Commit 3dfa5514 authored by Jacob Priddy's avatar Jacob Priddy 👌

Merge branch '32-create-cert-chain' into 'master'

Resolve "Create Cert Chain"

Closes #32

See merge request kretschmar/doorcode!36
parents 73f557cf d48de516
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
"${DIR}/../secrets/gen-certs.sh"
"${DIR}/../secrets/gen-certs.sh doorcode"
docker-compose -f "${DIR}/../docker-compose.yml" up -d
docker-compose -f "${DIR}/../docker-compose.yml" exec api ./install-dev.sh
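Review bot: The replacement line `"${DIR}/../secrets/gen-certs.sh doorcode"` quotes the script path and its argument as a single word, so bash looks for a file literally named `gen-certs.sh doorcode`, prints "No such file or directory", and the new root/webserver certificate generation never runs; the argument belongs outside the quotes: `"${DIR}/../secrets/gen-certs.sh" doorcode`. Because `docker-compose up` is started on the following lines regardless, the failure only shows up later as nginx refusing to start on missing secrets, so I would also add `set -euo pipefail` under the shebang so a failed generation stops the bring-up immediately. The hunk header for this file is not visible in the page, so I am inferring the old/new pairing from the two adjacent lines.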
......@@ -9,6 +9,8 @@ secrets:
file: ./secrets/certs/webserver.cert
webserver_key:
file: ./secrets/certs/webserver.key
root_cert:
file: ./secrets/certs/root.cert
volumes:
db-data:
......@@ -22,11 +24,13 @@ services:
secrets:
- webserver_cert
- webserver_key
- root_cert
ports:
- "8080:443"
volumes:
- ./src/web:/var/www
- ./nginx/conf.d/:/etc/nginx/conf.d/
- ./nginx/conf.d/:/etc/nginx/conf.d
- ./nginx/dhparam/:/run/dhparam
# Saml config
- ./simplesamlphp-1.18.5:/var/simplesamlphp
- ./simple-saml/cert:/var/simplesamlphp/cert
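Review bot: The new `- ./nginx/dhparam/:/run/dhparam` bind mount, like the adjusted `- ./nginx/conf.d/:/etc/nginx/conf.d` line above it, is writable from inside the web container although nginx only ever reads these files; a compromised or misconfigured container could then rewrite the DH parameters or the vhost config on the host checkout. Appending the read-only flag is a one-token hardening that costs nothing here: `- ./nginx/dhparam/:/run/dhparam:ro` and `- ./nginx/conf.d/:/etc/nginx/conf.d:ro`. The `/var/simplesamlphp/cert` mount on the last line arguably deserves the same treatment, though that line is context rather than part of this change.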
......
# Thers a stupid bug in nginx that's been around for years that makes it so we can't easily put both front and backend
# on the same server. So we'll just do a proxy pass...
# Checkout https://ssl-config.mozilla.org/ for ocnfiguring secure ssl
upstream localhost.api {
server 127.0.0.1:443;
}
server {
listen 443 ssl;
index index.php index.html;
server_name localhost;
listen 443 ssl;
index index.php index.html;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /run/dhparam/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
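Review bot: `ssl_trusted_certificate /run/secrets/root_cert;` has no effect in this server block: nginx only consults that file to validate OCSP responses when `ssl_stapling on` is set or to verify client certificates under `ssl_verify_client`, and neither directive appears in the hunk — and a self-signed development root has no OCSP responder to staple from anyway. Either drop the line or annotate why it is kept, e.g. `# only used by ssl_stapling / ssl_verify_client; kept for when a real CA is used`. Separately, `add_header Strict-Transport-Security "max-age=63072000" always;` on `server_name localhost` pins every browser on the developer's machine to HTTPS-only `localhost` for two years, which silently breaks any other plain-HTTP local project; I would gate the HSTS header behind a production-only include rather than ship it in the dev vhost. The server block continues past the end of the hunk.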
......@@ -52,12 +68,27 @@ server {
server {
server_name localhost.api;
listen 443 ssl;
index index.php index.html;
server_name localhost.api;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /run/dhparam/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
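Review bot: This block repeats the twelve TLS directives of the `localhost` server block above it byte for byte, from `ssl_certificate` through `add_header Strict-Transport-Security`, so the two vhosts will drift apart the first time someone tunes the cipher list or the session cache in only one of them; moving the shared lines into a snippet and replacing them with `include /etc/nginx/snippets/tls-common.conf;` (path is a placeholder) in both blocks keeps the policy in one place. The same `ssl_trusted_certificate` no-op remark from the first block applies here. One more consequence of the new `access_log /var/log/nginx/access.log;` on the API vhost: the embedded client in this same commit sends its credential in the query string (`"/door?api_token=" API_TOKEN` in the http_task hunk), so every request now writes the API token into the access log; a custom `log_format` that omits `$args`, or moving the token into an `Authorization` header, keeps it out of log files. The server block continues past the end of the hunk.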
......
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
......@@ -4,9 +4,34 @@ echo "Generating cert for domain: $1"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
echo "Generating root certificate..."
openssl ecparam -out "${DIR}/certs/root.key" -name secp256r1 -genkey
# First generate private key for the root certificate as well as a certificate request
openssl req -new -key "${DIR}/certs/root.key" -nodes -out "${DIR}/certs/root.csr" \
-subj "/C=US/ST=Washington/L=College Place/O=WWU/OU=$1 ROOT CA ISSUER/CN=$1"
# Now generate the root certificate good for 50 years
openssl x509 -signkey "${DIR}/certs/root.key" -days 18250 -req -in \
"${DIR}/certs/root.csr" -out "${DIR}/certs/root.cert"
# Delete the certificate request
rm "${DIR}/certs/root.csr"
echo "Root certificate generated."
echo "Generating webserver private key and certificate request..."
# Now generate a webserver certificate in the chain of the root
openssl ecparam -out "${DIR}/certs/webserver.key" -name secp256r1 -genkey
openssl req -new -key "${DIR}/certs/webserver.key" -nodes \
-subj "/C=US/ST=Washington/L=College Place/O=WWU/CN=$1" \
-keyout "${DIR}/certs/webserver.key" -out "${DIR}/certs/webserver.cert"
-out "${DIR}/certs/webserver.csr"
echo "Private key and certificate request generated. Signing certificate request with the CA cert..."
# Sign the certificate with the root ca
openssl x509 -req -days 365 -in "${DIR}/certs/webserver.csr" -CA "${DIR}/certs/root.cert" \
-CAkey "${DIR}/certs/root.key" -set_serial 01 -out "${DIR}/certs/webserver.cert"
rm "${DIR}/certs/webserver.csr"
echo "Request signed, copying the root cert for the doorcode controllers..."
cp "${DIR}/certs/webserver.cert" "${DIR}/../src/embedded/main/doorcode_root_cert.pem"
cp "${DIR}/certs/root.cert" "${DIR}/../src/embedded/main/doorcode_root_cert.pem"
echo "Done!"
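Review bot: The leaf certificate produced by `openssl x509 -req -days 365 ... -set_serial 01` carries no extensions at all — no subjectAltName, basicConstraints or extendedKeyUsage — because `openssl x509 -req` copies nothing from the CSR unless an `-extfile` is given, and its subject is `CN=$1` (the caller passes `doorcode`) while the nginx vhosts in this commit answer as `localhost` and `localhost.api`; modern verifiers match hostnames against the SAN only, which is presumably why the device side has to keep `skip_cert_common_name_check = true`. I would write a small extension file naming the hosts the server is actually reached at and pass it when signing, and let OpenSSL choose the serial with `-CAcreateserial` instead of hard-coding `01`: a CA that reissues serial 1 under the same issuer name after every rerun of this script confuses clients that cache by issuer and serial. `$1` is also used unchecked, so a guard before the first openssl call, `[ -n "$1" ] || { echo "usage: $0 <domain>" >&2; exit 1; }`, avoids minting certificates with an empty CN. Finally, the CA private key is left at `${DIR}/certs/root.key` beside the served key; it is correctly never mounted into a container, but a comment at the top of the script should state that this directory must stay out of version control and out of any image (no `.gitignore` is visible in this diff, so I cannot confirm it already is).
```shell
# Leaf extensions: the hostname(s) clients connect to, leaf-only basicConstraints
# and a serverAuth EKU (constructed example; add the other names nginx serves
# under, e.g. localhost.api, to the SAN list).
cat > "${DIR}/certs/webserver.ext" <<EOF
subjectAltName=DNS:$1
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
EOF
# … unchanged: webserver key and CSR generation …
openssl x509 -req -days 365 -in "${DIR}/certs/webserver.csr" -CA "${DIR}/certs/root.cert" \
    -CAkey "${DIR}/certs/root.key" -CAcreateserial -extfile "${DIR}/certs/webserver.ext" \
    -out "${DIR}/certs/webserver.cert"
rm "${DIR}/certs/webserver.csr" "${DIR}/certs/webserver.ext"
```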
......@@ -63,7 +63,7 @@ static void http_task(void* pvParameters)
esp_http_client_config_t config = {
.url = API_BASE_URL "/door?api_token=" API_TOKEN,
.event_handler = _http_event_handler,
// .cert_pem = doorcode_root_cert_pem_start,
.cert_pem = doorcode_root_cert_pem_start,
.skip_cert_common_name_check = true,
};
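Review bot: With `.cert_pem = doorcode_root_cert_pem_start` now active the client checks the server's chain against the bundled root, but `.skip_cert_common_name_check = true` on the following line keeps hostname verification off, so any certificate this CA has ever signed, for any name, is accepted for the API host. That is tolerable while the root only ever signs the single webserver certificate, yet it is exactly the check that makes the chain meaningful as soon as the CA issues a second one; the server certificate currently lacks a SAN for the API host, which is presumably why the flag is needed. Once the certificate carries that name, the line can become `.skip_cert_common_name_check = false,` (or be dropped, since a zero-initialised field already means false); until then a comment should record the dependency: `// TODO: drop once webserver.cert carries the API host in its SAN`. http_task starts and ends outside the hunk.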
......
......@@ -15,4 +15,7 @@ use App\Http\Controllers\DoorController;
|
*/
Route::get('/', static function () {
return 'hi';
});
Route::get('access/{doorcode}', [DoorController::class, 'access']);
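Review bot: `Route::get('access/{doorcode}', [DoorController::class, 'access'])` exposes what looks like a state-changing action (granting door access) over GET with the code in the URL path, which means the doorcode is written to the nginx access log enabled in this same commit, to browser history and to any proxy logs, and the action can be triggered by a plain link or prefetch. If `access` does grant entry, `Route::post('access', [DoorController::class, 'access'])` with the code in the request body is the safer shape, and the route should sit inside an authenticated middleware group — none is visible in this hunk, though the surrounding file may already wrap it. The `Route::get('/', ...)` returning `'hi'` above it reads like a placeholder; a short comment saying whether it is a deliberate health-check endpoint would stop it being removed by accident.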