From 9901cdcbb45ea92b40d35293cbf89c8c2a3ec051 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 31 Mar 2015 20:22:42 +0100
Subject: [PATCH] Separate command for making self-signed certificates

---
 Makefile | 4 ++
 debian/source/include-binaries | 1 +
 man/freedombone-addcert.1.gz | Bin 0 -> 453 bytes
 src/freedombone | 65 ++++-------------
 src/freedombone-addcert | 116 +++++++++++++++++++++++++++++++++
 5 files changed, 135 insertions(+), 51 deletions(-)
 create mode 100644 man/freedombone-addcert.1.gz
 create mode 100755 src/freedombone-addcert

diff --git a/Makefile b/Makefile
index 08326517..a2cad073 100644
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@ install:
 install -m 755 src/${APP}-remote ${DESTDIR}${PREFIX}/bin
 install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin
 install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin
+ install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
 mkdir -m 755 -p ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-prep.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@@ -23,6 +24,7 @@ install:
 install -m 644 man/${APP}-remote.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1
+ install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 uninstall:
 rm -f ${PREFIX}/share/man/man1/${APP}.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-prep.1.gz
@@ -30,6 +32,7 @@ uninstall:
 rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz
+ rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
 rm -rf ${PREFIX}/share/${APP}
 rm -f ${PREFIX}/bin/${APP}
 rm -f ${PREFIX}/bin/${APP}-prep
@@ -37,6 +40,7 @@ uninstall: rm -f ${PREFIX}/bin/${APP}-remote rm -f ${PREFIX}/bin/${APP}-config rm -f ${PREFIX}/bin/${APP}-sec + rm -f ${PREFIX}/bin/${APP}-addcert clean: rm -f \#* \.#* debian/*.substvars debian/*.log rm -fr deb.* debian/${APP} diff --git a/debian/source/include-binaries b/debian/source/include-binaries index 72ee8586..3753fb54 100644 --- a/debian/source/include-binaries +++ b/debian/source/include-binaries @@ -4,3 +4,4 @@ man/freedombone-client.1.gz man/freedombone-remote.1.gz man/freedombone-config.1.gz man/freedombone-sec.1.gz +man/freedombone-addcert.1.gz diff --git a/man/freedombone-addcert.1.gz b/man/freedombone-addcert.1.gz new file mode 100644 index 0000000000000000000000000000000000000000..aaa922952c4d267855a78cf83f7d66d990206ce5 GIT binary patch literal 453 zcmV;$0XqI4iwFSk@)}hD1BH-JkJB&^#qa(Uqg*&8VY@>?qOd;!sVvYJKWHM<`%On|jBy@#3{Xou1p+W=!%$7~vl6`Yi& zHd=aQAPe`XjI{&5RsOYE&Y;1k3eN=<|H?g*NyQ$<24LuPn&P<9kD z4B7A_D9JU_8opKrC}BQZT;2RQjJ?(=ZIMQF?mTDT%57qfjn znTHJ($3Cb#7+5w4hQ~rcIR70?h)sW@lwEg(BMqRX1=%qH_oz*MgwSSwDWI1w^muf9 zP0#l8u)ZDk6pYo-ggLxOGHAW;d7P$=@$H}zO@~xTZkyx9NO4AH!_&{%$n8y*pPk;}6KE4U8dM#UuSV vw1@2FYgM~N`#|4|iu>vF7c>RAJ#zkV?s`NuJ_85dzq7+>X~%K`uZl*!%J literal 0 HcmV?d00001 diff --git a/src/freedombone b/src/freedombone index 20956feb..7b8c286c 100755 --- a/src/freedombone +++ b/src/freedombone @@ -1594,7 +1594,7 @@ function create_backup_script { echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_SCRIPT_NAME - echo ' makecert backup' >> /usr/bin/$BACKUP_SCRIPT_NAME + echo ' freedombone-addcert -h backup' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME 
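Review bot: The generated backup script now calls `freedombone-addcert` by bare name, a binary this commit installs into `${PREFIX}/bin` via the Makefile, whereas the previous `makecert` was written by freedombone itself into /usr/bin; if the generated script runs from cron with a reduced PATH or under a non-default PREFIX, the call presumably fails and the script continues past `fi` without a certificate, since its status is not checked. Emitting a guard line before the call, e.g. `echo ' command -v freedombone-addcert > /dev/null || exit 1' >> /usr/bin/$BACKUP_SCRIPT_NAME`, would make that failure explicit; the hunk at 2898 has the same shape. Nothing in this commit removes the previously generated `/usr/bin/makecert` or its `script_to_make_self_signed_certificates` marker in $COMPLETION_FILE on already-installed systems, so upgraded hosts keep a second, older certificate generator around. create_backup_script continues outside the hunk.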
@@ -2898,7 +2898,7 @@ function backup_to_friends_servers { echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' makecert backup' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' freedombone-addcert -h backup' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME 
@@ -5131,42 +5131,6 @@ function configure_internet_protocol { echo 'configure_internet_protocol' >> $COMPLETION_FILE } -function script_to_make_self_signed_certificates { - if grep -Fxq "script_to_make_self_signed_certificates" $COMPLETION_FILE; then - return - fi - echo '#!/bin/bash' > /usr/bin/makecert - echo 'HOSTNAME=$1' >> /usr/bin/makecert - echo 'COUNTRY_CODE="US"' >> /usr/bin/makecert - echo 'AREA="Free Speech Zone"' >> /usr/bin/makecert - echo 'LOCATION="Freedomville"' >> /usr/bin/makecert - echo 'ORGANISATION="Freedombone"' >> /usr/bin/makecert - echo 'UNIT="Freedombone Unit"' >> /usr/bin/makecert - echo 'if ! which openssl > /dev/null ;then' >> /usr/bin/makecert - echo ' echo "$0: openssl is not installed, exiting" 1>&2' >> /usr/bin/makecert - echo ' exit 1' >> /usr/bin/makecert - echo 'fi' >> /usr/bin/makecert - echo 'openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert - echo 'openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert - echo 'chmod 400 /etc/ssl/private/$HOSTNAME.key' >> /usr/bin/makecert - echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert - echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert - echo 'if [ -f /etc/init.d/nginx ]; then' >> /usr/bin/makecert - echo ' /etc/init.d/nginx reload' >> /usr/bin/makecert - echo 'fi' >> /usr/bin/makecert - echo '# add the public certificate to a separate directory' >> /usr/bin/makecert - echo '# so that we can redistribute it easily' >> /usr/bin/makecert - echo 'if [ ! 
-d /etc/ssl/mycerts ]; then' >> /usr/bin/makecert - echo ' mkdir /etc/ssl/mycerts' >> /usr/bin/makecert - echo 'fi' >> /usr/bin/makecert - echo 'cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts' >> /usr/bin/makecert - echo '# Create a bundle of your certificates' >> /usr/bin/makecert - echo 'cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt' >> /usr/bin/makecert - echo 'tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt' >> /usr/bin/makecert - chmod +x /usr/bin/makecert - echo 'script_to_make_self_signed_certificates' >> $COMPLETION_FILE -} - function configure_email { if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return @@ -5214,7 +5178,7 @@ function configure_email { # make a tls certificate for email if [ ! -f /etc/ssl/certs/exim.dhparam ]; then - makecert exim + freedombone-addcert -h exim check_certificates exim fi cp /etc/ssl/private/exim.key /etc/exim4 @@ -5440,7 +5404,7 @@ function configure_imap { fi if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then - makecert dovecot + freedombone-addcert -h dovecot check_certificates dovecot fi chown root:dovecot /etc/ssl/certs/dovecot.* @@ -6785,7 +6749,7 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then - makecert $OWNCLOUD_DOMAIN_NAME + freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME check_certificates $OWNCLOUD_DOMAIN_NAME fi @@ -7028,7 +6992,7 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then - makecert $GIT_DOMAIN_NAME + freedombone-addcert -h $GIT_DOMAIN_NAME check_certificates $GIT_DOMAIN_NAME fi @@ -7059,7 +7023,7 @@ function install_xmpp { fi if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then - makecert xmpp + freedombone-addcert -h xmpp check_certificates xmpp fi chown prosody:prosody /etc/ssl/private/xmpp.key 
@@ -7183,7 +7147,7 @@ function install_irc_server { fi if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then - makecert ngircd + freedombone-addcert -h ngircd check_certificates ngircd fi @@ -7273,7 +7237,7 @@ function install_wiki { rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs fi if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then - makecert $WIKI_DOMAIN_NAME + freedombone-addcert -h $WIKI_DOMAIN_NAME check_certificates $WIKI_DOMAIN_NAME fi @@ -7558,7 +7522,7 @@ function install_blog { chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then - makecert $FULLBLOG_DOMAIN_NAME + freedombone-addcert -h $FULLBLOG_DOMAIN_NAME check_certificates $FULLBLOG_DOMAIN_NAME fi @@ -7923,7 +7887,7 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then - makecert $MICROBLOG_DOMAIN_NAME + freedombone-addcert -h $MICROBLOG_DOMAIN_NAME check_certificates $MICROBLOG_DOMAIN_NAME fi @@ -8191,7 +8155,7 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam ]; then - makecert $REDMATRIX_DOMAIN_NAME + freedombone-addcert -h $REDMATRIX_DOMAIN_NAME check_certificates $REDMATRIX_DOMAIN_NAME fi @@ -8508,7 +8472,7 @@ function install_mediagoblin { echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then - makecert $MEDIAGOBLIN_DOMAIN_NAME + freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME check_certificates $MEDIAGOBLIN_DOMAIN_NAME fi @@ -8917,7 +8881,7 @@ function install_voip { # Make an ssl cert for the server if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then - makecert mumble + freedombone-addcert -h mumble check_certificates mumble fi 
@@ -9034,7 +8998,6 @@ remove_instructions_from_motd check_hwrng search_for_attached_usb_drive regenerate_ssh_keys -script_to_make_self_signed_certificates create_upgrade_script route_outgoing_traffic_through_tor install_watchdog_script diff --git a/src/freedombone-addcert b/src/freedombone-addcert new file mode 100755 index 00000000..442383ae --- /dev/null +++ b/src/freedombone-addcert 
@@ -0,0 +1,116 @@
+#!/bin/bash
+# A script for creating self-signed certificates on Debian
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+HOSTNAME=
+COUNTRY_CODE="US"
+AREA="Free Speech Zone"
+LOCATION="Freedomville"
+ORGANISATION="Freedombone"
+UNIT="Freedombone Unit"
+
+function show_help {
+ echo ''
+ echo 'freedombone-addcert -h [hostname] -c [country code] -a [area] -l [location]'
+ echo ' -o [organisation] -u [unit]'
+ echo ''
+ echo 'Creates a self-signed certificate for the given hostname'
+ echo ''
+ echo ' --help Show help'
+ echo ' -h --hostname [name] Hostname'
+ echo ' -c --country [code] Optional country code (eg. US, GB, etc)'
+ echo ' -a --area [description] Optional area description'
+ echo ' -l --location [locn] Optional location name'
+ echo ' -o --organisation [name] Optional organisation name'
+ echo ' -u --unit [name] Optional unit name'
+ echo ''
+ exit 0
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+ --help)
+ show_help
+ ;;
+ -h|--hostname)
+ shift
+ HOSTNAME="$1"
+ ;;
+ -c|--country)
+ shift
+ COUNTRY_CODE="$1"
+ ;;
+ -a|--area)
+ shift
+ AREA="$1"
+ ;;
+ -l|--location)
+ shift
+ LOCATION="$1"
+ ;;
+ -o|--organisation)
+ shift
+ ORGANISATION="$1"
+ ;;
+ -u|--unit)
+ shift
+ UNIT="$1"
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+shift
+done
+
+if [ ! $HOSTNAME ]; then
+ echo 'No hostname specified'
+ exit 5748
+fi
+
+if ! which openssl > /dev/null ;then
+ echo "$0: openssl is not installed, exiting" 1>&2
+ exit 5689
+fi
+
+openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
+openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+chmod 400 /etc/ssl/private/$HOSTNAME.key
+chmod 640 /etc/ssl/certs/$HOSTNAME.crt
+chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
+
+if [ -f /etc/init.d/nginx ]; then
+ /etc/init.d/nginx reload
+fi
+
+# add the public certificate to a separate directory
+# so that we can redistribute it easily
+if [ ! -d /etc/ssl/mycerts ]; then
+ mkdir /etc/ssl/mycerts
+fi
+cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts
+
+# Create a bundle of your certificates
+cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
+tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
+exit 0
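Review bot: `--help` given as the only argument never reaches show_help, because the loop condition `while [[ $# > 1 ]]` stops with one argument left (and `>` inside `[[ ]]` is a string comparison, not a numeric one), so the script falls through to "No hostname specified"; `while [[ $# -gt 0 ]]` fixes both. The hostname is spliced unvalidated and unquoted into `/etc/ssl/private/$HOSTNAME.key`, `/etc/ssl/certs/$HOSTNAME.crt` and the `-subj` string, so a value containing `/`, `..` or whitespace writes outside the intended directories or breaks the command line; a guard before the openssl calls such as `[[ "$HOSTNAME" =~ ^[A-Za-z0-9.-]+$ ]] || { echo 'invalid hostname' 1>&2; exit 1; }` is cheap. `exit 5748` and `exit 5689` are reduced modulo 256 by the shell (to 116 and 57), so the codes callers actually see are not the ones written here. The status of `openssl req` is never checked, so a failed key generation still proceeds to chmod, cp and a bundle built from whatever already sits in /etc/ssl/mycerts. `openssl dhparam ... 1024` also produces 1024-bit DH parameters, below the 2048-bit minimum generally recommended; either use `2048` or add a comment stating why the smaller size is intended.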