From 466841179feacb0e929cf2f0a1481d9fa60d2374 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?=
Date: Tue, 18 Apr 2017 14:18:43 +0200
Subject: [PATCH] Generate new certificate when the default one is not present This allows us to remove default certificate. https://access.redhat.com/security/cve/CVE-2016-4457 Disscussed in depth at https://bugzilla.redhat.com/show_bug.cgi?id=1340877
---
 initialize_appliance.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/initialize_appliance.sh b/initialize_appliance.sh
index 99e39c8..1e5b0f3 100755
--- a/initialize_appliance.sh
+++ b/initialize_appliance.sh
@@ -1,3 +1,12 @@
 #!/bin/bash
+set -e -o pipefail

-[[ ! -f "/var/www/miq/vmdb/certs/v2_key" ]] && appliance_console_cli --key
+KEYPATH="/var/www/miq/vmdb/certs"
+
+[[ ! -f "$KEYPATH/v2_key" ]] && appliance_console_cli --key
+
+CERT="$KEYPATH/server.cer"
+KEY="$CERT.key"
+if [ ! -f "$CERT" -a ! -f "$KEY" ]; then
+ (umask 077 ; openssl req -x509 -newkey rsa -days 1095 -keyout $KEY -out $CERT -subj "/CN=server" -nodes -batch)
+fi
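Review bot: The `openssl req` call uses `-newkey rsa` with no bit length and no digest flag, so the strength of the key and signature hash that replace the removed default certificate depends on whatever the appliance's OpenSSL build and config default to; pin both explicitly, e.g. `-newkey rsa:2048 -sha256`. The guard `[ ! -f "$CERT" -a ! -f "$KEY" ]` fires only when both files are missing, so a host left with a certificate but no key (or the reverse) is never repaired. `if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then` regenerates the pair in that case and drops the deprecated `-a`. `$KEY` and `$CERT` are also unquoted on the openssl line; write `-keyout "$KEY" -out "$CERT"` to match the quoting used in the `-f` tests.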