Don't pin certs
The guidelines on how to do this properly are just too confusing
This commit is contained in:
Bob Mottram
parent
f25602ccd1
commit
0b6a12080d
|
|
@ -38,6 +38,9 @@ COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
|
|||
|
||||
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git
|
||||
|
||||
# Don't pin certs by default
|
||||
PIN_CERTS=
|
||||
|
||||
HOSTNAME=
|
||||
LETSENCRYPT_HOSTNAME=
|
||||
COUNTRY_CODE="US"
|
||||
|
|
@ -177,6 +180,10 @@ do
|
|||
shift
|
||||
DH_KEYLENGTH=${1}
|
||||
;;
|
||||
--pin)
|
||||
shift
|
||||
PIN_CERTS=${1}
|
||||
;;
|
||||
*)
|
||||
# unknown option
|
||||
;;
|
||||
|
|
@ -283,11 +290,13 @@ function add_cert_letsencrypt {
|
|||
|
||||
systemctl start nginx
|
||||
|
||||
if [ $PIN_CERTS ]; then
|
||||
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
|
||||
exit 62878
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function add_cert_selfsigned {
|
||||
|
|
@ -303,11 +312,13 @@ function add_cert_selfsigned {
|
|||
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
|
||||
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
|
||||
|
||||
if [ $PIN_CERTS ]; then
|
||||
${PROJECT_NAME}-pin-cert $CERTFILE
|
||||
if [ ! "$?" = "0" ]; then
|
||||
echo $"Certificate for $CERTFILE could not be pinned"
|
||||
exit 62879
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function generate_dh_params {
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ function renew_letsencrypt {
|
|||
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
|
||||
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME remove
|
||||
}
|
||||
|
||||
function renew_startssl {
|
||||
|
|
@ -169,7 +169,7 @@ function renew_startssl {
|
|||
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
|
||||
echo ''
|
||||
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME
|
||||
${PROJECT_NAME}-pin-cert $HOSTNAME remove
|
||||
}
|
||||
|
||||
while [[ $# > 1 ]]
|
||||
|
|
|
|||
|
|
@ -723,7 +723,7 @@ set_user_permissions
|
|||
backup_unmount_drive
|
||||
|
||||
# ensure that all TLS certificates are pinned
|
||||
${PROJECT_NAME}-pin-cert all
|
||||
#${PROJECT_NAME}-pin-cert all
|
||||
|
||||
echo $"Restore from USB drive is complete. You can now unplug it."
|
||||
|
||||
|
|
|
|||
|
|
@ -655,7 +655,7 @@ restore_apps remote
|
|||
set_user_permissions
|
||||
|
||||
# ensure that all TLS certificates are pinned
|
||||
${PROJECT_NAME}-pin-cert all
|
||||
#${PROJECT_NAME}-pin-cert all
|
||||
|
||||
echo $"*** Remote restore was successful ***"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue