From 1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Wed, 4 Oct 2023 20:11:42 +0200
Subject: feat(system/services/taskserver): Integrate Let's Encrypt certificates
The current setup now runs the `taskserver.vhack.eu` domain with a Let's Encrypt certificate and additionally uses a self-signed CA certificate to validate clients. The shell scripts used to generate the CA certificate and the derived client certificate (and keys) are taken nearly unmodified from the upstream repository [1].
[1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki
---
 system/services/taskserver/certs/generate.client | 54 ++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100755 system/services/taskserver/certs/generate.client
(limited to 'system/services/taskserver/certs/generate.client')
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
new file mode 100755
index 0000000..976cb82
--- /dev/null
+++ b/system/services/taskserver/certs/generate.client
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+ echo "ERROR: No certtool found" >&2
+ exit 1
+fi
+
+. ./vars
+
+NAME=client
+if [ $# -gt 0 ]
+then
+ NAME=$1
+fi
+
+if ! [ -f ${NAME}.key.pem ]
+then
+ # Create a client key.
+ $CERTTOOL \
+ --generate-privkey \
+ --sec-param $SEC_PARAM \
+ --outfile ${NAME}.key.pem
+fi
+
+chmod 600 ${NAME}.key.pem
+
+if ! [ -f ${NAME}.template ]
+then
+ # Sign a client cert with the key.
+ cat <${NAME}.template
+organization = $ORGANIZATION
+cn = $CN
+expiration_days = $EXPIRATION_DAYS
+tls_www_client
+encryption_key
+signing_key
+EOF
+fi
+
+if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+then
+ $CERTTOOL \
+ --generate-certificate \
+ --load-privkey ${NAME}.key.pem \
+ --load-ca-certificate ca.cert.pem \
+ --load-ca-privkey ca.key.pem \
+ --template ${NAME}.template \
+ --outfile ${NAME}.cert.pem
+fi
+
+chmod 600 ${NAME}.cert.pem
-- 
cgit 1.4.1
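Review bot: The client private key is written with the caller's umask and only afterwards tightened by `chmod 600 ${NAME}.key.pem`, so with a typical 022 umask the key is briefly world-readable on disk; put `umask 077` on the line after `#!/bin/sh` so `--outfile ${NAME}.key.pem` is created 0600 from the start (the later chmod lines stay as belt-and-braces). Nothing stops on failure either: without `set -eu` a failed `--generate-privkey` lets the script continue into the chmod and the certificate step with no key file, so `set -eu` belongs next to that umask line. `NAME=$1` and every `${NAME}.*` use are unquoted, so an argument containing whitespace or glob characters silently splits into different file names — quote them (`NAME="$1"`, `[ -f "${NAME}.key.pem" ]`, and likewise in both certtool invocations). The `cat <${NAME}.template` line as shown on this page cannot be right — it reads the template rather than writing it and the following `EOF` line has no opening here-doc; presumably `cat <<EOF >${NAME}.template` was lost in rendering, but it is worth confirming against the committed file since the tls_www_client/encryption_key/signing_key lines would otherwise be executed as commands.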