#!/bin/bash

# Copyright (C) 2018 by Mike Gabriel <mike.gabriel@it-zukunft-schule.de>

# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

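# Abort on the first failing command so a half-finished CA setup is not
# mistaken for a complete one.
set -e

# Intentionally empty. Used unquoted as the last word of multi-line commands
# so that every real argument line can end in a backslash.
NULL=""
# No trailing slash here: every use below appends "/<file>", and a trailing
# slash would put "//" into the paths printed for e2guardian.conf.
E2G_SSLDIR=/etc/e2guardian/ssl
E2G_GENCERTDIR=/var/lib/e2guardian/generatedcerts

# The directory itself is world-readable (0755) because it also holds the
# public CA certificate; the private keys inside are restricted per file.
mkdir -p -- "${E2G_SSLDIR}"
chmod 0755 -- "${E2G_SSLDIR}"
chown root:root -- "${E2G_SSLDIR}"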

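# Create the local CA that e2guardian uses to sign the certificates it
# presents to clients when SSL MITM filtering is enabled.
#
# ca.key is the most sensitive file produced here: whoever can read it can
# issue certificates that every client trusting ca.crt will accept. It must
# never be readable by "other", not even briefly.
#
# NOTE(review): running this script again overwrites an existing ca.key and
# ca.crt, so a previously distributed ca.crt no longer matches the CA in use
# -- confirm that this is intended before re-running on a configured host.

#######################################
# Generate a 4096-bit RSA private key readable only by root and the
# e2guardian group.
# Arguments: $1 - path of the key file to (re)create
# Outputs:   writes the PEM key to $1
# Returns:   non-zero if the file cannot be prepared or openssl fails
#######################################
generate_private_key() {
  local keyfile=$1

  # Put an empty file with the final owner and mode (0640) in place *before*
  # any key material is written. Writing first and tightening the mode
  # afterwards would leave the key readable under the default umask in between.
  install -m 0640 -o root -g e2guardian /dev/null "${keyfile}"

  # Redirecting into the existing file keeps its owner and mode.
  openssl genrsa 4096 > "${keyfile}"
}

generate_private_key "${E2G_SSLDIR}/ca.key"

# Self-signed CA certificate, valid for ten years. openssl prompts for the
# subject fields interactively.
openssl req -new \
            -x509 \
            -days 3650 \
            -sha256 \
            -key "${E2G_SSLDIR}/ca.key" \
            -out "${E2G_SSLDIR}/ca.crt"

# Convert to DER format
openssl x509 -in "${E2G_SSLDIR}/ca.crt" \
             -outform DER \
             -out "${E2G_SSLDIR}/ca.der"

# create e2guardian's secret key (configured as certprivatekeypath)
generate_private_key "${E2G_SSLDIR}/e2guardian.key"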


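# Create generatedcerts dir...
# This is the directory configured as generatedcertpath; only the e2guardian
# user gets access to it.
mkdir -p -- "${E2G_GENCERTDIR}"
chown e2guardian:e2guardian -- "${E2G_GENCERTDIR}"
# Options go before the mode and path so this does not depend on GNU-style
# argument permutation. The recursion also tightens anything left over from an
# earlier run.
# NOTE(review): chown above is not recursive while chmod is, and -f silences
# chmod's error messages -- confirm both are intended.
chmod -Rfv go-rwx -- "${E2G_GENCERTDIR}"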

# Print the follow-up instructions: the settings the admin has to add to the
# two e2guardian config files and where the CA certificate must be copied so
# that clients can import it. Only ca.crt / ca.der are meant to be
# distributed; ca.key stays on this host.
printf '%s\n' \
  "###" \
  "### All preparations done..." \
  "###" \
  "### Now read /usr/share/doc/e2guardian/ssl_mitm ..." \
  "###" \
  "### and set..." \
  '' \
  "/etc/e2guardian/e2guardian.conf:" \
  '' \
  '```' \
  "enablessl = on" \
  "cacertificatepath = '${E2G_SSLDIR}/ca.crt'" \
  "caprivatekeypath = '${E2G_SSLDIR}/ca.key'" \
  "certprivatekeypath = '${E2G_SSLDIR}/e2guardian.key'" \
  "generatedcertpath = '${E2G_GENCERTDIR}'" \
  '```' \
  '' \
  "###" \
  "### and set..." \
  '' \
  "/etc/e2guardian/e2guardianf1.conf:" \
  '' \
  '```' \
  "sslmitm = on" \
  '```' \
  '' \
  '' \
  "Finally, copy '${E2G_SSLDIR}/ca.crt' and 'ca.der' to TJENER as" \
  "/etc/debian-edu/www/E2Guardian-ca.crt and E2Guardian-ca.der." \
  ''