[cacert-infradocs.git] / docs / systems / test3.rst
.. index::
   single: Systems; test3

=====
Test3
=====

Purpose
=======

This is a test system for testing a version of the CAcert application software
revised to run with php-7.0 on Debian Stretch. When these tests are successful,
the other test servers and the production server running on www.cacert.org can
be upgraded to Debian Stretch. After that this server can probably be scrapped again.

Application Links
-----------------

Application via HTTP:
http://test3.cacert.org:14980/

Application via HTTPS:
https://test3.cacert.org:14943/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_wytze`
* Secondary: :ref:`people_jandd`


Application Administration
--------------------------

+------------------------+---------------------------------------+
| Application            | Administrator(s)                      |
+========================+=======================================+
| CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
+------------------------+---------------------------------------+

Contact
-------

* test-admin@cacert.org

Additional People
-----------------

:ref:`people_dirk`, :ref:`people_gukk`, :ref:`people_mario`,
:ref:`people_mendel`, :ref:`people_neo` and :ref:`people_ted` have
:program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.248`
:IP Intranet: :ip:v4:`172.16.2.149`
:IP Internal: :ip:v4:`10.0.0.149`
:IPv6: :ip:v6:`2001:7b8:616:162:2::149`
:MAC address: :mac:`00:ff:ce:d1:22:1d` (eth0)

Because this system shares its IPv4 Internet address with test.cacert.org,
there are some special mappings in the infra02 firewall to get access to this system:

* test.cacert.org port 14922 maps to test3 port 22 (ssh)
* test.cacert.org port 14980 maps to test3 port 80 (http)
* test.cacert.org port 14943 maps to test3 port 443 (https)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Test3

======================== ======== ============================================
Name                     Type     Content
======================== ======== ============================================
test3.cacert.org.        IN A     213.154.225.248
secure.test3.cacert.org. IN CNAME test3.cacert.org
www.test3.cacert.org.    IN CNAME test3.cacert.org
test3.cacert.org.        IN SSHFP 1 1 39fd3b77396529f83e095ff09c59994c47d9e0d3
test3.cacert.org.        IN SSHFP 1 2 680fe134289e79678f7eaa5689fdce3db5efed9f6ebefd5bcfadce04a96475c1
test3.cacert.org.        IN SSHFP 2 1 70f5730c127bd701fc5c4baba329e93346a975c1
test3.cacert.org.        IN SSHFP 2 2 364252b906aec15a00994620d5c90c0f692a41cbc8c6f3bfc229149511209328
test3.cacert.org.        IN SSHFP 3 1 e4d81b532dc90ebb6d087ae732ce016b87945ebd
test3.cacert.org.        IN SSHFP 3 2 71b5aedcc999e6ffc0f90eeb9254c8771ddaa6a4981cf55e8e2228f6bdee64ce
test3.cacert.org.        IN SSHFP 4 1 50b22453f5c8d845895bacccbc1fc325d033f65d
test3.cacert.org.        IN SSHFP 4 1 a928b84465769480d70dfc5ecd3af2e4cdb192ee11d1cffc4f31ea1fbed09d41
test.infra.cacert.org.   IN A     10.0.0.149
======================== ======== ============================================

.. todo:: add AAAA record for IPv6 address
.. todo:: add intra.cacert.org. A record

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.6

* Debian GNU/Linux 9.6

Applicable Documentation
------------------------

Notes about installing the CAcert application on test3.cacert.org.

* Starting point is a Debian Stretch LXC setup from Jan Dittberner

* install the following packages (and their dependencies):

  .. code-block:: bash

     $ sudo apt-get install \
         apache2 php7.0 php7.0-gmp php7.0-mysql php7.0-gd php7.0-recode php7.0-mbstring \
         default-mysql-server gettext locales locales-all recode \
         dnsutils whois locate rcs screen make ca-cacert \
         libdevice-serialport-perl libfile-counterfile-perl xdelta

* enable the CAcert root certificates for normal operation via:

  .. code-block:: bash

     $ sudo dpkg-reconfigure ca-certificates

* create empty cacert database:

  .. code-block:: bash

     $ sudo mysql
     > CREATE DATABASE cacert;
     > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON cacert.* TO 'cacert'@'localhost' IDENTIFIED BY 'klodder';
     > \q

* dump current cacert database on test.cacert.org:

  .. code-block:: bash

     $ mysqldump -u cacert -p --single-transaction cacert >BACKUP

* copy over cacert database BACKUP from test.cacert.org to test3.cacert.org

* import the database backup into the empty cacert database:

  .. code-block:: bash

     $ mysql -u cacert -p cacert <BACKUP

* copy scripts :file:`/etc/rc.local` and :file:`/usr/local/sbin/socat` from test.cacert.org

* copy signer files with :file:`collect-signer-files` script from test.cacert.org

* make small adjustments to the scripts and install the signer files in :file:`/etc`

* generate certificates for test.cacert.org based on CAcert test root with
  :file:`~wytze/local/localcerts` script (using the locally installed signer config)

* copy :file:`/root/chroot` from test.cacert.org

* use updated :file:`mkchrootenv` script from
  http://svn.cacert.org/CAcert/SystemAdministration/webdb/mkchrootenv
  to set up :file:`/home/cacert`

* create :file:`/home/cacert/www/includes/mysql.php` from :file:`mysql.php.sample` prototype

* install the CommModule client from :file:`/home/cacert/www/CommModule` in :file:`/etc/init.d`

* copy :file:`/etc/init.d/apache2` script to :file:`/etc/init.d/apache2-cacert` and modify
  it to use chroot to the :file:`/home/cacert` environment:

  .. code-block:: text

     --- apache2 2018-04-05 18:32:55.000000000 +0000
     +++ apache2-cacert 2018-11-20 16:05:38.740396894 +0000
     @@ -1,22 +1,26 @@
     #!/bin/sh
     ### BEGIN INIT INFO
     -# Provides: apache2
     +# Provides: apache2-cacert
     # Required-Start: $local_fs $remote_fs $network $syslog $named
     # Required-Stop: $local_fs $remote_fs $network $syslog $named
     # Default-Start: 2 3 4 5
     # Default-Stop: 0 1 6
     # X-Interactive: true
     -# Short-Description: Apache2 web server
     +# Short-Description: Apache2 web server for CAcert
     # Description: Start the web server
     # This script will start the apache2 web server.
     ### END INIT INFO

     -DESC="Apache httpd web server"
     +DESC="Apache httpd web server for CAcert"
     NAME=apache2
     DAEMON=/usr/sbin/$NAME

     +CHRDIR=/home/cacert/
     +CHROOT="/usr/sbin/chroot ${CHRDIR}"
     +
     SCRIPTNAME="${0##*/}"
     SCRIPTNAME="${SCRIPTNAME##[KS][0-9][0-9]}"
     +SCRIPTNAME=apache2
     if [ -n "$APACHE_CONFDIR" ] ; then
     if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
     DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}"
     @@ -53,8 +57,8 @@


     # Now, set defaults:
     -APACHE2CTL="$ENV apache2ctl"
     -PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE)
     +APACHE2CTL="${CHROOT} $ENV apache2ctl"
     +PIDFILE=$(. ${CHRDIR}$APACHE_ENVVARS && echo ${CHRDIR}$APACHE_PID_FILE)
     APACHE2_INIT_MESSAGE=""

     CONFTEST_OUTFILE=
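
Review bot: in the first hunk the unconditional `SCRIPTNAME=apache2` turns the two `SCRIPTNAME=` computations directly above it into dead code, and nothing in the hunk says why the derived name is discarded; add a comment giving the reason (or remove the two now-useless lines) so that the next person editing `apache2-cacert` does not "fix" it back. Note also that `DAEMON=/usr/sbin/$NAME` is left unchanged, so any use of `$DAEMON` in the unmodified remainder of the script still refers to the binary outside the chroot, not the one under `/home/cacert`.
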
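
Review bot: in the second hunk, `PIDFILE=$(. ${CHRDIR}$APACHE_ENVVARS && echo ${CHRDIR}$APACHE_PID_FILE)` sources a file inside the chroot without checking that it exists; if it is missing, the subshell aborts and `PIDFILE` is left empty while the script itself carries on, so the problem only surfaces later when start, stop or status misbehave. A guard such as `[ -r "${CHRDIR}$APACHE_ENVVARS" ] || { echo "envvars missing in chroot" >&2; exit 1; }` before this line fails fast. Because `CHRDIR=/home/cacert/` ends with a slash, the concatenation yields a doubled slash whenever the variable that follows holds an absolute path; harmless, but dropping the trailing slash is cleaner. Finally, `APACHE2CTL="${CHROOT} $ENV apache2ctl"` now runs whatever `$ENV` expands to inside the chroot, so `/home/cacert` must provide that command and `apache2ctl` on the chrooted PATH.
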
* disable startup of :file:`apache2` and enable startup of :file:`apache2-cacert`:

  .. code-block:: bash

     $ sudo update-rc.d apache2 remove
     $ sudo update-rc.d apache2-cacert defaults

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------------------+
| Port     | Service | Origin  | Purpose                                    |
+==========+=========+=========+============================================+
| 22/tcp   | ssh     | ANY     | admin console access                       |
+----------+---------+---------+--------------------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA                 |
+----------+---------+---------+--------------------------------------------+
| 80/tcp   | http    | ANY     | Apache httpd for http://test3.cacert.org/  |
+----------+---------+---------+--------------------------------------------+
| 443/tcp  | https   | ANY     | Apache httpd for https://test3.cacert.org/ |
+----------+---------+---------+--------------------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for ...                     |
+----------+---------+---------+--------------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: client.pl
   single: cron
   single: openssh
   single: Puppet agent
   single: rsyslog
   single: server.pl
   single: socat

+----------------+--------------------------------+----------------------------------------+
| Service        | Usage                          | Start mechanism                        |
+================+================================+========================================+
| Apache httpd   | Webserver for the CAcert       | init script                            |
|                | web application                | :file:`/etc/init.d/apache2-cacert`     |
+----------------+--------------------------------+----------------------------------------+
| MySQL          | MariaDB database server        | init script                            |
|                | for the CAcert web application | :file:`/etc/init.d/mysql`              |
+----------------+--------------------------------+----------------------------------------+
| Postfix        | SMTP server for local mail     | init script                            |
|                | submission                     | :file:`/etc/init.d/postfix`            |
+----------------+--------------------------------+----------------------------------------+
| client.pl      | CAcert signer client           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule`         |
+----------------+--------------------------------+----------------------------------------+
| cron           | job scheduler                  | init script                            |
|                |                                | :file:`/etc/init.d/cron`               |
+----------------+--------------------------------+----------------------------------------+
| openssh server | ssh daemon for remote          | init script :file:`/etc/init.d/ssh`    |
|                | administration                 |                                        |
+----------------+--------------------------------+----------------------------------------+
| Puppet agent   | configuration                  | init script                            |
|                | management agent               | :file:`/etc/init.d/puppet`             |
+----------------+--------------------------------+----------------------------------------+
| rsyslog        | syslog daemon                  | init script                            |
|                |                                | :file:`/etc/init.d/syslog`             |
+----------------+--------------------------------+----------------------------------------+
| server.pl      | CAcert signer server           | init script                            |
|                |                                | :file:`/etc/init.d/commmodule-signer`  |
+----------------+--------------------------------+----------------------------------------+
| socat          | Emulate serial connection      | entry in                               |
|                | between CAcert signer          | :file:`/etc/rc.local` that executes    |
|                | client and server              | :file:`/usr/local/sbin/socat-signer`   |
|                |                                | inside a :program:`screen` session     |
+----------------+--------------------------------+----------------------------------------+

Databases
---------

+-------+--------+------------------------+
| RDBMS | Name   | Used for               |
+=======+========+========================+
| MySQL | cacert | CAcert web application |
+-------+--------+------------------------+

Connected Systems
-----------------

* (future) :doc:`monitor`
* (future) :doc:`testmgr` has access to IMAP and MySQL

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT and Github
* crl.cacert.org (rsync) for getting CRLs
* ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
* translations.cacert.org (HTTP and HTTPS) for obtaining fresh translations
* arbitrary Internet SMTP servers for outgoing mail

Security
========

.. sshkeys::
   :RSA: SHA256:aA/hNCieeWePfqpWif3OPbXv7Z9uvv1bz63OBKlkdcE MD5:ff:56:e4:71:17:f0:6c:27:d9:a8:bc:45:c6:f9:3e:57
   :DSA: SHA256:NkJSuQauwVoAmUYg1ckMD2kqQcvIxvO/wikUlREgkyg MD5:d3:88:96:39:08:bd:71:97:37:99:7c:a7:99:30:4d:e4
   :ECDSA: SHA256:cbWu3MmZ5v/A+Q7rklTIdx3apqSYHPVejiIo9r3uZM4 MD5:96:65:fe:5a:4d:e6:b0:31:01:b8:4a:40:62:4a:86:61
   :ED25519: SHA256:qSi4RGV2lIDXDfxezTry5M2xku4R0c/8TzHqH77QnUE MD5:20:10:47:d4:b8:04:e5:ed:2a:10:65:31:79:66:fc:c3
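
The SSHFP records in the DNS table above and the host-key fingerprints in the sshkeys block encode the same SHA-256 digests in two notations (hex in DNS, unpadded base64 in ``ssh-keygen -l`` output). The following Python check is added here as an example and is not part of the infradocs project: it converts one notation into the other, cross-checks the two sections, and flags records whose fingerprint-type field does not match the digest length; all record values are copied from this page.

```python
import base64

# SSHFP code points: algorithm 1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519;
# fingerprint type 1=SHA-1 (40 hex chars), 2=SHA-256 (64 hex chars).
ALGO_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
FPTYPE_HEX_LEN = {1: 40, 2: 64}

# SSHFP RDATA ("algorithm fptype digest") as published in the DNS table above.
SSHFP_RECORDS = """
1 1 39fd3b77396529f83e095ff09c59994c47d9e0d3
1 2 680fe134289e79678f7eaa5689fdce3db5efed9f6ebefd5bcfadce04a96475c1
2 1 70f5730c127bd701fc5c4baba329e93346a975c1
2 2 364252b906aec15a00994620d5c90c0f692a41cbc8c6f3bfc229149511209328
3 1 e4d81b532dc90ebb6d087ae732ce016b87945ebd
3 2 71b5aedcc999e6ffc0f90eeb9254c8771ddaa6a4981cf55e8e2228f6bdee64ce
4 1 50b22453f5c8d845895bacccbc1fc325d033f65d
4 1 a928b84465769480d70dfc5ecd3af2e4cdb192ee11d1cffc4f31ea1fbed09d41
"""

# Host-key fingerprints as listed in the sshkeys block above (ssh-keygen -l form).
SSHKEYS_SHA256 = {
    "RSA": "SHA256:aA/hNCieeWePfqpWif3OPbXv7Z9uvv1bz63OBKlkdcE",
    "DSA": "SHA256:NkJSuQauwVoAmUYg1ckMD2kqQcvIxvO/wikUlREgkyg",
    "ECDSA": "SHA256:cbWu3MmZ5v/A+Q7rklTIdx3apqSYHPVejiIo9r3uZM4",
    "ED25519": "SHA256:qSi4RGV2lIDXDfxezTry5M2xku4R0c/8TzHqH77QnUE",
}


def openssh_sha256_to_hex(fingerprint):
    """"SHA256:<unpadded base64>" (ssh-keygen -l) -> lowercase hex as in SSHFP type 2."""
    b64 = fingerprint.split(":", 1)[1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()


def parse_sshfp(text):
    """Parse "algo fptype hex" lines into (algo, fptype, hex) tuples."""
    return [(int(a), int(t), d.lower())
            for a, t, d in (line.split() for line in text.strip().splitlines())]


def check_records(records, sshkeys):
    """Per algorithm name: digest-length 'issues' and whether some record
    carries the SHA-256 digest of the documented host key ('sha256_match')."""
    report = {}
    for algo, fptype, digest in records:
        name = ALGO_NAMES.get(algo, "unknown-%d" % algo)
        entry = report.setdefault(name, {"issues": [], "sha256_match": False})
        if len(digest) != FPTYPE_HEX_LEN.get(fptype, -1):  # unknown type -> issue
            entry["issues"].append("fptype %d record with %d hex chars"
                                   % (fptype, len(digest)))
        if name in sshkeys and digest == openssh_sha256_to_hex(sshkeys[name]):
            entry["sha256_match"] = True
    return report


if __name__ == "__main__":
    print(check_records(parse_sshfp(SSHFP_RECORDS), SSHKEYS_SHA256))
```

Run against the values on this page, every documented key has a matching SHA-256 record, and the last Ed25519 record is reported because its type field says SHA-1 while the digest has SHA-256 length.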

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration it should be documented here. Regular operating system groups
   should not be documented.

+--------------+----------------------------+
| User         | Purpose                    |
+==============+============================+
| cacertmail   | IMAP mailbox user          |
+--------------+----------------------------+

.. todo::

   clarify why the signer software on test3 is currently running as the root
   user

The directory :file:`/home/cacert/` is owned by root. The signer is running
from :file:`/home/signer/www/CommModule/server.pl` and the client is
running from :file:`/home/cacert/www/CommModule/client.pl`. Both are running as
root. Currently no process uses the *cacertsigner* user.

Non-distribution packages and modifications
-------------------------------------------

The setup is similar to :doc:`test`.

Risk assessments on critical packages
-------------------------------------

The operating system is up-to-date.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: secure.test3.cacert.org
   :altnames: DNS:secure.test3.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/secure_test3_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/secure_test3_cacert_org.pem
   :serial: 50DA
   :expiration: Nov 20 09:29:36 2019 GMT
   :sha1fp: BA:C8:CB:B8:EB:DF:24:A8:A3:7A:D4:45:86:86:E5:01:97:F7:88:29
   :issuer: CAcert Testserver Root

.. sslcert:: test3.cacert.org
   :altnames: DNS:test3.cacert.org
   :certfile: /home/cacert/etc/ssl/certs/test3_cacert_org.crt
   :keyfile: /home/cacert/etc/ssl/private/test3_cacert_org.pem
   :serial: 50D9
   :expiration: Nov 20 09:29:35 2019 GMT
   :sha1fp: F2:3C:3A:74:DE:33:69:6C:7E:EF:E4:D1:D1:51:CC:7B:5F:37:BF:2E
   :issuer: CAcert Testserver Root

**CA certificates on test3**:

These test root certificates are copies of the ones on
:doc:`test`.

.. note::

   There are two directories :file:`/etc/root3/` and :file:`/etc/root4/` that
   are supported by the signer but do not contain actual keys and certificates.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

openssl configuration for the signer server
-------------------------------------------

The openssl configuration files used by the server.pl signer are stored in
:file:`/etc/ssl/{caname}-{purpose}.cnf`.

These files are modified with respect to the reference version in
http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/; the
modifications involve recent development patches (CRL serial numbers)
and test server adjustments (copied over from test.cacert.org).

Apache httpd configuration
--------------------------

Apache httpd is running in a chroot :file:`/home/cacert/`; its configuration is
stored in :file:`/home/cacert/etc/apache2`.

Postfix configuration
---------------------

Postfix configuration is stored in :file:`/etc/postfix`.

Postfix is configured to accept mail for ``test3.cacert.org`` and ``localhost``;
all mail is delivered to the mailbox of the *cacertmail* user in
:file:`/var/mail/cacertmail` via :file:`/etc/postfix/virtual.regexp`.

Tasks
=====

Planned
-------

.. todo:: implement git workflows for updates maybe using :doc:`jenkins`

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`
   * https://codedocs.cacert.org/

References
----------

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/
Apache Debian wiki page
   https://wiki.debian.org/Apache
openssl documentation
   https://www.openssl.org/docs/
Postfix documentation
   http://www.postfix.org/documentation.html
Postfix Debian wiki page
   https://wiki.debian.org/Postfix