initsite.in

#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2011 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Std;

#
# Initialize an emulab to act as a protogeni emulab. Add optional -c
# option if this is a clearinghouse.
# 
sub usage()
{
    print "Usage: initpgenisite [-c]\n";
    exit(1);
}
my $optlist = "c";
my $asch    = 0;
my $cflag   = "";

#
# Configure variables
#
my $TB		  = "@prefix@";
my $TBOPS         = "@TBOPSEMAIL@";
my $TBLOGS        = "@TBLOGSEMAIL@";
my $OURDOMAIN     = "@OURDOMAIN@";
my $PGENIDOMAIN   = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT  = @PROTOGENI_SUPPORT@;
my $PROTOGENI_RPCNAME = "@PROTOGENI_RPCNAME@";
my $PROTOGENI_RPCPORT = "@PROTOGENI_RPCPORT@";
my $PROTOGENI_URL = "@PROTOGENI_URL@";
my $geniuserid    = "geniuser";
my $geniprojid    = "GeniSlices";
my $PROTOUSER	  = "elabman";
my $NEWUSER	  = "$TB/sbin/newuser";
my $NEWPROJ	  = "$TB/sbin/newproj";
my $MKPROJ	  = "$TB/sbin/mkproj";
my $TBACCT	  = "$TB/sbin/tbacct";
my $ADDAUTHORITY  = "$TB/sbin/protogeni/addauthority";
my $GETCACERTS    = "$TB/sbin/protogeni/getcacerts";
my $POSTCRL       = "$TB/sbin/protogeni/postcrl";
my $GENCRL        = "$TB/sbin/protogeni/gencrl";
my $GENCRLBUNDLE  = "$TB/sbin/protogeni/gencrlbundle";
my $MKSYSCERT	  = "$TB/sbin/mksyscert";
my $MKUSERCERT	  = "$TB/sbin/mkusercert";
my $BATCHEXP      = "$TB/bin/batchexp";
my $WAP           = "$TB/sbin/withadminprivs";
my $SACERT	  = "$TB/etc/genisa.pem";
my $CMCERT	  = "$TB/etc/genicm.pem";
my $CHCERT	  = "$TB/etc/genich.pem";
my $SESCERT	  = "$TB/etc/genises.pem";
my $RPCCERT	  = "$TB/etc/genirpc.pem";
my $SUDO	  = "/usr/local/bin/sudo";
my $MYSQL         = "/usr/local/bin/mysql";
my $MYSQLADMIN    = "/usr/local/bin/mysqladmin";
my $MYSQLSHOW     = "/usr/local/bin/mysqlshow";
my $MYSQLDUMP     = "/usr/local/bin/mysqldump";
my $PKG_INFO      = "/usr/sbin/pkg_info";
my $FETCH	  = "/usr/bin/fetch";
my $OPENSSL       = "/usr/bin/openssl";
my $APACHE_START  = "@APACHE_START_COMMAND@";
my $APACHE_CONF   = "@INSTALL_APACHE_CONFIG@/httpd.conf";
my $APACHE_FLAGS  = ("@APACHE_VERSION@" == "22" ?
		     "apache22_flags" : "apache_flags");

# un-taint path
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Protos
sub fatal($);
sub UpdateCert($$$$);

#
# Turn off line buffering on output
#
$| = 1; 

# Load the Testbed support stuff.
use lib "@prefix@/lib";
use libtestbed;
use libdb qw(TBSetSiteVar TBOPSPID DBQueryFatal);
use emutil qw(TBGetUniqueIndex);
use User;
use Project;
use Experiment;
use OSinfo;

if ($UID != 0) {
    fatal("Must be root to run this script\n");
}

#
# Check args.
#
my %options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
if (defined($options{"c"})) {
    $asch  = 1;
    $cflag = "-c";
}

#
# People seem to miss this.
#
if ($PGENIDOMAIN =~ /^unknown/i) {
    print STDERR "Please define PROTOGENI_DOMAIN in your defs file!\n";
    print STDERR "Then reconfig,rebuild,reinstall, then try this again.\n";
    exit(1);
}

#
# Check for (and update) an old (pre-URN) root certificate.
#
system( "$OPENSSL x509 -text -noout < $TB/etc/emulab.pem | " .
	"grep -q -i URI:urn:publicid:IDN" );
if( $? == -1 ) {
    die( "could not inspect root certificate $TB/etc/emulab.pem" );
} elsif( $? & 0x7F ) {
    die( "unexpected signal while inspecting root certificate" );
} elsif( $? ) {
    # grep returned non-zero exit code (indicating no matches): this is
    # an old certificate, so regenerate it.
    my $extfile = "/tmp/$$"; # not worth trying to be secure
    open( EXTFILE, "> $extfile" ) or die "can't open $extfile";
    print EXTFILE "subjectAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
    print EXTFILE "issuerAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
    close EXTFILE;

    print "Adding URN to root certificate...\n";

    my $originalfile = "$TB/etc/emulab.pem.orig";
    -f $originalfile and
	die( "refusing to overwrite $originalfile" );
    rename( "$TB/etc/emulab.pem", "$originalfile" ) or
	die( "could not rename root certificate" );

    my $serial = TBGetUniqueIndex( "user_sslcerts" );
    # Save the new certificate to a temporary file: OpenSSL will reuse the
    # plain text from the old certificate instead of the current version,
    # so we regenerate the whole thing once we've finished to avoid
    # horrible confusion.
    system( "$OPENSSL x509 -days 2000 -text -extfile $extfile " .
	    "-set_serial $serial -signkey $TB/etc/emulab.key " .
	    "< $originalfile > $TB/etc/emulab.tmp" );

    # For some reason, OpenSSL can return non-zero even when the certificate
    # generation succeeded.  Check the output file instead.
    if( !( -s "$TB/etc/emulab.tmp" ) ) {
	rename( "$originalfile", "$TB/etc/emulab.pem" );
	die( "could not generate new root certificate" );	    
    }

    # Regenerate the certificate, so that the comments are up to date.
    system( "$OPENSSL x509 -text < $TB/etc/emulab.tmp > $TB/etc/emulab.pem" );
    unlink( "$TB/etc/emulab.tmp" );

    print "Root certificate updated.  You will need to send the new\n";
    print "certificate to the clearing house.\n";

    unlink( "$TB/etc/.federated" );
}

#
# Have you sent in your certificate to Utah?
#
if (!$asch && ! -e "$TB/etc/.federated") {
    my $done = 0;
    my $federated = 0;

    while (!$done) {
	print "Have you sent in your root certificate to Utah? [y/n]: ";

	$_ = <STDIN>;
	if ($_ =~ /^(y|yes)$/i) {
	    $federated = 1;
	    $done = 1;
	}
	elsif ($_ =~ /^(n|no)$/i) {
	    $federated = 0;
	    $done = 1;
	}
    }
    if ($federated) {
	system("/usr/bin/touch $TB/etc/.federated");
    }
    else {
	print "Please email $TB/etc/emulab.pem to testbed-ops\@flux.utah.edu";
	print "\n";
	print "This is a public key, so no harm in sending it in email.\n";
	print "Once you hear back from Utah, please rerun this script.\n";
	exit(1);
    }
}

#
# Packages.
#
my %packlist =
    ("libxml2>=2.6.26"       => "/usr/ports/textproc/libxml2",
     "p5-Frontier-RPC"       => "/usr/ports/net/p5-Frontier-RPC",
     "p5-XML-LibXML>=1.70"   => "/usr/ports/textproc/p5-XML-LibXML",
     "xmlsec1"               => "/usr/ports/security/xmlsec1",
     "p5-Crypt-SSLeay>=0.57" => "/usr/ports/security/p5-Crypt-SSLeay",
     "p5-Crypt-OpenSSL-X509" => "/usr/ports/security/p5-Crypt-OpenSSL-X509",
     "p5-Crypt-X509"         => "/usr/ports/security/p5-Crypt-X509",
     "xerces-c2>=2.7.0"      => "/usr/ports/textproc/xerces-c2",
     "p5-XML-SemanticDiff"   => "/usr/ports/textproc/p5-XML-SemanticDiff",
     );
my $needpkgs = 0;

foreach my $pkgname (sort(keys(%packlist))) {
    my $pkgdir = $packlist{$pkgname};
    
    print STDERR "Checking for package $pkgname\n";

    next
	if (system("$PKG_INFO -E '${pkgname}*' >/dev/null") == 0);

    print STDERR "Please install $pkgdir\n";
    $needpkgs++;
}
if ($needpkgs) {
    print STDERR "Then return to this script and start again.\n";
    exit(1);
}

#
# crossdomain.xml is needed to allow the flash client to talk to
# this host.
#

my $crosstext = <<'CROSSEND';
<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
CROSSEND

open CROSS_OUT, ">$TB/www/crossdomain.xml"
    or fatal("Could not create $TB/www/crossdomain.xml");
print CROSS_OUT $crosstext;
close CROSS_OUT;

chmod(0644, "$TB/www/crossdomain.xml");

if (! -e "$TB/www/protogeni") {
    mkdir("$TB/www/protogeni", 0775)
	or fatal("Could not mkdir $TB/www/protogeni");
}

$crosstext = <<'CROSSEND';
<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*.emulab.net" />
    <allow-access-from domain="*.protogeni.net" />
</cross-domain-policy>
CROSSEND

open CROSS_OUT, ">$TB/www/protogeni/crossdomain.xml"
    or fatal("Could not create $TB/www/protogeni/crossdomain.xml");
print CROSS_OUT $crosstext;
close CROSS_OUT;

chmod(0644, "$TB/www/protogeni/crossdomain.xml");

my $FLASH_LINE = "flashpolicy stream tcp  nowait          root    /bin/echo               /bin/echo '<cross-domain-policy> <site-control permitted-cross-domain-policies=\"master-only\"/> <allow-access-from domain=\"*\" to-ports=\"80,443,$PROTOGENI_RPCPORT\"/> </cross-domain-policy>'";

my $restartinetd = 0;

if (system("egrep -q -s 'flashpolicy' /etc/services")) {
    print "Please add 'flashpolicy     843/tcp' to /etc/services\n";
    $restartinetd++;
}
if (system("egrep -q -s 'flashpolicy' /etc/inetd.conf")) {
    print "Please add \n$FLASH_LINE\n to /etc/services\n";
    $restartinetd++;
}
if ($restartinetd) {
    print "Then restart inetd and rerun this script.\n";
    exit(1);
}
#
# The web server needs to do client authentication, for the geni xmlrpc
# interface. A bundle of CA certs from the trusted roots (emulabs) will
# be used. This bundle will periodically update as sites come online.
#
if (! -e "$TB/etc/genica.bundle") {
    system("/bin/cp $TB/etc/emulab.pem $TB/etc/genica.bundle") == 0
	or fatal("Could not initialize $TB/etc/genica.bundle");
}
if (! -e "$TB/etc/genicrl.bundle") {
    system("/usr/bin/touch $TB/etc/genicrl.bundle") == 0
	or fatal("Could not initialize $TB/etc/genicrl.bundle");
}

if ($asch) {
    if (! -e "$TB/www/genica.bundle") {
	system("/bin/cp $TB/etc/emulab.pem $TB/www/genica.bundle") == 0
	    or fatal("Could not initialize $TB/www/genica.bundle");
    }
    chmod(0644, "$TB/www/genica.bundle");

    # CRL 
    if (! -e "$TB/www/genicrl.bundle") {
	system("/usr/bin/touch $TB/www/genicrl.bundle") == 0
	    or fatal("Could not initialize $TB/www/genicrl.bundle");
    }
    chmod(0644, "$TB/www/genicrl.bundle");

    #
    # This is a pain. xmlsec1 cannot deal with a bundle of certs and so we
    # need to split up the bundle into a directory of certs. I hope to deal
    # with this at some point.
    #
    if (! -e "$TB/etc/genicacerts") {
	mkdir("$TB/etc/genicacerts", 0755)
	    or fatal("Could not mkdir $TB/etc/genicacerts");
    }
    system("/bin/cp $TB/etc/emulab.pem $TB/etc/genicacerts") == 0
	or fatal("Could not initialize $TB/etc/genicacerts");
}
if (! -e "$TB/lib/ssl/syscert.cnf" ||
    system( "grep -q protogeni_oids \"$TB/lib/ssl/syscert.cnf\"" ) != 0 ) {
    print "Please go to the ssl subdir of your build tree and do:\n";
    print "    sudo gmake install-conf\n";
    print "Then rerun this script\n";
    exit(1);
}
#
# I do not understand where this file comes from.
#
if (! -e "$TB/ssl/index.txt.attr" ||
    system("egrep -q -s 'no' $TB/ssl/index.txt.attr")) {
    system("echo 'unique_subject = no' > $TB/ssl/index.txt.attr") == 0
	or fatal("Could not update $TB/ssl/index.txt.attr");
}

my $restartapache = 0;

if (system("egrep -q -s 'PGENI' $APACHE_CONF")) {
    print "Please go to the apache subdir of your build tree and do:\n";
    print "    gmake\n";
    print "    sudo gmake install\n";
    $restartapache++;
}
if (system("egrep -q -s 'DPGENI' /etc/rc.conf")) {
    print "Please add '$APACHE_FLAGS=\"-DSSL -DPGENI\"' to /etc/rc.conf\n";
    $restartapache++;
}
if ($restartapache) {
    print "Then restart apache:\n";
    print "    sudo $APACHE_START restart\n";
    print "Then rerun this script\n";
    exit(1);
}

#
# On the clients, we have to get the bundle from Utah website and
# then break it up for xmlsec (see above). We use a script for this
# since the clients need to do this everytime a new client is added.
# This script restarts apache.
#
if (!$asch) {
    system("$GETCACERTS -l -p") == 0
	or fatal("Could not get CA bundle from Utah");

    #
    # This cron entry will autoupdate the CA/CRL certs by getting them from
    # Utah.
    #
    if (system("egrep -q -s '$GETCACERTS' /etc/crontab")) {
	print "Please add this line to /etc/crontab:\n\n";
	print "13  4  *  *	*  root  $GETCACERTS\n\n";
	print "Then rerun this script\n";
	exit(1);
    }
}
else {
    #
    # But on the clearinghouse, we have to generate the CRL bundle for 
    # downloading by remote sites.
    #
    if (system("egrep -q -s '$GENCRLBUNDLE' /etc/crontab")) {
	print "Please add this line to /etc/crontab:\n\n";
	print "10  4  *  *  *  root  $GENCRLBUNDLE\n\n";
	print "Then rerun this script\n";
	exit(1);
    }
}

#
# user/project that slices (experiments) belong to.
#
my $geniuser = User->Lookup($geniuserid);
if (!defined($geniuser)) {
    fatal("Need to do an install in the protogeni/etc directory.")
	if (! -e "$TB/etc/protogeni/geniuser.xml");

    print "Creating Geni pseudo user ...\n";
    system("$SUDO -u $PROTOUSER $WAP $NEWUSER $TB/etc/protogeni/geniuser.xml");
    fatal("Could not create geni user")
	if ($?);

    system("$SUDO -u $PROTOUSER $WAP $TBACCT verify $geniuserid");
    fatal("Could not verify geni user")
	if ($?);

    $geniuser = User->Lookup($geniuserid);    
    fatal("Could not lookup $geniuserid")
	if (!defined($geniuser));
}
my $geniproj = Project->Lookup($geniprojid);
if (!defined($geniproj)) {
    fatal("Need to do an install")
	if (! -e "$TB/etc/protogeni/geniproj.xml");

    print "Creating Geni slices project ...\n";
    system("$SUDO -u $PROTOUSER $WAP $NEWPROJ $TB/etc/protogeni/geniproj.xml");
    fatal("Could not create geni project")
	if ($?);

    system("$SUDO -u $PROTOUSER $WAP $MKPROJ -s $geniprojid");
    fatal("Could not approve geni project")
	if ($?);

    $geniproj = Project->Lookup($geniprojid);
    fatal("Could not lookup $geniprojid")
	if (!defined($geniproj));
}
$geniuser->Refresh();
$geniproj->Refresh();

# Create an encrypted certificate for the test scripts.
my $sslcert;
$geniuser->SSLCert(1, \$sslcert);
if (!defined($sslcert)) {
    my $passwd = substr(TBGenSecretKey(), 0, 10);
    system("$SUDO -u $PROTOUSER $WAP $MKUSERCERT -p '$passwd' $geniuserid");
    fatal("Could not create encrypted certificate for geni user")
	if ($?);
}

#
# Need this fake type for now.
#
my $osinfo = OSinfo->Lookup(TBOPSPID(), "RHL-STD");
if (!defined($osinfo)) {
    fatal("No RHL-STD OSID in the ops project!");
}
my $osid = $osinfo->osid();

DBQueryFatal("replace into node_types (type,class,isvirtnode,isdynamic) ".
	     "values ('pcfake','pcvm',1,1)");
DBQueryFatal("replace into node_type_attributes ".
	     "(type,attrkey,attrvalue,attrtype) values ".
	     "('pcfake','rebootable','1','boolean')");
DBQueryFatal("replace into node_type_attributes ".
	     "(type,attrkey,attrvalue,attrtype) values ".
	     "('pcfake','default_osid','$osid','integer')");

#
# Databases.
#
print "Creating Databases ...\n";
foreach my $dbname ("geni", "geni-ch", "geni-cm") {
    if (system("$MYSQLSHOW $dbname >/dev/null 2>/dev/null")) {
	system("$MYSQLADMIN create $dbname") == 0
	    or fatal("Could not create DB: $dbname");
    }
    if (system("$MYSQLDUMP -d $dbname geni_users >/dev/null 2>/dev/null")) {
	system("$MYSQL $dbname < $TB/etc/protogeni/protogeni.sql") == 0
	    or fatal("Could not initialize DB: $dbname");
    }
}

foreach my $dbname( "geni", "geni-ch", "geni-cm" ) {
    system( "$MYSQL -e \"UPDATE geni_authorities SET type='ses' WHERE " .
	    "hrn LIKE '%.ses' AND type='';\" $dbname" ) == 0
	    or fatal( "Could not update SES type: $dbname" );
}

#
# Now we can load the libraries.
#
require Genixmlrpc;
require GeniRegistry;

#
# Generate the certs we need.
#
if (! -e $CMCERT) {
    print "Creating CM certificate ...\n";
    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $CMCERT ".
	   "  -u $PROTOGENI_URL/cm " .
	   "  -i urn:publicid:IDN+${OURDOMAIN}+authority+cm " .
	   "$PGENIDOMAIN.cm") == 0
	   or fatal("Could not generate $CMCERT");
}
if (! -e $SACERT) {
    print "Creating SA certificate ...\n";
    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $SACERT ".
	   "  -u $PROTOGENI_URL/sa " .
	   "  -i urn:publicid:IDN+${OURDOMAIN}+authority+sa " .
	   "$PGENIDOMAIN.sa") == 0
	   or fatal("Could not generate $SACERT");
}
if (! -e $SESCERT) {
    print "Creating SES certificate ...\n";
    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $SESCERT ".
	   "  -u $PROTOGENI_URL/ses " .
	   "  -i urn:publicid:IDN+${OURDOMAIN}+authority+ses " .
	   "$PGENIDOMAIN.ses") == 0
	   or fatal("Could not generate $SESCERT");
}
if (! -e $RPCCERT) {
    print "Creating RPC server certificate ...\n";
    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $RPCCERT ".
	   "'ProtoGENI RPC Server' $PROTOGENI_RPCNAME") == 0
	   or fatal("Could not generate $SESCERT");
}
if ($asch) {
    if (! -e $CHCERT) {
	print "Creating CH certificate ...\n";
	system("$SUDO -u $PROTOUSER $MKSYSCERT -o $CHCERT ".
	       "  -u $PROTOGENI_URL/ch " .
	       "  -i urn:publicid:IDN+${OURDOMAIN}+authority+ch " .
	       "$PGENIDOMAIN.ch") == 0
	       or fatal("Could not generate $CHCERT");
    }
    UpdateCert( $CHCERT, "$PROTOGENI_URL/ch",
		"urn:publicid:IDN+${OURDOMAIN}+authority+ch",
		"$PGENIDOMAIN.ch" );
    #
    # Copy the CH certificate out to the web interface, but only the public
    # key of course. 
    #
    my $chcertificate = GeniCertificate->LoadFromFile($CHCERT);
    fatal("Could not load certificate from $CHCERT")
	if (!defined($chcertificate));
    
    my $certfile = $chcertificate->WriteToFile();
    if (system("$SUDO /bin/mv $certfile $TB/www/genich.pem")) {
	$chcertificate->Delete();
	unlink($certfile);
	fatal("Could not mv $certfile to $TB/www/genich.pem");
    }
    chmod(0644, "$TB/www/genich.pem");

    #
    # Add the cert to the DB directly.
    #
    system("$ADDAUTHORITY -c $CHCERT ma") == 0
	or fatal("Could not add MA certificate");
}
else {
    #
    # Grab the CH certificate from Utah. Only one for now.
    #
    print "Fetching clearinghouse certificate from Utah ...\n";
    system("$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem") == 0
	or fatal("Could not fetch clearinghouse certificate from Utah");
}

#
# Update obsolete (pre-URN) certificates.
#
UpdateCert( $CMCERT, "$PROTOGENI_URL/cm",
	    "urn:publicid:IDN+${OURDOMAIN}+authority+cm",
	    "$PGENIDOMAIN.cm" );
UpdateCert( $SACERT, "$PROTOGENI_URL/sa",
	    "urn:publicid:IDN+${OURDOMAIN}+authority+sa",
	    "$PGENIDOMAIN.sa" );
UpdateCert( $SESCERT, "$PROTOGENI_URL/ses",
	    "urn:publicid:IDN+${OURDOMAIN}+authority+ses",
	    "$PGENIDOMAIN.ses" );

#
# Load the SA cert to act as caller context.
#
my $certificate = GeniCertificate->LoadFromFile($SACERT);
if (!defined($certificate)) {
    fatal("Could not load certificate from $SACERT\n");
}
my $context = Genixmlrpc->Context($certificate);
if (!defined($context)) {
    fatal("Could not create context to talk to clearinghouse");
}

#
# Note that we had to send the clearinghouse $TB/etc/emulab.pem so they
# know about this new site. That is sent out of band (email).
#
print "Getting credential to talk to clearinghouse ...\n";
my $credential = GeniRegistry::ClearingHouse->GetCredential($context);
if (!defined($credential)) {
    fatal("Could not get credential to talk to clearinghouse");
}
my $clearinghouse = GeniRegistry::ClearingHouse->Create($context,
							$credential);
if (!defined($clearinghouse)) {
    fatal("Could not create a clearinghouse client");
}

#
# Add certs to the local SA database.
#
system("$ADDAUTHORITY $SACERT sa") == 0
    or fatal("Could not add SA certificate");
system("$ADDAUTHORITY $CMCERT cm") == 0
    or fatal("Could not add CM certificate");
system("$ADDAUTHORITY $SESCERT ses") == 0
    or fatal("Could not add SES certificate");

#
# Add certs to the local CM database.
#
system("$ADDAUTHORITY -a $SACERT sa") == 0
    or fatal("Could not add SA certificate to CM DB");
system("$ADDAUTHORITY -a $CMCERT cm") == 0
    or fatal("Could not add CM certificate to CM DB");

#
# Register our certs at the clearinghouse.
#
print "Registering SA cert at the clearinghouse.\n";
if ($clearinghouse->Register("SA", $certificate->cert())) {
    fatal("Could not register SA cert at the clearinghouse");
}
my $cmcert = GeniCertificate->LoadFromFile($CMCERT);
if (!defined($cmcert)) {
    fatal("Could not load certificate from $CMCERT\n");
}
print "Registering CM cert at the clearinghouse.\n";
if ($clearinghouse->Register("CM", $cmcert->cert())) {
    fatal("Could not register CM cert at the clearinghouse");
}
my $sescert = GeniCertificate->LoadFromFile($SESCERT);
if (!defined($sescert)) {
    fatal("Could not load certificate from $SESCERT\n");
}
# Don't treat SES registration failure as a fatal error quite yet, until
# we're certain that server-side support exists everywhere.
print "Registering SES cert at the clearinghouse.\n";
if ($clearinghouse->Register("SES", $sescert->cert())) {
    print("Warning: could not register SES cert at the clearinghouse\n");
}

#
# Local SiteVars to hold the UUIDs.
#
TBSetSiteVar('protogeni/sa_uuid', $certificate->uuid());
TBSetSiteVar('protogeni/cm_uuid', $cmcert->uuid());
TBSetSiteVar('protogeni/ses_uuid', $sescert->uuid());

exit(0);

sub fatal($)
{
    my ($msg) = @_;

    die("*** $0:\n".
	"    $msg\n");
}

# Add a URN to old certificates.  (This is horrible, mainly because
# we want to reuse the same private keys.)
sub UpdateCert($$$$)
{
    my ($cert, $url, $urn, $hrn) = @_;

    if( system( "$OPENSSL x509 -text -noout < $cert | " .
		"grep -q -i URI:urn:publicid:IDN" ) ) {
	my $extfile = "/tmp/$$.ext"; # not worth trying to be secure
	my $keyfile = "/tmp/$$.key";
	my $uuid = qx{$OPENSSL x509 -subject -noout < $cert};

	die "could not read subject from $cert"
	    unless defined( $uuid );
	die "no UUID found in subject"
	    unless $uuid =~ /CN=([-a-f0-9]+)/;
	$uuid = $1;

	open( OLDFILE, "< $cert" ) or die "can't open $cert";
	open( NEWFILE, "> $keyfile" ) or die "can't open $keyfile";
	while( <OLDFILE> ) {
	    print NEWFILE;
	    last if /-----END RSA PRIVATE KEY-----/;
	}
	close OLDFILE;
	close NEWFILE;

	print "Adding URN to $cert...\n";

	my $originalfile = "${cert}.orig";
	-f $originalfile and
	    die( "refusing to overwrite $originalfile" );
	rename( "$cert", "$originalfile" ) or
	    die( "could not rename $cert" );

	system("$SUDO -u $PROTOUSER $MKSYSCERT -o $cert ".
	       "  -u $url -i $urn -k $keyfile $hrn $uuid" ) == 0
	       or fatal("Could not generate $cert");
    }
}