[FEATURE] Generate valid ssl certificates

5fb844a3 · Stefan Galinski · 32fecbd7 · 5fb844a3 · 5fb844a3 · 5fb844a3
Commit 5fb844a3 authored 7 years ago by Stefan Galinski
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -238,19 +238,40 @@ end
 ### Setup Apache Environment ###
 ################################

-# copy ssl key data
-template '/etc/apache2/ssl/sslKey.key' do
-	source 'sslKey.key'
+# create ssl certificate
+# Instructions are from here: https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
+template '/etc/apache2/ssl/v3.ext' do
+	source 'v3.ext'
 	owner 'vagrant'
 	group data_bag['groupId']
 end

-template '/etc/apache2/ssl/sslKey.crt' do
-	source 'sslKey.crt'
+template '/etc/apache2/ssl/create_certificate_for_domain.sh' do
+	source 'create_certificate_for_domain.sh'
 	owner 'vagrant'
 	group data_bag['groupId']
 end

+# not needed (globally used, but maybe someone else needs this)
+# template 'create_root_cert_and_key.sh' do
+# 	source 'create_root_cert_and_key.sh'
+# 	owner 'vagrant'
+# 	group data_bag['groupId']
+# end
+
+bash 'Create Certificate' do
+	cwd '/etc/apache2/ssl/'
+
+	user 'vagrant'
+	group data_bag['groupId']
+
+	code <<-EOF
+		chmod 755 create_certificate_for_domain.sh
+		./create_certificate_for_domain.sh #{node['typo3_site']['hostname']}
+	EOF
+	action :run
+end
+
 # create vHost directory
 directory "#{node['typo3_site']['webroot']}/#{node['typo3_site']['hostname']}" do
 	owner 'vagrant'

--- a/templates/default/create_certificate_for_domain.sh
+++ b/templates/default/create_certificate_for_domain.sh
+if [ -z "$1" ]
+then
+  echo "Please supply a subdomain to create a certificate for";
+  echo "e.g. www.mysite.com"
+  exit;
+fi
+
+# Create a new private key if one doesnt exist, or use the xeisting one if it does
+if [ -f device.key ]; then
+  KEY_OPT="-key"
+else
+  KEY_OPT="-keyout"
+fi
+
+DOMAIN=$1
+COMMON_NAME=${2:-*.$1}
+SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
+NUM_OF_DAYS=999
+openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
+cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext
+openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 
+
+# move output files to final filenames
+mv device.csr $DOMAIN.csr
+cp device.crt $DOMAIN.crt
+
+# remove temp file
+rm -f device.crt;
+
+echo 
+echo "###########################################################################"
+echo Done! 
+echo "###########################################################################"
+echo "To use these files on your server, simply copy both $DOMAIN.csr and"
+echo "device.key to your webserver, and use like so (if Apache, for example)"
+echo 
+echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
+echo "    SSLCertificateKeyFile /path_to_your_files/device.key"
--- a/templates/default/create_root_cert_and_key.sh
+++ b/templates/default/create_root_cert_and_key.sh
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
--- a/templates/default/sslKey.crt
+++ b/templates/default/sslKey.crt
-----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIJAORC8MQ0C9DzMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
-BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxJDAiBgNV
-BAoMG3NnYWxpbnNraSBJbnRlcm5ldCBTZXJ2aWNlczAeFw0xNTA0MjExNzQzMTda
-Fw0xNjA0MjAxNzQzMTdaMFYxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlh
-MQ8wDQYDVQQHDAZNdW5pY2gxJDAiBgNVBAoMG3NnYWxpbnNraSBJbnRlcm5ldCBT
-ZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSgEUitUshZ
-hpIcKxI5IBSaHx8UEelHuJLCqe2uOPS5LwGLfwftwwJkPYCmQgDRVN3EarZU7ssq
-kkeQ3LoAS6GzZ/R8XKVm2bs8qme9w7K13/Nntv2k3qhtNVfbbB9l3xDzilYRhNY/
-BZ1RxpjSMRKenzkv7KfdDLVQ2xX/YtLjS2qEGTE09oop7m75H7j2PpvnUMz9exnQ
-g1R91177iBhhWPa/HA0+QUirqQ0cica6YgHx4imGmJ8fXCUDpn5kRxqPIl5+Gwrw
-Y/+zUzFcwamz9XJJo2inWRZHz+uHQWHt00g8RPZdJMClPLvcf/a8hXM8Q0V0z+xk
-/RAU9knwS6kCAwEAAaNQME4wHQYDVR0OBBYEFOkJIQ36tTSNGCnwFI6baqxtDKXH
-MB8GA1UdIwQYMBaAFOkJIQ36tTSNGCnwFI6baqxtDKXHMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAAhRxgilKKFKWg9jOSu+7qDmxVdnlK17rYNVnDoU
-L6emvKOEHR7eIpLVx/4wwPKfCe8SaKzTQ8EP/y0bAnuv2qrNOiQ/wv3kJa3Miu9x
-47E//+13AY22ADdB0lXDKS6RveJaL8YfgYtjV1aKa3kvnbBpeDD5Lh60n55tXod5
-DVU0WhOxH62d1EgllYP4DN7Pzl8QrSDEREHewj+5gSAfbYqOHr6e865iXZh3lpdi
-C+BYNsvTHWnMC7AxqeEDRpfxJ9paYhgjVU7mNyjhDuvict+bXQ/iqKS/h2tN24fw
-oSPkeMBC4ZxhmYkM+D06FAGBvjGVm9tr5m8sJ9FIkoCWQWY=
-----END CERTIFICATE-----
\ No newline at end of file
--- a/templates/default/sslKey.key
+++ b/templates/default/sslKey.key
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1KARSK1SyFmGkhwrEjkgFJofHxQR6Ue4ksKp7a449LkvAYt/
-B+3DAmQ9gKZCANFU3cRqtlTuyyqSR5DcugBLobNn9HxcpWbZuzyqZ73DsrXf82e2
-/aTeqG01V9tsH2XfEPOKVhGE1j8FnVHGmNIxEp6fOS/sp90MtVDbFf9i0uNLaoQZ
-MTT2iinubvkfuPY+m+dQzP17GdCDVH3XXvuIGGFY9r8cDT5BSKupDRyJxrpiAfHi
-KYaYnx9cJQOmfmRHGo8iXn4bCvBj/7NTMVzBqbP1ckmjaKdZFkfP64dBYe3TSDxE
-9l0kwKU8u9x/9ryFczxDRXTP7GT9EBT2SfBLqQIDAQABAoIBADL6gcpcDAoPNO2Z
-JVaELcXiwe1woW6+DGnblGRxLiS2tad4K6faALR1Fi3fLtoFVoSpUDCRIoPBnDre
-Z52M7pVBb341xvy9MRzsSar/24jghGZWipA71EqrjGuZJ05L3XSx/4vtPV0k1RLI
-BYakdrGRKHnMnMAOhrp+PVkD10zaVFuAbiKZKc5Qg5m+KD7785VMY5bBfqZwh66w
-igeqFw0ZU6MZtaVGKeJzxWJGZxW5vbvjJGb/doLxMHYqzn4tjpFopXc0peOk0GiO
-0A76zJVMWCOuQElui4amXC6EmD61GySub3fiBA1NEcptcIu6HVQqGi1dSb1aRbyV
-oeqvRZECgYEA7ADxtY/WqafJadeIVnUkPZFSoyx4Q9X0W4/B2p56e22phJfU2CMZ
-48/Fss79Q80nSKQNlRWmm8dMtQ5m+WqTVhL63OYtl0wb93/DGejEfqyt8oWboWmp
-xqfSnFNOdTzH1GX6qAv/fWhU5oJ9PQ8EZCAuUgockwhcqEk+VCoPu50CgYEA5qQI
-J8nZhzw9ZKu+oXXump/NR4FBEzpLItg7hw2x3Zyef9sfGuxxPuG2PpyvkV+RHsgm
-3dDNTvc042mmMkAdLVPnpAyBw7hmMI32X0fMfEUzBQ7zxY6X09/OB5Mw8s060c6A
-LDeEnAhygAnHWljTVlnj4u+YLubNUbdSeo/RcH0CgYEAyBU81xsteQRhRDSQyAvk
-P7ZXAzQOeiSIWKAWT8yQNtiQIXO/5cZMitF54NCP882YgoNjaIPEjsl3BQFC2C48
-33qT6HfVKzJBe6F7vRmUjXjEuJoBieVVJLDfY91U5Rw0pqQW0CXr41xyrkLu/rce
-l+yYmMEt3JH4TExcZWqLkBkCgYBvl3vurGYYXZgixkoU2veYTqtG5o3y3KiP8mlS
-3dhqLiYuHHn/T9k3IIRJ5Qu5XbDcYOEVP7qmc0teoLZt58F2NfuEzxxV8zlWUsma
-riWNFvopf2OI+YYSWF3aImhzgcLs0moHetEpoZisxI508zdFt3ZgTaanQrqix/0b
-GcyvDQKBgQC3R9KNQygh/a6Bw/SHRAVa06WLgxF5WP905XWhmwZeFKsjX4dbef5a
-3/hpnutUKdUxZ5Tvx9dQAxOQpfKlltbjy0VFDi5i61268Q63y9ON3UPUuduVb7Y3
-EZmYqUTDz8VWDrxp6U/r3gJXxvNCkYf3EmEUNk575QhVZeLiUJXgPA==
-----END RSA PRIVATE KEY-----
\ No newline at end of file
--- a/templates/default/v3.ext
+++ b/templates/default/v3.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %%DOMAIN%%
--- a/templates/default/vHost-xenial.conf.erb
+++ b/templates/default/vHost-xenial.conf.erb
@@ -40,8 +40,8 @@
  #   SSLCertificateFile directive is needed.
  #SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
  #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-  SSLCertificateFile /etc/apache2/ssl/sslKey.crt
-  SSLCertificateKeyFile /etc/apache2/ssl/sslKey.key
+  SSLCertificateFile /etc/apache2/ssl/<%= @params[:server_name] %>.crt
+  SSLCertificateKeyFile /etc/apache2/ssl/device.key

  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
  Header always set Strict-Transport-Security "max-age=15768000"

--- a/templates/default/vHost.conf.erb
+++ b/templates/default/vHost.conf.erb
@@ -37,8 +37,8 @@
  #   SSLCertificateFile directive is needed.
  #SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
  #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-  SSLCertificateFile /etc/apache2/ssl/sslKey.crt
-  SSLCertificateKeyFile /etc/apache2/ssl/sslKey.key
+  SSLCertificateFile /etc/apache2/ssl/<%= @params[:server_name] %>.crt
+  SSLCertificateKeyFile /etc/apache2/ssl/device.key

  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
  Header always set Strict-Transport-Security "max-age=15768000"