Remove command generate-tls-cert

This commit is contained in:
W13R 2022-03-16 18:38:59 +01:00
parent fd3069a172
commit 2bd667d952
8 changed files with 2 additions and 130 deletions


@ -1,6 +0,0 @@
# environment variables for tls generation
export TLS_EXPIRE_AFTER_DAYS=365
export TLS_COMMON_NAME="localhost"
export TLS_ALT_NAME1="127.0.0.1"
export TLS_ALT_NAME2="localhost.localdomain"


@ -25,11 +25,6 @@ This sets up some database tables, views, and more, generates a secret key for t
--- ---
`generate-tls-cert` - generate a new self-signed tls certificate for https
This overwrites the original files, if present (see [Setup](Setup.md)).
---
`generate-secret-key` - generate a new random secret key for django `generate-secret-key` - generate a new random secret key for django
This will overwrite the old one. This will overwrite the old one.
Warning: After running this, current sessions will be invalid, and the users have to relogin. Don't run this command while the server is running. Warning: After running this, current sessions will be invalid, and the users have to relogin. Don't run this command while the server is running.


@ -7,15 +7,6 @@
There is no default configuration available, only a sample configuration with explanations. There is no default configuration available, only a sample configuration with explanations.
## Configuration files for tls certificates
This is the configuration for self-signed local TLS certificate generation.
`./config/tls/cert-config.sh`
This is already configured, but you can modify this for your needs.
## Caddy Server Configuration ## Caddy Server Configuration
`./config/Caddyfile` `./config/Caddyfile`


@ -81,16 +81,8 @@ You can configure your database connection in `config/config.sh`.
## IV. HTTPS & TLS Certificates ## IV. HTTPS & TLS Certificates
TLS/SSL certificates are required. A TLS/SSL certificate and key is required.
If you don't have a TLS/SSL certificate already, you can generate one Filepaths:
with the command `./run.sh generate-tls-cert`. This will generate a
new TLS certificate and key file at `config/tls/server.pem` (certificate)
and `config/tls/server-key.pem` (key).
WARNING: This will overwrite an existing certificate/key with the same filepath.
By default those generated certificates are valid for one year. After that year,
they have to be regenerated with the same command.
If you have a certificate and key file already, you can put them in the following places:
- `config/tls/server.pem` for the certificate - `config/tls/server.pem` for the certificate
- `config/tls/server-key.pem` for the key - `config/tls/server-key.pem` for the key


@ -1,93 +0,0 @@
#!/usr/bin/env python3
import json
from datetime import datetime
from datetime import timedelta
from os import environ
from pathlib import Path
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
"""
this script creates a locally signed ca certificate.
"""
# paths
tls_root_dir = Path("config") / "tls"
path_server_cert = tls_root_dir / "server.pem"
path_server_key = tls_root_dir / "server-key.pem"
if __name__ == "__main__":
# get configuration from environment variable
conf_common_name = environ["TLS_COMMON_NAME"]
conf_tls_expire_after_days = int(environ["TLS_EXPIRE_AFTER_DAYS"])
try:
conf_alternative_name1 = environ["TLS_ALT_NAME1"]
except KeyError:
conf_alternative_name1 = None
try:
conf_alternative_name2 = environ["TLS_ALT_NAME2"]
except KeyError:
conf_alternative_name2 = None
# generate server cert & key
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
backend=default_backend()
)
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, "--"),
x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME, "--"),
x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, "--"),
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, "--"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, conf_common_name)
])
cert_sans = []
if conf_alternative_name1 != None:
cert_sans.append(x509.DNSName(conf_alternative_name1))
if conf_alternative_name2 != None:
cert_sans.append(x509.DNSName(conf_alternative_name2))
certificate = x509.CertificateBuilder()\
.subject_name(subject)\
.issuer_name(issuer)\
.public_key(private_key.public_key())\
.serial_number(x509.random_serial_number())\
.not_valid_before(datetime.utcnow())\
.not_valid_after(datetime.utcnow() + timedelta(days=conf_tls_expire_after_days))\
.add_extension(x509.SubjectAlternativeName(cert_sans), critical=False)\
.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)\
.sign(private_key, hashes.SHA512(), backend=default_backend())
with path_server_cert.open("wb") as certout:
certout.write(certificate.public_bytes(serialization.Encoding.PEM))
with path_server_key.open("wb") as keyout:
private_key_bytes = private_key.private_bytes(
encoding = serialization.Encoding.PEM,
format = serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
)
keyout.write(private_key_bytes)
print("Generated TLS certificate & key.")


@ -3,4 +3,3 @@ django-currentuser==0.5.3
django-csp==3.7 django-csp==3.7
psycopg2~=2.9.1 psycopg2~=2.9.1
uvicorn~=0.17.6 uvicorn~=0.17.6
cryptography~=36.0.0

6
run.sh

@ -8,7 +8,6 @@ function show_dm_help { # $1 = exit code
echo -e " server\t\tstart server" echo -e " server\t\tstart server"
echo -e " setup\t\t\tset up the application" echo -e " setup\t\t\tset up the application"
echo -e " create-admin\t\tcreate an admin account" echo -e " create-admin\t\tcreate an admin account"
echo -e " generate-tls-cert\tgenerate a new self-signed tls certificate for https"
echo -e " generate-secret-key\tgenerate a new random secret key for django" echo -e " generate-secret-key\tgenerate a new random secret key for django"
echo -e " clear-sessions\tmanually remove all expired sessions from the database" echo -e " clear-sessions\tmanually remove all expired sessions from the database"
echo -e " force-db-upgrade\tforce a database migration & upgrade" echo -e " force-db-upgrade\tforce a database migration & upgrade"
@ -56,11 +55,6 @@ else
source "$(pwd)/lib/setup-application.sh" source "$(pwd)/lib/setup-application.sh"
elif [ $1 = 'generate-tls-cert' ]; then
source "$(pwd)/config/tls/cert-config.sh"
python3 "$(pwd)/lib/generate-tls-cert.py"
elif [ $1 = 'generate-secret-key' ]; then elif [ $1 = 'generate-secret-key' ]; then
python3 "$(pwd)/lib/generate-secret-key.py" --override python3 "$(pwd)/lib/generate-secret-key.py" --override