From 1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 Mon Sep 17 00:00:00 2001 From: Soispha Date: Wed, 4 Oct 2023 20:11:42 +0200 Subject: feat(system/services/taskserver): Integrate Let's Encrypt certificates The current setup now runs the `taskserver.vhack.eu` domain with a Let's Encrypt certificate and additionally uses a self-signed CA certificate to validate clients. The shell scripts used to generate the CA certificate and the derived client certificate (and keys) are taken nearly unmodified from the upstream repository [1]. [1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki --- system/services/taskserver/certs/generate.crl | 42 +++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100755 system/services/taskserver/certs/generate.crl (limited to 'system/services/taskserver/certs/generate.crl') diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl new file mode 100755 index 0000000..6a9daa8 --- /dev/null +++ b/system/services/taskserver/certs/generate.crl @@ -0,0 +1,42 @@ +#!/bin/sh + +# Take the correct binary to create the certificates +CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) +if [ -z "$CERTTOOL" ] +then + echo "ERROR: No certtool found" >&2 + exit 1 +fi + +. ./vars + +if ! [ -f crl.template ] +then + # CRL - Certificate Revocation List + cat <crl.template +expiration_days = $EXPIRATION_DAYS +EOF +fi + +if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ] +then + $CERTTOOL \ + --generate-crl \ + --load-ca-privkey ca.key.pem \ + --load-ca-certificate ca.cert.pem \ + --template crl.template \ + --outfile server.crl.pem +fi + +chmod 600 server.crl.pem + +# To create a CRL that contains some revoked certificates, place the +# certificates in a file and use --load-certificate as follows: +# $CERTTOOL \ +# --generate-crl \ +# --load-ca-privkey ca.key.pem \ +# --load-ca-certificate ca.cert.pem \ +# --load-certificate revoked-certs.pem + +# To verify a CRL: +# $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem -- cgit 1.4.1