Merge branch 'master' of ssh://git.cacert.org/var/cache/git/cacert-infradocs
[cacert-infradocs.git] / docs / systems / test3.rst
1 .. index::
2 <<<<<<< HEAD
3 single: Systems; test3
4 =======
5 single: Systems; test
6 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
7
8 =====
9 Test3
10 =====
11
12 Purpose
13 =======
14
15 <<<<<<< HEAD
16 This is a test system for testing a version of the CAcert application software
17 revised to run with php-7.0 on Debian Stretch. When these tests are successful,
18 the other test servers and the production server running on www.cacert.org can
19 be upgraded to Debian Stretch. After that this server can probably be scrapped again.
20 =======
21 This is a test system for the software from cacertgit:`cacert-devel`'s
22 *release* branch running on www.cacert.org.
23 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
24
25 Application Links
26 -----------------
27
28 <<<<<<< HEAD
29 Application via HTTP:
30 http://test3.cacert.org:14980/
31
32 Application via HTTPS:
33 https://test3.cacert.org:14943/
34
35 =======
36 Application
37 https://test3.cacert.org:14943/
38 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
39
40 Administration
41 ==============
42
43 System Administration
44 ---------------------
45
46 * Primary: :ref:`people_wytze`
47 * Secondary: :ref:`people_jandd`
48
49
50 Application Administration
51 --------------------------
52
53 <<<<<<< HEAD
54 +------------------------+---------------------------------------+
55 | Application | Administrator(s) |
56 +========================+=======================================+
57 | CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
58 +------------------------+---------------------------------------+
59 =======
60 +------------------------+---------------------------------------+
61 | Application | Administrator(s) |
62 +========================+=======================================+
63 | CAcert web application | :ref:`people_dirk`, :ref:`people_ted` |
64 +------------------------+---------------------------------------+
65 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
66
67 Contact
68 -------
69
70 * test-admin@cacert.org
71
72 Additional People
73 -----------------
74
75 :ref:`people_dirk`, :ref:`people_gukk`, :ref:`people_mario`,
76 :ref:`people_mendel`, :ref:`people_neo` and :ref:`people_ted` have
77 :program:`sudo` access on that machine too.
78
79 Basics
80 ======
81
82 Physical Location
83 -----------------
84
85 This system is located in an :term:`LXC` container on physical machine
86 :doc:`infra02`.
87
88 Logical Location
89 ----------------
90
91 :IP Internet: :ip:v4:`213.154.225.248`
92 <<<<<<< HEAD
93 :IP Intranet: :ip:v4:`172.16.2.248`
94 :IP Internal: :ip:v4:`10.0.0.149`
95 :IPv6 Internet: :ip:v6:`2001:7b8:616:162:2::149`
96 :MAC address: :mac:`00:ff:ce:d1:22:1d` (eth0)
97
98 Because this system is sharing its IPv4 internet and intranet addresses with test.cacert.org,
99 there are some special mappings in the infra02 firewall to get access to this system:
100
101 * test.cacert.org port 14922 maps to test3 port 22 (ssh)
102 * test.cacert.org port 14980 maps to test3 port 80 (http)
103 * test.cacert.org port 14943 maps to test3 port 443 (https)
104
105 =======
106 :IP Intranet: :ip:v4:`172.16.2.149`
107 :IP Internal: :ip:v4:`10.0.0.149`
108 :IPv6: :ip:v6:`2001:7b8:616:162:2::149`
109 :MAC address: :mac:`00:ff:ce:d1:22:1d` (eth0)
110
111 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
112 .. seealso::
113
114 See :doc:`../network`
115
116 DNS
117 ---
118
119 .. index::
120 <<<<<<< HEAD
121 single: DNS records; test
122
123 ======================== ======== ============================================
124 Name Type Content
125 ======================== ======== ============================================
126 test3.cacert.org. IN A 213.154.225.248
127 secure.test3.cacert.org. IN CNAME test3.cacert.org
128 www.test3.cacert.org. IN CNAME test3.cacert.org
129 test3.cacert.org. IN SSHFP 1 1 39fd3b77396529f83e095ff09c59994c47d9e0d3
130 test3.cacert.org. IN SSHFP 1 2 680fe134289e79678f7eaa5689fdce3db5efed9f6ebefd5bcfadce04a96475c1
131 test3.cacert.org. IN SSHFP 2 1 70f5730c127bd701fc5c4baba329e93346a975c1
132 test3.cacert.org. IN SSHFP 2 2 364252b906aec15a00994620d5c90c0f692a41cbc8c6f3bfc229149511209328
133 test3.cacert.org. IN SSHFP 3 1 e4d81b532dc90ebb6d087ae732ce016b87945ebd
134 test3.cacert.org. IN SSHFP 3 2 71b5aedcc999e6ffc0f90eeb9254c8771ddaa6a4981cf55e8e2228f6bdee64ce
135 test3.cacert.org. IN SSHFP 4 1 50b22453f5c8d845895bacccbc1fc325d033f65d
136 test3.cacert.org. IN SSHFP 4 1 a928b84465769480d70dfc5ecd3af2e4cdb192ee11d1cffc4f31ea1fbed09d41
137 test3.intra.cacert.org. IN A 172.16.2.248
138 test.infra.cacert.org. IN A 10.0.0.149
139 ======================== ======== ============================================
140 =======
141 single: DNS records; Test3
142
143 ======================= ======== ====================================================================
144 Name Type Content
145 ======================= ======== ====================================================================
146 test3.cacert.org. IN SSHFP 1 1 39FD3B77396529F83E095FF09C59994C47D9E0D3
147 test3.cacert.org. IN SSHFP 1 2 680FE134289E79678F7EAA5689FDCE3DB5EFED9F6EBEFD5BCFADCE04A96475C1
148 test3.cacert.org. IN SSHFP 2 1 70F5730C127BD701FC5C4BABA329E93346A975C1
149 test3.cacert.org. IN SSHFP 2 2 364252B906AEC15A00994620D5C90C0F692A41CBC8C6F3BFC229149511209328
150 test3.cacert.org. IN SSHFP 3 1 E4D81B532DC90EBB6D087AE732CE016B87945EBD
151 test3.cacert.org. IN SSHFP 3 2 71B5AEDCC999E6FFC0F90EEB9254C8771DDAA6A4981CF55E8E2228F6BDEE64CE
152 test3.cacert.org. IN SSHFP 4 1 50B22453F5C8D845895BACCCBC1FC325D033F65D
153 test3.cacert.org. IN SSHFP 4 2 A928B84465769480D70DFC5ECD3AF2E4CDB192EE11D1CFFC4F31EA1FBED09D41
154 test3.cacert.org. IN A 213.154.225.248
155 test3.infra.cacert.org. IN A 10.0.0.149
156 ======================= ======== ====================================================================
157
158 .. todo:: add AAAA record for IPv6 address
159 .. todo:: add intra.cacert.org. A record
160 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
161
162 .. seealso::
163
164 See :wiki:`SystemAdministration/Procedures/DNSChanges`
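
Added example (not part of the CAcert documentation): a consistency check between the SSHFP records in the DNS table and the SHA256 host key fingerprints listed under Security. The function names are hypothetical; the sample records and fingerprints are copied from this page, including the ED25519 entry that pairs fingerprint type 1 with a 64-digit digest.

```python
import base64
import string

# SSHFP key algorithm and fingerprint type numbers (RFC 4255, 6594, 7479).
KEY_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
FP_HEX_LENGTH = {1: 40, 2: 64}  # type 1 = SHA-1, type 2 = SHA-256


def parse_sshfp(line):
    """Split 'owner IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    fields = line.split()
    if len(fields) != 6 or [f.upper() for f in fields[1:3]] != ["IN", "SSHFP"]:
        raise ValueError("not an SSHFP record: %r" % line)
    return int(fields[3]), int(fields[4]), fields[5].lower()


def openssh_sha256(hex_digest):
    """Render a SHA-256 digest the way ssh-keygen -l prints it."""
    raw = bytes.fromhex(hex_digest)
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def audit_sshfp(zone_lines, documented):
    """Return a list of problems; an empty list means DNS and docs agree.

    documented maps a key type name ("RSA", ...) to its SHA256:... fingerprint.
    """
    problems, have_sha256 = [], set()
    for line in zone_lines:
        try:
            alg, fptype, digest = parse_sshfp(line)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        name = KEY_ALGORITHMS.get(alg, "algorithm %d" % alg)
        wanted = FP_HEX_LENGTH.get(fptype)
        is_hex = all(c in string.hexdigits for c in digest)
        if wanted is None or not is_hex or len(digest) != wanted:
            problems.append("%s: fingerprint type %d does not fit a %d-character digest"
                            % (name, fptype, len(digest)))
            continue
        if fptype == 2:
            have_sha256.add(name)
            expected = documented.get(name)
            if expected is not None and openssh_sha256(digest) != expected:
                problems.append("%s: SSHFP digest differs from documented %s"
                                % (name, expected))
    for name in sorted(set(documented) - have_sha256):
        problems.append("%s: no SHA-256 SSHFP record for documented key" % name)
    return problems


# Records as they appear in the HEAD side of the DNS table on this page.
ZONE_HEAD = [
    "test3.cacert.org. IN SSHFP 1 1 39fd3b77396529f83e095ff09c59994c47d9e0d3",
    "test3.cacert.org. IN SSHFP 1 2 680fe134289e79678f7eaa5689fdce3db5efed9f6ebefd5bcfadce04a96475c1",
    "test3.cacert.org. IN SSHFP 4 1 50b22453f5c8d845895bacccbc1fc325d033f65d",
    "test3.cacert.org. IN SSHFP 4 1 a928b84465769480d70dfc5ecd3af2e4cdb192ee11d1cffc4f31ea1fbed09d41",
]
# Fingerprints as listed in the sshkeys directive on this page.
DOCUMENTED = {
    "RSA": "SHA256:aA/hNCieeWePfqpWif3OPbXv7Z9uvv1bz63OBKlkdcE",
    "ED25519": "SHA256:qSi4RGV2lIDXDfxezTry5M2xku4R0c/8TzHqH77QnUE",
}

if __name__ == "__main__":
    for problem in audit_sshfp(ZONE_HEAD, DOCUMENTED):
        print(problem)
```
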
165
166 Operating System
167 ----------------
168
169 .. index::
170 single: Debian GNU/Linux; Stretch
171 single: Debian GNU/Linux; 9.6
172
173 * Debian GNU/Linux 9.6
174
175 Applicable Documentation
176 ------------------------
177
178 <<<<<<< HEAD
179 Notes about installing the CAcert application on test3.cacert.org.
180
181 * Starting point is a Debian Stretch LXC setup from Jan Dittberner
182
183 * install the following packages (and their dependencies):
184
185 .. code-block:: bash
186
187 $ sudo apt-get install \
188 apache2 php7.0 php7.0-gmp php7.0-mysql php7.0-gd php7.0-recode php7.0-mbstring \
189 default-mysql-server gettext locales locales-all recode \
190 dnsutils whois locate rcs screen make ca-cacert \
191 libdevice-serialport-perl libfile-counterfile-perl xdelta
192
193 * enable the CAcert root certificates for normal operation via:
194
195 .. code-block:: bash
196
197 $ sudo dpkg-reconfigure ca-certificates
198
199 * create empty cacert database:
200
201 .. code-block:: bash
202
203 $ sudo mysql
204 > CREATE DATABASE cacert;
205 > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON cacert.* TO 'cacert'@'localhost' IDENTIFIED BY 'klodder';
206 > \q
207
208 * dump current cacert database on test.cacert.org:
209
210 .. code-block:: bash
211
212 $ mysqldump -u cacert -p --single-transaction cacert >BACKUP
213
214 * copy over cacert database BACKUP from test.cacert.org to test3.cacert.org
215
216 * import the database backup into the empty cacert database:
217
218 .. code-block:: bash
219
220 $ mysql -u cacert -p cacert <BACKUP
221
222 * copy scripts :file:`/etc/rc.local` and :file:`/usr/local/sbin/socat` from test.cacert.org
223
224 * copy signer files with :file:`collect-signer-files` script from test.cacert.org
225
226 * make small adjustments to scripts and install signer stuff in :file:`/etc`
227
228 * generate certificates for test.cacert.org based on CAcert test root with
229 :file:`~wytze/local/localcerts` script (using the locally installed signer config)
230
231 * copy :file:`/root/chroot` from test.cacert.org
232
233 * use updated :file:`mkchrootenv` script from
234 http://svn.cacert.org/CAcert/SystemAdministration/webdb/mkchrootenv
235 to set up :file:`/home/cacert`
236
237 * create :file:`/home/cacert/www/includes/mysql.php` from :file:`mysql.php.sample` prototype
238
239 * install commmodule client from :file:`/home/cacert/www/CommModule` in :file:`/etc/init.d`
240
241 * copy :file:`/etc/init.d/apache2` script to :file:`/etc/init.d/apache2-cacert` and modify
242 it to use chroot to the :file:`/home/cacert` environment:
243
244 .. code-block:: text
245
246 --- apache2 2018-04-05 18:32:55.000000000 +0000
247 +++ apache2-cacert 2018-11-20 16:05:38.740396894 +0000
248 @@ -1,22 +1,26 @@
249 #!/bin/sh
250 ### BEGIN INIT INFO
251 -# Provides: apache2
252 +# Provides: apache2-cacert
253 # Required-Start: $local_fs $remote_fs $network $syslog $named
254 # Required-Stop: $local_fs $remote_fs $network $syslog $named
255 # Default-Start: 2 3 4 5
256 # Default-Stop: 0 1 6
257 # X-Interactive: true
258 -# Short-Description: Apache2 web server
259 +# Short-Description: Apache2 web server for CAcert
260 # Description: Start the web server
261 # This script will start the apache2 web server.
262 ### END INIT INFO
263
264 -DESC="Apache httpd web server"
265 +DESC="Apache httpd web server for CAcert"
266 NAME=apache2
267 DAEMON=/usr/sbin/$NAME
268
269 +CHRDIR=/home/cacert/
270 +CHROOT="/usr/sbin/chroot ${CHRDIR}"
271 +
272 SCRIPTNAME="${0##*/}"
273 SCRIPTNAME="${SCRIPTNAME##[KS][0-9][0-9]}"
274 +SCRIPTNAME=apache2
275 if [ -n "$APACHE_CONFDIR" ] ; then
276 if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
277 DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}"
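Review bot: The added ``SCRIPTNAME=apache2`` unconditionally overrides the two assignments directly above it that derive the name from ``$0``, which leaves those lines dead and gives no reason for pinning the name. Either remove the derived assignments in this copy or add a comment explaining why a script installed as apache2-cacert has to keep identifying itself as apache2. ``CHROOT="/usr/sbin/chroot ${CHRDIR}"`` also only works when it is expanded unquoted, which deserves a comment next to the definition.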
278 @@ -53,8 +57,8 @@
279
280
281 # Now, set defaults:
282 -APACHE2CTL="$ENV apache2ctl"
283 -PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE)
284 +APACHE2CTL="${CHROOT} $ENV apache2ctl"
285 +PIDFILE=$(. ${CHRDIR}$APACHE_ENVVARS && echo ${CHRDIR}$APACHE_PID_FILE)
286 APACHE2_INIT_MESSAGE=""
287
288 CONFTEST_OUTFILE=
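Review bot: In the new ``PIDFILE=`` line, ``. ${CHRDIR}$APACHE_ENVVARS`` sources a file that lives inside the chroot tree into the init script's own shell, so its contents run outside the chroot with the privileges of whoever starts the service. Check that the file is owned by root and not group- or world-writable before sourcing it, and quote the expansions, for example ``. "${CHRDIR}${APACHE_ENVVARS}"``. Because ``CHRDIR`` is defined with a trailing slash, the concatenation produces a double slash whenever ``APACHE_ENVVARS`` is an absolute path; defining ``CHRDIR`` without the slash avoids that.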
289
290 * disable startup of :file:`apache2` and enable startup of :file:`apache2-cacert`:
291
292 .. code-block:: bash
293
294 $ sudo update-rc.d apache2 remove
295 $ sudo update-rc.d apache2-cacert defaults
296 =======
297 There is no additional documentation for this system.
298 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
299
300 Services
301 ========
302
303 Listening services
304 ------------------
305
306 <<<<<<< HEAD
307 +----------+---------+---------+--------------------------------------------+
308 | Port | Service | Origin | Purpose |
309 +==========+=========+=========+============================================+
310 | 22/tcp | ssh | ANY | admin console access |
311 +----------+---------+---------+--------------------------------------------+
312 | 25/tcp | smtp | local | mail delivery to local MTA |
313 +----------+---------+---------+--------------------------------------------+
314 | 80/tcp | http | ANY | Apache httpd for http://test3.cacert.org/ |
315 +----------+---------+---------+--------------------------------------------+
316 | 443/tcp | https | ANY | Apache httpd for https://test3.cacert.org/ |
317 +----------+---------+---------+--------------------------------------------+
318 | 3306/tcp | mysql | local | MySQL database for ... |
319 +----------+---------+---------+--------------------------------------------+
320 =======
321 +----------+---------+---------+-------------------------------------------+
322 | Port | Service | Origin | Purpose |
323 +==========+=========+=========+===========================================+
324 | 22/tcp | ssh | ANY | admin console access |
325 +----------+---------+---------+-------------------------------------------+
326 | 25/tcp | smtp | local | mail delivery to local MTA |
327 +----------+---------+---------+-------------------------------------------+
328 | 80/tcp | http | ANY | Apache httpd for http://test.cacert.org/ |
329 +----------+---------+---------+-------------------------------------------+
330 | 123/tcp | ntp | local | network time protocol server |
331 | 123/udp | | | |
332 +----------+---------+---------+-------------------------------------------+
333 | 143/tcp | imap | testmgr | Dovecot IMAP server |
334 +----------+---------+---------+-------------------------------------------+
335 | 443/tcp | https | ANY | Apache httpd for https://test.cacert.org/ |
336 +----------+---------+---------+-------------------------------------------+
337 | 993/tcp | imaps | testmgr | Dovecot IMAP server |
338 +----------+---------+---------+-------------------------------------------+
339 | 3306/tcp | mysql | local | MySQL database for ... |
340 +----------+---------+---------+-------------------------------------------+
341 | 5666/tcp | nrpe | monitor | remote monitoring service |
342 +----------+---------+---------+-------------------------------------------+
343 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
344
345 Running services
346 ----------------
347
348 .. index::
349 single: Apache
350 single: MySQL
351 single: Postfix
352 <<<<<<< HEAD
353 single: client.pl
354 single: cron
355 single: openssh
356 =======
357 single: atop
358 single: client.pl
359 single: cron
360 single: dovecot
361 single: nrpe
362 single: ntpd
363 single: openssh
364 single: puppet agent
365 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
366 single: rsyslog
367 single: signer.pl
368 single: socat
369
370 +----------------+--------------------------------+----------------------------------------+
371 | Service | Usage | Start mechanism |
372 +================+================================+========================================+
373 | Apache httpd | Webserver for the CAcert | init script |
374 <<<<<<< HEAD
375 | | web application | :file:`/etc/init.d/apache2-cacert` |
376 +----------------+--------------------------------+----------------------------------------+
377 | MySQL | MariaDB database server | init script |
378 =======
379 | | web application | :file:`/etc/init.d/apache2` |
380 +----------------+--------------------------------+----------------------------------------+
381 | MySQL | MySQL database server | init script |
382 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
383 | | for the CAcert web application | :file:`/etc/init.d/mysql` |
384 +----------------+--------------------------------+----------------------------------------+
385 | Postfix | SMTP server for local mail | init script |
386 | | submission | :file:`/etc/init.d/postfix` |
387 +----------------+--------------------------------+----------------------------------------+
388 <<<<<<< HEAD
389 =======
390 | atop | atop process accounting top | init script |
391 | | | :file:`/etc/init.d/atop` |
392 +----------------+--------------------------------+----------------------------------------+
393 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
394 | client.pl | CAcert signer client | init script |
395 | | | :file:`/etc/init.d/commmodule` |
396 +----------------+--------------------------------+----------------------------------------+
397 | cron | job scheduler | init script |
398 | | | :file:`/etc/init.d/cron` |
399 +----------------+--------------------------------+----------------------------------------+
400 <<<<<<< HEAD
401 | openssh server | ssh daemon for remote | init script :file:`/etc/init.d/ssh` |
402 | | administration | |
403 +----------------+--------------------------------+----------------------------------------+
404 =======
405 | dovecot | Dovecot IMAP server | init script |
406 | | | :file:`/etc/init.d/dovecot` |
407 +----------------+--------------------------------+----------------------------------------+
408 | Nagios NRPE | remote monitoring | init script |
409 | server | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
410 | | :doc:`monitor` | |
411 +----------------+--------------------------------+----------------------------------------+
412 | ntpd | Network time protocol server | init script |
413 | | | :file:`/etc/init.d/ntp` |
414 +----------------+--------------------------------+----------------------------------------+
415 | openssh server | ssh daemon for remote | init script :file:`/etc/init.d/ssh` |
416 | | administration | |
417 +----------------+--------------------------------+----------------------------------------+
418 | Puppet agent | configuration | init script |
419 | | management agent | :file:`/etc/init.d/puppet` |
420 +----------------+--------------------------------+----------------------------------------+
421 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
422 | rsyslog | syslog daemon | init script |
423 | | | :file:`/etc/init.d/syslog` |
424 +----------------+--------------------------------+----------------------------------------+
425 | server.pl | CAcert signer server | init script |
426 | | | :file:`/etc/init.d/commmodule-signer` |
427 +----------------+--------------------------------+----------------------------------------+
428 | socat | Emulate serial connection | entry in |
429 | | between CAcert signer | :file:`/etc/rc.local` that executes |
430 | | client and server | :file:`/usr/local/sbin/socat-signer` |
431 | | | inside a :program:`screen` session |
432 +----------------+--------------------------------+----------------------------------------+
433
434 Databases
435 ---------
436
437 +-------+--------+------------------------+
438 | RDBMS | Name | Used for |
439 +=======+========+========================+
440 | MySQL | cacert | CAcert web application |
441 +-------+--------+------------------------+
442
443 Connected Systems
444 -----------------
445
446 <<<<<<< HEAD
447 * (future) :doc:`monitor`
448 * (future) :doc:`testmgr` has access to imap and MySQL
449 =======
450 * :doc:`monitor`
451 * :doc:`testmgr` has access to imap and MySQL
452 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
453
454 Outbound network connections
455 ----------------------------
456
457 * :doc:`infra02` as resolving nameserver
458 <<<<<<< HEAD
459 * :doc:`proxyout` as HTTP proxy for APT and Github
460 * crl.cacert.org (rsync) for getting CRLs
461 * ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
462 * translations.cacert.org (HTTP and HTTPS) for obtaining fresh translations
463 =======
464 * :doc:`puppet` (tcp/8140) as Puppet master
465 * :doc:`proxyout` as HTTP proxy for APT and Github
466 * crl.cacert.org (rsync) for getting CRLs
467 * ocsp.cacert.org (HTTP and HTTPS) for OCSP queries
468 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
469 * arbitrary Internet SMTP servers for outgoing mail
470
471 Security
472 ========
473
474 <<<<<<< HEAD
475 .. add the MD5 fingerprints of the SSH host keys
476
477 .. todo:: add RSA, DSA, ECDSA, ED25519 keys for test
478 =======
479 .. sshkeys::
480 :RSA: SHA256:aA/hNCieeWePfqpWif3OPbXv7Z9uvv1bz63OBKlkdcE MD5:ff:56:e4:71:17:f0:6c:27:d9:a8:bc:45:c6:f9:3e:57
481 :DSA: SHA256:NkJSuQauwVoAmUYg1ckMD2kqQcvIxvO/wikUlREgkyg MD5:d3:88:96:39:08:bd:71:97:37:99:7c:a7:99:30:4d:e4
482 :ECDSA: SHA256:cbWu3MmZ5v/A+Q7rklTIdx3apqSYHPVejiIo9r3uZM4 MD5:96:65:fe:5a:4d:e6:b0:31:01:b8:4a:40:62:4a:86:61
483 :ED25519: SHA256:qSi4RGV2lIDXDfxezTry5M2xku4R0c/8TzHqH77QnUE MD5:20:10:47:d4:b8:04:e5:ed:2a:10:65:31:79:66:fc:c3
484 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
485
486 Dedicated user roles
487 --------------------
488
489 .. If the system has some dedicated user groups besides the sudo group used for
490 administration it should be documented here. Regular operating system groups
491 should not be documented.
492
493 +--------------+----------------------------+
494 | User | Purpose |
495 +==============+============================+
496 | cacertmail | IMAP mailbox user |
497 +--------------+----------------------------+
498
499 .. todo::
500
501 <<<<<<< HEAD
502 clarify why the signer software on test is currently running as the root
503 user
504
505 The directory :file:`/home/cacert/` is owned by root. The signer is running
506 from :file:`/home/signer/www/CommModule/server.pl`; the client is
507 running from :file:`/home/cacert/www/CommModule/client.pl`. Both are running as
508 root. Currently no process uses the *cacertsigner* user.
509
510 Non-distribution packages and modifications
511 -------------------------------------------
512
513 Apache httpd is running in a chroot :file:`/home/cacert/`; the configuration in
514 :file:`/etc/apache2` as well as the system binaries are not used. The Apache
515 httpd binary in the chroot environment is kept up to date with the system binary.
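
Added example (not part of the CAcert documentation): one way to check that the copies inside the chroot have not fallen behind the system files after a package upgrade. The function names and the list of directories are assumptions; only :file:`/home/cacert` comes from this page.

```python
import hashlib
import os


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stale_chroot_files(chroot, subdirs, system_root="/"):
    """Return sorted relative paths whose chroot copy differs from the system copy.

    Files that exist only inside the chroot (application code, site
    configuration) are skipped, because there is no system file to compare with.
    """
    stale = []
    for subdir in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(chroot, subdir)):
            for name in files:
                inside = os.path.join(dirpath, name)
                relative = os.path.relpath(inside, chroot)
                outside = os.path.join(system_root, relative)
                # Compare regular files only; symlinks resolve differently
                # inside and outside the chroot.
                if os.path.islink(inside) or not os.path.isfile(outside):
                    continue
                if sha256_of(inside) != sha256_of(outside):
                    stale.append(relative)
    return sorted(stale)


if __name__ == "__main__":
    # Assumed directory list: adjust to what mkchrootenv copies on the host.
    for path in stale_chroot_files("/home/cacert", ("usr/sbin", "usr/lib/apache2")):
        print("stale in chroot:", path)
```
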
516
517 The CAcert web application code as well as the CAcert signer client code come
518 from the official CAcert tarball.
519
520 The signer in :file:`/home/signer/www/CommModule/server.pl` has some minor
521 uncommitted manual modifications.
522 =======
523 clarify why the signer software on test3 is currently running as the root
524 user
525
526 Non-distribution packages and modifications
527 -------------------------------------------
528
529 The setup is similar to :doc:`test`.
530
531 Risk assessments on critical packages
532 -------------------------------------
533
534 The operating system is up to date.
535 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
536
537 Critical Configuration items
538 ============================
539
540 Keys and X.509 certificates
541 ---------------------------
542
543 <<<<<<< HEAD
544 .. sslcert:: secure.test3.cacert.org
545 :altnames: DNS:secure.test3.cacert.org
546 :certfile: /home/cacert/etc/ssl/certs/secure_test3_cacert_org.crt
547 :keyfile: /home/cacert/etc/ssl/private/secure_test3_cacert_org.pem
548 :serial: 50DA
549 :expiration: Nov 20 09:29:36 2019 GMT
550 :sha1fp: BA:C8:CB:B8:EB:DF:24:A8:A3:7A:D4:45:86:86:E5:01:97:F7:88:29
551 :issuer: CAcert Testserver Root
552
553 .. sslcert:: test3.cacert.org
554 :altnames: DNS:test3.cacert.org
555 :certfile: /home/cacert/etc/ssl/certs/test3_cacert_org.crt
556 :keyfile: /home/cacert/etc/ssl/private/test3_cacert_org.pem
557 :serial: 50D9
558 :expiration: Nov 20 09:29:35 2019 GMT
559 :sha1fp: F2:3C:3A:74:DE:33:69:6C:7E:EF:E4:D1:D1:51:CC:7B:5F:37:BF:2E
560 :issuer: CAcert Testserver Root
561
562 **CA certificates on test3**:
563
564 These test root certificates are copies of the ones on
565 :doc:`test`
566
567 .. note::
568
569 There are two directories :file:`/etc/root3/` and :file:`/etc/root4/` that
570 are supported by the signer but do not contain actual keys and certificates.
571 =======
572 .. todo:: document certificates on test3
573 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
574
575 .. seealso::
576
577 * :wiki:`SystemAdministration/CertificateList`
578
579 <<<<<<< HEAD
580 openssl configuration for the signer server
581 -------------------------------------------
582
583 There are some openssl configuration files that are used by the server.pl
584 signer that are stored in :file:`/etc/ssl/{caname}-{purpose}.cnf`.
585
586 These files are modified with respect to the reference version in
587 http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/.
588 The modifications involve recent development patches (CRL serial numbers)
589 and test server adjustments (copied over from test.cacert.org).
590
591 Apache httpd configuration
592 --------------------------
593
594 Apache httpd is running in a chroot :file:`/home/cacert/`; its configuration is
595 stored in :file:`/home/cacert/etc/apache2`.
596
597 Postfix configuration
598 ---------------------
599
600 Postfix configuration is stored in :file:`/etc/postfix`.
601
602 Postfix is configured to accept mail for ``test3.cacert.org`` and ``localhost``.
603 All mail is delivered to the mailbox of the *cacertmail* user in
604 :file:`/var/mail/cacertmail` via :file:`/etc/postfix/virtual.regexp`.
605 =======
606 .. todo:: document openssl configuration for the signer server on test3
607
608 .. todo:: document Apache httpd configuration on test3
609
610 .. todo:: document Postfix configuration on test3
611
612 .. todo:: document Dovecot configuration
613
614 Tasks
615 =====
616
617 Planned
618 -------
619
620 .. todo:: implement git workflows for updates maybe using :doc:`jenkins`
621
622 Changes
623 =======
624
625 System Future
626 -------------
627
628 .. * No plans
629 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
630
631 Additional documentation
632 ========================
633
634 .. seealso::
635
636 * :wiki:`PostfixConfiguration`
637 * https://codedocs.cacert.org/
638
639 References
640 ----------
641
642 Apache httpd documentation
643 http://httpd.apache.org/docs/2.4/
644 Apache Debian wiki page
645 https://wiki.debian.org/Apache
646 <<<<<<< HEAD
647 =======
648 Dovecot documentation
649 https://wiki2.dovecot.org/FrontPage
650 >>>>>>> e9bf1298af30076e32dc5bdd7cc87ca75f6eb09b
651 openssl documentation
652 https://www.openssl.org/docs/
653 Postfix documentation
654 http://www.postfix.org/documentation.html
655 Postfix Debian wiki page
656 https://wiki.debian.org/Postfix