From 4c9aedc873ab8fb15f07467492ff6de1821e805b Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Wed, 19 Jun 2013 10:27:48 -0700
Subject: [PATCH] Add basic https push support

When enabled (Config.pm $httpspushurl set), certificates will be
automatically created at install time.

Currently only https pushing for the mob user is supported.
---
 .gitmodules           |   3 ++
 Girocco/Config.pm     |  56 +++++++++++++++++++++--
 apache.conf           |  92 ++++++++++++++++++++++++++++++++++++++
 cgi/html.cgi          |  18 +++++---
 ezcert.git            |   1 +
 gitweb/indextext.html |   5 ++-
 hooks/update          |   5 ++-
 html/mob.html         |  65 +++++++++++++++++++++++++++
 html/rootcert.html    |  77 ++++++++++++++++++++++++++++++++
 install.sh            | 120 +++++++++++++++++++++++++++++++++++++++++++++++++-
 jailsetup.sh          |   9 ++--
 11 files changed, 431 insertions(+), 20 deletions(-)
 create mode 160000 ezcert.git
 create mode 100644 html/rootcert.html

diff --git a/.gitmodules b/.gitmodules
index 30746e9..27422e7 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -7,3 +7,6 @@
 [submodule "bzr-fastimport.git"]
 	path = bzr-fastimport.git
 	url = git://repo.or.cz/bzr-fastimport/rorcz.git
+[submodule "ezcert.git"]
+	path = ezcert.git
+	url = git://repo.or.cz/ezcert.git
diff --git a/Girocco/Config.pm b/Girocco/Config.pm
index 3edff10..cd2a103 100644
--- a/Girocco/Config.pm
+++ b/Girocco/Config.pm
@@ -71,6 +71,12 @@ our $min_gc_interval = 604800; # 1 week
 # This will get COMPLETELY OVERWRITTEN by each make install!!!
 our $basedir = '/home/repo/repomgr';
 
+# Path where the automatically generated non-user certificates will be stored
+# (The per-user certificates are always stored in $chroot/etc/sshcerts/)
+# This is preserved by each make install and MUST NOT be under $basedir!
+# Not used unless $httpspushurl is defined
+our $certsdir = '/home/repo/certs';
+
 # The repository collection
 # "$reporoot-recyclebin" will also be created for use by toolbox/trash-project.pl
 our $reporoot = "/srv/git";
@@ -94,6 +100,38 @@ our $cgiroot = "/home/repo/WWW";
 our $webreporoot = "/home/repo/WWW/r";
 
 
+## Certificates (only used if $httpspushurl is defined)
+
+# path to root certificate (undef to use automatic root cert)
+# this certificate is made available for easy download and should be whatever
+# the root certificate is for the https certificate being used by the web server
+our $rootcert = undef;
+
+# The certificate to sign user push client authentication certificates with (undef for auto)
+# The automatically generated certificate should always be fine
+our $clientcert = undef;
+
+# The private key for $clientcert (undef for auto)
+# The automatically generated key should always be fine
+our $clientkey = undef;
+
+# The client certificate chain suffix (a pemseq file to append to user client certs) (undef for auto)
+# The automatically generated chain should always be fine
+# This suffix will also be appended to the $mobusercert before making it available for download
+our $clientcertsuffix = undef;
+
+# The mob user certificate signed by $clientcert (undef for auto)
+# The automatically generated certificate should always be fine
+# Not used unless $mob is set to 'mob'
+# The $clientcertsuffix will be appended before making $mobusercert available for download
+our $mobusercert = undef;
+
+# The private key for $mobusercert (undef for auto)
+# The automatically generated key should always be fine
+# Not used unless $mob is set to 'mob'
+our $mobuserkey = undef;
+
+
 ## URL addresses
 
 # URL of the gitweb.cgi script (must be in pathinfo mode)
@@ -112,6 +150,8 @@ our $htmlurl = "http://repo.or.cz/h";
 our $httppullurl = "http://repo.or.cz/r";
 
 # HTTPS push URL of the repository collection (undef if N/A)
+# If this is defined, the openssl command must be available
+# Normally this should be set to $httppullurl with http: replaced with https:
 our $httpspushurl = undef;
 
 # Git URL of the repository collection (undef if N/A)
@@ -119,7 +159,7 @@ our $httpspushurl = undef;
 # do this particular thing for you.)
 our $gitpullurl = "git://repo.or.cz";
 
-# Pushy URL of the repository collection (undef if N/A)
+# Pushy SSH URL of the repository collection (undef if N/A)
 our $pushurl = "ssh://repo.or.cz/$jailreporoot";
 
 # URL of gitweb of this Girocco instance (set to undef if you're not nice
@@ -239,13 +279,23 @@ $jailreporoot =~ s,^/+,,;
 ($reporoot) or die "Girocco::Config \$reporoot must be set";
 ($jailreporoot) or die "Girocco::Config \$jailreporoot must be set";
 (not $mob or $mob eq 'mob') or die "Girocco::Config \$mob must be undef (or '') or 'mob'";
+$rootcert = "$certsdir/girocco_root_crt.pem" if $httpspushurl && !$rootcert;
+$clientcert = "$certsdir/girocco_client_crt.pem" if $httpspushurl && !$clientcert;
+$clientkey = "$certsdir/girocco_client_key.pem" if $httpspushurl && !$clientkey;
+$clientcertsuffix = "$certsdir/girocco_client_suffix.pem" if $httpspushurl && !$clientcertsuffix;
+$mobusercert = "$certsdir/girocco_mob_user_crt.pem" if $httpspushurl && $mob && !$mobusercert;
+$mobuserkey = "$certsdir/girocco_mob_user_key.pem" if $httpspushurl && $mob && !$mobuserkey;
+our $mobpushurl = $pushurl;
+$mobpushurl =~ s,^ssh://,ssh://mob@,i if $mobpushurl;
+our $httpsdnsname = ($httpspushurl =~ m,https://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $httpspushurl;
 ($mirror or $push) or die "Girocco::Config: neither \$mirror nor \$push is set?!";
-(not $push or ($pushurl or $gitpullurl or $httppullurl)) or die "Girocco::Config: no pull URL is set";
-(not $push or $pushurl) or die "Girocco::Config: \$push set but \$pushurl is undef";
+(not $push or ($pushurl or $httpspushurl or $gitpullurl or $httppullurl)) or die "Girocco::Config: no pull URL is set";
+(not $push or ($pushurl or $httpspushurl)) or die "Girocco::Config: \$push set but \$pushurl and \$httpspushurl are undef";
 (not $mirror or $mirror_user) or die "Girocco::Config: \$mirror set but \$mirror_user is undef";
 ($manage_users == $chrooted) or die "Girocco::Config: \$manage_users and \$chrooted must be set to the same value";
 (not $chrooted or $permission_control ne 'ACL') or die "Girocco::Config: resolving uids for ACL not supported when using chroot";
 (grep { $permission_control eq $_ } qw(Group Hooks)) or die "Girocco::Config: \$permission_control must be set to Group or Hooks";
 ($chrooted or not $mob) or die "Girocco::Config: mob user supported only in the chrooted mode";
+(not $httpspushurl or $httpsdnsname) or die "Girocco::Config invalid \$httpspushurl does not start with https://domainname";
 
 1;
diff --git a/apache.conf b/apache.conf
index 3463696..60bdb1c 100644
--- a/apache.conf
+++ b/apache.conf
@@ -32,6 +32,8 @@
 		Allow from all
 		Satisfy all
 	</Directory>
+
+	# Change this to use a git-http-backend not in /usr/lib/git-core/
 	<Directory /usr/lib/git-core>
 		Options None
 		AllowOverride None
@@ -46,8 +48,98 @@
 	SetEnv GIT_PROJECT_ROOT /srv/git
 	SetEnv GIT_HTTP_EXPORT_ALL 1
 
+	# By default non-smart HTTP fetch access will be allowed, however
+	# by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
+	# non-smart HTTP requests can be denied directly by the web server
+
+	<IfDefine !SmartHTTPOnly>
+	# These accelerate non-smart HTTP access to loose objects and packs
 	AliasMatch ^/r/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$		/srv/git/$1
 	AliasMatch ^/r/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$	/srv/git/$1
+	</IfDefine>
+
+	<IfDefine SmartHTTPOnly>
+	# Disable non-smart HTTP access
+	RewriteEngine On
+	RewriteCond %{REQUEST_METHOD} !^POST$
+	RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
+	RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
+	RewriteRule ^/r/.*/info/refs$ - [F]
+	</IfDefine>
+
+	# Change this to use a git-http-backend not in /usr/lib/git-core/
 	ScriptAlias /r/ /usr/lib/git-core/git-http-backend/
 
 </VirtualHost>
+
+
+# This comments out the following so this file can be used as-is
+<IfDefine DummyThatIsNotDefined>
+
+
+# This is example configuration of an https virtualhost running Girocco, as set
+# up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
+# It is not essential for Girocco to use a special virtualhost, however.
+# The Config.pm $httpspushurl variable needs to be defined to properly enable
+# https pushing.
+<VirtualHost *:443>
+
+	# These certificate files will all be automatically generated, but the
+	# paths here may need to be corrected to match the paths
+	# (especially $certsdir) from Config.pm
+
+	SSLCertificateFile /home/repo/certs/girocco_www_crt.pem
+	SSLCertificateKeyFile /home/repo/certs/girocco_www_key.pem
+	SSLCertificateChainFile /home/repo/certs/girocco_www_chain.pem
+	# when using a paid www server cert, only the above three lines should
+	# be changed.  Changing any of the below two lines (other than updating
+	# the paths to match $certsdir) will likely break https client auth
+	SSLCACertificateFile /home/repo/certs/girocco_root_crt.pem
+	SSLCADNRequestFile /home/repo/certs/girocco_client_crt.pem
+
+	SSLVerifyDepth 3
+	SSLOptions +FakeBasicAuth +StrictRequire
+	SSLEngine on
+	<Location />
+		SSLRequireSSL
+	</Location>
+
+	# This configuration allows fetching over https without a certificate
+	# while always requiring a certificate for pushing over https
+	RewriteEngine On
+	SSLVerifyClient optional
+	RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
+	RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
+	RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
+	RewriteCond %{ENV:client_auth_required} 1
+	RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
+	RewriteRule .* %{REQUEST_URI} [R=401]
+	<LocationMatch ^/r/>
+		Order deny,allow
+		Deny from env=client_auth_required
+		SSLOptions +FakeBasicAuth
+		AuthName "Git Client Authentication"
+		AuthType Basic
+		AuthBasicProvider anon
+		Anonymous *
+		Require valid-user
+		Satisfy any
+	</LocationMatch>
+
+	# *** IMPORTANT ***
+	#
+	# ALL the entire contents from the <VirtualHost *:80> section at
+	# the top of this file must be copied here.
+	#
+	# To avoid this duplication, the contents of the <VirtualHost *:80>
+	# section above can be moved to a separate file and then included
+	# both here and in the <VirtualHost *:80> section using an Include
+	# directive.  Be careful not to place the new include file in one of the
+	# directories the standard apache configuration blindly includes all
+	# files from.
+
+</VirtualHost>
+
+
+# End commenting
+</IfDefine>
diff --git a/cgi/html.cgi b/cgi/html.cgi
index a206bda..2c108f1 100755
--- a/cgi/html.cgi
+++ b/cgi/html.cgi
@@ -13,9 +13,11 @@ use Girocco::Config;
 # Ultra-trivial templating engine;
 # /^@section=SECTION
 # /^@heading=HEADING
-# /^@header		produces HTML header based on @section and @heading
-# /@@gitweburl@@/	substitute for gitweburl configuration variable
-
+# /^@header			produces HTML header based on @section and @heading
+# /@@gitweburl@@/		substitute for gitweburl configuration variable
+# /@@ifmob@@...@@end@@/		remove unless mob defined
+# /@@ifssh@@...@@end@@/		remove unless pushurl defined
+# /@@ifhttps@@...@@end@@/	remove unless httpspushurl defined
 
 my $pathinfo = $ENV{PATH_INFO};
 $pathinfo =~ s,^/,,;
@@ -39,7 +41,13 @@ if ($pathinfo =~ /\.png$/) {
 
 my ($gcgi, $section, $heading);
 
-while (<TEMPLATE>) {
+my $template=join('', <TEMPLATE>);
+close TEMPLATE;
+$template =~ s/@\@ifmob@\@(.*?)@\@end@\@/$Girocco::Config::mob?$1:''/ges;
+$template =~ s/@\@ifssh@\@(.*?)@\@end@\@/$Girocco::Config::pushurl?$1:''/ges;
+$template =~ s/@\@ifhttps@\@(.*?)@\@end@\@/$Girocco::Config::httpspushurl?$1:''/ges;
+
+foreach (split(/\n/, $template)) {
 	chomp;
 	if (s/^\@section=//) {
 		$section = $_;
@@ -56,6 +64,4 @@ while (<TEMPLATE>) {
 	}
 }
 
-close TEMPLATE;
-
 $gcgi and $gcgi->srcname("html/$pathinfo");
diff --git a/ezcert.git b/ezcert.git
new file mode 160000
index 0000000..3d15d5d
--- /dev/null
+++ b/ezcert.git
@@ -0,0 +1 @@
+Subproject commit 3d15d5d23d055ae2e0f28c9ae3f1fe31405717c0
diff --git a/gitweb/indextext.html b/gitweb/indextext.html
index f0ee6e2..ad48111 100644
--- a/gitweb/indextext.html
+++ b/gitweb/indextext.html
@@ -15,7 +15,10 @@ smooth as you would like...</p>
 <p>If your cgidir is not in site root, you will have to adjust the three
 links below manually:</p>
 
-<p align="center"><a href="/regproj.cgi">Register project</a> | <a href="/reguser.cgi">Register user</a> | <a href="/edituser.cgi">Update user email/SSH keys</a></p>
+<p align="center"><a href="/regproj.cgi">Register project</a> |
+<a href="/reguser.cgi">Register user</a> |
+<a href="/h/rootcert.html">Root certificate</a> |
+<a href="/edituser.cgi">Update user email/SSH keys</a></p>
 
 <div class="forkinfo">
 How to grab a project?  Simply <code>git clone git://repo.or.cz/project.git</code>.<br />
diff --git a/hooks/update b/hooks/update
index 846f353..f22abf0 100755
--- a/hooks/update
+++ b/hooks/update
@@ -11,6 +11,7 @@ if ! [ -x /usr/bin/perl ]; then
 
 	reporoot=/@jailreporoot@
 	webadmurl=@webadmurl@
+	mob=@mob@
 	proj="$(pwd)"; proj="${proj#$reporoot/}"; projbare="${proj%.git}"
 
 	if ! [ -f .nofetch ]; then
@@ -24,7 +25,7 @@ if ! [ -x /usr/bin/perl ]; then
 		exit 3
 	fi
 
-	if [ -e /var/run/mob -a "$LOGNAME" = "mob" ]; then
+	if [ "$mob" = "mob" -a "$LOGNAME" = "mob" ]; then
 		if [ x"$1" != x"refs/heads/mob" ]; then
 			echo "The mob user may push only to the 'mob' branch, sorry" >&2
 			exit 1
@@ -79,7 +80,7 @@ if [ -n "$GIT_PROJECT_ROOT" ]; then
 		exit 3
 	fi
 
-	if [ -e "$cfg_chroot/var/run/mob" -a "$authuser" = "mob" ]; then
+	if [ "$cfg_mob" = "mob" -a "$authuser" = "mob" ]; then
 		if [ x"$1" != x"refs/heads/mob" ]; then
 			echo "The mob user may push only to the 'mob' branch, sorry" >&2
 			exit 1
diff --git a/html/mob.html b/html/mob.html
index d732e49..b79d656 100644
--- a/html/mob.html
+++ b/html/mob.html
@@ -50,3 +50,68 @@ pushout of the <tt>mob</tt> branch.</p>
 <p>Just commit on the <tt>mob</tt> branch you've checked out and
 <code>git push</code> when the time is ripe. 
 Have fun and enjoy, you are making the history!</p>
+
+<h2>In Detail Examples</h2>
+
+@@ifssh@@
+<h3>Pushing to the mob branch with ssh</h3>
+
+Nothing special is needed except to remember to set the mob user name in the push url:
+
+<blockquote><pre>
+cd /tmp
+git clone -b mob @@gitpullurl@@/mobexample.git
+cd mobexample
+git remote set-url --push origin @@mobpushurl@@/mobexample.git
+echo 'It worked!' >> example.txt
+git add example.txt
+git commit -m 'example commit'
+git push origin mob
+</pre></blockquote>
+
+<p>Note that it&#x2019;s not strictly necessary to fetch with the git protocol, the ssh protocol can also be used for fetching.</p>
+@@end@@
+
+@@ifhttps@@
+<h3 id="httpsmobpush">Pushing to the mob branch with https</h3>
+
+<p>In order to push with https, several things will be needed first:</p>
+
+<ol>
+<li>The @@nickname@@ root certificate
+<p>This can be fetched from <a href="/@@nickname@@_root_cert.pem">here</a> and will be assumed to be saved to <tt>/tmp/@@nickname@@_root_cert.pem</tt> in the push example.  See also the <a href="/h/rootcert.html">Root Certificate Information</a>.</p>
+<pre>
+cd /tmp &amp;&amp; curl -O @@gitwebfiles@@/@@nickname@@_root_cert.pem
+</pre></li>
+
+<li>The mob user certificate
+<p>This can be fetched from <a href="/@@nickname@@_mob_user.pem">here</a> and will be assumed to be saved to <tt>/tmp/@@nickname@@_mob_user.pem</tt> in the push example.</p>
+<pre>
+cd /tmp &amp;&amp; curl -O @@gitwebfiles@@/@@nickname@@_mob_user.pem
+</pre></li>
+
+<li>The mob user private key
+<p>This can be fetched from <a href="/@@nickname@@_mob_key.pem">here</a> and will be assumed to be saved to <tt>/tmp/@@nickname@@_mob_key.pem</tt> in the push example.  Normally, of course, private keys are never shared, but as described above, since everyone is allowed to push to the mob branch the private key for the mob user must be shared with everyone.</p>
+<pre>
+cd /tmp &amp;&amp; curl -O @@gitwebfiles@@/@@nickname@@_mob_key.pem
+</pre></li>
+</ol>
+
+<p>With the prerequisites out of the way, here&#x2019;s the mob ssh example redone to use the smart http protocol:</p>
+
+<blockquote><pre>
+cd /tmp
+git clone -b mob @@httppullurl@@/mobexample.git
+cd mobexample
+git config http.sslCAInfo /tmp/@@nickname@@_root_cert.pem
+git config http.sslCert /tmp/@@nickname@@_mob_user.pem
+git config http.sslKey /tmp/@@nickname@@_mob_key.pem
+git remote set-url --push origin @@httpspushurl@@/mobexample.git
+echo 'It worked!' >> example.txt
+git add example.txt
+git commit -m 'example commit'
+git push origin mob
+</pre></blockquote>
+
+<p>Note that it&#x2019;s not strictly necessary to fetch with the http protocol, the https protocol can also be used for fetching but when initially cloning the repository it can be a bother to get the two certificates and the key set properly without a project-specific place to configure them yet.  See the output of <tt>git config help</tt> for more information about configuring certificates and keys.</p>
+@@end@@
diff --git a/html/rootcert.html b/html/rootcert.html
new file mode 100644
index 0000000..ef1c7ac
--- /dev/null
+++ b/html/rootcert.html
@@ -0,0 +1,77 @@
+@section=site guide
+@heading=Root Certificate
+@header
+
+<!-- This file is preprocessed by cgi/html.cgi -->
+
+
+<p>This site provides https support in order to support the Git smart HTTP
+push protocol.</p>
+
+<p>This obviously requires this site to have an SSL server certificate.  In order
+to avoid the hassle (and the cost) of getting an SSL server certificate that
+has been signed by a root certificate already included (and trusted) by your
+browser, this site uses its own root certificate.</p>
+
+<p>The root certificate for this site is available from:</p>
+<blockquote>
+<a href="/@@nickname@@_root_cert.pem">here</a>
+</blockquote>
+
+<p>A side effect of using an unrecognized root certificate is that Git may
+complain with an error such as:</p>
+<blockquote>
+<tt>error: server certificate verification failed</tt>
+</blockquote>
+
+<p>To see this error in action, simply execute this git command:</p>
+<blockquote><pre>
+git ls-remote @@httpspushurl@@/girocco.git
+</pre></blockquote>
+
+<p>Instead of downloading the server&#x2019;s root certificate, server certificate verification may be disabled with one of these techniques:</p>
+
+<ol>
+<li>Set the <tt>GIT_SSL_NO_VERIFY</tt> environment variable like so:
+<pre>
+GIT_SSL_NO_VERIFY=1 git ls-remote @@httpspushurl@@/girocco.git
+</pre></li>
+
+<li>Temporarily set the git configuration variable <tt>http.sslVerify</tt> like so:
+<pre>
+git -c http.sslVerify=false \
+ls-remote @@httpspushurl@@/girocco.git
+</pre></li>
+</ol>
+
+<p>Or, after downloading the root certificate for this site, the error may be
+avoided through various methods by specifying the root certificate.
+For each of these methods, the root certificate will be assumed to be in the
+file <tt>/tmp/@@nickname@@_root_cert.pem</tt>.</p>
+
+<ol>
+<li>Set the <tt>GIT_SSL_CAINFO</tt> environment variable before running git like so:
+<pre>
+GIT_SSL_CAINFO=/tmp/@@nickname@@_root_cert.pem \
+git ls-remote @@httpspushurl@@/girocco.git
+</pre></li>
+
+<li>Temporarily set the git configuration variable <tt>http.sslCAInfo</tt> like so:
+<pre>
+git -c http.sslCAInfo=/tmp/@@nickname@@_root_cert.pem \
+ls-remote @@httpspushurl@@/girocco.git
+</pre></li>
+
+<li>Configure the git <tt>http.sslCAInfo</tt> variable like so:
+<pre>
+git config http.sslCAInfo /tmp/@@nickname@@_root_cert.pem
+</pre>
+<p>Note that this technique works best after the repository has already been cloned
+or initialized.</p></li>
+</ol>
+
+<p>For further details see the <tt>git help config</tt> output.</p>
+
+@@ifmob@@
+<p>For information on how to push to the mob branch using https see <a href="/h/mob.html#httpsmobpush">here</a>.</p>
+@@end@@
diff --git a/install.sh b/install.sh
index be881bf..f421e84 100755
--- a/install.sh
+++ b/install.sh
@@ -15,6 +15,11 @@ perl -I. -M$GIROCCO_CONF -e ''
 
 owngroup=""
 [ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"
+if [ -n "$cfg_httpspushurl" -a -z "$cfg_certsdir" ]; then
+	echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
+	echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
+	exit 1;
+fi
 
 
 echo "*** Checking for compiled utilities..."
@@ -25,11 +30,20 @@ if [ ! -f src/can_user_push ]; then
 fi
 
 
+echo "*** Checking for ezcert..."
+if [ ! -f ezcert.git/CACreateCert ]; then
+	echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
+	exit 1;
+fi
+
+
 echo "*** Setting up basedir..."
 rm -fr "$cfg_basedir"
 mkdir -p "$cfg_basedir"
 cp -pR Girocco jobd taskd gitweb html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
 cp -p src/can_user_push "$cfg_basedir/bin"
+[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
+[ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html
 
 # Put the correct Config in place
 [ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"
@@ -40,7 +54,7 @@ perl -I. -M$GIROCCO_CONF -i -p \
 	-e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
 	-e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
 	-e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
-	"$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
+	-e 's/\@mob\@/"$Girocco::Config::mob"/g;' "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
 	"$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
 	"$cfg_basedir"/toolbox/* "$cfg_basedir"/bin/git-shell-verify "$cfg_basedir"/screen/*
 
@@ -128,7 +142,11 @@ mkdir -p "$cfg_webroot" "$cfg_cgiroot"
 cp cgi/*.cgi gitweb/gitweb_config.perl "$cfg_cgiroot"
 ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
 [ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }
-cp gitweb/indextext.html "$cfg_webroot"
+if [ -z "$cfg_httpspushurl" ]; then
+	grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_webroot/indextext.html"
+else
+	cp gitweb/indextext.html "$cfg_webroot"
+fi
 mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
 cp mootools.js "$cfg_webroot"
 cp htaccess "$cfg_webroot/.htaccess"
@@ -136,5 +154,103 @@ cp git-favicon.ico "$cfg_webroot/favicon.ico"
 cp robots.txt "$cfg_webroot"
 cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css
 
+
+if [ -n "$cfg_httpspushurl" ]; then
+	echo "*** Setting up SSL certificates..."
+	mkdir -p "$cfg_certsdir"
+	[ -d "$cfg_certsdir" ]
+	wwwcertcn=
+	if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
+		wwwcertcn="$( \
+			openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject | \
+			sed -e 's,[^/]*,,' \
+		)"
+	fi
+	needroot=
+	[ -e "$cfg_certsdir/girocco_client_crt.pem" -a \
+	-e "$cfg_certsdir/girocco_client_key.pem" -a \
+	-e "$cfg_certsdir/girocco_www_key.pem" -a \
+	-e "$cfg_certsdir/girocco_www_crt.pem" -a "$wwwcertcn" = "/CN=$cfg_httpsdnsname" -a \
+	-e "$cfg_certsdir/girocco_root_crt.pem" ] || needroot=1
+	if [ -n "$needroot" -a ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
+		rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
+		openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" 2048
+		chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
+		rm -f "$cfg_certsdir/girocco_root_crt.pem"
+		echo "Created new root key"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
+		ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
+			--out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
+		rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
+		rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
+		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
+		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
+		echo "Created new root certificate"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
+		openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" 2048
+		chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
+		rm -f "$cfg_certsdir/girocco_www_crt.pem"
+		echo "Created new www key"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" -o "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ]; then
+		openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
+		ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
+			--cert "$cfg_certsdir/girocco_root_crt.pem" \
+			--out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
+		echo "Created www certificate"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
+		cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
+		echo "Created www certificate chain file"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
+		openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" 2048
+		chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
+		rm -f "$cfg_certsdir/girocco_client_crt.pem"
+		echo "Created new client key"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
+		openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
+		ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
+			--cert "$cfg_certsdir/girocco_root_crt.pem" \
+			--out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
+		rm -f "$cfg_certsdir/girocco_client_suffix.pem"
+		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
+		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
+		echo "Created client certificate"
+	fi
+	if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
+		cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
+		echo "Created client certificate suffix file"
+	fi
+        cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
+	if [ -n "$cfg_mob" ]; then
+		if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
+			openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" 2048
+			chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
+			rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
+			echo "Created new mob user key"
+		fi
+		if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
+			openssl rsa -in "$cfg_mobuserkey" -pubout |
+			ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
+				--cert "$cfg_clientcert" \
+				--out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
+			echo "Created mob user client certificate"
+		fi
+		cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
+		cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
+	else
+		rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
+	fi
+else
+	rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
+	rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
+fi
+
+
 echo "*** Finalizing permissions..."
 chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
+[ -z "$cfg_httpspushurl" ] || chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"
diff --git a/jailsetup.sh b/jailsetup.sh
index 6655564..07c296f 100755
--- a/jailsetup.sh
+++ b/jailsetup.sh
@@ -32,12 +32,14 @@ ln -s lib lib64
 # Set up basic user/group configuration; if there is any already,
 # we hope it's the same numbers and users.
 
+mobpass=''
+[ -n "$cfg_mob" ] || mobpass='x'
 if [ ! -s etc/passwd ]; then
 	cat >etc/passwd <<EOT
 sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
 $cfg_cgi_user:x:$(getent passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
 $cfg_mirror_user:x:$(getent passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
-mob::65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
+mob:$mobpass:65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
 EOT
 fi
 
@@ -55,11 +57,6 @@ mknod dev/random c 1 8
 mknod dev/urandom c 1 9
 chmod a+rw dev/null dev/zero dev/random dev/urandom
 
-# Set up mob user:
-touch var/run/mob
-chown 65538 var/run/mob
-chmod 0 var/run/mob
-
 # Set up sshd configuration:
 mkdir -p var/run/sshd
 mkdir -p etc/sshkeys
-- 
2.11.4.GIT