diff --git a/INSTALL.md b/INSTALL.md index 8b19bd3..764d947 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -330,8 +330,8 @@ A good place to keep your SSL certs and keys is in `/etc/ssl/private/mynet`. Let ```bash tld='mynet' crt_dir="/etc/ssl/private/${tld}" -ca_key="${crt_dir}/_ca.key" -ca_crt="${crt_dir}/_ca.crt" +ca_key="${crt_dir}/_ca/key.pem" +ca_crt="${crt_dir}/_ca/cert.pem" ``` Now we'll create the ca key and cert. You will be asked for some details about your organization; put whatever you want. You'll also be asked to create a passphrase: create and store one using the most secure methods! You'll need this passphrase for the `wagon` config later. @@ -344,7 +344,7 @@ openssl req -x509 -new -nodes -key "${ca_key}" -sha256 -days 3650 -out "${ca_crt ln -s "${ca_crt}" "/etc/ssl/certs/${tld}.pem" ``` -The last step makes the cert available to verification from the host OS. This cert file, `/etc/ssl/private/mynet/_ca.crt` should be shared with everyone who will be accessing your network. One easy way to do this is to serve it on your public website at `https://www.example.com/ca.crt` so users can easily download it. It must be added to every user's OS and/or browser. How this is done will depend on the OS and browser... so you should provide instructions to your users! A sample of such instructions can be found at [www.gf4.pw/nebuchadnezzar/ca/](https://www.gf4.pw/nebuchadnezzar/ca/). +The last step makes the cert available to verification from the host OS. This cert file, `/etc/ssl/private/mynet/_ca/cert.pem` should be shared with everyone who will be accessing your network. One easy way to do this is to serve it on your public website at `https://www.example.com/ca.crt` so users can easily download it. It must be added to every user's OS and/or browser. How this is done will depend on the OS and browser... so you should provide instructions to your users! A sample of such instructions can be found at [www.gf4.pw/nebuchadnezzar/ca/](https://www.gf4.pw/nebuchadnezzar/ca/). We can use these CA files to sign certificates for hosts using our `mynet` domain. Let's sign one for the server first: @@ -355,15 +355,15 @@ host=hn domain="${host}.${tld}" crt_dir="/etc/ssl/private/${tld}" host_dir="${crt_dir}/${host}" -ca_crt="${crt_dir}/_ca.crt" -ca_key="${crt_dir}/_ca.key" +ca_crt="${crt_dir}/_ca/cert.pem" +ca_key="${crt_dir}/_ca/key.pem" ips='IP:10.99.0.1' # Create a subdirectory for the host's files mkdir -p "${host_dir}" # Generate the host's key -openssl genrsa -out "${host_dir}/server.key" 2048 +openssl genrsa -out "${host_dir}/key.pem" 2048 # Set certificate configuration # If /etc/ssl/openssl.cnf doesn't exist, look for @@ -374,7 +374,7 @@ cat /etc/ssl/openssl.cnf \ # Now we'll create the certificate signing request openssl req -new -sha256 -reqexts SAN \ - -key "${host_dir}/server.key" \ + -key "${host_dir}/key.pem" \ -config "${crt_dir}/${host}.cnf" \ -subj "/O=${org}/OU=${host}/CN=${domain}" \ -out "${crt_dir}/${host}.csr" @@ -387,13 +387,13 @@ openssl x509 -req -sha256 -extensions SAN \ -CA "${ca_crt}" -CAkey "${ca_key}" \ -in "${crt_dir}/${host}.csr" \ -extfile "${crt_dir}/${host}.cnf" \ - -out "${host_dir}/server.crt" + -out "${host_dir}/cert.pem" ``` That should do it! Let's check that the cert is valid for all domains and IPs: ```bash -openssl x509 -text -noout -in "${host_dir}/server.crt" | grep -A1 'Subject Alternative Name' +openssl x509 -text -noout -in "${host_dir}/cert.pem" | grep -A1 'Subject Alternative Name' ``` That should return something like: @@ -416,38 +416,38 @@ org='My Cool Organization' tld=mynet host='pc.myuser' domain="${host}.${tld}" -crt_dir="/etc/ssl/private/${tld}" -host_dir="${crt_dir}/${host}" -ca_crt="${crt_dir}/_ca.crt" -ca_key="${crt_dir}/_ca.key" +cert_dir="/etc/ssl/private/${tld}" +host_dir="${cert_dir}/${host}" +ca_crt="${cert_dir}/_ca/cert.pem" +ca_key="${cert_dir}/_ca/key.pem" ips='IP:10.99.1.1' days=3650 mkdir -p "${host_dir}" -openssl genrsa -out "${host_dir}/server.key" 2048 +openssl genrsa -out "${host_dir}/key.pem" 2048 cat /etc/ssl/openssl.cnf \ <(printf "\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain},${ips}\n") \ >"${host_dir}.cnf" openssl req -new -sha256 -reqexts SAN \ - -key "${host_dir}/server.key" \ - -config "${crt_dir}/${host}.cnf" \ + -key "${host_dir}/key.pem" \ + -config "${cert_dir}/${host}.cnf" \ -subj "/O=${org}/OU=${host}/CN=${domain}" \ - -out "${crt_dir}/${host}.csr" + -out "${cert_dir}/${host}.csr" openssl x509 -req -sha256 -extensions SAN \ -CAcreateserial -days "3650" -CA "${ca_crt}" -CAkey "${ca_key}" \ - -in "${crt_dir}/${host}.csr" \ - -extfile "${crt_dir}/${host}.cnf" \ - -out "${host_dir}/server.crt" + -in "${cert_dir}/${host}.csr" \ + -extfile "${cert_dir}/${host}.cnf" \ + -out "${host_dir}/cert.pem" -openssl x509 -text -noout -in "${host_dir}/server.crt" | grep -A1 'Subject Alternative Name' +openssl x509 -text -noout -in "${host_dir}/cert.pem" | grep -A1 'Subject Alternative Name' -rm -f "${crt_dir}/${host}.csr" "${crt_dir}/${host}.cnf" +rm -f "${cert_dir}/${host}.csr" "${cert_dir}/${host}.cnf" ``` You might be thinking, this would all be easier as a script. A script that could add clients to wireguard and bind, then generate and server the ssl files. This is what `wagon` is designed to do. @@ -492,8 +492,8 @@ IPV6_NET='fd69:1337:0:420:f4:99::/96' IPV4_HUB=10.3.0.1 IPV6_HUB=fd69:1337:0:420:f4:f3:0:1 SSL_CONFIG_DIR="/etc/ssl/private/${TLD}" -SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt" -SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key" +SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca/cert.pem" +SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca/key.pem" SSL_ORG='My Cool Organization' SSL_DAYS='3650' SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' @@ -534,8 +534,8 @@ That's not bad. We could take requests on that port, but let's take secure https server { server_name wagon-dashboard-api.hn.mynet; listen 10.99.0.1:443 ssl http2; - ssl_certificate /etc/ssl/private/mynet/hn/server.crt; - ssl_certificate_key /etc/ssl/private/mynet/hn/server.key; + ssl_certificate /etc/ssl/private/mynet/hn/cert.pem; + ssl_certificate_key /etc/ssl/private/mynet/hn/key.pem; ssl_stapling off; allow 10.99.0.0/16; # All users deny all; # Everyone else @@ -548,8 +548,8 @@ server { server { server_name wagon-admin-api.hn.mynet; listen 10.99.0.1:443 ssl http2; - ssl_certificate /etc/ssl/private/mynet/hn/server.crt; - ssl_certificate_key /etc/ssl/private/mynet/hn/server.key; + ssl_certificate /etc/ssl/private/mynet/hn/cert.pem; + ssl_certificate_key /etc/ssl/private/mynet/hn/key.pem; ssl_stapling off; allow 10.99.1.0/24; # One admin allow 10.99.7.0/24; # Another admin diff --git a/README.md b/README.md index d751273..e5cd36d 100644 --- a/README.md +++ b/README.md @@ -68,8 +68,8 @@ server { server_name dev.mypc.myuser.mynet; listen 10.11.1.1:443 ssl http2; - ssl_certificate /path/to/downloaded/mypc.myuser.mynet/server.crt; - ssl_certificate_key /path/to/downloaded/mypc.myuser.mynet/server.key; + ssl_certificate /path/to/downloaded/mypc.myuser.mynet/cert.pem; + ssl_certificate_key /path/to/downloaded/mypc.myuser.mynet/key.pem; ssl_stapling off; allow 10.11.1.0/24; # My devices @@ -85,7 +85,7 @@ server { ## Dashboard -Users can access a dashboard with a list of devices and links to download `server.crt` and `server.key`. Users can add and delete these devices, and admins can add/delete devices and users from a seperate admin interface. When adding a new user or device, the dashboard displays a wireguard configuration which must be copied or saved before the page is refreshed. +Users can access a dashboard with a list of devices and links to download `cert.pem` and `key.pem`. Users can add and delete these devices, and admins can add/delete devices and users from a seperate admin interface. When adding a new user or device, the dashboard displays a wireguard configuration which must be copied or saved before the page is refreshed. In this way, there is no central server storing all the private keys, like with most wireguard dashboards. In fact, `wagon` does not have a database and does not store any data at all; everything is stored in the server's nameserver and wireguard config. diff --git a/back/lib/ssl_peer_add b/back/lib/ssl_peer_add index e20b433..8a7511c 100755 --- a/back/lib/ssl_peer_add +++ b/back/lib/ssl_peer_add @@ -17,17 +17,17 @@ if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then fi # Generate key -if ! sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >>/dev/null 2>&1; then - printf 'Failed to generate SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 +if ! sudo /usr/bin/openssl ecparam -name secp384r1 -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/key.pem" >>/dev/null 2>&1; then + printf 'Failed to generate SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 exit 7 fi -if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" ]; then - printf 'SSL key %s/%s/%s/server.key was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 +if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" ]; then + printf 'SSL key %s/%s/%s/key.pem was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 ls "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2 exit 7 fi -if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" >&2 2>&1; then - printf 'Failed to chmod SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 +if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" >&2 2>&1; then + printf 'Failed to chmod SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2 exit 7 fi @@ -43,8 +43,8 @@ if ! printf '%s\n' "${san}" | sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \ fi # Generate CSR -if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \ - -key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \ +if ! sudo /usr/bin/openssl req -new -sha384 -reqexts SAN -extensions SAN \ + -key "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem" \ -out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \ -config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \ -subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \ @@ -54,20 +54,20 @@ if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \ fi # Generate cert -if ! sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \ +if ! sudo /usr/bin/openssl x509 -req -sha384 -extensions SAN -CAcreateserial \ -extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \ -in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \ -CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \ -passin "pass:${SSL_CA_PASS}" \ - -out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \ + -out "${SSL_CONFIG_DIR}/${username}/${hostname}/cert.pem" \ -days "${SSL_DAYS}" >/dev/null 2>&1; then - printf 'ERROR! Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >&2 + printf 'ERROR! Failed to generate SSL cert %s/%s/cert.pem\n' "${username}" "${hostname}" >&2 exit 7 -fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ]; then - printf 'ERROR! SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >&2 +fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/cert.pem" ]; then + printf 'ERROR! SSL key %s/%s/cert.pem was not generated!\n' "${username}" "${hostname}" >&2 exit 7 -fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key"; then - printf 'ERROR! Failed to chmod SSL cert %s/%s/server.*\n' "${username}" "${hostname}" >&2 +fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/cert.pem" "${SSL_CONFIG_DIR}/${username}/${hostname}/key.pem"; then + printf 'ERROR! Failed to chmod SSL cert %s/%s/*.pem\n' "${username}" "${hostname}" >&2 exit 8 fi & if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2 diff --git a/etc.sample/config b/etc.sample/config index 4f8fba8..d9ac981 100644 --- a/etc.sample/config +++ b/etc.sample/config @@ -5,8 +5,8 @@ IPV6_NET='fd69:1337:0:420:f4:f3::/96' IPV4_HUB=10.3.0.1 IPV6_HUB=fd69:1337:0:420:f4:f3:0:1 SSL_CONFIG_DIR="/etc/ssl/private/${TLD}" -SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt" -SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key" +SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca/cert.pem" +SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca/key.pem" SSL_ORG='My Org' SSL_DAYS='3650' SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'