diff --git a/man/freedombone-tests.1.gz b/man/freedombone-tests.1.gz
index 4c52195d..bdbc094f 100644
Binary files a/man/freedombone-tests.1.gz and b/man/freedombone-tests.1.gz differ
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 5579fb7e..7f23c0c7 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -170,10 +170,6 @@ if ! which openssl > /dev/null ;then
 exit 5689
 fi
-if [ ! -d /etc/ssl/mycerts ]; then
- mkdir /etc/ssl/mycerts
-fi
-
 CERTFILE=$HOSTNAME
 function remove_cert_letsencrypt {
@@ -310,13 +306,13 @@ function add_cert_selfsigned {
 CERTFILE="ca-$HOSTNAME"
 fi
- openssl req -x509 "${EXTENSIONS}" -nodes -days 3650 -sha256 \
+ # shellcheck disable=SC2086
+ openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
 -newkey rsa:2048 -keyout "/etc/ssl/private/${CERTFILE}.key" \
 -out "/etc/ssl/certs/${CERTFILE}.crt"
 chmod 400 "/etc/ssl/private/${CERTFILE}.key"
 chmod 640 "/etc/ssl/certs/${CERTFILE}.crt"
- cp "/etc/ssl/certs/${CERTFILE}.crt" "/etc/ssl/mycerts"
 if [ "$PIN_CERTS" ]; then
 if ! "${PROJECT_NAME}-pin-cert" "$CERTFILE"; then
@@ -340,12 +336,6 @@ function restart_web_server {
 fi
 }
-function make_cert_bundle {
- # Create a bundle of your certificates
- cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/${PROJECT_NAME}-bundle.crt
- tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem
-}
-
 function create_cert {
 if [ "$remove_cert" ]; then
 remove_cert_letsencrypt
@@ -362,6 +352,5 @@ function create_cert {
 create_cert
 generate_dh_params
 restart_web_server
-make_cert_bundle
 exit 0
diff --git a/src/freedombone-app-irc b/src/freedombone-app-irc
index 5e4e56df..5212f17d 100755
--- a/src/freedombone-app-irc
+++ b/src/freedombone-app-irc
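Review bot: The `# shellcheck disable=SC2086` on the new `openssl req` line is there because `${EXTENSIONS}` has to split into several arguments, but an unquoted expansion is also subject to pathname expansion, so a `*` or `?` anywhere in the value would be globbed against the working directory before openssl sees it. Populating EXTENSIONS as a bash array where it is assigned (outside this hunk) and expanding it here as `"${EXTENSIONS[@]}"` keeps the multi-argument behaviour, expands to nothing when empty, and needs no disable. Separately, the `-subj` line sets only a CN; unless EXTENSIONS supplies a subjectAltName, current browsers and many TLS libraries reject the resulting certificate, which is worth confirming against the value EXTENSIONS takes. add_cert_selfsigned begins before this hunk and continues after it.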
@@ -523,6 +523,7 @@ function install_irc_server {
 if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}")" == "0" ]]; then
 "${PROJECT_NAME}-addcert" -h ngircd --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
+ CHECK_HOSTNAME=ngircd
 check_certificates ngircd
 fi
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index a1b6ff53..568988da 100755
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -973,6 +973,7 @@ function install_xmpp {
 if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
 if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
 "${PROJECT_NAME}-addcert" -h xmpp --dhkey "${DH_KEYLENGTH}"
+ CHECK_HOSTNAME=xmpp
 check_certificates xmpp
 if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
 echo $'Failed to create xmpp certificate'
diff --git a/src/freedombone-base-email b/src/freedombone-base-email
index 0c7e2e7d..b8959027 100755
--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -1068,6 +1068,7 @@ function configure_imap {
 if [[ "$(cert_exists dovecot)" == "0" ]]; then
 "${PROJECT_NAME}-addcert" -h dovecot --dhkey "$DH_KEYLENGTH"
+ CHECK_HOSTNAME=dovecot
 check_certificates dovecot
 fi
diff --git a/src/freedombone-utils-passwords b/src/freedombone-utils-passwords
index c289dfb4..fa5c8703 100755
--- a/src/freedombone-utils-passwords
+++ b/src/freedombone-utils-passwords
@@ -46,7 +46,7 @@ function enforce_good_passwords {
 fi
 apt-get -yq install libpam-cracklib
- sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
+ sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-1 ucredit=-1 ocredit=0 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
 mark_completed "${FUNCNAME[0]}"
 }
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 9d2c73cd..81bf3e1a 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
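Review bot: The added `CHECK_HOSTNAME=ngircd` only feeds the error text printed by check_certificates in freedombone-utils-web (`Private certificate for ${CHECK_HOSTNAME} was not created`), which already receives the same name as its first argument, so every caller now has to remember a second line and a forgotten one prints a stale or empty host. Having check_certificates set `CHECK_HOSTNAME="$1"` at its top, or use `${1}` directly in its messages, would make this assignment and its siblings in the other files unnecessary. The enclosing if block and install_irc_server both extend outside the hunk.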
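Review bot: Now that `check_certificates xmpp` runs right after addcert, a missing `/etc/ssl/private/xmpp.key` makes check_certificates exit the installer (it calls `exit 63959` in freedombone-utils-web), so the `if [ ! -f /etc/ssl/certs/xmpp.crt ]` branch with `echo $'Failed to create xmpp certificate'` that follows is only reached when the key exists but the .crt does not; if check_certificates also tests the .crt, which its body beyond the visible lines may do, that branch is dead and can be removed. In bash, writing `CHECK_HOSTNAME=xmpp check_certificates xmpp` on one line would scope the assignment to the call instead of leaving a global behind. install_xmpp begins before the hunk and continues after it.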
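Review bot: This call site invokes check_certificates without the `function_check check_certificates` line that precedes the equivalent calls in freedombone-app-irc and freedombone-utils-web, so if freedombone-utils-web is not yet sourced when configure_imap runs, the new line fails with a command-not-found rather than whatever diagnostic function_check produces (judging by its name, a definition check). Adding `function_check check_certificates` above `CHECK_HOSTNAME=dovecot` would match the other sites; whether the sourcing order makes the failure reachable is not visible in the diff. configure_imap begins before the hunk.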
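Review bot: The new sed replacement relaxes the password policy rather than tightening it: `dcredit=-4` becomes `dcredit=-1` (one required digit instead of four) and `ocredit=-1` becomes `ocredit=0` (a special character is no longer required), while `minlen=10` and `lcredit=0` stay, so a 10-character password with one digit and one upper-case letter now passes. If that is the intent, a comment above the line such as `# require one digit and one upper-case letter; with no positive credits minlen=10 is a real character count` would stop the next reader from treating it as a regression. The substitution also turns the stock `requisite` into `required`, which lets the remaining common-password modules run on a rejected password instead of failing immediately, and because the pattern only matches `requisite` the command is a no-op on a file already rewritten — presumably what mark_completed is for. enforce_good_passwords begins before the hunk.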
@@ -184,13 +184,14 @@ function test_domain_name {
 # Checks whether certificates were generated for the given hostname
 function check_certificates {
 if [ ! "$1" ]; then
- return
+ echo $'No certificate name provided'
+ exit 3568736585683
 fi
 USE_LETSENCRYPT='no'
 if [ "$2" ]; then
 USE_LETSENCRYPT="$2"
 fi
- if [[ $USE_LETSENCRYPT == 'no' ]]; then
+ if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then
 if [ ! -f "/etc/ssl/private/${1}.key" ]; then
 echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
 exit 63959
@@ -239,17 +240,27 @@ function cert_exists {
 }
 function create_self_signed_cert {
+ if [ ! "${SITE_DOMAIN_NAME}" ]; then
+ echo $'No site domain specified for self signed cert'
+ exit 4638565385
+ fi
 "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
 check_certificates "${SITE_DOMAIN_NAME}"
 }
 function create_letsencrypt_cert {
+ if [ ! "${SITE_DOMAIN_NAME}" ]; then
+ echo $'No site domain specified for letsencrypt cert'
+ exit 246824624
+ fi
+
 if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then
 if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
 echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
 "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
+ CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"
 check_certificates "${SITE_DOMAIN_NAME}"
 else
 echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
@@ -263,6 +274,7 @@ function create_letsencrypt_cert {
 fi
 function_check check_certificates
+ CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"
 check_certificates "${SITE_DOMAIN_NAME}" 'yes'
 }
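Review bot: The new condition `"$ONION_ONLY" != 'no'` is also true when ONION_ONLY is unset or empty, not only when it is 'yes', so a caller that reaches check_certificates before ONION_ONLY is assigned is checked for the self-signed `/etc/ssl/private/${1}.key` even though it passed 'yes' as the Let's Encrypt flag. Comparing against the positive value, `|| "$ONION_ONLY" == 'yes'`, or defaulting with `"${ONION_ONLY:-no}" != 'no'`, avoids that — assuming 'yes'/'no' are its only values, which the diff does not show. Replacing the silent `return` with `exit 3568736585683` matches the file's other exits, but the shell reports only the low eight bits, so the observed status is 211 and may collide with other codes. check_certificates continues past the hunk.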
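Review bot: create_self_signed_cert still calls `check_certificates "${SITE_DOMAIN_NAME}"` without setting CHECK_HOSTNAME, while the two calls in create_letsencrypt_cert now do, so on failure its message `Private certificate for ${CHECK_HOSTNAME} was not created` names whichever host an earlier caller set, or nothing at all. Adding `CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"` before that call — or, more robustly, having check_certificates assign it from `$1` — closes the gap. The new empty-SITE_DOMAIN_NAME guards are a good addition; their messages could go to stderr with `>&2` so they are not mixed into captured output, though the rest of the file uses plain echo. create_letsencrypt_cert continues beyond the hunk.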
@@ -1004,6 +1016,7 @@ function email_install_tls {
 fi
 if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
 "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"
+ CHECK_HOSTNAME=exim
 check_certificates exim
 cp /etc/ssl/certs/exim.dhparam /etc/exim4
 chown root:Debian-exim /etc/exim4/exim.dhparam
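Review bot: The `check_certificates exim` call is only reached inside `if [ ! -f /etc/ssl/certs/exim.dhparam ]`, so when the dhparam file exists but the exim certificate or key is missing nothing is verified and the function carries on as if TLS were set up; conversely a missing dhparam makes addcert regenerate an existing exim certificate. Gating on the certificate as the dovecot site does, `if [[ "$(cert_exists exim)" == "0" ]]; then`, with the dhparam copy under its own existence check, would keep the two concerns apart. email_install_tls begins before the hunk.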