Merge pull request #37 from cdpxe/feature/letsencrypt

Feature/letsencrypt
cdpxe · Sep 12, 2024 · a952894 · a952894
2 parents 73d8e69 + 8c7b340
commit a952894
Show file tree

Hide file tree

Showing 4 changed files with 140 additions and 24 deletions.
diff --git a/create_certificate b/create_certificate
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+echo "This is the WendzelNNTPd script for generating SSL certificates"
+echo
+
+mkdir -p /usr/local/etc/ssl
+
+if [ "$USER" != "root" ]; then
+    echo "Run this script with root privileges!"
+    exit
+fi
+
+function usage {
+    echo ""
+    echo "Creates certificates for WendzelNNTPd selfsigned or via LetsEncrypt for production usage"
+    echo ""
+    echo "usage: ./create_certificate --environment localhost | letsencrypt --email string --domain string "
+    echo ""
+    echo "  --environment string    context for generating certificates (localhost or letsnecrypt are allowed values) "
+    echo "  --email string          only needed if letsencrypt is used"
+    echo "                          (example: [email protected])"
+    echo "  --domain string         only needed if letsencrypt is used; specify domain under which your wendzelnntpd server is reachable"
+    echo "                          (example: test.de)"
+    echo ""
+}
+
+while [ $# -gt 0 ]; do
+    if [[ $1 == "--help" ]]; then
+        usage
+        exit
+    fi
+
+    if [[ $1 == "--"* ]]; then
+        v="${1/--/}"
+        declare "$v"="$2"
+        shift
+    fi
+    shift
+done
+
+if [[ -z $environment || "$environment" = "local" ]]; then
+    echo "Environment is set to local. Certificates for local use are generated now..."
+    echo 
+
+    openssl req \
+        -x509 \
+        -new \
+        -newkey rsa:2048 \
+        -days 3650 \
+        -nodes \
+        -extensions v3_ca \
+        -subj "/C=DE/ST=Hagen/O=Test-Cert Inc." \
+        -keyout "/usr/local/etc/ssl/ca-key.pem" \
+        -out "/usr/local/etc/ssl/ca.crt"
+
+    openssl genrsa -out "/usr/local/etc/ssl/server.key" 2048
+    openssl req \
+        -new -key "/usr/local/etc/ssl/server.key" \
+        -out "/usr/local/etc/ssl/server.csr" \
+        -config "./docker/openssl/openssl.cnf"
+
+    openssl x509 \
+        -req \
+        -days 365 \
+        -in "/usr/local/etc/ssl/server.csr" \
+        -CA "/usr/local/etc/ssl/ca.crt" \
+        -CAkey "/usr/local/etc/ssl/ca-key.pem" \
+        -CAcreateserial \
+        -extensions v3_req \
+        -extfile "./docker/openssl/openssl.cnf" \
+        -out "/usr/local/etc/ssl/server.crt"
+
+    echo "Finished ..."
+    echo "You can find certificate at: /usr/local/etc/ssl/server.crt, key: /usr/local/etc/ssl/server.key, CA certificate: /usr/local/etc/ssl/ca.crt"
+    echo
+elif [ "$environment" = "letsencrypt" ]; then
+    echo "Environment is set to local. Certificates are generated now via LetsEncrypt certbot..."
+    echo "Check if certbot is installed..."
+    certbot --version  || exit
+
+    if [ -z $email ]; then
+        echo "You have to add an email with --email parameter"
+        exit
+    fi
+
+    if [ -z $domain ]; then
+        echo "You have to add the domain where running this script with --domain parameter"
+        exit
+    fi
+
+    echo "Generating certificates..."
+    certbot certonly --standalone -n --agree-tos --email $email --domains $domain --cert-name wendzelnntpd
+
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/fullchain.pem /usr/local/etc/ssl/server.crt
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/privkey.pem /usr/local/etc/ssl/server.key
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/chain.pem /usr/local/etc/ssl/ca.crt
+
+    echo "Finished ..."
+    echo "You can find certificate at: /usr/local/etc/ssl/server.crt, key: /usr/local/etc/ssl/server.key, CA certificate: /usr/local/etc/ssl/ca.crt"
+    echo
+else
+    echo "Unknown environment for script generation provided..."
+    echo "Stopping script."
+    echo
+fi
diff --git a/docs/docs.pdf b/docs/docs.pdf
diff --git a/docs/install.tex b/docs/install.tex
@@ -32,6 +32,17 @@ \section{Linux/*nix/BSD}
 ...
 \end{verbatim}
 
+If you want to generate SSL certificates you can use the helper script:
+\begin{verbatim}
+	$ sudo ./create_certificate \
+		--environment letsencrypt \
+		--email <YOUR-EMAIL> \\
+		--domain <YOUR-DOMAIN>
+\end{verbatim}
+For the parameter -{}-environment \textit{local} is also a valid value. Then the certificate is generated only for usage on localhost and is self-signed. After generating the certificate you have to adjust \textit{wendzelnntpd.conf} (check Section \ref{network-settings}) to activate TLS (configuration option \textit{enable-tls})). The paths for certificate and server key can stay as they are. 
+
+~
+
 To install WendzelNNTPd on your system, you need superuser access. Run \textbf{make install} to install it to the default location \textit{/usr/local/*}.
 
 \begin{verbatim}

diff --git a/wendzelnntpd.conf b/wendzelnntpd.conf
@@ -33,17 +33,17 @@ database-password mypass
     port		119
     listen	    127.0.0.1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -59,17 +59,17 @@ database-password mypass
     port		119
     listen	    ::1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -85,17 +85,17 @@ database-password mypass
     port		563
     listen	    127.0.0.1
     ;; configure SSL server certificate (required)
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key (required)
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate (required)
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -111,17 +111,17 @@ database-password mypass
     port		563
     listen	    ::1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate