acme service: generate a CA for self-signed certificate

This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Also clean up the service a bit -- use PATH and a private temporary directory (which
is more suitable).
Nikolay Amiantov 2018-04-03 12:09:45 +03:00
parent d91caac6c3
commit 4fc0b4edca


@ -240,6 +240,7 @@ in
}; };
selfsignedService = { selfsignedService = {
description = "Create preliminary self-signed certificate for ${cert}"; description = "Create preliminary self-signed certificate for ${cert}";
path = [ pkgs.openssl ];
preStart = '' preStart = ''
if [ ! -d '${cpath}' ] if [ ! -d '${cpath}' ]
then then
@ -250,37 +251,41 @@ in
''; '';
script = script =
'' ''
# Create self-signed key workdir="$(mktemp -d)"
workdir="/run/acme-selfsigned-${cert}"
${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048 # Create CA
${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key openssl genrsa -des3 -passout pass:x -out $workdir/ca.pass.key 2048
${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \ openssl rsa -passin pass:x -in $workdir/ca.pass.key -out $workdir/ca.key
openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
# Create key
openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
openssl req -new -key $workdir/server.key -out $workdir/server.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
-CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
-out $workdir/server.crt
# Move key to destination # Copy key to destination
mv $workdir/server.key ${cpath}/key.pem cp $workdir/server.key ${cpath}/key.pem
mv $workdir/server.crt ${cpath}/fullchain.pem
# Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates) # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem" cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem"
# Clean up working directory # Create full.pem for e.g. lighttpd
rm $workdir/server.csr cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem"
rm $workdir/server.pass.key
# Give key acme permissions # Give key acme permissions
chmod ${rights} '${cpath}/key.pem' chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem
chown '${data.user}:${data.group}' '${cpath}/key.pem' chmod ${rights} "${cpath}/"{key,fullchain,full}.pem
chmod ${rights} '${cpath}/fullchain.pem'
chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
chmod ${rights} '${cpath}/full.pem'
chown '${data.user}:${data.group}' '${cpath}/full.pem'
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RuntimeDirectory = "acme-selfsigned-${cert}";
PermissionsStartOnly = true; PermissionsStartOnly = true;
PrivateTmp = true;
User = data.user; User = data.user;
Group = data.group; Group = data.group;
}; };