From bc1994c31be80d5cd8b081b60eb8f76c088fe052 Mon Sep 17 00:00:00 2001 From: Disassembler Date: Mon, 3 Sep 2018 15:57:47 +0200 Subject: [PATCH] Add option to create selfsigned certs to AppMgr --- basic.sh | 14 ++++++-------- basic/etc/nginx/nginx.conf | 4 ++-- basic/srv/spotter/appmgr/__init__.py | 20 ++++++++++++++++++-- basic/srv/spotter/appmgr/tools.py | 4 ++-- basic/srv/spotter/appmgr/wsgiapp.py | 7 ++----- basic/srv/spotter/cli.py | 5 +++++ 6 files changed, 35 insertions(+), 19 deletions(-) diff --git a/basic.sh b/basic.sh index 5abc349..89f0502 100755 --- a/basic.sh +++ b/basic.sh @@ -33,14 +33,6 @@ cp ${SOURCE_DIR}/etc/conf.d/consolefont /etc/conf.d/consolefont # Configure NTP client cp ${SOURCE_DIR}/etc/conf.d/ntpd /etc/conf.d/ntpd -# Create a self-signed certificate -mkdir /etc/ssl/private -openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 7305 -subj "/CN=spotter.vm" -chmod 640 /etc/ssl/private/services.key - -# Configure nginx -cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf - # Download and configure acme.sh mkdir /etc/acme.sh.d wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh -O /usr/bin/acme.sh @@ -53,6 +45,12 @@ rc-update -u cp -r ${SOURCE_DIR}/srv/spotter /srv/spotter ln -s /srv/spotter/cli.py /usr/bin/spotter-appmgr +# Create a self-signed certificate +spotter-appmgr create-selfsigned + +# Configure nginx +cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf + # Configure services for SERVICE in consolefont crond nginx ntpd sshd spotter-appmgr swap; do rc-update add ${SERVICE} boot diff --git a/basic/etc/nginx/nginx.conf b/basic/etc/nginx/nginx.conf index 7d5e0c9..c9d0a41 100644 --- a/basic/etc/nginx/nginx.conf +++ b/basic/etc/nginx/nginx.conf @@ -21,8 +21,8 @@ http { ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; - ssl_certificate /etc/ssl/certs/services.pem; - ssl_certificate_key /etc/ssl/private/services.key; + ssl_certificate /etc/ssl/services.pem; + ssl_certificate_key /etc/ssl/services.key; ssl_session_cache shared:SSL:1m; log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; diff --git a/basic/srv/spotter/appmgr/__init__.py b/basic/srv/spotter/appmgr/__init__.py index 321aa08..f64c3bc 100644 --- a/basic/srv/spotter/appmgr/__init__.py +++ b/basic/srv/spotter/appmgr/__init__.py @@ -15,8 +15,9 @@ CONF_FILE = '/srv/spotter/config.json' ISSUE_FILE = '/etc/issue' NGINX_DIR = '/etc/nginx/conf.d' ACME_CRON = '/etc/periodic/daily/acme-sh' -CERT_PUB_FILE = '/etc/ssl/certs/services.pem' -CERT_KEY_FILE = '/etc/ssl/private/services.key' +CERT_PUB_FILE = '/etc/ssl/services.pem' +CERT_KEY_FILE = '/etc/ssl/services.key' +CERT_SAN_FILE = '/etc/ssl/san.cnf' NGINX_TEMPLATE = '''server {{ listen [::]:{port} ssl http2; @@ -113,6 +114,14 @@ ACME_CRON_TEMPLATE = '''#!/bin/sh [ -x /usr/bin/acme.sh ] && /usr/bin/acme.sh --cron >/dev/null ''' +CERT_SAN = '''[ req ] +distinguished_name = dn +x509_extensions = ext +[ dn ] +[ ext ] +subjectAltName=DNS:{domain},DNS:*.{domain}" +''' + class AppMgr: def __init__(self): # Load JSON configuration @@ -288,6 +297,13 @@ class AppMgr: # Save config to file self.save_conf() + def create_selfsigned(self): + # Create selfsigned certificate with wildcard alternative subject name + with open(os.path.join(CERT_SAN_FILE), 'w') as f: + f.write(CERT_SAN.format(domain=self.domain)) + subprocess.run(['openssl', 'req', '-config', CERT_SAN_FILE, '-x509', '-new', '-out', CERT_PUB_FILE, '-keyout', CERT_KEY_FILE, '-nodes', '-days', '7305', '-subj', '/CN={}'.format(self.domain)], check=True) + os.chmod(CERT_KEY_FILE, 0o640) + def request_cert(self): # Remove all possible conflicting certificates requested in the past certs = [i for i in os.listdir('/etc/acme.sh.d') if i not in ('account.conf', 'ca', 'http.header')] diff --git a/basic/srv/spotter/appmgr/tools.py b/basic/srv/spotter/appmgr/tools.py index c3630ef..afc7293 100644 --- a/basic/srv/spotter/appmgr/tools.py +++ b/basic/srv/spotter/appmgr/tools.py @@ -101,8 +101,8 @@ def reload_nginx(): def restart_nginx(): restart_service('nginx') -def get_cert_info(): - data = ssl._ssl._test_decode_cert('/etc/ssl/certs/services.pem') +def get_cert_info(cert): + data = ssl._ssl._test_decode_cert(cert) data['subject'] = dict(data['subject'][i][0] for i in range(len(data['subject']))) data['issuer'] = dict(data['issuer'][i][0] for i in range(len(data['issuer']))) return data diff --git a/basic/srv/spotter/appmgr/wsgiapp.py b/basic/srv/spotter/appmgr/wsgiapp.py index 547ac8b..cb75cd9 100644 --- a/basic/srv/spotter/appmgr/wsgiapp.py +++ b/basic/srv/spotter/appmgr/wsgiapp.py @@ -10,7 +10,7 @@ from werkzeug.wrappers import Request, Response from werkzeug.wsgi import ClosingIterator from jinja2 import Environment, FileSystemLoader -from . import AppMgr +from . import AppMgr, CERT_PUB_FILE from . import tools from .validator import InvalidValueException from .wsgilang import WSGILang @@ -107,9 +107,6 @@ class WSGIApp(object): def portal_view(self, request): # Default view. If domain is set to the default dummy domain, redirects to first-run setup instead. - if request.mgr.domain == 'spotter.vm': - request.session['admin'] = True - return redirect('/setup-host') if request.session['admin']: return self.render_template('portal-admin.html', request) return self.render_template('portal-user.html', request) @@ -121,7 +118,7 @@ class WSGIApp(object): in_ipv4 = tools.get_local_ipv4() in_ipv6 = tools.get_local_ipv6() is_letsencrypt = os.path.exists('/etc/periodic/daily/acme-sh') - cert_info = tools.get_cert_info() + cert_info = tools.get_cert_info(CERT_PUB_FILE) return self.render_template('setup-host.html', request, ex_ipv4=ex_ipv4, ex_ipv6=ex_ipv6, in_ipv4=in_ipv4, in_ipv6=in_ipv6, is_letsencrypt=is_letsencrypt, cert_info=cert_info) def setup_apps_view(self, request): diff --git a/basic/srv/spotter/cli.py b/basic/srv/spotter/cli.py index 1864ece..85c14fe 100755 --- a/basic/srv/spotter/cli.py +++ b/basic/srv/spotter/cli.py @@ -65,6 +65,9 @@ parser_update_common.add_argument('--gmaps-api-key', help='Google Maps API key') parser_update_password = subparsers.add_parser('update-password', help='Updates password for HDD encryption and WSGI administration interface') parser_update_password.set_defaults(action='update-password') +parser_create_selfsigned = subparsers.add_parser('create-selfsigned', help='Creates and installs selfsigned certificate for currently set domain') +parser_create_selfsigned.set_defaults(action='create-selfsigned') + parser_request_cert = subparsers.add_parser('request-cert', help='Requests and installs Let\'s Encrypt certificate for currently set domain') parser_request_cert.set_defaults(action='request-cert') @@ -103,6 +106,8 @@ elif args.action == 'update-password': oldpassword = getpass.getpass('Old password: ') newpassword = getpass.getpass('New password: ') mgr.update_password(oldpassword, newpassword) +elif args.action == 'create-selfsigned': + mgr.create_selfsigned() elif args.action == 'request-cert': mgr.request_cert() elif args.action == 'install-cert':