Don't pin certs
The guidelines on how to do this properly are just too confusing
This commit is contained in:
parent
f25602ccd1
commit
0b6a12080d
|
@ -38,6 +38,9 @@ COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
|
|||
|
||||
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git
|
||||
|
||||
# Don't pin certs by default
|
||||
PIN_CERTS=
|
||||
|
||||
HOSTNAME=
|
||||
LETSENCRYPT_HOSTNAME=
|
||||
COUNTRY_CODE="US"
|
||||
|
@ -59,40 +62,40 @@ MY_MIRRORS_PASSWORD=
|
|||
|
||||
function read_repo_servers {
|
||||
if [ -f $CONFIGURATION_FILE ]; then
|
||||
if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
|
||||
MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
|
||||
MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
|
||||
FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! $FRIENDS_MIRRORS_SERVER ]; then
|
||||
return
|
||||
return
|
||||
fi
|
||||
if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then
|
||||
return
|
||||
return
|
||||
fi
|
||||
|
||||
MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME}
|
||||
if [ ! -f $MAIN_COMMAND ]; then
|
||||
MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
|
||||
MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
|
||||
fi
|
||||
|
||||
REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g'))
|
||||
|
||||
for line in "${REPOS[@]}"
|
||||
do
|
||||
repo_name=$(echo "$line" | awk -F '=' '{print $1}')
|
||||
mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
|
||||
friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
|
||||
${repo_name}="${friends_repo_url}"
|
||||
repo_name=$(echo "$line" | awk -F '=' '{print $1}')
|
||||
mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
|
||||
friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
|
||||
${repo_name}="${friends_repo_url}"
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -125,69 +128,73 @@ do
|
|||
key="$1"
|
||||
|
||||
case $key in
|
||||
--help)
|
||||
show_help
|
||||
;;
|
||||
-h|--hostname)
|
||||
shift
|
||||
HOSTNAME="$1"
|
||||
;;
|
||||
-e|--letsencrypt)
|
||||
shift
|
||||
LETSENCRYPT_HOSTNAME="$1"
|
||||
;;
|
||||
--email)
|
||||
shift
|
||||
MY_EMAIL_ADDRESS="$1"
|
||||
;;
|
||||
-s|--server)
|
||||
shift
|
||||
LETSENCRYPT_SERVER="$1"
|
||||
;;
|
||||
-c|--country)
|
||||
shift
|
||||
COUNTRY_CODE="$1"
|
||||
;;
|
||||
-a|--area)
|
||||
shift
|
||||
AREA="$1"
|
||||
;;
|
||||
-l|--location)
|
||||
shift
|
||||
LOCATION="$1"
|
||||
;;
|
||||
-o|--organisation)
|
||||
shift
|
||||
ORGANISATION="$1"
|
||||
;;
|
||||
-u|--unit)
|
||||
shift
|
||||
UNIT="$1"
|
||||
;;
|
||||
--ca)
|
||||
shift
|
||||
EXTENSIONS="-extensions v3_ca"
|
||||
ORGANISATION="Freedombone-CA"
|
||||
;;
|
||||
--nodh)
|
||||
shift
|
||||
NODH="true"
|
||||
;;
|
||||
--dhkey)
|
||||
shift
|
||||
DH_KEYLENGTH=${1}
|
||||
;;
|
||||
*)
|
||||
# unknown option
|
||||
;;
|
||||
--help)
|
||||
show_help
|
||||
;;
|
||||
-h|--hostname)
|
||||
shift
|
||||
HOSTNAME="$1"
|
||||
;;
|
||||
-e|--letsencrypt)
|
||||
shift
|
||||
LETSENCRYPT_HOSTNAME="$1"
|
||||
;;
|
||||
--email)
|
||||
shift
|
||||
MY_EMAIL_ADDRESS="$1"
|
||||
;;
|
||||
-s|--server)
|
||||
shift
|
||||
LETSENCRYPT_SERVER="$1"
|
||||
;;
|
||||
-c|--country)
|
||||
shift
|
||||
COUNTRY_CODE="$1"
|
||||
;;
|
||||
-a|--area)
|
||||
shift
|
||||
AREA="$1"
|
||||
;;
|
||||
-l|--location)
|
||||
shift
|
||||
LOCATION="$1"
|
||||
;;
|
||||
-o|--organisation)
|
||||
shift
|
||||
ORGANISATION="$1"
|
||||
;;
|
||||
-u|--unit)
|
||||
shift
|
||||
UNIT="$1"
|
||||
;;
|
||||
--ca)
|
||||
shift
|
||||
EXTENSIONS="-extensions v3_ca"
|
||||
ORGANISATION="Freedombone-CA"
|
||||
;;
|
||||
--nodh)
|
||||
shift
|
||||
NODH="true"
|
||||
;;
|
||||
--dhkey)
|
||||
shift
|
||||
DH_KEYLENGTH=${1}
|
||||
;;
|
||||
--pin)
|
||||
shift
|
||||
PIN_CERTS=${1}
|
||||
;;
|
||||
*)
|
||||
# unknown option
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [ ! $HOSTNAME ]; then
|
||||
if [ ! $LETSENCRYPT_HOSTNAME ]; then
|
||||
echo $'No hostname specified'
|
||||
exit 5748
|
||||
echo $'No hostname specified'
|
||||
exit 5748
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -207,35 +214,35 @@ function add_cert_letsencrypt {
|
|||
|
||||
# obtain the email address for the admin user
|
||||
if [ ! $MY_EMAIL_ADDRESS ]; then
|
||||
if [ -f $CONFIGURATION_FILE ]; then
|
||||
if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
|
||||
MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
|
||||
if [ -f $CONFIGURATION_FILE ]; then
|
||||
if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
|
||||
MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [ ! $MY_EMAIL_ADDRESS ]; then
|
||||
if [ -f $COMPLETION_FILE ]; then
|
||||
if grep -q "Admin user:" $COMPLETION_FILE; then
|
||||
ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
|
||||
MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
|
||||
if [ -f $COMPLETION_FILE ]; then
|
||||
if grep -q "Admin user:" $COMPLETION_FILE; then
|
||||
ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
|
||||
MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d $INSTALL_DIR ]; then
|
||||
mkdir -p $INSTALL_DIR
|
||||
mkdir -p $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
|
||||
# obtain the repo
|
||||
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
|
||||
git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
|
||||
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
|
||||
exit 76283
|
||||
fi
|
||||
git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
|
||||
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
|
||||
exit 76283
|
||||
fi
|
||||
else
|
||||
cd ${INSTALL_DIR}/letsencrypt
|
||||
git_pull $LETSENCRYPT_REPO
|
||||
cd ${INSTALL_DIR}/letsencrypt
|
||||
git_pull $LETSENCRYPT_REPO
|
||||
fi
|
||||
|
||||
# stop the web server
|
||||
|
@ -244,38 +251,38 @@ function add_cert_letsencrypt {
|
|||
cd ${INSTALL_DIR}/letsencrypt
|
||||
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME --renew-by-default --agree-tos --email $MY_EMAIL_ADDRESS
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
|
||||
systemctl start nginx
|
||||
exit 63216
|
||||
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
|
||||
systemctl start nginx
|
||||
exit 63216
|
||||
fi
|
||||
|
||||
# replace some legacy filenames
|
||||
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
fi
|
||||
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
fi
|
||||
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
|
||||
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
|
||||
|
||||
# link the private key
|
||||
if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
|
||||
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
|
||||
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
|
||||
else
|
||||
rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
|
||||
fi
|
||||
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
|
||||
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
|
||||
else
|
||||
rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
|
||||
fi
|
||||
fi
|
||||
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
|
||||
|
||||
# link the public key
|
||||
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
|
||||
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
|
||||
else
|
||||
rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
fi
|
||||
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
|
||||
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
|
||||
else
|
||||
rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
fi
|
||||
fi
|
||||
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
|
||||
|
||||
|
@ -283,44 +290,48 @@ function add_cert_letsencrypt {
|
|||
|
||||
systemctl start nginx
|
||||
|
||||
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
|
||||
exit 62878
|
||||
if [ $PIN_CERTS ]; then
|
||||
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
|
||||
exit 62878
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function add_cert_selfsigned {
|
||||
if [[ $ORGANISATION == "Freedombone-CA" ]]; then
|
||||
CERTFILE="ca-$HOSTNAME"
|
||||
CERTFILE="ca-$HOSTNAME"
|
||||
fi
|
||||
|
||||
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
|
||||
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
|
||||
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
|
||||
-out /etc/ssl/certs/${CERTFILE}.crt
|
||||
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
|
||||
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
|
||||
-out /etc/ssl/certs/${CERTFILE}.crt
|
||||
chmod 400 /etc/ssl/private/${CERTFILE}.key
|
||||
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
|
||||
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
|
||||
|
||||
${PROJECT_NAME}-pin-cert $CERTFILE
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $CERTFILE could not be pinned"
|
||||
exit 62879
|
||||
if [ $PIN_CERTS ]; then
|
||||
${PROJECT_NAME}-pin-cert $CERTFILE
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $CERTFILE could not be pinned"
|
||||
exit 62879
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function generate_dh_params {
|
||||
if [ ! $NODH ]; then
|
||||
if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
|
||||
${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
|
||||
fi
|
||||
if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
|
||||
${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function restart_web_server {
|
||||
if [ -f /etc/init.d/nginx ]; then
|
||||
/etc/init.d/nginx reload
|
||||
/etc/init.d/nginx reload
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -332,9 +343,9 @@ function make_cert_bundle {
|
|||
|
||||
function create_cert {
|
||||
if [ $LETSENCRYPT_HOSTNAME ]; then
|
||||
add_cert_letsencrypt
|
||||
add_cert_letsencrypt
|
||||
else
|
||||
add_cert_selfsigned
|
||||
add_cert_selfsigned
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -69,7 +69,7 @@ function renew_letsencrypt {
|
|||
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
|
||||
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME remove
|
||||
}
|
||||
|
||||
function renew_startssl {
|
||||
|
@ -169,7 +169,7 @@ function renew_startssl {
|
|||
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
|
||||
echo ''
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME remove
|
||||
}
|
||||
|
||||
while [[ $# > 1 ]]
|
||||
|
|
|
@ -723,7 +723,7 @@ set_user_permissions
|
|||
backup_unmount_drive
|
||||
|
||||
# ensure that all TLS certificates are pinned
|
||||
${PROJECT_NAME}-pin-cert all
|
||||
#${PROJECT_NAME}-pin-cert all
|
||||
|
||||
echo $"Restore from USB drive is complete. You can now unplug it."
|
||||
|
||||
|
|
|
@ -655,7 +655,7 @@ restore_apps remote
|
|||
set_user_permissions
|
||||
|
||||
# ensure that all TLS certificates are pinned
|
||||
${PROJECT_NAME}-pin-cert all
|
||||
#${PROJECT_NAME}-pin-cert all
|
||||
|
||||
echo $"*** Remote restore was successful ***"
|
||||
|
||||
|
|
Loading…
Reference in New Issue