Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WiP] SSL #106

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[WiP] SSL #106

wants to merge 1 commit into from

Conversation

mojodna
Copy link
Member

@mojodna mojodna commented Nov 21, 2016

Requires certificates to be present in /etc/nginx/{fullchain,privkey}.pem.

dehydrated -c was used to produce the necessary challenges (deployed to export.posm.io:/var/www/dehydrated).

export.posm.io:/etc/nginx/sites-enabled/default contains:

        location /.well-known/acme-challenge {
                alias /var/www/dehydrated;
        }

config:

CHALLENGETYPE="http-01"
CONTACT_EMAIL="[email protected]"
KEYSIZE="2048"
HOOK="./hook.sh"
WELLKNOWN=something

domains.txt:

posm.io

hook.sh:

#!/bin/sh

deploy_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called once for every domain that needs to be
    # validated, including any alternative names you may have listed.
    #
    # Parameters:
    # - DOMAIN
    #   The domain name (CN or subject alternative name) being
    #   validated.
    # - TOKEN_FILENAME
    #   The name of the file containing the token to be served for HTTP
    #   validation. Should be served by your web server as
    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    # - TOKEN_VALUE
    #   The token value that needs to be served for validation. For DNS
    #   validation, this is what you want to put in the _acme-challenge
    #   TXT record. For HTTP validation it is the value that is expected
    #   be found in the $TOKEN_FILENAME file.
    echo $DOMAIN
    echo "/.well-known/acme-challenge/${TOKEN_FILENAME}"
    echo $TOKEN_VALUE

    read -s -r -e < /dev/tty
}

clean_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called after attempting to validate each domain,
    # whether or not validation was successful. Here you can delete
    # files or DNS records that are no longer needed.
    #
    # The parameters are the same as for deploy_challenge.
}

deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    # This hook is called once for each certificate that has been
    # produced. Here you might, for instance, copy your new certificates
    # to service-specific locations and reload the service.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).
    # - TIMESTAMP
    #   Timestamp when the specified certificate was created.
}

unchanged_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

    # This hook is called once for each certificate that is still
    # valid and therefore wasn't reissued.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).

    echo "Unchanged."
}

HANDLER="$1"; shift
"$HANDLER" "$@"

Refs posm/posm#21

@mojodna
Nginx SSL configuration
a70fe0c 
Requires certificates to be present.
@mojodna
Copy link
Member Author

mojodna commented Nov 21, 2016

When re-running, this is the output produced:

Processing posm.io
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 19 21:22:00 2017 GMT (Longer than 30 days). Skipping renew!
Unchanged.

This may mean that we can't produce device-specific certificates. (My intent is to produce an "encryption bundle" that can be deployed to a POSM device after it's been provisioned, providing it with device-specific secrets not included with the installer.)

Certificates are also only valid for 3 months, which may be too short under certain circumstances.

@mojodna
Copy link
Member Author

mojodna commented Nov 21, 2016

https://letsencrypt.org/docs/rate-limits/ suggests that duplicate certificates are possible (to the tune of 5/week).

That can be increased to 20/week by including an additional hostname to domains.txt (to make it unique).

@dalekunce you were going to ask ARC IT to map osm.posm.io to the Export instance (same as posm.io). Is it possible to amend that request to map *.posm.io to it?

@mojodna
Copy link
Member Author

mojodna commented Nov 21, 2016

"Duplicate certificates" produce unique PEMs using the same challenges.

@mojodna
Copy link
Member Author

mojodna commented Nov 21, 2016

To really make this secure (prevent certificates from being lifted and re-used to intercept traffic), each POSM will need a unique name, e.g. o.posm.io so that its SSL certificate will only match a specific host (and osm subdomain).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mojodna