install.sh

   1 #!/bin/sh
   2 # The Girocco installation script
   3 # We will OVERWRITE basedir!
   4
   5 set -e
   6
   7 if [ -z "$MAKE" ]; then
   8         echo "ERROR: MAKE not set" >&2
   9         echo "Please run install.sh using 'make install'" >&2
  10         echo "or set MAKE to the name of the GNU make executable" >&2
  11         exit 1
  12 fi
  13
  14 # Run perl module checker
  15 if [ ! -x toolbox/check-perl-modules.pl ]; then
  16         echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
  17         exit 1
  18 fi
  19 toolbox/check-perl-modules.pl
  20
  21 # What Config should we use?
  22 [ -n "$GIROCCO_CONF" ] || GIROCCO_CONF=Girocco::Config
  23 echo "*** Initializing using $GIROCCO_CONF..."
  24
  25 # First run Girocco::Config consistency checks
  26 perl -I. -M$GIROCCO_CONF -e ''
  27
  28 . ./shlib.sh
  29
  30 owngroup=""
  31 [ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"
  32 if [ -n "$cfg_httpspushurl" -a -z "$cfg_certsdir" ]; then
  33         echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
  34         echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
  35         exit 1
  36 fi
  37
  38
  39 echo "*** Checking for compiled utilities..."
  40 if [ ! -x src/can_user_push ]; then
  41         echo "ERROR: src/can_user_push is not built! Did you _REALLY_ read INSTALL?" >&2
  42         echo "ERROR: perhaps you forgot to run make?" >&2
  43         exit 1
  44 fi
  45 if [ ! -x src/can_user_push_http ]; then
  46         echo "ERROR: src/can_user_push_http is not built! Did you _REALLY_ read INSTALL?" >&2
  47         echo "ERROR: perhaps you forgot to run make?" >&2
  48         exit 1
  49 fi
  50 if [ ! -x src/getent ]; then
  51         echo "ERROR: src/getent is not built! Did you _REALLY_ read INSTALL?" >&2
  52         echo "ERROR: perhaps you forgot to run make?" >&2
  53         exit 1
  54 fi
  55 if [ ! -x src/get_user_uuid ]; then
  56         echo "ERROR: src/get_user_uuid is not built! Did you _REALLY_ read INSTALL?" >&2
  57         echo "ERROR: perhaps you forgot to run make?" >&2
  58         exit 1
  59 fi
  60 if [ ! -x src/peek_packet ]; then
  61         echo "ERROR: src/peek_packet is not built! Did you _REALLY_ read INSTALL?" >&2
  62         echo "ERROR: perhaps you forgot to run make?" >&2
  63         exit 1
  64 fi
  65
  66
  67 echo "*** Checking for ezcert..."
  68 if [ ! -f ezcert.git/CACreateCert ]; then
  69         echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
  70         exit 1
  71 fi
  72
  73
  74 echo "*** Checking for git..."
  75 case "$cfg_git_bin" in /*) :;; *)
  76         echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
  77         exit 1
  78 esac
  79 if [ ! -x "$cfg_git_bin" ]; then
  80         echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
  81         exit 1
  82 fi
  83 if ! git_version="$("$cfg_git_bin" version)"; then
  84         echo "ERROR: $cfg_git_bin version failed" >&2
  85         exit 1
  86 fi
  87 case "$git_version" in
  88         [Gg]"it version "*) :;;
  89         *)
  90                 echo "ERROR: '$cfg_git_bin version' output does not start with 'git version '" >&2
  91                 exit 1
  92 esac
  93 echo "Found $cfg_git_bin $git_version"
  94 git_vernum="$(echo "$git_version" | sed -ne 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')"
  95 echo "*** Checking Git $git_vernum for compatibility..."
  96 if [ "$(vcmp "$git_vernum" 1.6.6)" -lt 0 ]; then
  97         echo 'ERROR: $Girocco::Config::git_bin must be at least Git version 1.6.6'
  98         exit 1
  99 fi
 100 if [ "$(vcmp "$git_vernum" 1.6.6.3)" -lt 0 ]; then
 101         echo 'WARNING: $Girocco::Config::git_bin version < 1.6.6.3, clients will not see useful error messages'
 102 fi
 103 if [ "$(vcmp "$git_vernum" 1.7.2)" -lt 0 ]; then
 104         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.2, some Girocco functionality will be disabled'
 105 fi
 106 if [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 1.7.5)" -lt 0 ]; then
 107         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.5 and mirroring enabled, some sources can cause an infinite fetch loop'
 108 fi
 109 if [ "$(vcmp "$git_vernum" 1.7.6.6)" -lt 0 ]; then
 110         echo 'WARNING: $Girocco::Config::git_bin version < 1.7.6.6, performance may be degraded'
 111 fi
 112 if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ "$(vcmp "$git_vernum" 1.7.11)" -ge 0 ]; then
 113         echo 'WARNING: $Girocco::Config::git_bin version >= 1.7.11 and x86_64, make sure Git built WITHOUT XDL_FAST_HASH'
 114         echo 'WARNING: See http://thread.gmane.org/gmane.comp.version-control.git/261638 for details'
 115 fi
 116 if [ "$(vcmp "$git_vernum" 1.8.4.2)" -ge 0 ] && [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 2)" -lt 0 ]; then
 117         echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, git-daemon needs write access for shallow clones'
 118         echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, shallow clones will leave repository turds'
 119 fi
 120 if [ "$(vcmp "$git_vernum" 1.8.4.3)" -lt 0 ]; then
 121         echo 'WARNING: $Girocco::Config::git_bin version < 1.8.4.3, clients will not receive symref=HEAD:refs/heads/...'
 122 fi
 123 if [ "$(vcmp "$git_vernum" 2.1)" -lt 0 ]; then
 124         echo 'WARNING: $Girocco::Config::git_bin version < 2.1.0, pack bitmaps will not be available'
 125 fi
 126 if [ "$(vcmp "$git_vernum" 2.1)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.1.3)" -lt 0 ]; then
 127         echo 'WARNING: $Girocco::Config::git_bin version >= 2.1.0 and < 2.1.3, pack bitmaps may not be reliable, please upgrade to at least Git version 2.1.3'
 128 fi
 129 if [ -n "$cfg_mirror" -a "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
 130         cat <<'EOT'
 131
 132 ***
 133 *** WARNING: $Girocco::Config:git_bin is set to a questionable Git binary
 134 ***
 135
 136 You appear to have enabled mirroring and the Git binary you have selected
 137 appears to contain an experimental patch that cannot be disabled.  This
 138 patch can generate invalid network DNS traffic and/or cause long delays
 139 when fetching using the "git:" protocol when no port number is specified.
 140 It may also end up retrieving repsitory contents from a host other than
 141 the one specified in the "git:" URL when the port is omitted.
 142
 143 You are advised to either build your own version of Git (the problem patch
 144 is not part of the official Git repository) or disable mirroring (via the
 145 $Girocco::Config:mirror setting) to avoid these potential problems.
 146
 147 USE THE SELECTED GIT BINARY AT YOUR OWN RISK!
 148
 149 EOT
 150 fi
 151
 152
 153 chown_make() {
 154         if [ "$LOGNAME" = root -a -n "$SUDO_USER" -a "$SUDO_USER" != root ]; then
 155                 find "$@" -user root -print0 2>/dev/null | \
 156                 xargs $(: | xargs echo -r) -0 chown "$SUDO_USER:$(id -gn "$SUDO_USER")"
 157         elif [ "$LOGNAME" = root -a -z "$SUDO_USER" -o "$SUDO_USER" = root ]; then
 158                 echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
 159         fi
 160 }
 161
 162 echo "*** Setting up basedir..."
 163 "$MAKE" --no-print-directory --quiet apache.conf
 164 chown_make apache.conf
 165 "$MAKE" --no-print-directory --quiet -C src
 166 chown_make src
 167 rm -fr "$cfg_basedir"
 168 mkdir -p "$cfg_basedir"
 169 cp -pR Girocco jobd taskd gitweb html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
 170 cp -p src/can_user_push src/can_user_push_http src/get_user_uuid src/peek_packet \
 171         ezcert.git/CACreateCert cgi/authrequired.cgi "$cfg_basedir/bin"
 172 [ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
 173 [ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html
 174
 175 # Put the correct Config in place
 176 [ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"
 177
 178
 179 echo "*** Preprocessing scripts..."
 180 perl -I. -M$GIROCCO_CONF -i -p \
 181         -e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
 182         -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
 183         -e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
 184         -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
 185         -e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
 186         -e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
 187         -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
 188         -e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
 189         -e 's/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;' \
 190         -e 's/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;' \
 191         "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
 192         "$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
 193         "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
 194         "$cfg_basedir"/toolbox/*.sh "$cfg_basedir"/toolbox/*.pl \
 195         "$cfg_basedir"/toolbox/reports/*.sh \
 196         "$cfg_basedir"/bin/git-* \
 197         "$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
 198         "$cfg_basedir"/bin/authrequired.cgi "$cfg_basedir"/screen/*
 199
 200 # Dump all the cfg_ and defined_ variables to shlib_vars.sh
 201 get_girocco_config_var_list > "$cfg_basedir"/shlib_vars.sh
 202
 203 if [ -n "$cfg_mirror" ]; then
 204         echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
 205 fi
 206 echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
 207 echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
 208 echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"
 209
 210
 211 echo "*** Setting up repository root..."
 212 mkdir -p "$cfg_reporoot" "$cfg_reporoot-recyclebin"
 213 if [ "$cfg_owning_group" ]; then
 214         chgrp "$cfg_owning_group" "$cfg_reporoot" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot"
 215         chgrp "$cfg_owning_group" "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot-recyclebin"
 216 fi
 217 chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"
 218 chmod 02775 "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot-recyclebin properly"
 219
 220
 221 if [ -n "$cfg_chrooted" ]; then
 222         echo "*** Setting up chroot jail for pushing..."
 223         if [ "$(id -u)" -eq 0 ]; then
 224                 ./jailsetup.sh
 225         else
 226                 echo "WARNING: Skipping jail setup, not root"
 227         fi
 228 fi
 229
 230
 231 echo "*** Setting up jail configuration (project database)..."
 232 [ "$(id -u)" -eq 0 ] || ./jailsetup.sh dbonly
 233 mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
 234 touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
 235 chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc" ||
 236         echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
 237 chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
 238         echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
 239 chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
 240         echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
 241 chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"
 242
 243 echo "*** Setting up gitweb from git.git..."
 244 if [ ! -f git.git/Makefile ]; then
 245         echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 246         exit 1
 247 fi
 248 mkdir -p "$cfg_webroot" "$cfg_cgiroot"
 249 (cd git.git && "$MAKE" --no-print-directory --quiet NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" gitweb && \
 250         chown_make gitweb && \
 251         cp gitweb/gitweb.cgi "$cfg_cgiroot" && \
 252         cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$cfg_webroot")
 253
 254
 255 echo "*** Setting up git-browser from git-browser.git..."
 256 if [ ! -f git-browser.git/git-browser.cgi ]; then
 257         echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 258         exit 1
 259 fi
 260 mkdir -p "$cfg_webroot"/git-browser "$cfg_cgiroot"
 261 (cd git-browser.git && cp git-browser.cgi "$cfg_cgiroot" \
 262         && cp -r *.html *.js *.css js.lib JSON "$cfg_webroot"/git-browser)
 263 rm -f "$cfg_webroot"/git-browser/index.html
 264 ln -sf "$cfg_webroot/git-browser/JSON" "$cfg_cgiroot"
 265 cat >"$cfg_cgiroot"/git-browser.conf <<EOT
 266 gitbin: $cfg_git_bin
 267 warehouse: $cfg_reporoot
 268 EOT
 269 cat >"$cfg_webroot"/git-browser/GitConfig.js <<EOT
 270 cfg_gitweb_url="$cfg_gitweburl/"
 271 cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
 272 EOT
 273
 274
 275 echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
 276 if [ ! -d bzr-fastimport.git/exporters/darcs/ ]; then
 277         echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 278         exit 1
 279 fi
 280 mkdir -p "$cfg_basedir"/bin
 281 cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$cfg_basedir"/bin
 282
 283
 284 echo "*** Setting up hg-fast-export from fast-export.git..."
 285 if [ ! -f fast-export.git/hg-fast-export.py -o ! -f fast-export.git/hg2git.py ]; then
 286         echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
 287         exit 1
 288 fi
 289 mkdir -p "$cfg_basedir"/bin
 290 cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$cfg_basedir"/bin
 291
 292
 293 echo "*** Setting up our part of the website..."
 294 mkdir -p "$cfg_webroot" "$cfg_cgiroot"
 295 cp cgi/*.cgi gitweb/gitweb_config.perl "$cfg_cgiroot"
 296 rm -f "$cfg_cgiroot"/authrequired.cgi
 297 [ -z "$cfg_httpspushurl" ] || cp "$cfg_basedir"/bin/authrequired.cgi "$cfg_cgiroot"
 298 [ -n "$cfg_httpspushurl" ] || rm -f "$cfg_cgiroot"/usercert.cgi
 299 ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
 300 [ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }
 301 if [ -z "$cfg_httpspushurl" ]; then
 302         grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_webroot/indextext.html"
 303 else
 304         cp gitweb/indextext.html "$cfg_webroot"
 305 fi
 306 mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
 307 cp mootools.js "$cfg_webroot"
 308 cp htaccess "$cfg_webroot/.htaccess"
 309 cp git-favicon.ico "$cfg_webroot/favicon.ico"
 310 cp robots.txt "$cfg_webroot"
 311 cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css
 312
 313
 314 if [ -n "$cfg_httpspushurl" ]; then
 315         echo "*** Setting up SSL certificates..."
 316         bits=2048
 317         if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
 318             bits="$cfg_rsakeylength"
 319         fi
 320         mkdir -p "$cfg_certsdir"
 321         [ -d "$cfg_certsdir" ]
 322         wwwcertcn=
 323         if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
 324                 wwwcertcn="$( \
 325                         openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject | \
 326                         sed -e 's,[^/]*,,' \
 327                 )"
 328         fi
 329         wwwcertdns=
 330         if [ -n "$cfg_wwwcertaltnames" ]; then
 331                 for dnsopt in $cfg_wwwcertaltnames; do
 332                         wwwcertdns="${wwwcertdns:+$wwwcertdns }--dns $dnsopt"
 333                 done
 334         fi
 335         wwwcertdnsfile=
 336         if [ -r "$cfg_certsdir/girocco_www_crt.dns" ]; then
 337                 wwwcertdnsfile="$(cat "$cfg_certsdir/girocco_www_crt.dns")"
 338         fi
 339         needroot=
 340         [ -e "$cfg_certsdir/girocco_client_crt.pem" -a \
 341         -e "$cfg_certsdir/girocco_client_key.pem" -a \
 342         -e "$cfg_certsdir/girocco_www_key.pem" -a \
 343         -e "$cfg_certsdir/girocco_www_crt.pem" -a "$wwwcertcn" = "/CN=$cfg_httpsdnsname" -a \
 344         -e "$cfg_certsdir/girocco_root_crt.pem" ] || needroot=1
 345         if [ -n "$needroot" -a ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
 346                 rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
 347                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
 348                 chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
 349                 rm -f "$cfg_certsdir/girocco_root_crt.pem"
 350                 echo "Created new root key"
 351         fi
 352         if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
 353                 ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
 354                         --out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
 355                 rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
 356                 rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
 357                 rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 358                 rm -f "$cfg_chroot/etc/sshcerts"/*.pem
 359                 echo "Created new root certificate"
 360         fi
 361         if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
 362                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
 363                 chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
 364                 rm -f "$cfg_certsdir/girocco_www_crt.pem"
 365                 echo "Created new www key"
 366         fi
 367         if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] || \
 368                 [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
 369                 openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
 370                 ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
 371                         --cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
 372                         --out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
 373                 printf '%s\n' "$wwwcertdns" > "$cfg_certsdir/girocco_www_crt.dns"
 374                 echo "Created www certificate"
 375         fi
 376         if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
 377                 cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
 378                 echo "Created www certificate chain file"
 379         fi
 380         if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
 381                 openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
 382                 chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
 383                 rm -f "$cfg_certsdir/girocco_client_crt.pem"
 384                 echo "Created new client key"
 385         fi
 386         if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
 387                 openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
 388                 ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
 389                         --cert "$cfg_certsdir/girocco_root_crt.pem" \
 390                         --out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
 391                 rm -f "$cfg_certsdir/girocco_client_suffix.pem"
 392                 rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 393                 rm -f "$cfg_chroot/etc/sshcerts"/*.pem
 394                 echo "Created client certificate"
 395         fi
 396         if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
 397                 cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
 398                 echo "Created client certificate suffix file"
 399         fi
 400         cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
 401         if [ -n "$cfg_mob" ]; then
 402                 if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
 403                         openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
 404                         chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
 405                         rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 406                         echo "Created new mob user key"
 407                 fi
 408                 if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
 409                         openssl rsa -in "$cfg_mobuserkey" -pubout |
 410                         ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
 411                                 --cert "$cfg_clientcert" \
 412                                 --out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
 413                         echo "Created mob user client certificate"
 414                 fi
 415                 cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
 416                 cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 417         else
 418                 rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 419         fi
 420 else
 421         rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
 422         rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
 423 fi
 424
 425
 426 echo "*** Finalizing permissions..."
 427 chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
 428 [ -z "$cfg_httpspushurl" ] || chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"