Update certificate information for test.cacert.org.
[cacert-infradocs.git] / docs / systems / test.rst
.. index::
   single: Systems; test

====
Test
====

Purpose
=======

This is a test system for the software from :cacertgit:`cacert-devel`'s
*release* branch, i.e. the code that runs on www.cacert.org.

Application Links
-----------------

Application
   https://test.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_wytze`
* Secondary: :ref:`people_jandd`


Application Administration
--------------------------

+------------------------+---------------------------------------+
| Application            | Administrator(s)                      |
+========================+=======================================+
| CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
+------------------------+---------------------------------------+

Contact
-------

* test-admin@cacert.org

Additional People
-----------------

:ref:`people_dirk`, :ref:`people_gukk`, :ref:`people_mario`,
:ref:`people_mendel`, :ref:`people_neo` and :ref:`people_ted` have
:program:`sudo` access on this machine as well.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.248`
:IP Intranet: :ip:v4:`172.16.2.248`
:IP Internal: :ip:v4:`10.0.0.248`
:IPv6: :ip:v6:`2001:7b8:616:162:2::248`
:MAC address: :mac:`00:ff:91:10:5d:cd` (eth0)
68
69 .. seealso::
70
71 See :doc:`../network`
72
73 .. index::
74 single: Monitoring; Test
75
76 Monitoring
77 ----------
78
79 :internal checks: :monitor:`test.infra.cacert.org`
80
81 DNS
82 ---
83
84 .. index::
85 single: DNS records; Test
86
87 ====================== ======== ============================================
88 Name Type Content
89 ====================== ======== ============================================
90 test.cacert.org. IN A 213.154.225.248
91 test.cacert.org. IN SSHFP 1 1 11BCB0AB4D1FD39547426D9527B88AFB8FF85209
92 test.cacert.org. IN SSHFP 2 1 3414C17E5AE898B2F5DB7B3DDF9E34C2F5E816AC
93 test.intra.cacert.org. IN A 172.16.2.248
94 test.infra.cacert.org. IN A 10.0.0.248
95 ====================== ======== ============================================
96
97 .. todo:: add AAAA record for IPv6 address
98
99 .. seealso::
100
101 See :wiki:`SystemAdministration/Procedures/DNSChanges`
102
103 Operating System
104 ----------------
105
106 .. index::
107 single: Debian GNU/Linux; Jessie
108 single: Debian GNU/Linux; 8.11
109
110 * Debian GNU/Linux 8.11
111
112 Services
113 ========
114
115 Listening services
116 ------------------
117
118 +----------+---------+---------+-------------------------------------------+
119 | Port | Service | Origin | Purpose |
120 +==========+=========+=========+===========================================+
121 | 22/tcp | ssh | ANY | admin console access |
122 +----------+---------+---------+-------------------------------------------+
123 | 25/tcp | smtp | local | mail delivery to local MTA |
124 +----------+---------+---------+-------------------------------------------+
125 | 80/tcp | http | ANY | Apache httpd for http://test.cacert.org/ |
126 +----------+---------+---------+-------------------------------------------+
127 | 123/tcp | ntp | local | network time protocol server |
128 | 123/udp | | | |
129 +----------+---------+---------+-------------------------------------------+
130 | 143/tcp | imap | testmgr | Dovecot IMAP server |
131 +----------+---------+---------+-------------------------------------------+
132 | 443/tcp | https | ANY | Apache httpd for https://test.cacert.org/ |
133 +----------+---------+---------+-------------------------------------------+
134 | 993/tcp | imaps | testmgr | Dovecot IMAP server |
135 +----------+---------+---------+-------------------------------------------+
136 | 3306/tcp | mysql | local | MySQL database for ... |
137 +----------+---------+---------+-------------------------------------------+
138 | 5666/tcp | nrpe | monitor | remote monitoring service |
139 +----------+---------+---------+-------------------------------------------+
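
As an added example (not part of the CAcert infradocs or of any CAcert tool),
the following Python script checks a table like the one above against what a
host actually has open: it parses the documented ``port/proto`` rows and the
output of ``ss -Hlntu`` and reports listeners that are undocumented as well as
documented services that have no socket. The table rows are copied from this
page; the ``ss`` output is constructed for illustration and is not a capture
from test.cacert.org.

```python
# Added example (not part of the CAcert infradocs or the CAcert code base):
# compare the documented listening-services table with the sockets a host
# actually has open, as printed by ``ss -Hlntu``, and report drift in both
# directions. The table rows are copied from the page; the ``ss`` output is
# constructed for illustration and is NOT a capture from test.cacert.org.
import re

DOCUMENTED_TABLE = """\
| 22/tcp   | ssh     | ANY     | admin console access                      |
| 25/tcp   | smtp    | local   | mail delivery to local MTA                |
| 80/tcp   | http    | ANY     | Apache httpd for http://test.cacert.org/  |
| 123/tcp  | ntp     | local   | network time protocol server              |
| 123/udp  |         |         |                                           |
| 143/tcp  | imap    | testmgr | Dovecot IMAP server                       |
| 443/tcp  | https   | ANY     | Apache httpd for https://test.cacert.org/ |
| 993/tcp  | imaps   | testmgr | Dovecot IMAP server                       |
| 3306/tcp | mysql   | local   | MySQL database for ...                    |
| 5666/tcp | nrpe    | monitor | remote monitoring service                 |
"""

# Constructed sample (not a real capture): 993/tcp and 123/tcp are absent and
# 8080/tcp is an extra listener, so drift in both directions shows up.
CONSTRUCTED_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:143        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5666       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0               [::]:123           [::]:*
"""

# "| 22/tcp   |" -> port 22, proto tcp (continuation rows without a port are skipped)
DOC_ROW_RE = re.compile(r"^\|\s*(\d+)/(tcp|udp)\b")
# "tcp   LISTEN 0  128  0.0.0.0:22  0.0.0.0:*" -> proto, local address, port
SS_ROW_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def documented_listeners(table):
    """Set of (port, proto) pairs taken from the grid-table rows of the page."""
    found = set()
    for line in table.splitlines():
        m = DOC_ROW_RE.match(line)
        if m:
            found.add((int(m.group(1)), m.group(2)))
    return found


def bind_addresses(ss_output):
    """Map (port, proto) -> set of local addresses the socket is bound to."""
    binds = {}
    for line in ss_output.splitlines():
        m = SS_ROW_RE.match(line)
        if m:
            proto, addr, port = m.group(1), m.group(2), int(m.group(3))
            binds.setdefault((port, proto), set()).add(addr)
    return binds


def actual_listeners(ss_output):
    """Set of (port, proto) pairs that have at least one listening socket."""
    return set(bind_addresses(ss_output))


def drift(documented, actual):
    """Return (undocumented listeners, documented services not listening), sorted."""
    return sorted(actual - documented), sorted(documented - actual)


if __name__ == "__main__":
    documented = documented_listeners(DOCUMENTED_TABLE)
    binds = bind_addresses(CONSTRUCTED_SS_OUTPUT)
    undocumented, not_listening = drift(documented, set(binds))
    for port, proto in undocumented:
        addrs = ", ".join(sorted(binds[(port, proto)]))
        print(f"UNDOCUMENTED  {port}/{proto} bound to {addrs}")
    for port, proto in not_listening:
        print(f"NOT LISTENING {port}/{proto} (documented, but no socket)")
```

On the host itself the constructed text would be replaced by the real
``ss -Hlntu`` output. The *Origin* column of the table describes where
connections are expected from, not the bind address, so a service listed as
*local* that turns out to be bound to ``0.0.0.0`` is worth cross-checking
against the packet filter rather than against this table alone.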
140
141 Running services
142 ----------------
143
144 .. index::
145 single: Apache
146 single: MySQL
147 single: Postfix
148 single: atop
149 single: client.pl
150 single: cron
151 single: dovecot
152 single: nrpe
153 single: ntpd
154 single: openssh
155 single: rsyslog
156 single: signer.pl
157 single: socat
158
159 +----------------+--------------------------------+----------------------------------------+
160 | Service | Usage | Start mechanism |
161 +================+================================+========================================+
162 | Apache httpd | Webserver for the CAcert | init script |
163 | | web application | :file:`/etc/init.d/apache2` |
164 +----------------+--------------------------------+----------------------------------------+
165 | MySQL | MySQL database server | init script |
166 | | for the CAcert web application | :file:`/etc/init.d/mysql` |
167 +----------------+--------------------------------+----------------------------------------+
168 | Postfix | SMTP server for local mail | init script |
169 | | submission | :file:`/etc/init.d/postfix` |
170 +----------------+--------------------------------+----------------------------------------+
171 | atop | atop process accounting top | init script |
172 | | | :file:`/etc/init.d/atop` |
173 +----------------+--------------------------------+----------------------------------------+
174 | client.pl | CAcert signer client | init script |
175 | | | :file:`/etc/init.d/commmodule` |
176 +----------------+--------------------------------+----------------------------------------+
177 | cron | job scheduler | init script |
178 | | | :file:`/etc/init.d/cron` |
179 +----------------+--------------------------------+----------------------------------------+
180 | dovecot | Dovecot IMAP server | init script |
181 | | | :file:`/etc/init.d/dovecot` |
182 +----------------+--------------------------------+----------------------------------------+
183 | Nagios NRPE | remote monitoring | init script |
184 | server | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
185 | | :doc:`monitor` | |
186 +----------------+--------------------------------+----------------------------------------+
187 | ntpd | Network time protocol server | init script |
188 | | | :file:`/etc/init.d/ntp` |
189 +----------------+--------------------------------+----------------------------------------+
190 | openssh server | ssh daemon for remote | init script :file:`/etc/init.d/ssh` |
191 | | administration | |
192 +----------------+--------------------------------+----------------------------------------+
193 | rsyslog | syslog daemon | init script |
194 | | | :file:`/etc/init.d/syslog` |
195 +----------------+--------------------------------+----------------------------------------+
196 | server.pl | CAcert signer server | init script |
197 | | | :file:`/etc/init.d/commmodule-signer` |
198 +----------------+--------------------------------+----------------------------------------+
199 | socat | Emulate serial connection | entry in |
200 | | between CAcert signer | :file:`/etc/rc.local` that executes |
201 | | client and server | :file:`/usr/local/sbin/socat-signer` |
202 | | | inside a :program:`screen` session |
203 +----------------+--------------------------------+----------------------------------------+
204
205 Databases
206 ---------
207
208 +-------+--------+------------------------+
209 | RDBMS | Name | Used for |
210 +=======+========+========================+
211 | MySQL | cacert | CAcert web application |
212 +-------+--------+------------------------+
213
214 Connected Systems
215 -----------------
216
217 * :doc:`monitor`
218 * :doc:`testmgr` has access to imap and MySQL
219
220 Outbound network connections
221 ----------------------------
222
223 * :doc:`infra02` as resolving nameserver
224 * :doc:`proxyout` as HTTP proxy for APT and Github
225 * crl.cacert.org (rsync) for getting CRLs
226 * ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
227 * arbitrary Internet SMTP servers for outgoing mail
228
229 Security
230 ========
231
232 .. todo:: add the SHA-256 fingerprints of the SSH host keys
233
234 .. sshkeys::
235 :RSA: fd:19:a1:64:ae:ef:c2:50:a2:be:a4:c5:9f:f7:9d:98
236 :DSA: 1c:8c:39:5e:9e:0b:db:8e:c3:66:89:e3:3d:94:5e:13
237 :ECDSA: ac:fb:c8:88:d1:dd:e5:38:99:34:7b:29:54:e1:f2:f1
238
239 .. todo:: add ED25519 key for test
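
The SSHFP records in the DNS table and the fingerprints in the ``sshkeys``
block above are both derived from the host's public key files in
:file:`/etc/ssh`. The following Python script is an added example, not part of
the CAcert infradocs, that shows how: it computes the legacy colon-separated
MD5 fingerprint, the OpenSSH ``SHA256:`` fingerprint, and the SHA-1 (type 1)
and SHA-256 (type 2) SSHFP RDATA from a public key line, and verifies a key
line against a published record. The ed25519 key it uses is constructed from a
fixed byte pattern and is not the host key of test.cacert.org.

```python
# Added example (not part of the CAcert infradocs): compute the SSHFP RDATA and
# the host key fingerprints listed on this page from an OpenSSH public key line
# such as the content of /etc/ssh/ssh_host_ed25519_key.pub. The sample key
# below is built from a fixed byte pattern and is NOT the key of test.cacert.org.
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
HASH_FOR_FPTYPE = {1: "sha1", 2: "sha256"}


def parse_pubkey_line(line):
    """Split 'keytype base64 [comment]' and return (keytype, raw key blob).

    The blob embeds its own type string; it must agree with the first field,
    otherwise the line was mangled or deliberately altered.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type field does not match the encoded blob")
    return keytype, blob


def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint (the format of the sshkeys block)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_hex(hashname, blob):
    """Upper-case hex digest as it appears in SSHFP RDATA (ssh-keygen -r style)."""
    return hashlib.new(hashname, blob).hexdigest().upper()


def sshfp_records(owner, line):
    """Return the SHA-1 and SHA-256 SSHFP records for one host key line."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[keytype]
    return [
        (owner, "IN SSHFP", f"{algo} {SSHFP_FPTYPE[h]} {sshfp_hex(h, blob)}")
        for h in ("sha1", "sha256")
    ]


def verify_sshfp(line, rdata):
    """True if SSHFP RDATA ('algo fptype HEX') matches the key line."""
    keytype, blob = parse_pubkey_line(line)
    algo, fptype, hexfp = rdata.split()
    if int(algo) != SSHFP_ALGORITHM[keytype]:
        return False
    hashname = HASH_FOR_FPTYPE.get(int(fptype))
    if hashname is None:
        return False
    return sshfp_hex(hashname, blob) == hexfp.upper()


def constructed_ed25519_line():
    """Build a syntactically valid ssh-ed25519 line from a fixed 32-byte pattern.

    Constructed sample input only: not a real key and not usable as one.
    """
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


if __name__ == "__main__":
    sample = constructed_ed25519_line()
    _, blob = parse_pubkey_line(sample)
    print("MD5    ", md5_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
    for rr in sshfp_records("test.cacert.org.", sample):
        print(" ".join(rr))
```

On the host, ``ssh-keygen -r test.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub``
prints the same two SSHFP records and ``ssh-keygen -lf`` (with ``-E md5`` for
the legacy form) the fingerprints, so the script's output can be checked
against the tooling. Note that SSHFP records only protect clients that set
``VerifyHostKeyDNS`` and receive DNSSEC-validated answers; for everybody else
the fingerprints documented here remain the reference.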

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration it should be documented here. Regular operating system groups
   should not be documented.

+--------------+----------------------------+
| User         | Purpose                    |
+==============+============================+
| cacertmail   | IMAP mailbox user          |
+--------------+----------------------------+
| cacertsigner | User for the CAcert signer |
+--------------+----------------------------+

.. todo::

   clarify why the signer software on test is currently running as the root
   user

The directory :file:`/home/cacert/` is owned by root. The signer runs from
:file:`/home/signer/cacert-devel/CommModule/server.pl` and the client from
:file:`/home/cacert/www/CommModule/client.pl`; both run as root. Currently no
process uses the *cacertsigner* user.

Non-distribution packages and modifications
-------------------------------------------

Apache httpd runs in a chroot at :file:`/home/cacert/`; neither the
configuration in :file:`/etc/apache2` nor the distribution's binaries are used.
The Apache httpd binary itself appears to be relatively up to date.

The CAcert web application code as well as the CAcert signer client code come
from :cacertgit:`cacert-devel`'s *release* branch.

The signer in :file:`/home/signer/cacert-devel/CommModule/server.pl` has a few
uncommitted manual modifications, and the whole working copy in
:file:`/home/signer/cacert-devel` is based on an old repository at
git://git-cacert.it-sls.de/cacert-devel.git that is no longer available. The
last commit in the working copy is::

   commit 2262fe14e4bf1e0afb4ab7f9340e18a9f281ddfe
   Merge: c33bbc5 a3d0b8a
   Author: Michael Tänzer <neo@nhng.de>
   Date:   Wed Apr 10 00:03:42 2013 +0200

       Merge branch 'bug-1159' into signer

.. todo::

   integrate or revert the changes to server.pl on test, use the current
   *release* branch version from :cacertgit:`cacert-devel`

Risk assessments on critical packages
-------------------------------------

The operating system on this container is no longer supported. The PHP version
in the :file:`/home/cacert/` chroot is 5.6.38, which is no longer supported
upstream.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: cats.test.cacert.org
   :altnames: DNS:cats.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/cats_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cats_test_cacert_org.pem
   :serial: 50DD
   :expiration: Oct 4 07:07:08 2020 GMT
   :sha1fp: 3C:93:F3:83:25:AA:99:7A:65:A0:69:EF:41:FE:DF:EB:01:F1:2F:6F
   :issuer: CAcert Testserver Root

.. sslcert:: mgr.test.cacert.org
   :altnames: DNS:mgr.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/mgr_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/mgr_test_cacert_org.pem
   :serial: 50DC
   :expiration: Oct 4 07:07:08 2020 GMT
   :sha1fp: ED:44:E6:4C:C2:D3:E1:32:3D:2F:03:9F:19:DD:F3:B1:18:32:60:F6
   :issuer: CAcert Testserver Root

.. sslcert:: secure.test.cacert.org
   :altnames: DNS:secure.test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/secure_test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/secure_test_cacert_org.pem
   :serial: 50DB
   :expiration: Oct 4 07:07:08 2020 GMT
   :sha1fp: FB:83:D6:AF:6E:12:C7:94:D5:5A:2C:27:28:49:D3:65:6E:AE:90:FA
   :issuer: CAcert Testserver Root

.. sslcert:: test.cacert.org (dovecot)
   :certfile: /etc/dovecot/dovecot.pem
   :keyfile: /etc/dovecot/private/dovecot.pem
   :serial: C362AEFE86DA5BFE
   :expiration: Jun 26 12:38:31 2024 GMT
   :sha1fp: 1E:60:68:36:53:BC:95:A8:35:AC:A0:38:09:69:29:74:10:52:04:1A
   :issuer: test.cacert.org

.. sslcert:: test.cacert.org
   :altnames: DNS:test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cacert.pem
   :serial: 50DA
   :expiration: Oct 4 07:07:08 2020 GMT
   :sha1fp: 86:A9:00:E3:31:96:B9:8A:FC:83:00:F0:AE:02:8A:20:57:2D:8F:A1
   :issuer: CAcert Testserver Root

**CA certificates on test**:

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/cacert.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 00
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5B:26:E7:61:8C:C1:A1:EB:F3:E1:28:22:03:7A:D6:9B:55:53:C3:9B
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/root_256.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 0F
   :expiration: Mar 26 20:45:20 2021 GMT
   :sha1fp: 5E:7E:EE:06:07:0A:F6:A1:49:F9:E1:B1:13:14:D8:C2:A3:3C:07:52
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.md5.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 01
   :expiration: Mar 26 22:06:10 2021 GMT
   :sha1fp: F5:72:FF:19:C8:B5:3C:7C:29:1A:8D:90:92:09:5F:DD:24:C6:F8:41
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Class 3
   :altnames:
   :certfile: /etc/ssl/class3/cacert.crt
   :keyfile: /etc/ssl/class3/cacert.pem
   :serial: 101B
   :expiration: Apr 28 18:25:09 2021 GMT
   :sha1fp: 52:F9:80:58:5F:55:A0:F6:51:F0:A2:BC:75:20:FE:2C:48:96:79:55
   :issuer: CAcert Testserver Root

.. note::

   There are two directories :file:`/etc/root3/` and :file:`/etc/root4/` that
   are supported by the signer but do not contain actual keys and certificates.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`
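
As an added example (not CAcert's code), the Python script below reads
``sslcert::`` directives in the format used above and reports which
certificates are expired or close to expiry at a chosen reference date, and
which certificates share a private key file (as the two ``CAcert Testserver
Root`` entries above do). The directives embedded in it are copied from this
page; the reference date of 2021-01-01 and the 90-day warning window are
assumptions chosen for illustration.

```python
# Added example (not part of the CAcert infradocs or the CAcert code base):
# read ``.. sslcert::`` directives as used in the infradocs and report expiry
# status at a reference date plus certificates sharing one private key file.
# The directives below are copied from the page; the reference date used in
# __main__ is an assumption for illustration.
import re
from datetime import datetime, timedelta, timezone

SAMPLE_DIRECTIVES = """\
.. sslcert:: test.cacert.org (dovecot)
   :certfile: /etc/dovecot/dovecot.pem
   :keyfile: /etc/dovecot/private/dovecot.pem
   :serial: C362AEFE86DA5BFE
   :expiration: Jun 26 12:38:31 2024 GMT
   :issuer: test.cacert.org

.. sslcert:: test.cacert.org
   :altnames: DNS:test.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/test_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/cacert.pem
   :serial: 50DA
   :expiration: Oct 4 07:07:08 2020 GMT
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/cacert.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 00
   :expiration: Mar 26 20:45:20 2021 GMT
   :issuer: CAcert Testserver Root

.. sslcert:: CAcert Testserver Root
   :certfile: /etc/ssl/CA/root_256.crt
   :keyfile: /etc/ssl/CA/cacert.pem
   :serial: 0F
   :expiration: Mar 26 20:45:20 2021 GMT
   :issuer: CAcert Testserver Root
"""

DIRECTIVE_RE = re.compile(r"^\.\. sslcert::\s*(.+?)\s*$")
OPTION_RE = re.compile(r"^\s+:(\w+):\s*(.*?)\s*$")


def parse_sslcert_directives(text):
    """Return one dict per ``.. sslcert::`` block: {'name': ..., option: value, ...}."""
    certs = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            certs.append({"name": m.group(1)})
            continue
        m = OPTION_RE.match(line)
        if m and certs:
            certs[-1][m.group(1)] = m.group(2)
    return certs


def parse_openssl_date(value):
    """Parse an ``openssl x509 -enddate`` style timestamp such as 'Oct  4 07:07:08 2020 GMT'."""
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def utc(year, month, day):
    """Reference instant at midnight UTC (all dates on the page are GMT)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def expiry_report(certs, now, warn_days=30):
    """Classify each certificate as 'expired', 'expiring' or 'ok' relative to ``now``.

    Returns (certfile, status, whole days left) tuples, soonest expiry first.
    """
    rows = []
    for cert in certs:
        not_after = parse_openssl_date(cert["expiration"])
        days_left = (not_after - now).days
        if not_after <= now:
            status = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append((cert["certfile"], status, days_left))
    return sorted(rows, key=lambda row: row[2])


def shared_keys(certs):
    """Map each private key file used by more than one certificate to those certfiles."""
    by_key = {}
    for cert in certs:
        by_key.setdefault(cert["keyfile"], []).append(cert["certfile"])
    return {key: files for key, files in by_key.items() if len(files) > 1}


if __name__ == "__main__":
    certs = parse_sslcert_directives(SAMPLE_DIRECTIVES)
    reference = utc(2021, 1, 1)  # assumed reference date, not "today"
    for certfile, status, days in expiry_report(certs, reference, warn_days=90):
        print(f"{status:8} {days:6d} days  {certfile}")
    for keyfile, files in shared_keys(certs).items():
        print(f"key {keyfile} is used by: {', '.join(files)}")
```

Run over the full list of this section, the report gives the same answer as
``openssl x509 -noout -enddate -in <certfile>`` on each file, without needing
access to the host; with today's date instead of the assumed one it shows which
entries are overdue for renewal. The shared-key output is a reminder that
rotating one of the two root certificates without replacing
:file:`/etc/ssl/CA/cacert.pem` leaves the other one signed by the same key.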
395
396 openssl configuration for the signer server
397 -------------------------------------------
398
399 There are some openssl configuration files that are used by the server.pl
400 signer that are stored in :file:`/etc/ssl/{caname}-{purpose}.cnf`.
401
402 .. todo::
403
404 check whether the openssl configuration files on test are equal to those in
405 http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
406
407 Apache httpd configuration
408 --------------------------
409
410 Apache httpd is running in a chroot :file:`/home/cacert/` its configuration is
411 stored in :file:`/home/cacert/etc/apache2`.
412
413 Postfix configuration
414 ---------------------
415
416 Postfix configuration is stored in :file:`/etc/postfix`.
417
418 Postfix is configured to accept mail for ``test.cacert.org`` and ``localhost``
419 all mail is delivered to the mailbox of the *cacertmail* user in
420 :file:`/var/mail/cacertmail` via :file:`/etc/postfix/virtual.regexp`.
421
422 Dovecot configuration
423 ---------------------
424
425 Dovecot is configured to use pam for authentication and to support SSL and IMAP
426 and to use mbox style mailboxes in /var/mail/%u in the following files:
427
428 - :file:`/etc/dovecot/conf.d/10-auth.conf`
429 - :file:`/etc/dovecot/conf.d/10-mail.conf`
430 - :file:`/etc/dovecot/conf.d/20-imap.conf`
431 - :file:`/etc/dovecot/conf.d/auth-system.conf`
432
433 .. note::
434
435 dovecot uses an old self-signed certificate for test.cacert.org
436
437 Tasks
438 =====
439
440 Changes
441 =======
442
443 Planned
444 -------
445
446 .. todo::
447
448 Upgrade test to Debian Stretch when the software is ready.
449
450
451 System Future
452 -------------
453
454 .. * No plans
455
456 Additional documentation
457 ========================
458
459 .. seealso::
460
461 * :wiki:`PostfixConfiguration`
462 * https://codedocs.cacert.org/
463
464 References
465 ----------
466
467 Apache httpd documentation
468 http://httpd.apache.org/docs/2.4/
469 Apache Debian wiki page
470 https://wiki.debian.org/Apache
471 Dovecot documentation
472 https://wiki2.dovecot.org/FrontPage
473 openssl documentation
474 https://www.openssl.org/docs/
475 Postfix documentation
476 http://www.postfix.org/documentation.html
477 Postfix Debian wiki page
478 https://wiki.debian.org/Postfix