support SSL and IMAP,
and to use mbox style mailboxes in :file:`/var/mail/%u` in the following files:

- :file:`/etc/dovecot/conf.d/10-auth.conf`
- :file:`/etc/dovecot/conf.d/10-mail.conf`
- :file:`/etc/dovecot/conf.d/20-imap.conf`
- :file:`/etc/dovecot/conf.d/auth-system.conf`

.. note::

   dovecot uses an old self-signed certificate for test.cacert.org

Tasks
=====

Planned
-------

.. todo::

   Upgrade test to Debian Stretch when the software is ready.

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`
   * https://codedocs.cacert.org/

References
----------

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/
Apache Debian wiki page
   https://wiki.debian.org/Apache
Dovecot documentation
   https://wiki2.dovecot.org/FrontPage
openssl documentation
   https://www.openssl.org/docs/
Postfix documentation
   http://www.postfix.org/documentation.html
Postfix Debian wiki page
   https://wiki.debian.org/Postfix