#!/bin/sh

# Sudoers
#--------

/usr/sbin/addsudo /usr/bin/openssl app-certificate-manager-core

# ssl-cert group handling
#------------------------

if [ ! -e /var/clearos/certificate_manager/permissions_updated.v2 ]; then
    logger -p local6.notice -t installer "app-certificate-manager - updating ssl-cert permissions"
    find /etc/clearos/certificate_manager.d -not -group ssl-cert -exec chgrp ssl-cert  '{}' \;
    find /etc/clearos/certificate_manager.d -not -user root -exec chown root  '{}' \;
    find /etc/clearos/certificate_manager.d -type f -exec chmod 0640  '{}' \;
    chmod 644 /etc/clearos/certificate_manager.d/defaults.conf 2>/dev/null
    touch /var/clearos/certificate_manager/permissions_updated.v2
fi

# Generate temporary system certificates
#---------------------------------------
#
# We need to generate certificates for daemons.  An administrator may
# later create their own CA and system certificates, but this process
# will do in the interim.

KEY=/etc/pki/CA/bootstrap.key
CRT=/etc/pki/CA/bootstrap.crt
SSLCONF=/etc/pki/CA/openssl.cnf

if ( [ ! -s "$KEY" ] || [ ! -s $CRT ] ); then
    # Determine our hostname
    if [ -f /etc/hostname ]; then
        HOSTNAME=`cat /etc/hostname`
    elif [ -f /etc/sysconfig/network ]; then
        HOSTNAME=`grep "HOSTNAME=" /etc/sysconfig/network | sed 's/HOSTNAME=//g' | sed 's/"//g'`
    fi

    if [ -z "$HOSTNAME" ]; then
        HOSTNAME="server.lan"
    fi

    umask 77

    sed -e "s/^CN .*/CN = $HOSTNAME/" $SSLCONF > /var/tmp/openssl.cnf.$$

    # Generate keys
    logger -p local6.notice -t installer "app-certificate-manager - creating bootstrap key"
    /usr/bin/openssl genrsa -out $KEY 2048 2>/dev/null

    logger -p local6.notice -t installer "app-certificate-manager - creating bootstrap certificate"
    /usr/bin/openssl req -new -key $KEY -x509 -out $CRT -config /var/tmp/openssl.cnf.$$ \
            -days 3000 -set_serial `date "+%s"` 2>/dev/null

    # Fix file permissions and ownership
    chown root.root $KEY $CRT /var/tmp/openssl.cnf.$$
    chmod 640 $KEY $CRT
    rm -f /var/tmp/openssl.cnf.$$
fi

# Update master slave config
#---------------------------

/usr/clearos/apps/certificate_manager/deploy/master-slave

# Remove experimental default certificate
#----------------------------------------

if [ -e /etc/clearos/certificate_manager.d/_default_.crt ]; then
    rm -f /etc/clearos/certificate_manager.d/_default_.crt
fi

if [ -e /etc/clearos/certificate_manager.d/_default_.key ]; then
    rm -f /etc/clearos/certificate_manager.d/_default_.key
fi
