From 3ea515d705b05d221411d4f34fc2a26feaa94781 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Mon, 13 Sep 2021 14:16:44 -0700
Subject: [PATCH] fix(Docker): use cert chain for nginx
Additionally, simplify some of the certificate generation scripts and rename `ca.ext` to `localhost.ext`. Certificates should be regenerated as of this commit. Users can run `rm -rf ./cache/*` to clear out any existing certs, which will cause the `ca` service to regenerate them. Additionally, since Docker infrastructure has been modified, a new `aurweb:latest` image will need to be built. See https://gitlab.archlinux.org/archlinux/aurweb/-/wikis/Docker
Signed-off-by: Kevin Morris
---
 docker/ca-entrypoint.sh | 68 +++++++++++++++++++++----------
 docker/{ca.ext => localhost.ext} | 0
 docker/nginx-entrypoint.sh | 3 +-
 3 files changed, 47 insertions(+), 24 deletions(-)
 rename docker/{ca.ext => localhost.ext} (100%)
diff --git a/docker/ca-entrypoint.sh b/docker/ca-entrypoint.sh
index b7514187..e95d267c 100755
--- a/docker/ca-entrypoint.sh
+++ b/docker/ca-entrypoint.sh
@@ -1,36 +1,58 @@
 #!/bin/bash
 set -eou pipefail
-if [ -f /cache/localhost.cert.pem ] && \
- [ -f /cache/localhost.key.pem ] && \
- [ -f /cache/ca.root.pem ]; then
+if [ -f /cache/ca.root.pem ]; then
 echo "Already have certs, skipping."
- exec "$@"
+ exit 0
 fi
-openssl genrsa -des3 -out ca.key \
- -passout pass:devca 2048
+# Generate a new 2048-bit RSA key for the Root CA.
+openssl genrsa -des3 -out /cache/ca.key -passout pass:devca 2048
-openssl req -x509 -new -nodes \
- -key ca.key -sha256 -days 1825 \
- -out /cache/ca.root.pem \
- -subj "/C=US/ST=California/L=Nowhere/O=aurweb/CN=localhost" \
- --passin pass:devca
+# Request and self-sign a new Root CA certificate, using
+# the RSA key. Output Root CA PEM-format certificate and key:
+# /cache/ca.root.pem and /cache/ca.key.pem
+openssl req -x509 -new -nodes -sha256 -days 1825 \
+ -passin pass:devca \
+ -subj "/C=US/ST=California/L=Authority/O=aurweb/CN=localhost" \
+ -in /cache/ca.key -out /cache/ca.root.pem -keyout /cache/ca.key.pem
-# Generate keys for aurweb.
-openssl req -nodes -newkey rsa:2048 -keyout /cache/localhost.key.pem \
- -out localhost.csr \
- -subj "/C=US/ST=California/L=Nowhere/O=aurweb/CN=localhost"
+# Generate a new 2048-bit RSA key for a localhost server.
+openssl genrsa -out /cache/localhost.key 2048
-echo "$(hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/random)" \
- > /cache/ca.root.srl
-openssl x509 -req -in localhost.csr -CA /cache/ca.root.pem \
- -CAkey ca.key -CAserial /cache/ca.root.srl \
+# Generate a Certificate Signing Request (CSR) for the localhost server
+# using the RSA key we generated above.
+openssl req -new -key /cache/localhost.key -passout pass:devca \
+ -subj "/C=US/ST=California/L=Server/O=aurweb/CN=localhost" \
+ -out /cache/localhost.csr
+
+# Get our CSR signed by our Root CA PEM-formatted certificate and key
+# to produce a fresh /cache/localhost.cert.pem PEM-formatted certificate.
+openssl x509 -req -in /cache/localhost.csr \
+ -CA /cache/ca.root.pem -CAkey /cache/ca.key.pem \
+ -CAcreateserial \
 -out /cache/localhost.cert.pem \
- -days 825 -sha256 -extfile /docker/ca.ext \
- --passin pass:devca
+ -days 825 -sha256 \
+ -passin pass:devca \
+ -extfile /docker/localhost.ext
-chmod 666 /cache/localhost.{key,cert}.pem
-chmod 666 /cache/ca.root.pem
+# Convert RSA key to a PEM-formatted key: /cache/localhost.key.pem
+openssl rsa -in /cache/localhost.key -text > /cache/localhost.key.pem
+
+# At the end here, our notable certificates and keys are:
+# - /cache/ca.root.pem
+# - /cache/ca.key.pem
+# - /cache/localhost.key.pem
+# - /cache/localhost.cert.pem
+#
+# When running a server which uses the localhost certificate, a chain
+# should be used, starting with localhost.cert.pem:
+# - cat /cache/localhost.cert.pem /cache/ca.root.pem > localhost.chain.pem
+#
+# The Root CA (ca.root.pem) should be imported into browsers or
+# ca-certificates on machines wishing to verify localhost.
+#
+
+chmod 666 /cache/*
 exec "$@"
diff --git a/docker/ca.ext b/docker/localhost.ext
similarity index 100%
rename from docker/ca.ext
rename to docker/localhost.ext
diff --git a/docker/nginx-entrypoint.sh b/docker/nginx-entrypoint.sh
index 347af50f..226ded8f 100755
--- a/docker/nginx-entrypoint.sh
+++ b/docker/nginx-entrypoint.sh
@@ -12,7 +12,8 @@ sed -ri 's/^;?(password) = .+/\1 = aur/' conf/config
 sed -ri "s|^(aur_location) = .+|\1 = https://localhost:8444|" conf/config
 sed -ri 's/^(disable_http_login) = .+/\1 = 1/' conf/config
-cp -vf /cache/localhost.cert.pem /etc/ssl/certs/localhost.cert.pem
+cat /cache/localhost.cert.pem /cache/ca.root.pem \
+ > /etc/ssl/certs/localhost.cert.pem
 cp -vf /cache/localhost.key.pem /etc/ssl/private/localhost.key.pem
 cp -vf /docker/config/nginx.conf /etc/nginx/nginx.conf
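Review bot: In the new `openssl req -x509 -new ...` call, `-in /cache/ca.key` does not supply the key — as far as I can tell from openssl-req(1), `-in` names a request file and is only read when `-new`/`-newkey` are absent — so `-nodes -keyout /cache/ca.key.pem` generates a fresh, unencrypted CA key, the DES3-protected `/cache/ca.key` from the `genrsa` line above is never used, and `-passin pass:devca` appears to decrypt nothing. The output is still self-consistent (`ca.root.pem` matches `ca.key.pem`), but the comment "using the RSA key" is misleading; either drop the first `genrsa` or pass the key explicitly, e.g. `openssl req -x509 -new -sha256 -days 1825 -key /cache/ca.key -passin pass:devca \` / `-subj "/C=US/ST=California/L=Authority/O=aurweb/CN=localhost" -out /cache/ca.root.pem`, and then use `/cache/ca.key` (with `-passin`) as `-CAkey` in the `x509 -req` step. Separately, `chmod 666 /cache/*` at the end is wider than the two `chmod` lines it replaces: it makes the unencrypted CA private key (`ca.key.pem`) world-readable and world-writable in the shared cache, and whoever holds that key can issue certificates that every browser importing `ca.root.pem` will trust; keep 666/644 for the files nginx needs and leave `ca.key.pem` at 600. The `openssl rsa -in ... -text > /cache/localhost.key.pem` step also writes the `-text` dump into the PEM file; `genrsa` already produced PEM, so a plain copy (or the same command without `-text`) is enough.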
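Review bot: The new `cat /cache/localhost.cert.pem /cache/ca.root.pem > /etc/ssl/certs/localhost.cert.pem` has no check that both inputs exist and are non-empty; the shell truncates the output before `cat` runs and `cat` continues past a missing input, so if the `ca` service has not finished yet nginx gets a root-only or empty file and fails later with a less obvious TLS error (whether this script runs under `set -e` is outside the hunk). A one-line guard before the concatenation makes the failure explicit: `for f in /cache/localhost.cert.pem /cache/ca.root.pem; do [ -s "$f" ] || { echo "missing $f" >&2; exit 1; }; done`. Note that the root certificate itself is now served in the chain; clients must already trust `ca.root.pem` for it to help, as the ca-entrypoint comment says, so including it is harmless but not required.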