thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

fix for self signed ssl to work in browsers

Thomas Buck 1 year ago
parent
55c30b3899
commit
e872371915
3 changed files with 17 additions and 3 deletions
Unified View Show Diff Stats
  1. 9
    0
      roles/sslselfsigned/DESIGN.md
  2. 1
    1
      roles/sslselfsigned/tasks/selfsigned.yml
  3. 7
    2
      roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2

+ 9
- 0
roles/sslselfsigned/DESIGN.md View File

1 
+# Design Description for SSL Self Signed
2 
+
3 
+This generates a Certificate Authority (CA) and then a signing request (CSR), which results in the certificate for this server after signing it with our CA.
4 
+
5 
+The CA cert is placed in the secret folder, you can install it eg. in Arch like this:
6 
+
7 
+    sudo trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/DOMAIN/etc/letsencrypt/live/DOMAIN/chain.pem
8 
+
9 
+It will then automatically be picked up by browsers like Firefox and Chrome.

+ 1
- 1
roles/sslselfsigned/tasks/selfsigned.yml View File

37 
   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
 37 
   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
38
38
39 
 - name: Retrieve the self signing CA to remove warning in users browser
 39 
 - name: Retrieve the self signing CA to remove warning in users browser
40 
-  fetch: src=/etc/letsencrypt/live/fritz.box/chain.pem
40 
+  fetch: src=/etc/letsencrypt/live/{{ domain }}/chain.pem
41 
          dest="{{ secret }}/sovereign-self-signed-cert"
 41 
          dest="{{ secret }}/sovereign-self-signed-cert"
42 
          fail_on_missing=yes
 42 
          fail_on_missing=yes

+ 7
- 2
roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2 View File

6 
 echo generating CA certificate
 6 
 echo generating CA certificate
7 
 openssl req -x509 -new -nodes -sha256 -days 7300 \
 7 
 openssl req -x509 -new -nodes -sha256 -days 7300 \
8 
     -key /etc/letsencrypt/rootCA.key \
 8 
     -key /etc/letsencrypt/rootCA.key \
9 
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ domain }}" \
9 
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
10 
     -out /etc/letsencrypt/rootCA.crt
 10 
     -out /etc/letsencrypt/rootCA.crt
11
11
12 
 echo generating server key
 12 
 echo generating server key
15 
 echo generating signing request
 15 
 echo generating signing request
16 
 openssl req -new -sha256 \
 16 
 openssl req -new -sha256 \
17 
     -key /etc/letsencrypt/{{ domain }}.key \
 17 
     -key /etc/letsencrypt/{{ domain }}.key \
18 
-    -subj "/C=DE/ST=BW/O={{ domain }}/CN=*.{{ domain }}" \
18 
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
19 
+    -reqexts SAN \
20 
+    -extensions SAN \
21 
+    -config <(cat /etc/ssl/openssl.cnf \
22 
+        <(printf "\n[SAN]\nsubjectAltName=DNS:{{ server_fqdn }}")) \
19 
     -out /etc/letsencrypt/{{ domain }}.csr
 23 
     -out /etc/letsencrypt/{{ domain }}.csr
20
24
21 
 echo generating server certificate
 25 
 echo generating server certificate
22 
 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
 26 
 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
27 
+    -extfile <(printf "subjectAltName=DNS:{{ server_fqdn }}") \
23 
     -in /etc/letsencrypt/{{ domain }}.csr \
 28 
     -in /etc/letsencrypt/{{ domain }}.csr \
24 
     -CA /etc/letsencrypt/rootCA.crt \
 29 
     -CA /etc/letsencrypt/rootCA.crt \
25 
     -CAkey /etc/letsencrypt/rootCA.key \
 30 
     -CAkey /etc/letsencrypt/rootCA.key \

Write Preview
Loading…
Cancel
Save