Don't pin certs

The guidelines on how to do this properly are just too confusing
This commit is contained in:
Bob Mottram 2016-08-10 10:27:14 +01:00
parent f25602ccd1
commit 0b6a12080d
4 changed files with 140 additions and 129 deletions

View File

@ -38,6 +38,9 @@ COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git
# Don't pin certs by default
PIN_CERTS=
HOSTNAME=
LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US"
@ -59,40 +62,40 @@ MY_MIRRORS_PASSWORD=
function read_repo_servers {
if [ -f $CONFIGURATION_FILE ]; then
if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
fi
if [ ! $FRIENDS_MIRRORS_SERVER ]; then
return
return
fi
if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then
return
return
fi
MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME}
if [ ! -f $MAIN_COMMAND ]; then
MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
fi
REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g'))
for line in "${REPOS[@]}"
do
repo_name=$(echo "$line" | awk -F '=' '{print $1}')
mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
${repo_name}="${friends_repo_url}"
repo_name=$(echo "$line" | awk -F '=' '{print $1}')
mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
${repo_name}="${friends_repo_url}"
done
}
@ -125,69 +128,73 @@ do
key="$1"
case $key in
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-e|--letsencrypt)
shift
LETSENCRYPT_HOSTNAME="$1"
;;
--email)
shift
MY_EMAIL_ADDRESS="$1"
;;
-s|--server)
shift
LETSENCRYPT_SERVER="$1"
;;
-c|--country)
shift
COUNTRY_CODE="$1"
;;
-a|--area)
shift
AREA="$1"
;;
-l|--location)
shift
LOCATION="$1"
;;
-o|--organisation)
shift
ORGANISATION="$1"
;;
-u|--unit)
shift
UNIT="$1"
;;
--ca)
shift
EXTENSIONS="-extensions v3_ca"
ORGANISATION="Freedombone-CA"
;;
--nodh)
shift
NODH="true"
;;
--dhkey)
shift
DH_KEYLENGTH=${1}
;;
*)
# unknown option
;;
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-e|--letsencrypt)
shift
LETSENCRYPT_HOSTNAME="$1"
;;
--email)
shift
MY_EMAIL_ADDRESS="$1"
;;
-s|--server)
shift
LETSENCRYPT_SERVER="$1"
;;
-c|--country)
shift
COUNTRY_CODE="$1"
;;
-a|--area)
shift
AREA="$1"
;;
-l|--location)
shift
LOCATION="$1"
;;
-o|--organisation)
shift
ORGANISATION="$1"
;;
-u|--unit)
shift
UNIT="$1"
;;
--ca)
shift
EXTENSIONS="-extensions v3_ca"
ORGANISATION="Freedombone-CA"
;;
--nodh)
shift
NODH="true"
;;
--dhkey)
shift
DH_KEYLENGTH=${1}
;;
--pin)
shift
PIN_CERTS=${1}
;;
*)
# unknown option
;;
esac
shift
done
if [ ! $HOSTNAME ]; then
if [ ! $LETSENCRYPT_HOSTNAME ]; then
echo $'No hostname specified'
exit 5748
echo $'No hostname specified'
exit 5748
fi
fi
@ -207,35 +214,35 @@ function add_cert_letsencrypt {
# obtain the email address for the admin user
if [ ! $MY_EMAIL_ADDRESS ]; then
if [ -f $CONFIGURATION_FILE ]; then
if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
if [ -f $CONFIGURATION_FILE ]; then
if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
fi
fi
fi
fi
if [ ! $MY_EMAIL_ADDRESS ]; then
if [ -f $COMPLETION_FILE ]; then
if grep -q "Admin user:" $COMPLETION_FILE; then
ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
if [ -f $COMPLETION_FILE ]; then
if grep -q "Admin user:" $COMPLETION_FILE; then
ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
fi
fi
fi
fi
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
mkdir -p $INSTALL_DIR
fi
cd $INSTALL_DIR
# obtain the repo
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
exit 76283
fi
git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
exit 76283
fi
else
cd ${INSTALL_DIR}/letsencrypt
git_pull $LETSENCRYPT_REPO
cd ${INSTALL_DIR}/letsencrypt
git_pull $LETSENCRYPT_REPO
fi
# stop the web server
@ -244,38 +251,38 @@ function add_cert_letsencrypt {
cd ${INSTALL_DIR}/letsencrypt
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME --renew-by-default --agree-tos --email $MY_EMAIL_ADDRESS
if [ ! "$?" = "0" ]; then
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
systemctl start nginx
exit 63216
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
systemctl start nginx
exit 63216
fi
# replace some legacy filenames
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
# link the private key
if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
else
rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
fi
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
else
rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
fi
fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
# link the public key
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
else
rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
else
rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
@ -283,44 +290,48 @@ function add_cert_letsencrypt {
systemctl start nginx
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
exit 62878
if [ $PIN_CERTS ]; then
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
exit 62878
fi
fi
}
function add_cert_selfsigned {
if [[ $ORGANISATION == "Freedombone-CA" ]]; then
CERTFILE="ca-$HOSTNAME"
CERTFILE="ca-$HOSTNAME"
fi
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-out /etc/ssl/certs/${CERTFILE}.crt
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-out /etc/ssl/certs/${CERTFILE}.crt
chmod 400 /etc/ssl/private/${CERTFILE}.key
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
${PROJECT_NAME}-pin-cert $CERTFILE
if [ ! "$?" = "0" ]; then
echo $"Certificate for $CERTFILE could not be pinned"
exit 62879
if [ $PIN_CERTS ]; then
${PROJECT_NAME}-pin-cert $CERTFILE
if [ ! "$?" = "0" ]; then
echo $"Certificate for $CERTFILE could not be pinned"
exit 62879
fi
fi
}
function generate_dh_params {
if [ ! $NODH ]; then
if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
fi
if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
fi
fi
}
function restart_web_server {
if [ -f /etc/init.d/nginx ]; then
/etc/init.d/nginx reload
/etc/init.d/nginx reload
fi
}
@ -332,9 +343,9 @@ function make_cert_bundle {
function create_cert {
if [ $LETSENCRYPT_HOSTNAME ]; then
add_cert_letsencrypt
add_cert_letsencrypt
else
add_cert_selfsigned
add_cert_selfsigned
fi
}

View File

@ -69,7 +69,7 @@ function renew_letsencrypt {
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
${PROJECT_NAME}-pin-cert $HOSTNAME
${PROJECT_NAME}-pin-cert $HOSTNAME remove
}
function renew_startssl {
@ -169,7 +169,7 @@ function renew_startssl {
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
echo ''
${PROJECT_NAME}-pin-cert $HOSTNAME
${PROJECT_NAME}-pin-cert $HOSTNAME remove
}
while [[ $# > 1 ]]

View File

@ -723,7 +723,7 @@ set_user_permissions
backup_unmount_drive
# ensure that all TLS certificates are pinned
${PROJECT_NAME}-pin-cert all
#${PROJECT_NAME}-pin-cert all
echo $"Restore from USB drive is complete. You can now unplug it."

View File

@ -655,7 +655,7 @@ restore_apps remote
set_user_permissions
# ensure that all TLS certificates are pinned
${PROJECT_NAME}-pin-cert all
#${PROJECT_NAME}-pin-cert all
echo $"*** Remote restore was successful ***"