Cerificate pinning
This commit is contained in:
Bob Mottram
parent
016b7ecd9e
commit
2a04c73d82
Binary file not shown.
|
|
@ -4325,7 +4325,7 @@ function configure_imap_client_certs {
|
|||
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
|
||||
${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
|
||||
else
|
||||
${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
||||
${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH
|
||||
fi
|
||||
fi
|
||||
# CA configuration
|
||||
|
|
@ -6767,14 +6767,6 @@ function install_wiki {
|
|||
if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then
|
||||
rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
|
||||
fi
|
||||
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
|
||||
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
|
||||
${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
|
||||
else
|
||||
${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
||||
fi
|
||||
check_certificates $WIKI_DOMAIN_NAME
|
||||
fi
|
||||
|
||||
ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs
|
||||
|
||||
|
|
@ -7002,6 +6994,15 @@ function install_wiki {
|
|||
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
||||
echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
|
||||
|
||||
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
|
||||
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
|
||||
${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
|
||||
else
|
||||
${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
||||
fi
|
||||
check_certificates $WIKI_DOMAIN_NAME
|
||||
fi
|
||||
|
||||
configure_php
|
||||
|
||||
nginx_ensite $WIKI_DOMAIN_NAME
|
||||
|
|
@ -7090,15 +7091,6 @@ function install_blog {
|
|||
|
||||
chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
|
||||
|
||||
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
|
||||
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
|
||||
${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
|
||||
else
|
||||
${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
||||
fi
|
||||
check_certificates $FULLBLOG_DOMAIN_NAME
|
||||
fi
|
||||
|
||||
echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
||||
echo ' listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
||||
echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
||||
|
|
@ -7272,6 +7264,15 @@ function install_blog {
|
|||
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
||||
echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
|
||||
|
||||
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
|
||||
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
|
||||
${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
|
||||
else
|
||||
${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
||||
fi
|
||||
check_certificates $FULLBLOG_DOMAIN_NAME
|
||||
fi
|
||||
|
||||
configure_php
|
||||
|
||||
# blog settings
|
||||
|
|
|
|||
|
|
@ -205,7 +205,14 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
|
|||
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
|
||||
cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
|
||||
|
||||
systemctl start nginx
|
||||
|
||||
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
|
||||
exit 62878
|
||||
fi
|
||||
else
|
||||
CERTFILE=$HOSTNAME
|
||||
if [[ $ORGANISATION == "Freedombone-CA" ]]; then
|
||||
|
|
@ -219,6 +226,12 @@ else
|
|||
chmod 400 /etc/ssl/private/${CERTFILE}.key
|
||||
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
|
||||
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
|
||||
|
||||
${PROJECT_NAME}-pin-cert $CERTFILE
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $CERTFILE could not be pinned"
|
||||
exit 62879
|
||||
fi
|
||||
fi
|
||||
|
||||
# generate DH params
|
||||
|
|
|
|||
|
|
@ -0,0 +1,60 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# .---. . .
|
||||
# | | |
|
||||
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
||||
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
||||
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
||||
#
|
||||
# Freedom in the Cloud
|
||||
#
|
||||
# Performs certificate pinning (HPKP) on a given domain name
|
||||
|
||||
# License
|
||||
# =======
|
||||
#
|
||||
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
PROJECT_NAME='freedombone'
|
||||
|
||||
export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
|
||||
export TEXTDOMAINDIR="/usr/share/locale"
|
||||
|
||||
DOMAIN_NAME=$1
|
||||
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
|
||||
SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
|
||||
|
||||
if [ ! -f "$KEY_FILENAME" ]; then
|
||||
echo $"No certificate found for $DOMAIN_NAME"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$SITE_FILENAME" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
|
||||
|
||||
PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
|
||||
if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
|
||||
sed -i "/add_header Access-Control-Allow-Origin.*/a $PIN_HEADER" $SITE_FILENAME
|
||||
else
|
||||
sed -i "s/add_header Public-Key-Pins.*/$PIN_HEADER/g" $SITE_FILENAME
|
||||
fi
|
||||
|
||||
systemctl restart nginx
|
||||
|
||||
exit 0
|
||||
|
|
@ -73,6 +73,8 @@ function renew_letsencrypt {
|
|||
# Ensure that links are in place
|
||||
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
|
||||
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
}
|
||||
|
||||
function renew_startssl {
|
||||
|
|
@ -171,6 +173,8 @@ function renew_startssl {
|
|||
echo $'Once you have retrieved the new public certificate paste it to:'
|
||||
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
|
||||
echo ''
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
}
|
||||
|
||||
while [[ $# > 1 ]]
|
||||
|
|
|
|||
Loading…
Reference in New Issue