Add sudo and examples

2025-07-02 17:23:34 +02:00 · 2015-05-15 17:20:59 +03:00 · 2015-05-15 17:20:59 +03:00 · 936c570e1f
commit 936c570e1f
parent 379834bf72
3 changed files with 15 additions and 21 deletions
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@ -152,7 +152,7 @@ class Certificate < ActiveRecord::Base
    end

    def reload_apache
-      `/etc/init.d/apache2 reload`
+      `sudo /etc/init.d/apache2 reload`
    end
  end
 end
--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -13,7 +13,7 @@ devise_secret: 'please-change-it-you-can-generate-it-with-rake-secret'

 # Admin server configuration:
 openssl_config_path: '/etc/ssl/openssl.cnf'
-crl_path:     '/home/registry/registry/shared/ca/crl/crl.pem'
+crl_dir:     '/home/registry/registry/shared/ca/crl'
 ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path:  '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'your-root-key-password'
--- a/doc/certificates.md
+++ b/doc/certificates.md
@ -207,32 +207,26 @@ Cleanup:

    rm Juur-SK.pem.crt EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2007.pem.crt ESTEID-SK_2011.pem.crt

-From registry's bin directory, copy update-crl script to somewhere else (so it won't get overwritten during deploys). Configure `CRL_PATH` in the script.
+Make sure you have this line in application.yml:

-    sudo ./update-crl
+    crl_dir: '/home/registry/registry/shared/ca/crl'

-Edit root's crontab:
+In rails console:

-    sudo crontab -e
+    Certificate.update_crl

-Add:
+Update whenever:

-    00 01,13 * * * path-to-your-script
+    

+Configure apache:

-Apache reload without password
------------------------------
-
-Registrant and Registrar both should be able to reload Apache without password in order
-to refresh certificate deprication list for PKI and ID card.
-
-Example /etc/sudoers.d/apache2-no-password
-
-    username ALL=(ALL:ALL) ALL, NOPASSWD:/etc/init.d/apache2
-
-If this file is not preset, please create it with 'visudo'. All other edits should be done
-alse with 'visudo'
-
+    <Location /registrant/id>
+        SSLVerifyClient require
+        Options Indexes FollowSymLinks MultiViews
+        SSLVerifyDepth 2
+        SSLOptions +StdEnvVars +ExportCertData
+    </Location>

 Development env
 ---------------