feat(system/services/taskserver): Integrate Let's Encrypt certificates

The current setup now runs the `taskserver.vhack.eu` domain with a
Let's Encrypt certificate and additionally uses a self-signed CA
certificate to validate clients.

The shell scripts used to generate the CA certificate and the derived
client certificate (and keys) are taken nearly unmodified from the
upstream repository [1].

[1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki

1 files changed, 54 insertions, 0 deletions

diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
new file mode 100755
index 0000000..976cb82
--- /dev/null
+++ b/system/services/taskserver/certs/generate.client
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+  echo "ERROR: No certtool found" >&2
+  exit 1
+fi
+
+. ./vars
+
+NAME=client
+if [ $# -gt 0 ]
+then
+  NAME=$1
+fi
+
+if ! [ -f ${NAME}.key.pem ]
+then
+  # Create a client key.
+  $CERTTOOL \
+    --generate-privkey \
+    --sec-param $SEC_PARAM \
+    --outfile ${NAME}.key.pem
+fi
+
+chmod 600 ${NAME}.key.pem
+
+if ! [ -f ${NAME}.template ]
+then
+  # Sign a client cert with the key.
+  cat <<EOF >${NAME}.template
+organization = $ORGANIZATION
+cn = $CN
+expiration_days = $EXPIRATION_DAYS
+tls_www_client
+encryption_key
+signing_key
+EOF
+fi
+
+if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+then
+  $CERTTOOL \
+    --generate-certificate \
+    --load-privkey ${NAME}.key.pem \
+    --load-ca-certificate ca.cert.pem \
+    --load-ca-privkey ca.key.pem \
+    --template ${NAME}.template \
+    --outfile ${NAME}.cert.pem
+fi
+
+chmod 600 ${NAME}.cert.pem