Don't pin certs

The guidelines on how to do this properly are just too confusing
Bob Mottram 2016-08-10 10:27:14 +01:00
parent f25602ccd1
commit 0b6a12080d
4 changed files with 140 additions and 129 deletions


@ -38,6 +38,9 @@ COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git
# Don't pin certs by default
PIN_CERTS=
HOSTNAME= HOSTNAME=
LETSENCRYPT_HOSTNAME= LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US" COUNTRY_CODE="US"
@ -177,6 +180,10 @@ do
shift shift
DH_KEYLENGTH=${1} DH_KEYLENGTH=${1}
;; ;;
--pin)
shift
PIN_CERTS=${1}
;;
*) *)
# unknown option # unknown option
;; ;;
@ -283,11 +290,13 @@ function add_cert_letsencrypt {
systemctl start nginx systemctl start nginx
if [ $PIN_CERTS ]; then
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned" echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
exit 62878 exit 62878
fi fi
fi
} }
function add_cert_selfsigned { function add_cert_selfsigned {
@ -303,11 +312,13 @@ function add_cert_selfsigned {
chmod 640 /etc/ssl/certs/${CERTFILE}.crt chmod 640 /etc/ssl/certs/${CERTFILE}.crt
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
if [ $PIN_CERTS ]; then
${PROJECT_NAME}-pin-cert $CERTFILE ${PROJECT_NAME}-pin-cert $CERTFILE
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo $"Certificate for $CERTFILE could not be pinned" echo $"Certificate for $CERTFILE could not be pinned"
exit 62879 exit 62879
fi fi
fi
} }
function generate_dh_params { function generate_dh_params {
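Review bot: The new guard `if [ $PIN_CERTS ]; then` in add_cert_letsencrypt and add_cert_selfsigned only tests for a non-empty string and leaves the variable unquoted, so `--pin no` or `--pin 0` still turns pinning on, while a value containing spaces makes `[` error out and pinning is silently skipped. Since `--pin` takes its value from the next argument via `shift`, it would be clearer to compare against one explicit value, e.g. `if [ "$PIN_CERTS" = "yes" ]; then`, and to state the expected value in the usage text. Both functions begin outside the hunks shown, so whether anything else reads PIN_CERTS cannot be checked from here.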


@ -69,7 +69,7 @@ function renew_letsencrypt {
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
${PROJECT_NAME}-pin-cert $HOSTNAME ${PROJECT_NAME}-pin-cert $HOSTNAME remove
} }
function renew_startssl { function renew_startssl {
@ -169,7 +169,7 @@ function renew_startssl {
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again." echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
echo '' echo ''
${PROJECT_NAME}-pin-cert $HOSTNAME ${PROJECT_NAME}-pin-cert $HOSTNAME remove
} }
while [[ $# > 1 ]] while [[ $# > 1 ]]
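Review bot: The exit status of `${PROJECT_NAME}-pin-cert $HOSTNAME remove` is ignored at the end of renew_letsencrypt and renew_startssl, whereas the pinning calls in the first file on this page check `$?` and abort. If the removal fails after the certificate has been replaced, the site may keep advertising a pin for the previous key, which is the case where clients holding that pin get locked out. A check such as `${PROJECT_NAME}-pin-cert "$HOSTNAME" remove || echo $"Pin for $HOSTNAME could not be removed" >&2` would at least surface the failure. Clients that already cached a pin keep enforcing it until it expires, so it is worth confirming what `remove` does for them; the pin-cert script itself is not on this page.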


@ -723,7 +723,7 @@ set_user_permissions
backup_unmount_drive backup_unmount_drive
# ensure that all TLS certificates are pinned # ensure that all TLS certificates are pinned
${PROJECT_NAME}-pin-cert all #${PROJECT_NAME}-pin-cert all
echo $"Restore from USB drive is complete. You can now unplug it." echo $"Restore from USB drive is complete. You can now unplug it."
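Review bot: The comment `# ensure that all TLS certificates are pinned` above the now commented-out `#${PROJECT_NAME}-pin-cert all` states the opposite of what the script does after this change; the same pair appears in the remote restore section further down. I would delete both lines, or replace the comment with something like `# certificates are no longer pinned after a restore`, so a later reader does not assume pins are re-applied. Whether a restored web server configuration can still carry pin headers from the backup is not visible here and may need a matching `remove` step.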


@ -655,7 +655,7 @@ restore_apps remote
set_user_permissions set_user_permissions
# ensure that all TLS certificates are pinned # ensure that all TLS certificates are pinned
${PROJECT_NAME}-pin-cert all #${PROJECT_NAME}-pin-cert all
echo $"*** Remote restore was successful ***" echo $"*** Remote restore was successful ***"