From 0b6a12080d26afd8cf6b565cfa052548e1069803 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 10 Aug 2016 10:27:14 +0100 Subject: [PATCH] Don't pin certs The guidelines on how to do this properly are just too confusing --- src/freedombone-addcert | 261 +++++++++++++++++---------------- src/freedombone-renew-cert | 4 +- src/freedombone-restore-local | 2 +- src/freedombone-restore-remote | 2 +- 4 files changed, 140 insertions(+), 129 deletions(-) diff --git a/src/freedombone-addcert b/src/freedombone-addcert index 5b437ad7..23bcc194 100755 --- a/src/freedombone-addcert +++ b/src/freedombone-addcert @@ -38,6 +38,9 @@ COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git +# Don't pin certs by default +PIN_CERTS= + HOSTNAME= LETSENCRYPT_HOSTNAME= COUNTRY_CODE="US" 
@@ -59,40 +62,40 @@ MY_MIRRORS_PASSWORD= function read_repo_servers { if [ -f $CONFIGURATION_FILE ]; then - if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then - MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi + if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then + MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi fi if [ ! $FRIENDS_MIRRORS_SERVER ]; then - return + return fi if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then - return + return fi MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME} if [ ! 
-f $MAIN_COMMAND ]; then - MAIN_COMMAND=/usr/bin/${PROJECT_NAME} + MAIN_COMMAND=/usr/bin/${PROJECT_NAME} fi REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g')) for line in "${REPOS[@]}" do - repo_name=$(echo "$line" | awk -F '=' '{print $1}') - mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}') - friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}" - ${repo_name}="${friends_repo_url}" + repo_name=$(echo "$line" | awk -F '=' '{print $1}') + mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}') + friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}" + ${repo_name}="${friends_repo_url}" done } 
@@ -125,69 +128,73 @@ do key="$1" case $key in - --help) - show_help - ;; - -h|--hostname) - shift - HOSTNAME="$1" - ;; - -e|--letsencrypt) - shift - LETSENCRYPT_HOSTNAME="$1" - ;; - --email) - shift - MY_EMAIL_ADDRESS="$1" - ;; - -s|--server) - shift - LETSENCRYPT_SERVER="$1" - ;; - -c|--country) - shift - COUNTRY_CODE="$1" - ;; - -a|--area) - shift - AREA="$1" - ;; - -l|--location) - shift - LOCATION="$1" - ;; - -o|--organisation) - shift - ORGANISATION="$1" - ;; - -u|--unit) - shift - UNIT="$1" - ;; - --ca) - shift - EXTENSIONS="-extensions v3_ca" - ORGANISATION="Freedombone-CA" - ;; - --nodh) - shift - NODH="true" - ;; - --dhkey) - shift - DH_KEYLENGTH=${1} - ;; - *) - # unknown option - ;; + --help) + show_help + ;; + -h|--hostname) + shift + HOSTNAME="$1" + ;; + -e|--letsencrypt) + shift + LETSENCRYPT_HOSTNAME="$1" + ;; + --email) + shift + MY_EMAIL_ADDRESS="$1" + ;; + -s|--server) + shift + LETSENCRYPT_SERVER="$1" + ;; + -c|--country) + shift + COUNTRY_CODE="$1" + ;; + -a|--area) + shift + AREA="$1" + ;; + -l|--location) + shift + LOCATION="$1" + ;; + -o|--organisation) + shift + ORGANISATION="$1" + ;; + -u|--unit) + shift + UNIT="$1" + ;; + --ca) + shift + EXTENSIONS="-extensions v3_ca" + ORGANISATION="Freedombone-CA" + ;; + --nodh) + shift + NODH="true" + ;; + --dhkey) + shift + DH_KEYLENGTH=${1} + ;; + --pin) + shift + PIN_CERTS=${1} + ;; + *) + # unknown option + ;; esac shift done if [ ! $HOSTNAME ]; then if [ ! $LETSENCRYPT_HOSTNAME ]; then - echo $'No hostname specified' - exit 5748 + echo $'No hostname specified' + exit 5748 fi fi 
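Review bot: The new `--pin` arm stores whatever token follows the flag verbatim (`PIN_CERTS=${1}`), while the checks this commit adds in add_cert_letsencrypt and add_cert_selfsigned only test for a non-empty value, so `--pin no` or `--pin false` turns pinning on. Either make it a bare switch, `--pin) PIN_CERTS="true" ;;` with no inner `shift`, or normalise the argument, e.g. `case "$1" in yes|true|1) PIN_CERTS="true" ;; *) PIN_CERTS= ;; esac`. If show_help (outside this hunk) lists the options, `--pin` should be documented there too, since pinning now silently defaults to off. The while loop that wraps this case statement starts before the hunk.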
@@ -207,35 +214,35 @@ function add_cert_letsencrypt { # obtain the email address for the admin user if [ ! $MY_EMAIL_ADDRESS ]; then - if [ -f $CONFIGURATION_FILE ]; then - if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then - MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}') + if [ -f $CONFIGURATION_FILE ]; then + if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then + MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}') + fi fi fi - fi if [ ! $MY_EMAIL_ADDRESS ]; then - if [ -f $COMPLETION_FILE ]; then - if grep -q "Admin user:" $COMPLETION_FILE; then - ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}') - MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME + if [ -f $COMPLETION_FILE ]; then + if grep -q "Admin user:" $COMPLETION_FILE; then + ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}') + MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME + fi fi fi - fi if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR + mkdir -p $INSTALL_DIR fi cd $INSTALL_DIR # obtain the repo if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then - git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt - if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then - exit 76283 - fi + git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt + if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then + exit 76283 + fi else - cd ${INSTALL_DIR}/letsencrypt - git_pull $LETSENCRYPT_REPO + cd ${INSTALL_DIR}/letsencrypt + git_pull $LETSENCRYPT_REPO fi # stop the web server 
@@ -244,38 +251,38 @@ function add_cert_letsencrypt { cd ${INSTALL_DIR}/letsencrypt ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME --renew-by-default --agree-tos --email $MY_EMAIL_ADDRESS if [ ! "$?" = "0" ]; then - echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" - systemctl start nginx - exit 63216 + echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" + systemctl start nginx + exit 63216 fi # replace some legacy filenames if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem fi if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem fi sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME # link the private key if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then - if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then - mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old - else - rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key - fi + if [ ! 
-f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then + mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old + else + rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key + fi fi ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key # link the public key if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then - if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old - else - rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem - fi + if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old + else + rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + fi fi ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem 
@@ -283,44 +290,48 @@ function add_cert_letsencrypt { systemctl start nginx - ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME - if [ ! "$?" = "0" ]; then - echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned" - exit 62878 + if [ $PIN_CERTS ]; then + ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME + if [ ! "$?" = "0" ]; then + echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned" + exit 62878 + fi fi } function add_cert_selfsigned { if [[ $ORGANISATION == "Freedombone-CA" ]]; then - CERTFILE="ca-$HOSTNAME" + CERTFILE="ca-$HOSTNAME" fi openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \ - -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ - -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \ - -out /etc/ssl/certs/${CERTFILE}.crt + -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ + -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \ + -out /etc/ssl/certs/${CERTFILE}.crt chmod 400 /etc/ssl/private/${CERTFILE}.key chmod 640 /etc/ssl/certs/${CERTFILE}.crt cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts - ${PROJECT_NAME}-pin-cert $CERTFILE - if [ ! "$?" = "0" ]; then - echo $"Certificate for $CERTFILE could not be pinned" - exit 62879 + if [ $PIN_CERTS ]; then + ${PROJECT_NAME}-pin-cert $CERTFILE + if [ ! "$?" = "0" ]; then + echo $"Certificate for $CERTFILE could not be pinned" + exit 62879 + fi fi } function generate_dh_params { if [ ! $NODH ]; then - if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then - ${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes - fi + if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then + ${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes + fi fi } function restart_web_server { if [ -f /etc/init.d/nginx ]; then - /etc/init.d/nginx reload + /etc/init.d/nginx reload fi } 
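Review bot: The gate `if [ $PIN_CERTS ]; then` added in both add_cert_letsencrypt and add_cert_selfsigned is an unquoted single-bracket test, which misbehaves on a value containing spaces; `if [[ -n "$PIN_CERTS" ]]; then` is the safe form in both places. More importantly, the non-pinning path does nothing about a pin that an earlier run installed when pinning was still the default: the key and certificate are replaced above, but the old pin stays wherever `${PROJECT_NAME}-pin-cert` put it, and if that is a browser-enforced pin header (as the name suggests, but the script is outside this hunk) clients would be locked out until it expires. The renew script in this same commit calls `${PROJECT_NAME}-pin-cert $HOSTNAME remove` for exactly that case; an `else` branch here doing `${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME remove` (and `$CERTFILE` in the self-signed function) would keep the two scripts consistent, assuming `remove` is what pin-cert implements. add_cert_letsencrypt's body starts before this hunk.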
@@ -332,9 +343,9 @@ function make_cert_bundle { function create_cert { if [ $LETSENCRYPT_HOSTNAME ]; then - add_cert_letsencrypt + add_cert_letsencrypt else - add_cert_selfsigned + add_cert_selfsigned fi } diff --git a/src/freedombone-renew-cert b/src/freedombone-renew-cert index 70503a92..6e0a5205 100755 --- a/src/freedombone-renew-cert +++ b/src/freedombone-renew-cert @@ -69,7 +69,7 @@ function renew_letsencrypt { ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem - ${PROJECT_NAME}-pin-cert $HOSTNAME + ${PROJECT_NAME}-pin-cert $HOSTNAME remove } function renew_startssl { @@ -169,7 +169,7 @@ function renew_startssl { echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again." echo '' - ${PROJECT_NAME}-pin-cert $HOSTNAME + ${PROJECT_NAME}-pin-cert $HOSTNAME remove } while [[ $# > 1 ]] diff --git a/src/freedombone-restore-local b/src/freedombone-restore-local index ed9ff6c8..1af58ab6 100755 --- a/src/freedombone-restore-local +++ b/src/freedombone-restore-local @@ -723,7 +723,7 @@ set_user_permissions backup_unmount_drive # ensure that all TLS certificates are pinned -${PROJECT_NAME}-pin-cert all +#${PROJECT_NAME}-pin-cert all echo $"Restore from USB drive is complete. You can now unplug it." diff --git a/src/freedombone-restore-remote b/src/freedombone-restore-remote index 1eac92de..d6043688 100755 --- a/src/freedombone-restore-remote +++ b/src/freedombone-restore-remote @@ -655,7 +655,7 @@ restore_apps remote set_user_permissions # ensure that all TLS certificates are pinned -${PROJECT_NAME}-pin-cert all +#${PROJECT_NAME}-pin-cert all echo $"*** Remote restore was successful ***"
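Review bot: In renew_letsencrypt the exit status of the changed line `${PROJECT_NAME}-pin-cert $HOSTNAME remove` is not checked, and it runs only after the new key and chain have already been linked in, so a failed removal leaves a stale pin for a key that no longer serves while renewal still reports success; the renew_startssl hunk below has the same shape. At minimum report the failure, `${PROJECT_NAME}-pin-cert $HOSTNAME remove || echo $"Could not remove certificate pin for $HOSTNAME" >&2`. A one-line comment such as `# pinning is off by default; drop any pin left behind by an earlier version` would also explain why a commit titled "Don't pin certs" still invokes pin-cert. Both functions start before their hunks.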
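Review bot: Commenting out `${PROJECT_NAME}-pin-cert all` leaves the line above it, `# ensure that all TLS certificates are pinned`, describing a step that no longer runs, in both freedombone-restore-local and freedombone-restore-remote. Either delete both lines or replace the comment with something like `# certificate pinning is off by default; pass --pin to ${PROJECT_NAME}-addcert to re-enable it`, so the dead line is not mistaken for a temporary disable. Note also that a restored backup may carry pins written by an earlier version that pinned by default; nothing in this change clears them, so if that matters it needs a follow-up rather than a commented-out call.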