clones: set unix socket to autoflush just in case

[girocco.git] / install.sh

#!/bin/sh
# The Girocco installation script
# We will OVERWRITE basedir!

set -e

[ -n "$MAKE" ] || MAKE="$(make -s gnu_make_command_name | grep '^gnu_make_command_name=' | sed 's/^[^=]*=//')"
if [ -z "$MAKE" ]; then
        echo "ERROR: cannot determine name of the GNU make command" >&2
        echo "Please set MAKE to the name of the GNU make executable" >&2
        exit 1
fi

# Run perl module checker
if [ ! -x toolbox/check-perl-modules.pl ]; then
        echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
        exit 1
fi
toolbox/check-perl-modules.pl

# What Config should we use?
[ -n "$GIROCCO_CONF" ] || GIROCCO_CONF=Girocco::Config
echo "*** Initializing using $GIROCCO_CONF..."

# First run Girocco::Config consistency checks
perl -I. -M$GIROCCO_CONF -e ''

. ./shlib.sh

owngroup=""
[ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"
if [ -n "$cfg_httpspushurl" -a -z "$cfg_certsdir" ]; then
        echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
        echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
        exit 1
fi


echo "*** Checking for compiled utilities..."
if [ ! -x src/can_user_push ]; then
        echo "ERROR: src/can_user_push is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/can_user_push_http ]; then
        echo "ERROR: src/can_user_push_http is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/getent ]; then
        echo "ERROR: src/getent is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/get_user_uuid ]; then
        echo "ERROR: src/get_user_uuid is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/peek_packet ]; then
        echo "ERROR: src/peek_packet is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/rangecgi ]; then
        echo "ERROR: src/rangecgi is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi


echo "*** Checking for ezcert..."
if [ ! -f ezcert.git/CACreateCert ]; then
        echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi


echo "*** Checking for git..."
case "$cfg_git_bin" in /*) :;; *)
        echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
        exit 1
esac
if [ ! -x "$cfg_git_bin" ]; then
        echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
        exit 1
fi
if ! git_version="$("$cfg_git_bin" version)"; then
        echo "ERROR: $cfg_git_bin version failed" >&2
        exit 1
fi
case "$git_version" in
        [Gg]"it version "*) :;;
        *)
                echo "ERROR: '$cfg_git_bin version' output does not start with 'git version '" >&2
                exit 1
esac
echo "Found $cfg_git_bin $git_version"
git_vernum="$(echo "$git_version" | sed -ne 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')"
echo "*** Checking Git $git_vernum for compatibility..."
if [ "$(vcmp "$git_vernum" 1.6.6)" -lt 0 ]; then
        echo 'ERROR: $Girocco::Config::git_bin must be at least Git version 1.6.6'
        exit 1
fi
if [ "$(vcmp "$git_vernum" 1.6.6.3)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 1.6.6.3, clients will not see useful error messages'
fi
if [ "$(vcmp "$git_vernum" 1.7.2)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 1.7.2, some Girocco functionality will be disabled'
fi
if [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 1.7.5)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 1.7.5 and mirroring enabled, some sources can cause an infinite fetch loop'
fi
if [ "$(vcmp "$git_vernum" 1.7.6.6)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 1.7.6.6, performance may be degraded'
fi
if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ "$(vcmp "$git_vernum" 1.7.11)" -ge 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version >= 1.7.11 and x86_64, make sure Git built WITHOUT XDL_FAST_HASH'
        echo 'WARNING: See http://thread.gmane.org/gmane.comp.version-control.git/261638 for details'
fi
if [ "$(vcmp "$git_vernum" 1.8.4.2)" -ge 0 ] && [ -n "$cfg_mirror" -a "$(vcmp "$git_vernum" 2)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, git-daemon needs write access for shallow clones'
        echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, shallow clones will leave repository turds'
fi
if [ "$(vcmp "$git_vernum" 1.8.4.3)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 1.8.4.3, clients will not receive symref=HEAD:refs/heads/...'
fi
if [ "$(vcmp "$git_vernum" 2.1)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 2.1.0, pack bitmaps will not be available'
fi
if [ "$(vcmp "$git_vernum" 2.1)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.1.3)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version >= 2.1.0 and < 2.1.3, pack bitmaps may not be reliable, please upgrade to at least Git version 2.1.3'
fi
if [ "$(vcmp "$git_vernum" 2.2)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.3.2)" -lt 0 ]; then
        cat <<'EOT'

***
*** ERROR: $Girocco::Config::git_bin is set to an incompatible version of Git
***

Git versions starting with 2.2.0 and continuing up through 2.3.1 are incompatible
with Girocco due to various unresolved issues.  Please either downgrade to 2.1.4
or earlier or, more preferred, upgrade to 2.3.2 (ideally 2.3.10) or later.

In order to bypass this check you will have to modify install.sh in which case
USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
        exit 1
fi
if [ "$(vcmp "$git_vernum" 2.3.3)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 2.3.3, performance will be sub-optimal'
fi
if [ "$(vcmp "$git_vernum" 2.3.10)" -lt 0 ]; then
        echo 'WARNING: $Girocco::Config::git_bin version < 2.3.10, security issues exist'
        cat <<'EOT'

***
*** IMPORTANT: $Girocco::Config::git_bin is set to a version of Git prior to 2.3.10
***

Besides the security fixes included in 2.3.9 and 2.3.10, versions prior to
2.2.0 may accidentally prune unreachable loose objects earlier than intended.
Since Git versions 2.2.0 through 2.3.1 are incompatible with Girocco, 2.3.3
includes a performance improvement and the only significant changes between
2.3.3 and 2.3.10 are the inclusion of the security updates, Git version 2.3.10
should be considered the absolute minimum version of Git to use when running
Girocco.

This is not enforced, but Git is easy to build from the git.git submodule and
upgrading to GIT VERSION 2.3.10 OR LATER IS HIGHLY RECOMMENDED.

EOT
fi
if [ -n "$cfg_mirror" -a "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
        cat <<'EOT'

***
*** WARNING: $Girocco::Config::git_bin is set to a questionable Git binary
***

You appear to have enabled mirroring and the Git binary you have selected
appears to contain an experimental patch that cannot be disabled.  This
patch can generate invalid network DNS traffic and/or cause long delays
when fetching using the "git:" protocol when no port number is specified.
It may also end up retrieving repsitory contents from a host other than
the one specified in the "git:" URL when the port is omitted.

You are advised to either build your own version of Git (the problem patch
is not part of the official Git repository) or disable mirroring (via the
$Girocco::Config:mirror setting) to avoid these potential problems.

USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
fi


chown_make() {
        if [ "$LOGNAME" = root -a -n "$SUDO_USER" -a "$SUDO_USER" != root ]; then
                find "$@" -user root -print0 2>/dev/null | \
                xargs -0 chown "$SUDO_USER:$(id -gn "$SUDO_USER")"
        elif [ "$LOGNAME" = root -a -z "$SUDO_USER" -o "$SUDO_USER" = root ]; then
                echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
        fi
}

echo "*** Setting up basedir..."
"$MAKE" --no-print-directory --silent apache.conf
chown_make apache.conf
"$MAKE" --no-print-directory --silent -C src
chown_make src
rm -fr "$cfg_basedir"
mkdir -p "$cfg_basedir" "$cfg_basedir/gitweb"
cp -pR Girocco jobd taskd html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
cp -p src/can_user_push src/can_user_push_http src/get_user_uuid src/peek_packet src/rangecgi \
        ezcert.git/CACreateCert cgi/authrequired.cgi "$cfg_basedir/bin"
cp -p gitweb/*.sh gitweb/*.perl "$cfg_basedir/gitweb"
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
[ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html

# Put the correct Config in place
[ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"


echo "*** Preprocessing scripts..."
perl -I. -M$GIROCCO_CONF -i -p \
        -e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
        -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
        -e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
        -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
        -e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
        -e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
        -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
        -e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
        -e 's/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;' \
        -e 's/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;' \
        "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
        "$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
        "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
        "$cfg_basedir"/toolbox/*.sh "$cfg_basedir"/toolbox/*.pl \
        "$cfg_basedir"/toolbox/reports/*.sh \
        "$cfg_basedir"/bin/git-* "$cfg_basedir"/bin/*.sh \
        "$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
        "$cfg_basedir"/bin/authrequired.cgi "$cfg_basedir"/screen/*

# Dump all the cfg_ and defined_ variables to shlib_vars.sh
get_girocco_config_var_list > "$cfg_basedir"/shlib_vars.sh

if [ -n "$cfg_mirror" ]; then
        echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
fi
echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"


echo "*** Setting up repository root..."
mkdir -p "$cfg_reporoot" "$cfg_reporoot/_recyclebin"
if [ "$cfg_owning_group" ]; then
        chgrp "$cfg_owning_group" "$cfg_reporoot" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot"
        chgrp "$cfg_owning_group" "$cfg_reporoot/_recyclebin" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot/_recyclebin"
fi
chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"
chmod 02775 "$cfg_reporoot/_recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot/_recyclebin properly"


if [ -n "$cfg_chrooted" ]; then
        echo "*** Setting up chroot jail for pushing..."
        if [ "$(id -u)" -eq 0 ]; then
                ./jailsetup.sh
        else
                echo "WARNING: Skipping jail setup, not root"
        fi
fi


echo "*** Setting up jail configuration (project database)..."
[ "$(id -u)" -eq 0 ] || ./jailsetup.sh dbonly
mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc" ||
        echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
        echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
        echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"

echo "*** Setting up gitweb from git.git..."
if [ ! -f git.git/Makefile ]; then
        echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
(cd git.git && "$MAKE" --no-print-directory --silent NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" \
        GITWEB_CONFIG="$cfg_basedir/gitweb/gitweb_config.perl" gitweb && \
        chown_make gitweb && \
        perl -pe 's/^(\s*use\s+warnings\s*;.*)$/#$1/' gitweb/gitweb.cgi > "$cfg_cgiroot"/gitweb.cgi.$$ && \
        chmod a+x "$cfg_cgiroot"/gitweb.cgi.$$ && \
        chown_make "$cfg_cgiroot"/gitweb.cgi.$$ && \
        mv -f "$cfg_cgiroot"/gitweb.cgi.$$ "$cfg_cgiroot"/gitweb.cgi && \
        cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$cfg_webroot")


echo "*** Setting up git-browser from git-browser.git..."
if [ ! -f git-browser.git/git-browser.cgi ]; then
        echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_webroot"/git-browser "$cfg_cgiroot"
(cd git-browser.git && \
        CFG="$cfg_basedir/gitweb/git-browser.conf" perl -pe \
        's/"git-browser\.conf"/"$ENV{"CFG"}"/' git-browser.cgi > "$cfg_cgiroot"/git-browser.cgi.$$ && \
        chmod a+x "$cfg_cgiroot"/git-browser.cgi.$$ && \
        chown_make "$cfg_cgiroot"/git-browser.cgi.$$ && \
        mv -f "$cfg_cgiroot"/git-browser.cgi.$$ "$cfg_cgiroot"/git-browser.cgi && \
        cp -r *.html *.js *.css js.lib "$cfg_webroot"/git-browser && \
        cp -r JSON "$cfg_cgiroot")
rm -f "$cfg_webroot"/git-browser/index.html
cat >"$cfg_basedir/gitweb"/git-browser.conf.$$ <<EOT
gitbin: $cfg_git_bin
warehouse: $cfg_reporoot
EOT
chown_make "$cfg_basedir/gitweb"/git-browser.conf.$$
mv -f "$cfg_basedir/gitweb"/git-browser.conf.$$ "$cfg_basedir/gitweb"/git-browser.conf
cat >"$cfg_webroot"/git-browser/GitConfig.js.$$ <<EOT
cfg_gitweb_url="$cfg_gitweburl/"
cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
EOT
chown_make "$cfg_webroot"/git-browser/GitConfig.js.$$
mv -f "$cfg_webroot"/git-browser/GitConfig.js.$$ "$cfg_webroot"/git-browser/GitConfig.js


echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
if [ ! -d bzr-fastimport.git/exporters/darcs/ ]; then
        echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$cfg_basedir"/bin


echo "*** Setting up hg-fast-export from fast-export.git..."
if [ ! -f fast-export.git/hg-fast-export.py -o ! -f fast-export.git/hg2git.py ]; then
        echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$cfg_basedir"/bin


echo "*** Setting up markdown from markdown.git..."
if [ ! -f markdown.git/Markdown.pl ]; then
        echo "ERROR: markdown.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp markdown.git/Markdown.pl "$cfg_basedir"/bin


echo "*** Setting up our part of the website..."
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
cp cgi/*.cgi "$cfg_cgiroot"
rm -f "$cfg_cgiroot"/authrequired.cgi
[ -z "$cfg_httpspushurl" ] || cp "$cfg_basedir"/bin/authrequired.cgi "$cfg_cgiroot"
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_cgiroot"/usercert.cgi
ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
[ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }
if [ -z "$cfg_httpspushurl" ]; then
        grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_basedir/gitweb/indextext.html"
else
        cp gitweb/indextext.html "$cfg_basedir/gitweb"
fi
mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
cp mootools.js "$cfg_webroot"
cp htaccess "$cfg_webroot/.htaccess"
cp cgi/htaccess "$cfg_cgiroot/.htaccess"
cp git-favicon.ico "$cfg_webroot/favicon.ico"
cp robots.txt "$cfg_webroot"
cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css


if [ -n "$cfg_httpspushurl" ]; then
        echo "*** Setting up SSL certificates..."
        bits=2048
        if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
            bits="$cfg_rsakeylength"
        fi
        mkdir -p "$cfg_certsdir"
        [ -d "$cfg_certsdir" ]
        wwwcertcn=
        if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
                wwwcertcn="$( \
                        openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject | \
                        sed -e 's,[^/]*,,' \
                )"
        fi
        wwwcertdns=
        if [ -n "$cfg_wwwcertaltnames" ]; then
                for dnsopt in $cfg_wwwcertaltnames; do
                        wwwcertdns="${wwwcertdns:+$wwwcertdns }--dns $dnsopt"
                done
        fi
        wwwcertdnsfile=
        if [ -r "$cfg_certsdir/girocco_www_crt.dns" ]; then
                wwwcertdnsfile="$(cat "$cfg_certsdir/girocco_www_crt.dns")"
        fi
        needroot=
        [ -e "$cfg_certsdir/girocco_client_crt.pem" -a \
        -e "$cfg_certsdir/girocco_client_key.pem" -a \
        -e "$cfg_certsdir/girocco_www_key.pem" -a \
        -e "$cfg_certsdir/girocco_www_crt.pem" -a "$wwwcertcn" = "/CN=$cfg_httpsdnsname" -a \
        -e "$cfg_certsdir/girocco_root_crt.pem" ] || needroot=1
        if [ -n "$needroot" -a ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
                rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
                chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
                rm -f "$cfg_certsdir/girocco_root_crt.pem"
                echo "Created new root key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
                ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
                        --out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
                rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
                rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
                rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                rm -f "$cfg_chroot/etc/sshcerts"/*.pem
                echo "Created new root certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
                chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
                rm -f "$cfg_certsdir/girocco_www_crt.pem"
                echo "Created new www key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] || \
                [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
                openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
                ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
                        --cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
                        --out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
                printf '%s\n' "$wwwcertdns" > "$cfg_certsdir/girocco_www_crt.dns"
                echo "Created www certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
                cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
                echo "Created www certificate chain file"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
                chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
                rm -f "$cfg_certsdir/girocco_client_crt.pem"
                echo "Created new client key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
                openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
                ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
                        --cert "$cfg_certsdir/girocco_root_crt.pem" \
                        --out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
                rm -f "$cfg_certsdir/girocco_client_suffix.pem"
                rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                rm -f "$cfg_chroot/etc/sshcerts"/*.pem
                echo "Created client certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
                cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
                echo "Created client certificate suffix file"
        fi
        cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
        if [ -n "$cfg_mob" ]; then
                if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
                        openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
                        chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
                        rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                        echo "Created new mob user key"
                fi
                if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
                        openssl rsa -in "$cfg_mobuserkey" -pubout |
                        ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
                                --cert "$cfg_clientcert" \
                                --out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
                        echo "Created mob user client certificate"
                fi
                cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
                cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
        else
                rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
        fi
else
        rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
        rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
fi


echo "*** Finalizing permissions..."
chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
[ -z "$cfg_httpspushurl" ] || chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"