gf4
/
wagon
2
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Wiki Activity

feat: 🚀 Switch to elliptical curves and rename cert/key files

master
Keith Irwin 2023-12-30 12:56:16 -07:00
parent 324ffeada3
commit beea0a81d6
Signed by: ki9
GPG Key ID: DF773B3F4A88DA86
4 changed files with 48 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
INSTALL.md
View File

@ -330,8 +330,8 @@ A good place to keep your SSL certs and keys is in `/etc/ssl/private/mynet`. Let
```bash
tld='mynet'
crt_dir="/etc/ssl/private/${tld}"
ca_key="${crt_dir}/_ca.key"
ca_crt="${crt_dir}/_ca.crt"
ca_key="${crt_dir}/_ca/key.pem"
ca_crt="${crt_dir}/_ca/cert.pem"
```
Now we'll create the ca key and cert. You will be asked for some details about your organization; put whatever you want. You'll also be asked to create a passphrase: create and store one using the most secure methods! You'll need this passphrase for the `wagon` config later.
@ -344,7 +344,7 @@ openssl req -x509 -new -nodes -key "${ca_key}" -sha256 -days 3650 -out "${ca_crt
ln -s "${ca_crt}" "/etc/ssl/certs/${tld}.pem"
```
The last step makes the cert available to verification from the host OS. This cert file, `/etc/ssl/private/mynet/_ca.crt` should be shared with everyone who will be accessing your network. One easy way to do this is to serve it on your public website at `https://www.example.com/ca.crt` so users can easily download it. It must be added to every user's OS and/or browser. How this is done will depend on the OS and browser... so you should provide instructions to your users! A sample of such instructions can be found at [www.gf4.pw/nebuchadnezzar/ca/](https://www.gf4.pw/nebuchadnezzar/ca/).
The last step makes the cert available to verification from the host OS. This cert file, `/etc/ssl/private/mynet/_ca/cert.pem` should be shared with everyone who will be accessing your network. One easy way to do this is to serve it on your public website at `https://www.example.com/ca.crt` so users can easily download it. It must be added to every user's OS and/or browser. How this is done will depend on the OS and browser... so you should provide instructions to your users! A sample of such instructions can be found at [www.gf4.pw/nebuchadnezzar/ca/](https://www.gf4.pw/nebuchadnezzar/ca/).
We can use these CA files to sign certificates for hosts using our `mynet` domain. Let's sign one for the server first:
@ -355,15 +355,15 @@ host=hn
domain="${host}.${tld}"
crt_dir="/etc/ssl/private/${tld}"
host_dir="${crt_dir}/${host}"
ca_crt="${crt_dir}/_ca.crt"
ca_key="${crt_dir}/_ca.key"
ca_crt="${crt_dir}/_ca/cert.pem"
ca_key="${crt_dir}/_ca/key.pem"
ips='IP:10.99.0.1'
# Create a subdirectory for the host's files
mkdir -p "${host_dir}"
# Generate the host's key
openssl genrsa -out "${host_dir}/server.key" 2048
openssl genrsa -out "${host_dir}/key.pem" 2048
# Set certificate configuration
# If /etc/ssl/openssl.cnf doesn't exist, look for
@ -374,7 +374,7 @@ cat /etc/ssl/openssl.cnf \
# Now we'll create the certificate signing request
openssl req -new -sha256 -reqexts SAN \
-key "${host_dir}/server.key" \
-key "${host_dir}/key.pem" \
-config "${crt_dir}/${host}.cnf" \
-subj "/O=${org}/OU=${host}/CN=${domain}" \
-out "${crt_dir}/${host}.csr"
@ -387,13 +387,13 @@ openssl x509 -req -sha256 -extensions SAN \
-CA "${ca_crt}" -CAkey "${ca_key}" \
-in "${crt_dir}/${host}.csr" \
-extfile "${crt_dir}/${host}.cnf" \
-out "${host_dir}/server.crt"
-out "${host_dir}/cert.pem"
```
That should do it! Let's check that the cert is valid for all domains and IPs:
```bash
openssl x509 -text -noout -in "${host_dir}/server.crt" | grep -A1 'Subject Alternative Name'
openssl x509 -text -noout -in "${host_dir}/cert.pem" | grep -A1 'Subject Alternative Name'
```
That should return something like:
@ -416,38 +416,38 @@ org='My Cool Organization'
tld=mynet
host='pc.myuser'
domain="${host}.${tld}"
crt_dir="/etc/ssl/private/${tld}"
host_dir="${crt_dir}/${host}"
ca_crt="${crt_dir}/_ca.crt"
ca_key="${crt_dir}/_ca.key"
cert_dir="/etc/ssl/private/${tld}"
host_dir="${cert_dir}/${host}"
ca_crt="${cert_dir}/_ca/cert.pem"
ca_key="${cert_dir}/_ca/key.pem"
ips='IP:10.99.1.1'
days=3650
mkdir -p "${host_dir}"
openssl genrsa -out "${host_dir}/server.key" 2048
openssl genrsa -out "${host_dir}/key.pem" 2048
cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain},${ips}\n") \
>"${host_dir}.cnf"
openssl req -new -sha256 -reqexts SAN \
-key "${host_dir}/server.key" \
-config "${crt_dir}/${host}.cnf" \
-key "${host_dir}/key.pem" \
-config "${cert_dir}/${host}.cnf" \
-subj "/O=${org}/OU=${host}/CN=${domain}" \
-out "${crt_dir}/${host}.csr"
-out "${cert_dir}/${host}.csr"
openssl x509 -req -sha256 -extensions SAN \
-CAcreateserial -days "3650"
-CA "${ca_crt}" -CAkey "${ca_key}" \
-in "${crt_dir}/${host}.csr" \
-extfile "${crt_dir}/${host}.cnf" \
-out "${host_dir}/server.crt"
-in "${cert_dir}/${host}.csr" \
-extfile "${cert_dir}/${host}.cnf" \
-out "${host_dir}/cert.pem"
openssl x509 -text -noout -in "${host_dir}/server.crt" | grep -A1 'Subject Alternative Name'
openssl x509 -text -noout -in "${host_dir}/cert.pem" | grep -A1 'Subject Alternative Name'
rm -f "${crt_dir}/${host}.csr" "${crt_dir}/${host}.cnf"
rm -f "${cert_dir}/${host}.csr" "${cert_dir}/${host}.cnf"
```
You might be thinking, this would all be easier as a script. A script that could add clients to wireguard and bind, then generate and server the ssl files. This is what `wagon` is designed to do.
@ -492,8 +492,8 @@ IPV6_NET='fd69:1337:0:420:f4:99::/96'
IPV4_HUB=10.3.0.1
IPV6_HUB=fd69:1337:0:420:f4:f3:0:1
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca/cert.pem"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca/key.pem"
SSL_ORG='My Cool Organization'
SSL_DAYS='3650'
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
@ -534,8 +534,8 @@ That's not bad. We could take requests on that port, but let's take secure https
server {
server_name wagon-dashboard-api.hn.mynet;
listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_certificate /etc/ssl/private/mynet/hn/cert.pem;
ssl_certificate_key /etc/ssl/private/mynet/hn/key.pem;
ssl_stapling off;
allow 10.99.0.0/16; # All users
deny all; # Everyone else
@ -548,8 +548,8 @@ server {
server {
server_name wagon-admin-api.hn.mynet;
listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_certificate /etc/ssl/private/mynet/hn/cert.pem;
ssl_certificate_key /etc/ssl/private/mynet/hn/key.pem;
ssl_stapling off;
allow 10.99.1.0/24; # One admin
allow 10.99.7.0/24; # Another admin

6
README.md
View File

@ -68,8 +68,8 @@ server {
server_name dev.mypc.myuser.mynet;
listen 10.11.1.1:443 ssl http2;
ssl_certificate /path/to/downloaded/mypc.myuser.mynet/server.crt;
ssl_certificate_key /path/to/downloaded/mypc.myuser.mynet/server.key;
ssl_certificate /path/to/downloaded/mypc.myuser.mynet/cert.pem;
ssl_certificate_key /path/to/downloaded/mypc.myuser.mynet/key.pem;
ssl_stapling off;
allow 10.11.1.0/24; # My devices
@ -85,7 +85,7 @@ server {
## Dashboard
Users can access a dashboard with a list of devices and links to download `server.crt` and `server.key`. Users can add and delete these devices, and admins can add/delete devices and users from a seperate admin interface. When adding a new user or device, the dashboard displays a wireguard configuration which must be copied or saved before the page is refreshed.
Users can access a dashboard with a list of devices and links to download `cert.pem` and `key.pem`. Users can add and delete these devices, and admins can add/delete devices and users from a seperate admin interface. When adding a new user or device, the dashboard displays a wireguard configuration which must be copied or saved before the page is refreshed.
In this way, there is no central server storing all the private keys, like with most wireguard dashboards. In fact, `wagon` does not have a database and does not store any data at all; everything is stored in the server's nameserver and wireguard config.

30
back/lib/ssl_peer_add
View File

@ -17,17 +17,17 @@ if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then
fi
# Generate key
if ! sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >>/dev/null 2>&1; then
printf 'Failed to generate SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
if ! sudo /usr/bin/openssl ecparam -name secp384r1 -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/key.pem" >>/dev/null 2>&1; then
printf 'Failed to generate SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" ]; then
printf 'SSL key %s/%s/%s/server.key was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" ]; then
printf 'SSL key %s/%s/%s/key.pem was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
ls "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2
exit 7
fi
if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" >&2 2>&1; then
printf 'Failed to chmod SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" >&2 2>&1; then
printf 'Failed to chmod SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
@ -43,8 +43,8 @@ if ! printf '%s\n' "${san}" | sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \
fi
# Generate CSR
if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
if ! sudo /usr/bin/openssl req -new -sha384 -reqexts SAN -extensions SAN \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \
@ -54,20 +54,20 @@ if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \
fi
# Generate cert
if ! sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
if ! sudo /usr/bin/openssl x509 -req -sha384 -extensions SAN -CAcreateserial \
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
-passin "pass:${SSL_CA_PASS}" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}/cert.pem" \
-days "${SSL_DAYS}" >/dev/null 2>&1; then
printf 'ERROR! Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >&2
printf 'ERROR! Failed to generate SSL cert %s/%s/cert.pem\n' "${username}" "${hostname}" >&2
exit 7
fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ]; then
printf 'ERROR! SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >&2
fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/cert.pem" ]; then
printf 'ERROR! SSL key %s/%s/cert.pem was not generated!\n' "${username}" "${hostname}" >&2
exit 7
fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key"; then
printf 'ERROR! Failed to chmod SSL cert %s/%s/server.*\n' "${username}" "${hostname}" >&2
fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/cert.pem" "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem"; then
printf 'ERROR! Failed to chmod SSL cert %s/%s/*.pem\n' "${username}" "${hostname}" >&2
exit 8
fi & if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then
printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2

4
etc.sample/config
View File

@ -5,8 +5,8 @@ IPV6_NET='fd69:1337:0:420:f4:f3::/96'
IPV4_HUB=10.3.0.1
IPV6_HUB=fd69:1337:0:420:f4:f3:0:1
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca/cert.pem"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca/key.pem"
SSL_ORG='My Org'
SSL_DAYS='3650'
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'