install.sh

   1 #!/bin/sh
   2 # The Girocco installation script
   3 # We will OVERWRITE basedir!
   4
   5 set -e
   6
   7 if [ -z "$MAKE" ]; then
   8         echo "ERROR: MAKE not set" >&2
   9         echo "Please run install.sh using 'make install'" >&2
  10         echo "or set MAKE to the name of the GNU make executable" >&2
  11         exit 1
  12 fi
  13
  14 # Run perl module checker
  15 if [ ! -x toolbox/check-perl-modules.pl ]; then
  16         echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
  17         exit 1
  18 fi
  19 toolbox/check-perl-modules.pl
  20
  21 # What Config should we use?
  22 [ -n "$GIROCCO_CONF" ] || GIROCCO_CONF=Girocco::Config
  23 echo "*** Initializing using $GIROCCO_CONF..."
  24
  25 # First run Girocco::Config consistency checks
  26 perl -I. -M$GIROCCO_CONF -e ''
  27
  28 . ./shlib.sh
  29
  30 owngroup=""
  31 [ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"
  32 if [ -n "$cfg_httpspushurl" -a -z "$cfg_certsdir" ]; then
  33         echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
  34         echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
  35         exit 1
  36 fi
  37
  38
  39 echo "*** Checking for compiled utilities..."
  40 if [ ! -x src/can_user_push ]; then
  41         echo "ERROR: src/can_user_push is not built! Did you _REALLY_ read INSTALL?" >&2
  42         echo "ERROR: perhaps you forgot to run make?" >&2
  43         exit 1
  44 fi
  45 if [ ! -x src/can_user_push_http ]; then
  46         echo "ERROR: src/can_user_push_http is not built! Did you _REALLY_ read INSTALL?" >&2
  47         echo "ERROR: perhaps you forgot to run make?" >&2
  48         exit 1
  49 fi
  50 if [ ! -x src/getent ]; then
  51         echo "ERROR: src/getent is not built! Did you _REALLY_ read INSTALL?" >&2
  52         echo "ERROR: perhaps you forgot to run make?" >&2
  53         exit 1
  54 fi
  55 if [ ! -x src/get_user_uuid ]; then
  56         echo "ERROR: src/get_user_uuid is not built! Did you _REALLY_ read INSTALL?" >&2
  57         echo "ERROR: perhaps you forgot to run make?" >&2
  58         exit 1
  59 fi
  60 if [ ! -x src/peek_packet ]; then
  61         echo "ERROR: src/peek_packet is not built! Did you _REALLY_ read INSTALL?" >&2
  62         echo "ERROR: perhaps you forgot to run make?" >&2
  63         exit 1
  64 fi
  65
  66
  67 echo "*** Checking for ezcert..."
  68 if [ ! -f ezcert.git/CACreateCert ]; then
  69         echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
  70         exit 1
  71 fi
  72
  73
  74 echo "*** Checking for git..."
  75 case "$cfg_git_bin" in /*) :;; *)
  76         echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
  77         exit 1
  78 esac
  79 if [ ! -x "$cfg_git_bin" ]; then
  80         echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
  81         exit 1
  82 fi
  83 if ! git_version="$("$cfg_git_bin" version)"; then
  84         echo "ERROR: $cfg_git_bin version failed" >&2
  85         exit 1
  86 fi
  87 case "$git_version" in
  88         [Gg]"it version "*) :;;
  89         *)
  90                 echo "ERROR: '$cfg_git_bin version' output does not start with 'git version '" >&2
  91                 exit 1
  92 esac
  93 echo "Found $cfg_git_bin $git_version"
  94 git_vernum="$(echo "$git_version" | sed -ne 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')"
  95 echo "*** Checking Git $git_vernum for compatibility..."
  96 if [ "$(vcmp "$git_vernum" 1.6.6)" -lt 0 ]; then
  97         echo 'ERROR: $Girocco::Config::git_bin must be at least Git version 1.6.6'
  98         exit 1
  99 fi
 100 if [ "$(vcmp "$git_vernum" 1.6.6.3)" -lt 0 ]; then
 101         echo 'WARNING: $Girocco::Config::git_bin version < 1.6.6.3, clients will not see useful error messages'
 102 fi
 103 if [ "$(vcmp "$git_vernum" 1.7.2)" -lt 0 ]; then
 104         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.2, some Girocco functionality will be disabled'
 105 fi
 106 if [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 1.7.5)" -lt 0 ]; then
 107         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.5 and mirroring enabled, some sources can cause an infinite fetch loop'
 108 fi
 109 if [ "$(vcmp "$git_vernum" 1.7.6.6)" -lt 0 ]; then
 110         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.6.6, performance may be degraded'
 111 fi
 112 if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ "$(vcmp "$git_vernum" 1.7.11)" -ge 0 ]; then
 113         echo 'WARNING: $Girocco::Config::git_bin version >= 1.7.11 and x86_64, make sure Git built WITHOUT XDL_FAST_HASH'
 114         echo 'WARNING: See http://thread.gmane.org/gmane.comp.version-control.git/261638 for details'
 115 fi
 116 if [ "$(vcmp "$git_vernum" 1.8.4.2)" -ge 0 ] && [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 2)" -lt 0 ]; then
 117         echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, git-daemon needs write access for shallow clones'
 118         echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, shallow clones will leave repository turds'
 119 fi
 120 if [ "$(vcmp "$git_vernum" 1.8.4.3)" -lt 0 ]; then
 121         echo 'WARNING: $Girocco::Config::git_bin version < 1.8.4.3, clients will not receive symref=HEAD:refs/heads/...'
 122 fi
 123 if [ "$(vcmp "$git_vernum" 2.1)" -lt 0 ]; then
 124         echo 'WARNING: $Girocco::Config::git_bin version < 2.1.0, pack bitmaps will not be available'
 125 fi
 126 if [ "$(vcmp "$git_vernum" 2.1)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.1.3)" -lt 0 ]; then
 127         echo 'WARNING: $Girocco::Config::git_bin version >= 2.1.0 and < 2.1.3, pack bitmaps may not be reliable, please upgrade to at least Git version 2.1.3'
 128 fi
 129 if [ -n "$cfg_mirror" -a "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
 130         cat <<'EOT'
 131
 132 ***
 133 *** WARNING: $Girocco::Config:git_bin is set to a questionable Git binary
 134 ***
 135
 136 You appear to have enabled mirroring and the Git binary you have selected
 137 appears to contain an experimental patch that cannot be disabled.  This
 138 patch can generate invalid network DNS traffic and/or cause long delays
 139 when fetching using the "git:" protocol when no port number is specified.
 140 It may also end up retrieving repsitory contents from a host other than
 141 the one specified in the "git:" URL when the port is omitted.
 142
 143 You are advised to either build your own version of Git (the problem patch
 144 is not part of the official Git repository) or disable mirroring (via the
 145 $Girocco::Config:mirror setting) to avoid these potential problems.
 146
 147 USE THE SELECTED GIT BINARY AT YOUR OWN RISK!
 148
 149 EOT
 150 fi
 151
 152
 153 chown_make() {
 154         if [ "$LOGNAME" = root -a -n "$SUDO_USER" -a "$SUDO_USER" != root ]; then
 155                 find "$@" -user root -print0 2>/dev/null | \
 156                 xargs $(: | xargs echo -r) -0 chown "$SUDO_USER:$(id -gn "$SUDO_USER")"
 157         elif [ "$LOGNAME" = root -a -z "$SUDO_USER" -o "$SUDO_USER" = root ]; then
 158                 echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
 159         fi
 160 }
 161
 162 echo "*** Setting up basedir..."
 163 "$MAKE" --no-print-directory --quiet apache.conf
 164 chown_make apache.conf
 165 "$MAKE" --no-print-directory --quiet -C src
 166 chown_make src
 167 rm -fr "$cfg_basedir"
 168 mkdir -p "$cfg_basedir"
 169 cp -pR Girocco jobd taskd gitweb html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
 170 cp -p src/can_user_push src/can_user_push_http src/get_user_uuid src/peek_packet \
 171         ezcert.git/CACreateCert cgi/authrequired.cgi "$cfg_basedir/bin"
 172 [ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
 173 [ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html
 174
 175 # Put the correct Config in place
 176 [ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"
 177
 178
 179 echo "*** Preprocessing scripts..."
 180 perl -I. -M$GIROCCO_CONF -i -p \
 181         -e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
 182         -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
 183         -e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
 184         -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
 185         -e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
 186         -e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
 187         -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
 188         -e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
 189         -e 's/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;' \
 190         -e 's/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;' \
 191         "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
 192         "$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
 193         "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
 194         "$cfg_basedir"/toolbox/*.sh "$cfg_basedir"/toolbox/*.pl \
 195         "$cfg_basedir"/toolbox/reports/*.sh \
 196         "$cfg_basedir"/bin/git-* \
 197         "$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
 198         "$cfg_basedir"/bin/authrequired.cgi "$cfg_basedir"/screen/*
 199
 200 # Dump all the cfg_ and defined_ variables to shlib_vars.sh
 201 get_girocco_config_var_list > "$cfg_basedir"/shlib_vars.sh
 202
 203 if [ -n "$cfg_mirror" ]; then
 204         echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
 205 fi
 206 echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
 207 echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
 208 echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"
 209
 210
 211 echo "*** Setting up repository root..."
 212 mkdir -p "$cfg_reporoot" "$cfg_reporoot-recyclebin"
 213 if [ "$cfg_owning_group" ]; then
 214         chgrp "$cfg_owning_group" "$cfg_reporoot" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot"
 215         chgrp "$cfg_owning_group" "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot-recyclebin"
 216 fi
 217 chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"
 218 chmod 02775 "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot-recyclebin properly"
 219
 220
 221 if [ -n "$cfg_chrooted" ]; then
 222         echo "*** Setting up chroot jail for pushing..."
 223         if [ "$(id -u)" -eq 0 ]; then
 224                 ./jailsetup.sh
 225         else
 226                 echo "WARNING: Skipping jail setup, not root"
 227         fi
 228 fi
 229
 230
 231 echo "*** Setting up jail configuration (project database)..."
 232 [ "$(id -u)" -eq 0 ] || ./jailsetup.sh dbonly
 233 mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
 234 touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
 235 chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc" ||
 236         echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
 237 chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
 238         echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
 239 chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
 240         echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
 241 chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"
 242
 243 echo "*** Setting up gitweb from git.git..."
 244 if [ ! -f git.git/Makefile ]; then
 245         echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 246         exit 1
 247 fi
 248 mkdir -p "$cfg_webroot" "$cfg_cgiroot"
 249 (cd git.git && "$MAKE" --no-print-directory --quiet NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" gitweb && \
 250         chown_make gitweb && \
 251         perl -pe 's/^(\s*use\s+warnings\s*;.*)$/#$1/' gitweb/gitweb.cgi > "$cfg_cgiroot"/gitweb.cgi.$$ && \
 252         chmod a+x "$cfg_cgiroot"/gitweb.cgi.$$ && \
 253         chown_make "$cfg_cgiroot"/gitweb.cgi.$$ && \
 254         mv -f "$cfg_cgiroot"/gitweb.cgi.$$ "$cfg_cgiroot"/gitweb.cgi && \
 255         cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$cfg_webroot")
 256
 257
 258 echo "*** Setting up git-browser from git-browser.git..."
 259 if [ ! -f git-browser.git/git-browser.cgi ]; then
 260         echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 261         exit 1
 262 fi
 263 mkdir -p "$cfg_webroot"/git-browser "$cfg_cgiroot"
 264 (cd git-browser.git && cp git-browser.cgi "$cfg_cgiroot" \
 265         && cp -r *.html *.js *.css js.lib JSON "$cfg_webroot"/git-browser)
 266 rm -f "$cfg_webroot"/git-browser/index.html
 267 ln -sf "$cfg_webroot/git-browser/JSON" "$cfg_cgiroot"
 268 cat >"$cfg_cgiroot"/git-browser.conf <<EOT
 269 gitbin: $cfg_git_bin
 270 warehouse: $cfg_reporoot
 271 EOT
 272 cat >"$cfg_webroot"/git-browser/GitConfig.js <<EOT
 273 cfg_gitweb_url="$cfg_gitweburl/"
 274 cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
 275 EOT
 276
 277
 278 echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
 279 if [ ! -d bzr-fastimport.git/exporters/darcs/ ]; then
 280         echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 281         exit 1
 282 fi
 283 mkdir -p "$cfg_basedir"/bin
 284 cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$cfg_basedir"/bin
 285
 286
 287 echo "*** Setting up hg-fast-export from fast-export.git..."
 288 if [ ! -f fast-export.git/hg-fast-export.py -o ! -f fast-export.git/hg2git.py ]; then
 289         echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 290         exit 1
 291 fi
 292 mkdir -p "$cfg_basedir"/bin
 293 cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$cfg_basedir"/bin
 294
 295
 296 echo "*** Setting up our part of the website..."
 297 mkdir -p "$cfg_webroot" "$cfg_cgiroot"
 298 cp cgi/*.cgi gitweb/gitweb_config.perl "$cfg_cgiroot"
 299 rm -f "$cfg_cgiroot"/authrequired.cgi
 300 [ -z "$cfg_httpspushurl" ] || cp "$cfg_basedir"/bin/authrequired.cgi "$cfg_cgiroot"
 301 [ -n "$cfg_httpspushurl" ] || rm -f "$cfg_cgiroot"/usercert.cgi
 302 ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
 303 [ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }
 304 if [ -z "$cfg_httpspushurl" ]; then
 305         grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_webroot/indextext.html"
 306 else
 307         cp gitweb/indextext.html "$cfg_webroot"
 308 fi
 309 mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
 310 cp mootools.js "$cfg_webroot"
 311 cp htaccess "$cfg_webroot/.htaccess"
 312 cp git-favicon.ico "$cfg_webroot/favicon.ico"
 313 cp robots.txt "$cfg_webroot"
 314 cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css
 315
 316
 317 if [ -n "$cfg_httpspushurl" ]; then
 318         echo "*** Setting up SSL certificates..."
 319         bits=2048
 320         if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
 321             bits="$cfg_rsakeylength"
 322         fi
 323         mkdir -p "$cfg_certsdir"
 324         [ -d "$cfg_certsdir" ]
 325         wwwcertcn=
 326         if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
 327                 wwwcertcn="$( \
 328                         openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject | \
 329                         sed -e 's,[^/]*,,' \
 330                 )"
 331         fi
 332         wwwcertdns=
 333         if [ -n "$cfg_wwwcertaltnames" ]; then
 334                 for dnsopt in $cfg_wwwcertaltnames; do
 335                         wwwcertdns="${wwwcertdns:+$wwwcertdns }--dns $dnsopt"
 336                 done
 337         fi
 338         wwwcertdnsfile=
 339         if [ -r "$cfg_certsdir/girocco_www_crt.dns" ]; then
 340                 wwwcertdnsfile="$(cat "$cfg_certsdir/girocco_www_crt.dns")"
 341         fi
 342         needroot=
 343         [ -e "$cfg_certsdir/girocco_client_crt.pem" -a \
 344         -e "$cfg_certsdir/girocco_client_key.pem" -a \
 345         -e "$cfg_certsdir/girocco_www_key.pem" -a \
 346         -e "$cfg_certsdir/girocco_www_crt.pem" -a "$wwwcertcn" = "/CN=$cfg_httpsdnsname" -a \
 347         -e "$cfg_certsdir/girocco_root_crt.pem" ] || needroot=1
 348         if [ -n "$needroot" -a ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
 349                 rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
 350                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
 351                 chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
 352                 rm -f "$cfg_certsdir/girocco_root_crt.pem"
 353                 echo "Created new root key"
 354         fi
 355         if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
 356                 ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
 357                         --out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
 358                 rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
 359                 rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
 360                 rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 361                 rm -f "$cfg_chroot/etc/sshcerts"/*.pem
 362                 echo "Created new root certificate"
 363         fi
 364         if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
 365                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
 366                 chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
 367                 rm -f "$cfg_certsdir/girocco_www_crt.pem"
 368                 echo "Created new www key"
 369         fi
 370         if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] || \
 371                 [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
 372                 openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
 373                 ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
 374                         --cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
 375                         --out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
 376                 printf '%s\n' "$wwwcertdns" > "$cfg_certsdir/girocco_www_crt.dns"
 377                 echo "Created www certificate"
 378         fi
 379         if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
 380                 cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
 381                 echo "Created www certificate chain file"
 382         fi
 383         if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
 384                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
 385                 chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
 386                 rm -f "$cfg_certsdir/girocco_client_crt.pem"
 387                 echo "Created new client key"
 388         fi
 389         if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
 390                 openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
 391                 ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
 392                         --cert "$cfg_certsdir/girocco_root_crt.pem" \
 393                         --out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
 394                 rm -f "$cfg_certsdir/girocco_client_suffix.pem"
 395                 rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 396                 rm -f "$cfg_chroot/etc/sshcerts"/*.pem
 397                 echo "Created client certificate"
 398         fi
 399         if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
 400                 cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
 401                 echo "Created client certificate suffix file"
 402         fi
 403         cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
 404         if [ -n "$cfg_mob" ]; then
 405                 if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
 406                         openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
 407                         chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
 408                         rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 409                         echo "Created new mob user key"
 410                 fi
 411                 if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
 412                         openssl rsa -in "$cfg_mobuserkey" -pubout |
 413                         ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
 414                                 --cert "$cfg_clientcert" \
 415                                 --out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
 416                         echo "Created mob user client certificate"
 417                 fi
 418                 cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
 419                 cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 420         else
 421                 rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 422         fi
 423 else
 424         rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
 425         rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 426 fi
 427
 428
 429 echo "*** Finalizing permissions..."
 430 chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
 431 [ -z "$cfg_httpspushurl" ] || chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"