external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(Docker): use cert chain for nginx

Browse source 
Additionally, simplify some of the certificate generation
scripts and rename `ca.ext` to `localhost.ext`.

Certificates should be regenerated as of this commit.
Users can run `rm -rf ./cache/*` to clear out any existing
certs, which will cause the `ca` service to regenerate them.

Additionally, since Docker infrastructure has been modified,
a new `aurweb:latest` image will need to be built.

See https://gitlab.archlinux.org/archlinux/aurweb/-/wikis/Docker

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-09-13 14:16:44 -07:00
parent ab8a44cede
commit 3ea515d705
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
3 changed files with 47 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
docker/ca-entrypoint.sh
View file

@ -1,36 +1,58 @@
#!/bin/bash #!/bin/bash
set -eou pipefail set -eou pipefail
if [ -f /cache/localhost.cert.pem ] && \ if [ -f /cache/ca.root.pem ]; then
[ -f /cache/localhost.key.pem ] && \
[ -f /cache/ca.root.pem ]; then
echo "Already have certs, skipping." echo "Already have certs, skipping."
exec "$@" exit 0
fi fi
openssl genrsa -des3 -out ca.key \ # Generate a new 2048-bit RSA key for the Root CA.
-passout pass:devca 2048 openssl genrsa -des3 -out /cache/ca.key -passout pass:devca 2048
openssl req -x509 -new -nodes \ # Request and self-sign a new Root CA certificate, using
-key ca.key -sha256 -days 1825 \ # the RSA key. Output Root CA PEM-format certificate and key:
-out /cache/ca.root.pem \ # /cache/ca.root.pem and /cache/ca.key.pem
-subj "/C=US/ST=California/L=Nowhere/O=aurweb/CN=localhost" \ openssl req -x509 -new -nodes -sha256 -days 1825 \
--passin pass:devca -passin pass:devca \
-subj "/C=US/ST=California/L=Authority/O=aurweb/CN=localhost" \
-in /cache/ca.key -out /cache/ca.root.pem -keyout /cache/ca.key.pem
# Generate keys for aurweb. # Generate a new 2048-bit RSA key for a localhost server.
openssl req -nodes -newkey rsa:2048 -keyout /cache/localhost.key.pem \ openssl genrsa -out /cache/localhost.key 2048
-out localhost.csr \
-subj "/C=US/ST=California/L=Nowhere/O=aurweb/CN=localhost"
echo "$(hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/random)" \ # Generate a Certificate Signing Request (CSR) for the localhost server
> /cache/ca.root.srl # using the RSA key we generated above.
openssl x509 -req -in localhost.csr -CA /cache/ca.root.pem \ openssl req -new -key /cache/localhost.key -passout pass:devca \
-CAkey ca.key -CAserial /cache/ca.root.srl \ -subj "/C=US/ST=California/L=Server/O=aurweb/CN=localhost" \
-out /cache/localhost.csr
# Get our CSR signed by our Root CA PEM-formatted certificate and key
# to produce a fresh /cache/localhost.cert.pem PEM-formatted certificate.
openssl x509 -req -in /cache/localhost.csr \
-CA /cache/ca.root.pem -CAkey /cache/ca.key.pem \
-CAcreateserial \
-out /cache/localhost.cert.pem \ -out /cache/localhost.cert.pem \
-days 825 -sha256 -extfile /docker/ca.ext \ -days 825 -sha256 \
--passin pass:devca -passin pass:devca \
-extfile /docker/localhost.ext
chmod 666 /cache/localhost.{key,cert}.pem # Convert RSA key to a PEM-formatted key: /cache/localhost.key.pem
chmod 666 /cache/ca.root.pem openssl rsa -in /cache/localhost.key -text > /cache/localhost.key.pem
# At the end here, our notable certificates and keys are:
# - /cache/ca.root.pem
# - /cache/ca.key.pem
# - /cache/localhost.key.pem
# - /cache/localhost.cert.pem
#
# When running a server which uses the localhost certificate, a chain
# should be used, starting with localhost.cert.pem:
# - cat /cache/localhost.cert.pem /cache/ca.root.pem > localhost.chain.pem
#
# The Root CA (ca.root.pem) should be imported into browsers or
# ca-certificates on machines wishing to verify localhost.
#
chmod 666 /cache/*
exec "$@" exec "$@"

0
docker/ca.ext → docker/localhost.ext
View file

3
docker/nginx-entrypoint.sh
View file

@ -12,7 +12,8 @@ sed -ri 's/^;?(password) = .+/\1 = aur/' conf/config
sed -ri "s|^(aur_location) = .+|\1 = https://localhost:8444|" conf/config sed -ri "s|^(aur_location) = .+|\1 = https://localhost:8444|" conf/config
sed -ri 's/^(disable_http_login) = .+/\1 = 1/' conf/config sed -ri 's/^(disable_http_login) = .+/\1 = 1/' conf/config
cp -vf /cache/localhost.cert.pem /etc/ssl/certs/localhost.cert.pem cat /cache/localhost.cert.pem /cache/ca.root.pem \
> /etc/ssl/certs/localhost.cert.pem
cp -vf /cache/localhost.key.pem /etc/ssl/private/localhost.key.pem cp -vf /cache/localhost.key.pem /etc/ssl/private/localhost.key.pem
cp -vf /docker/config/nginx.conf /etc/nginx/nginx.conf cp -vf /docker/config/nginx.conf /etc/nginx/nginx.conf