
fix for self signed ssl to work in browsers

Thomas Buck 1 year ago
parent
commit
e872371915

+ 9
- 0
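--- a/roles/sslselfsigned/DESIGN.md
+++ b/roles/sslselfsigned/DESIGN.md
@@ -0,0 +1,9 @@
+# Design Description for SSL Self Signed
+
+This generates a Certificate Authority (CA) and then a signing request (CSR), which results in the certificate for this server after signing it with our CA.
+
+The CA cert is placed in the secret folder, you can install it eg. in Arch like this:
+
+    sudo trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/DOMAIN/etc/letsencrypt/live/DOMAIN/chain.pem
+
+It will then automatically be picked up by browsers like Firefox and Chrome.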
+ 1
- 1
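--- a/roles/sslselfsigned/tasks/selfsigned.yml
+++ b/roles/sslselfsigned/tasks/selfsigned.yml
@@ -37,6 +37,6 @@
   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
 
 - name: Retrieve the self signing CA to remove warning in users browser
-  fetch: src=/etc/letsencrypt/live/fritz.box/chain.pem
+  fetch: src=/etc/letsencrypt/live/{{ domain }}/chain.pem
          dest="{{ secret }}/sovereign-self-signed-cert"
          fail_on_missing=yes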
+ 7
- 2
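--- a/roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2
+++ b/roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2
@@ -6,7 +6,7 @@ openssl genrsa -out /etc/letsencrypt/rootCA.key 4096
 echo generating CA certificate
 openssl req -x509 -new -nodes -sha256 -days 7300 \
     -key /etc/letsencrypt/rootCA.key \
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ domain }}" \
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
     -out /etc/letsencrypt/rootCA.crt
 
 echo generating server key
@@ -15,11 +15,16 @@ openssl genrsa -out /etc/letsencrypt/{{ domain }}.key 2048
 echo generating signing request
 openssl req -new -sha256 \
     -key /etc/letsencrypt/{{ domain }}.key \
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN=*.{{ domain }}" \
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
+    -reqexts SAN \
+    -extensions SAN \
+    -config <(cat /etc/ssl/openssl.cnf \
+        <(printf "\n[SAN]\nsubjectAltName=DNS:{{ server_fqdn }}")) \
     -out /etc/letsencrypt/{{ domain }}.csr
 
 echo generating server certificate
 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
+    -extfile <(printf "subjectAltName=DNS:{{ server_fqdn }}") \
     -in /etc/letsencrypt/{{ domain }}.csr \
     -CA /etc/letsencrypt/rootCA.crt \
     -CAkey /etc/letsencrypt/rootCA.key \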
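Review bot: In the second hunk the issued certificate is now valid only for the single name in `subjectAltName=DNS:{{ server_fqdn }}`, whereas the removed CSR subject was the wildcard `*.{{ domain }}`, so any other hostname under the domain that previously matched will now fail validation in browsers that only consult the SAN; if those names are still served, the extfile line should read `-extfile <(printf "subjectAltName=DNS:{{ server_fqdn }},DNS:{{ domain }},DNS:*.{{ domain }}") \`. The first hunk also gives the CA the same `CN={{ server_fqdn }}` as the leaf, which makes the leaf's subject equal its issuer and can confuse chain building in some validators, so a distinct CA name such as `CN={{ domain }} root CA` is safer. Note that `openssl x509 -req` does not carry extensions over from the CSR, so the `-reqexts`/`-extensions`/`-config` additions on the CSR are redundant with the `-extfile` on the signing step and could be dropped to avoid two places that must be kept in sync. Both the `-config <(…)` and `-extfile <(…)` forms are process substitutions, which require bash rather than sh; the shebang of this template is outside the hunk and should be checked. The 7300-day lifetime on both the CA and the leaf is unchanged here, but is worth a comment explaining why a twenty-year validity was chosen for a self-signed deployment.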