author | Soispha <soispha@vhack.eu> | 2023-10-04 20:11:42 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-10-16 17:20:00 +0200 |
commit | 1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 (patch) | |
tree | a6b06ec7b3a400f22f41627f8497258fb6b8d6f1 /system/services/taskserver/certs/generate | |
parent | fix(system/services/taskserver): declare certs/keys in pki.manual (diff) | |
feat(system/services/taskserver): Integrate Let's Encrypt certificates
The current setup now runs the `taskserver.vhack.eu` domain with a Let's Encrypt certificate and additionally uses a self-signed CA certificate to validate clients. The shell scripts used to generate the CA certificate and the derived client certificate (and keys) are taken nearly unmodified from the upstream repository [1]. [1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki
Diffstat (limited to '')
-rwxr-xr-x | system/services/taskserver/certs/generate | 41 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.ca | 47 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.client | 54 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.crl | 42 |
4 files changed, 184 insertions, 0 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
new file mode 100755
index 0000000..253e4bb
--- /dev/null
+++ b/system/services/taskserver/certs/generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# For a public or production server, purchase a cert from a known CA, and skip
+# the next step.
+
+# For development, testing and personal server management, create a CA key and
+# cert, and use that to generate a server key and cert. Creates:
+# ca.key.pem
+# ca.cert.pem
+# server.key.pem
+# server.cert.pem
+
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+
+mkdir -p "$GENERATION_LOCATION"
+cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
+
+./generate.ca
+
+# Generate a certificate revocation list (CRL). The initial CRL is empty, but
+# can grow over time. Creates:
+# server.crl.pem
+
+./generate.crl
+
+# The above is sufficient to operate a server. You now need to run a client cert creation
+# process per client; Add the required client names and uncomment
+# ./generate.client <client_name>
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
+#
+# Creates:
+# <client_name>.key.pem
+# <client_name>.cert.pem
+
+
+rm ./vars ./generate.ca ./generate.crl ./generate.client
+echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
new file mode 100755
index 0000000..4ffc6e9
--- /dev/null
+++ b/system/services/taskserver/certs/generate.ca
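Review bot: `cd "$GENERATION_LOCATION" || echo "(BUG?) ..." 1>&2` only reports a failed cd and lets the script carry on, so the three generators then run in the checked-out certs directory and the closing `rm ./vars ./generate.ca ./generate.crl ./generate.client` deletes the source copies instead of the temporary ones. Make the cd fatal: `cd "$GENERATION_LOCATION" || { echo "(BUG?) No possible location found!" >&2; exit 1; }`. The preceding `cp` and each generator call are equally unchecked, so a `set -e` after the shebang (portable under `#!/bin/sh`) would stop the run at the first failure rather than continuing to the rm and the "Look for the keys" message. Since the output lands under `/run/user/$(id -u)`, which is normally a per-user tmpfs, a comment that ca.key.pem and the client keys must be moved to persistent storage before logout/reboot would spare the next reader a surprise.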
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+ echo "ERROR: No certtool found" >&2
+ exit 1
+fi
+
+. ./vars
+
+if ! [ -f ca.key.pem ]
+then
+ # Create a CA key.
+ $CERTTOOL \
+ --generate-privkey \
+ --sec-param $SEC_PARAM \
+ --outfile ca.key.pem
+fi
+
+chmod 600 ca.key.pem
+
+if ! [ -f ca.template ]
+then
+ # Sign a CA cert.
+ cat <<EOF >ca.template
+organization = $ORGANIZATION
+cn = $CN CA
+country = $COUNTRY
+expiration_days = $EXPIRATION_DAYS
+ca
+EOF
+#state = $STATE
+#locality = $LOCALITY
+fi
+
+if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ]
+then
+ $CERTTOOL \
+ --generate-self-signed \
+ --load-privkey ca.key.pem \
+ --template ca.template \
+ --outfile ca.cert.pem
+fi
+
+chmod 600 ca.cert.pem
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
new file mode 100755
index 0000000..976cb82
--- /dev/null
+++ b/system/services/taskserver/certs/generate.client
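Review bot: ca.key.pem is created by certtool with whatever umask the caller has and is only tightened afterwards by `chmod 600 ca.key.pem`, so there is a window in which the CA private key can be readable by others if the directory is shared; `umask 077` right after the shebang closes it and makes the later chmod lines redundant. The same pattern is in generate.client for the client keys. Nothing validates what `. ./vars` provided: with `$SEC_PARAM` empty, `--sec-param $SEC_PARAM` collapses into a malformed certtool command line and the failure is only indirect, so `: "${SEC_PARAM:?must be set in vars}"` after the source line (and likewise for `$CN`, `$ORGANIZATION`, `$COUNTRY`, `$EXPIRATION_DAYS`) would fail early with a clear message. Quoting `"$SEC_PARAM"` and `"$CERTTOOL"` is cheap as well.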
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+ echo "ERROR: No certtool found" >&2
+ exit 1
+fi
+
+. ./vars
+
+NAME=client
+if [ $# -gt 0 ]
+then
+ NAME=$1
+fi
+
+if ! [ -f ${NAME}.key.pem ]
+then
+ # Create a client key.
+ $CERTTOOL \
+ --generate-privkey \
+ --sec-param $SEC_PARAM \
+ --outfile ${NAME}.key.pem
+fi
+
+chmod 600 ${NAME}.key.pem
+
+if ! [ -f ${NAME}.template ]
+then
+ # Sign a client cert with the key.
+ cat <<EOF >${NAME}.template
+organization = $ORGANIZATION
+cn = $CN
+expiration_days = $EXPIRATION_DAYS
+tls_www_client
+encryption_key
+signing_key
+EOF
+fi
+
+if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+then
+ $CERTTOOL \
+ --generate-certificate \
+ --load-privkey ${NAME}.key.pem \
+ --load-ca-certificate ca.cert.pem \
+ --load-ca-privkey ca.key.pem \
+ --template ${NAME}.template \
+ --outfile ${NAME}.cert.pem
+fi
+
+chmod 600 ${NAME}.cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
new file mode 100755
index 0000000..6a9daa8
--- /dev/null
+++ b/system/services/taskserver/certs/generate.crl
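Review bot: `NAME=$1` is expanded unquoted in every path it builds (`${NAME}.key.pem`, `--outfile ${NAME}.cert.pem`, the `[ -f ... ]` tests), so a name containing whitespace, starting with `-`, or containing `/` is word-split, taken as a certtool option, or written outside the working directory; quote the expansions and reject anything outside a safe character set before first use, e.g. `case $NAME in ''|*[!A-Za-z0-9_.-]*) echo "ERROR: invalid client name: $NAME" >&2; exit 1;; esac`. The three callers in generate pass fixed names, so today this is hardening rather than a live bug. Note also that every client certificate is issued with the identical subject `cn = $CN`, so the generated certs are told apart only by key and file name; a comment stating that, or `cn = $CN $NAME` if nothing depends on the shared CN, would make later inspection or revocation of a single client unambiguous.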
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+ echo "ERROR: No certtool found" >&2
+ exit 1
+fi
+
+. ./vars
+
+if ! [ -f crl.template ]
+then
+ # CRL - Certificate Revocation List
+ cat <<EOF >crl.template
+expiration_days = $EXPIRATION_DAYS
+EOF
+fi
+
+if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]
+then
+ $CERTTOOL \
+ --generate-crl \
+ --load-ca-privkey ca.key.pem \
+ --load-ca-certificate ca.cert.pem \
+ --template crl.template \
+ --outfile server.crl.pem
+fi
+
+chmod 600 server.crl.pem
+
+# To create a CRL that contains some revoked certificates, place the
+# certificates in a file and use --load-certificate as follows:
+# $CERTTOOL \
+# --generate-crl \
+# --load-ca-privkey ca.key.pem \
+# --load-ca-certificate ca.cert.pem \
+# --load-certificate revoked-certs.pem
+
+# To verify a CRL:
+# $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem
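Review bot: the CRL is regenerated only when server.crl.pem is absent or crl.template is newer, yet the template gives it `expiration_days = $EXPIRATION_DAYS`, so once that period passes the existing file is reused beyond its own validity and nothing in these scripts refreshes it; a server validating clients against an out-of-date CRL may reject everyone or, depending on its settings, silently stop revoking. Add a comment above the `if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]` check such as `# The CRL expires after EXPIRATION_DAYS: delete server.crl.pem (or touch crl.template) and rerun before then`, or make the condition also check the CRL's expiry rather than only the template mtime. The revocation recipe in the trailing comment should also say that the reissued server.crl.pem has to replace the copy deployed with the server, since generate writes everything under a per-user /run directory.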