From 41bb72e04374a3f125dfdefdfae0f67fd5014f5c Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Tue, 17 Feb 2015 10:42:12 +0200
Subject: [PATCH] Revert user cert
---
 CHANGELOG.md | 91 -----------------------------
 app/models/api_user.rb | 2 +-
 app/views/admin/api_users/show.haml | 8 +--
 3 files changed, 5 insertions(+), 96 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79f0cc390..a742e960c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,94 +1,3 @@
-12.02.2015
-
-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-```
-
-Generate the root key (prompts for pass phrase):
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
-
-Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
-
-Make sure the following options are in place:
-```
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
-
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-```
-
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
-chmod 444 certs/ca.cert.pem
-```
-
-Configure EPP virtual host:
-```
-sudo nano /etc/apache2/sites-enabled/epp.conf
-```
-
-Replace this line:
-```
-SSLVerifyClient optional_no_ca
-```
-
-With these lines:
-```
- SSLVerifyClient require
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
-```
-
-Reload apache:
-```
-sudo /etc/init.d/apache2 reload
-```
-
-Configure application.yml to match the CA settings:
-```
-ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
-ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
-ca_key_password: 'registryalpha'
-```
-
 20.01.2015
 * Added dedicated mina cron:setup and mina cron:clear for manual cron management.
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index fe0368125..a067d00f1 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -9,7 +9,7 @@ class ApiUser < User
 validates :username, :password, :registrar, presence: true
 validates :username, uniqueness: true
- before_save :create_crt, if: -> (au) { au.csr_changed? }
+ # before_save :create_crt, if: -> (au) { au.csr_changed? }
 attr_accessor :registrar_typeahead
diff --git a/app/views/admin/api_users/show.haml b/app/views/admin/api_users/show.haml
index 63ffc3952..f8f09a701 100644
--- a/app/views/admin/api_users/show.haml
+++ b/app/views/admin/api_users/show.haml
@@ -43,7 +43,7 @@
 %dd -
 %dt= t('crt')
- - if @api_user.csr
- %dd= link_to(t('download'), download_crt_admin_api_user_path)
- - else
- %dd -
+ / - if @api_user.csr
+ / %dd= link_to(t('download'), download_crt_admin_api_user_path)
+ / - else
+ / %dd -
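Review bot: The `before_save :create_crt` callback in app/models/api_user.rb is commented out rather than removed, so the reverted certificate feature stays half in place with no stated reason. `create_crt` is not part of this hunk, and the `ApiUser` class body continues outside it, so the method and whatever it does with the CA key are presumably still defined and now unused. Either delete the line together with that method, or keep it with a reason such as `# Certificate issuing disabled (see <ticket>); re-enable together with the download link in admin/api_users/show.haml`. If it is re-enabled later, records whose CSR was saved in the meantime will not get a certificate, because `csr_changed?` is only true on the save that changes the column.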
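Review bot: The four added lines in app/views/admin/api_users/show.haml start with `/`, which in Haml emits an HTML comment, so the disabled template source, including the `download_crt_admin_api_user_path` helper name, ends up in the page source sent to the browser. Use the silent comment form instead, e.g. `-# - if @api_user.csr`, or delete the lines. The `%dt= t('crt')` context line stays active, so the page renders a certificate label with no `%dd` after it; it should be disabled with the rest, `-# %dt= t('crt')`. The commit only hides the link: the route and controller action behind `download_crt_admin_api_user_path` are not touched here, so if they still exist the download remains reachable by URL and should be removed or guarded as well.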