Browse Source

fix for self signed ssl to work in browsers

Thomas Buck 2 years ago
parent
commit
e872371915

+ 9
- 0
roles/sslselfsigned/DESIGN.md View File

1
+# Design Description for SSL Self Signed
2
+
3
+This generates a Certificate Authority (CA) and then a signing request (CSR), which results in the certificate for this server after signing it with our CA.
4
+
5
+The CA cert is placed in the secret folder, you can install it eg. in Arch like this:
6
+
7
+    sudo trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/DOMAIN/etc/letsencrypt/live/DOMAIN/chain.pem
8
+
9
+It will then automatically be picked up by browsers like Firefox and Chrome.

+ 1
- 1
roles/sslselfsigned/tasks/selfsigned.yml View File

37
   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
37
   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
38
 
38
 
39
 - name: Retrieve the self signing CA to remove warning in users browser
39
 - name: Retrieve the self signing CA to remove warning in users browser
40
-  fetch: src=/etc/letsencrypt/live/fritz.box/chain.pem
40
+  fetch: src=/etc/letsencrypt/live/{{ domain }}/chain.pem
41
          dest="{{ secret }}/sovereign-self-signed-cert"
41
          dest="{{ secret }}/sovereign-self-signed-cert"
42
          fail_on_missing=yes
42
          fail_on_missing=yes

+ 7
- 2
roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2 View File

6
 echo generating CA certificate
6
 echo generating CA certificate
7
 openssl req -x509 -new -nodes -sha256 -days 7300 \
7
 openssl req -x509 -new -nodes -sha256 -days 7300 \
8
     -key /etc/letsencrypt/rootCA.key \
8
     -key /etc/letsencrypt/rootCA.key \
9
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ domain }}" \
9
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
10
     -out /etc/letsencrypt/rootCA.crt
10
     -out /etc/letsencrypt/rootCA.crt
11
 
11
 
12
 echo generating server key
12
 echo generating server key
15
 echo generating signing request
15
 echo generating signing request
16
 openssl req -new -sha256 \
16
 openssl req -new -sha256 \
17
     -key /etc/letsencrypt/{{ domain }}.key \
17
     -key /etc/letsencrypt/{{ domain }}.key \
18
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN=*.{{ domain }}" \
18
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
19
+    -reqexts SAN \
20
+    -extensions SAN \
21
+    -config <(cat /etc/ssl/openssl.cnf \
22
+        <(printf "\n[SAN]\nsubjectAltName=DNS:{{ server_fqdn }}")) \
19
     -out /etc/letsencrypt/{{ domain }}.csr
23
     -out /etc/letsencrypt/{{ domain }}.csr
20
 
24
 
21
 echo generating server certificate
25
 echo generating server certificate
22
 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
26
 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
27
+    -extfile <(printf "subjectAltName=DNS:{{ server_fqdn }}") \
23
     -in /etc/letsencrypt/{{ domain }}.csr \
28
     -in /etc/letsencrypt/{{ domain }}.csr \
24
     -CA /etc/letsencrypt/rootCA.crt \
29
     -CA /etc/letsencrypt/rootCA.crt \
25
     -CAkey /etc/letsencrypt/rootCA.key \
30
     -CAkey /etc/letsencrypt/rootCA.key \

Loading…
Cancel
Save