Certificate provisioning for Apache web servers
This Ruby script automatically provisions Apache web servers with the required certificates.
It detects whether the web server is running multiple virtual hosts and requests a certificate for every web site that has SSL enabled. On every run it also checks whether the certificates are about to expire; if so, it automatically renews them and updates the Apache configuration.
PGP Command Line Version required (min): 10.0.0
PGP Universal Server Version required (min): 3.0.0
Script language: Ruby
Developed for platform: Linux
Platforms the script will work on: Linux, Unix, Windows
REQUIREMENTS:
-------------
* A reachable Universal server
* An SSL-enabled Apache installation, on Linux.
  - Working configuration files for Apache, with at least one SSL host. Multiple SSL hosts are recommended, on separate IP addresses.
* A licensed PGP Command Line on the same machine as the Apache server.

SETUP:
------
* Copy the script cert_provision.rb to the target Linux box.
* Edit the "config" section at the top of the script to match the IP or hostname of the KMS server, where to find the httpd.conf file(s), etc.
* Run an authenticated PGP Command Line KMS command and tell it to cache the authentication cookie. E.g.:

    pgp --usp-server 172.16.101.10 --usp-search-mak 'NOT(EQ(NAME,""))' --brief \
        --usp-cache-auth --auth-username usp-user --auth-passphrase passphrase

  The script assumes an authentication cookie exists. If it does not, it will fail with permission errors. Also note that the USP server string given on this command has to match the one in the config file; it is not sufficient that they resolve to the same machine.

TESTING/DEMO
------------
* For testing recognition of a valid existing configuration, just run the script (as root) on the existing config. If the cert/key are valid, they should be recognized (and assuming verbose mode, it will be displayed).
* For testing missing keys or certs, remove either a key or a cert (or both) from one of the configured hosts. Run the script. A new cert and key should be configured and put in place.
* For testing expired certs, place an expired cert in the right place for that host. Run the script, and make sure the certificate gets replaced.
* Any time a cert is issued, the httpd process will be restarted, so the virtual host should come up, and should be working, as soon as the script finishes.
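
One way to implement the two checks described above, finding the SSL-enabled virtual hosts and deciding whether each one needs a new certificate. This is an added example, not code from cert_provision.rb; the function names, the 30-day renewal window, the sample configuration and the self-signed test certificate are assumptions made for illustration.

```ruby
require 'openssl'

RENEW_WINDOW = 30 * 86_400 # assumed threshold: renew within 30 days of expiry
# Constructed sample configuration (addresses and paths are illustrative).
SAMPLE_CONF = <<~CONF
  <VirtualHost 192.0.2.10:443>
    ServerName shop.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/shop.crt
    SSLCertificateKeyFile /etc/pki/tls/private/shop.key
  </VirtualHost>
  <VirtualHost 192.0.2.10:80>
    ServerName plain.example.test
  </VirtualHost>
CONF

# Return one hash per <VirtualHost> block that contains an active "SSLEngine on".
def ssl_vhosts(conf_text)
  conf_text.scan(/^\s*<VirtualHost\s+([^>]+)>(.*?)^\s*<\/VirtualHost>/mi).filter_map do |addr, body|
    next unless body =~ /^\s*SSLEngine\s+on\b/i # commented-out lines do not match
    { addr: addr.strip,
      name: body[/^\s*ServerName\s+(\S+)/i, 1],
      cert: body[/^\s*SSLCertificateFile\s+"?([^"\s]+)/i, 1],
      key:  body[/^\s*SSLCertificateKeyFile\s+"?([^"\s]+)/i, 1] }
  end
end

# Classify a host's PEM data: :missing, :mismatch, :renew (expired or expiring) or :ok.
def cert_status(cert_pem, key_pem, now = Time.now)
  return :missing if cert_pem.nil? || key_pem.nil?
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  return :mismatch unless cert.check_private_key(key)
  cert.not_after - now < RENEW_WINDOW ? :renew : :ok
end

# Constructed self-signed certificate and key, used only as test input.
def sample_pair(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=shop.example.test')
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end
```

A caller would read the files named in :cert and :key, pass nil for a file that does not exist, and request a new certificate for any status other than :ok.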