Use a CA to generate the certificates to fix issues with Chrome/Chromium

2025-01-18 23:42:54 +01:00 · 2019-02-07 16:59:04 +00:00 · 2019-02-07 16:59:04 +00:00 · e2f9636feb
commit e2f9636feb
parent 9a4ad3f48d
1 changed files with 64 additions and 31 deletions
--- a/95
+++ b/95
@ -1,6 +1,8 @@
 #!/bin/sh
 set -e
 ssl_dir="/opt/ssl"
 if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
@ -14,40 +16,71 @@ fi
 ########################
-#If there aren't any SSL certs then create a self-signed certificate.
+#If there aren't any SSL certs then create a CA and then CA-signed certificate
-if [ ! -f "/opt/ssl/server.key" ] && [ ! -f "/opt/ssl/server.crt" ]; then
+if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
  mkdir -p $ssl_dir
  confout="${ssl_dir}/conf"
  keyout="${ssl_dir}/server.key"
  certout="${ssl_dir}/server.crt"
  cakey="${ssl_dir}/ca.key"
  cacert="${ssl_dir}/ca.crt"
  serialfile="${ssl_dir}/serial"
- ########################
+  echo "Generating CA key"
- #Create self-signed cert
+  openssl genrsa -out $cakey 2048
  if [ $? -ne 0 ]; then exit 1 ; fi
- mkdir -p /opt/ssl
+  echo "Generating CA certificate"
  openssl req \
          -x509 \
          -new \
          -nodes \
          -subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
          -key $cakey \
          -sha256 \
          -days 7300 \
          -out $cacert
  if [ $? -ne 0 ]; then exit 1 ; fi
- cat <<EoS >/opt/ssl/config
+  echo "Generating openssl configuration"
-[req]
+
-distinguished_name = req_distinguished_name
+  cat <<EoCertConf>$confout
-x509_extensions = v3_req
+subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
 prompt = no
 [req_distinguished_name]
 C = GB
 ST = London
 L = London
 O = LUM
 OU = LUM
 CN = $SERVER_HOSTNAME
 [v3_req]
 keyUsage = critical, digitalSignature, keyAgreement
 extendedKeyUsage = serverAuth
-subjectAltName = @alt_names
+EoCertConf
 [alt_names]
 DNS.1 = $SERVER_HOSTNAME
 EoS
- /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/ssl/server.key -out /opt/ssl/server.crt -config /opt/ssl/config -sha256
+  echo "Generating server key..."
  openssl genrsa -out $keyout 2048
  if [ $? -ne 0 ]; then exit 1 ; fi
  echo "Generating server signing request..."
  openssl req \
               -subj "/CN=${SERVER_HOSTNAME}" \
               -sha256 \
               -new \
               -key $keyout \
               -out /tmp/server.csr
  if [ $? -ne 0 ]; then exit 1 ; fi
  echo "Generating server cert..."
  openssl x509 \
                -req \
                -days 7300 \
                -sha256 \
                -in /tmp/server.csr \
                -CA $cacert \
                -CAkey $cakey \
                -CAcreateserial \
                -CAserial $serialfile \
                -out $certout \
                -extfile $confout
  if [ $? -ne 0 ]; then exit 1 ; fi
 fi
 ########################
 #Create Apache config
@ -58,31 +91,31 @@ cat <<EoC >/etc/apache2/sites-enabled/lum.conf
 Listen 443
-<VirtualHost *:80> 
+<VirtualHost *:80>
- RewriteEngine On 
+ RewriteEngine On
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L]
 </VirtualHost>
 <VirtualHost _default_:443>
- 
+
 ServerName $SERVER_HOSTNAME
 DocumentRoot /opt/ldap_user_manager
 DirectoryIndex index.php index.html
- 
+
 <Directory /opt/ldap_user_manager>
   Require all granted
 </Directory>
- 
+
 SSLEngine On
 SSLCertificateFile /opt/ssl/server.crt
 SSLCertificateKeyFile /opt/ssl/server.key
 $ssl_chain
- 
+
 php_value include_path "/opt/ldap_user_manager/includes"
- 
+
 </VirtualHost>
 EoC