From c1a531f16275e704808e4998d8b1d90a5535a269 Mon Sep 17 00:00:00 2001
From: jcorporation
Date: Tue, 10 Jul 2018 22:52:16 +0100
Subject: [PATCH] Improved certifcate creation, import /etc/mympd/ssl/ca/ca.pem to trust the mympd certificate
---
 README.md | 4 +--
 contrib/crcert.sh | 71 ++++++++++++++++++++++++++++++++++++----
 htdocs/mympd.webmanifest | 2 +-
 mympd.1 | 4 +--
 src/mympd.c | 8 ++---
 5 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index e6fcd84..8fed198 100644
--- a/README.md
+++ b/README.md
@@ -43,8 +43,8 @@ Usage: ./mympd [OPTION]...
 -w, --webport listen port for webserver [80]
 -S, --ssl enable ssl
 -W, --sslport listen port for ssl webserver [443]
- -C, --sslcert filename for ssl certificate [/etc/mympd/server.pem]
- -K, --sslkey filename for ssl key [/etc/mympd/server.key]
+ -C, --sslcert filename for ssl certificate [/etc/mympd/ssl/server.pem]
+ -K, --sslkey filename for ssl key [/etc/mympd/ssl/server.key]
 -s, --streamport connect to mpd http stream at port [8000]
 -u, --user drop priviliges to user after socket bind
 -m, --mpdpass specifies the password to use when connecting to mpd
diff --git a/contrib/crcert.sh b/contrib/crcert.sh
index 3a0b720..1a5e70f 100755
--- a/contrib/crcert.sh
+++ b/contrib/crcert.sh
@@ -1,18 +1,67 @@
 #!/bin/sh
+[ -d /etc/mympd/ssl ] && rm -r /etc/mympd/ssl
+mkdir -p /etc/mympd/ssl/ca/certs
+cd /etc/mympd/ssl/ca
+
+echo '01' > serial
+touch index.txt
+touch index.txt.attr
+
+echo "Creating ca"
+
+cat > ca.cnf << EOL
+[req]
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+prompt = no
+
+[root_ca_distinguished_name]
+O = myMPD
+CN = myMPD_CA
+
+[root_ca_extensions]
+basicConstraints = CA:true
+
+[ ca ]
+default_ca = mympd_ca
+
+[mympd_ca]
+dir = /etc/mympd/ssl/ca
+database = /etc/mympd/ssl/ca/index.txt
+new_certs_dir = /etc/mympd/ssl/ca/certs/
+serial = /etc/mympd/ssl/ca/serial
+copy_extensions = copy
+policy = local_ca_policy
+x509_extensions = local_ca_extensions
+default_md = sha256
+
+[ local_ca_policy ]
+commonName = supplied
+organizationName = supplied
+
+[ local_ca_extensions ]
+basicConstraints = CA:false
+
+EOL
+
+openssl req -new -x509 -newkey rsa:2048 -sha256 -days 1000 -nodes -config ca.cnf \
+ -keyout ca.key -out ca.pem
+
 HOSTNAME=$(hostname)
 FQDN=$(hostname -f)
 IP=$(getent hosts $HOSTNAME | awk {'print $1'})
+cd /etc/mympd/ssl
 echo "Creating cert:"
 echo "\t$HOSTNAME"
 echo "\t$FQDN"
 echo "\t$IP"
-cat > /etc/mympd/openssl.cnf << EOL
+cat > req.cnf << EOL
 [req]
 distinguished_name = req_distinguished_name
-x509_extensions = v3_req
+req_extensions = v3_req
 prompt = no
 [req_distinguished_name]
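Review bot: The CA private key is written by `openssl req ... -nodes -keyout ca.key` (and `server.key` in the following hunk) under whatever umask the caller happens to have, and nothing in the script restricts the files afterwards, so on the common 022 umask `ca.key` ends up world-readable; since this commit asks users to import `ca.pem` into their trust stores, any local user who can read `ca.key` can mint certificates those clients will accept. Add `umask 077` right after the shebang (the public `ca.pem`/`server.pem` can be relaxed with `chmod 644` afterwards if non-root readers need them), and `set -e` so a failed `mkdir -p` or `cd /etc/mympd/ssl/ca` does not fall through to `echo '01' > serial` in the caller's current directory. The unconditional `[ -d /etc/mympd/ssl ] && rm -r /etc/mympd/ssl` also discards an existing CA on every re-run, which silently invalidates the trust users have already imported — consider refusing to overwrite an existing `ca/ca.pem` unless explicitly forced. The `[root_ca_extensions]` section sets only `basicConstraints = CA:true`; marking it `critical` and adding `keyUsage = critical, keyCertSign, cRLSign` is the usual shape for a root.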
@@ -20,17 +69,27 @@ O = myMPD
 CN = $FQDN
 [v3_req]
-keyUsage = keyEncipherment, dataEncipherment
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = $HOSTNAME
 DNS.2 = $FQDN
+DNS.3 = localhost
 IP.1 = $IP
+IP.2 = 127.0.0.1
 EOL
-openssl req -x509 -sha256 -newkey rsa:2048 -days 1000 -nodes -config /etc/mympd/openssl.cnf\
- -keyout /etc/mympd/server.key -out /etc/mympd/server.pem \
- -extensions 'v3_req'
+openssl req -new -sha256 -newkey rsa:2048 -days 1000 -nodes -config req.cnf \
+ -keyout server.key -out server.csr \
+ -extensions v3_req
+echo "Sign cert with ca"
+openssl ca -in server.csr -cert ca/ca.pem -keyfile ca/ca.key -config ca/ca.cnf \
+ -out server.pem -days 1000 -batch
+
+rm server.csr
+rm ca/ca.cnf
+rm req.cnf
diff --git a/htdocs/mympd.webmanifest b/htdocs/mympd.webmanifest
index 598d2de..e267565 100644
--- a/htdocs/mympd.webmanifest
+++ b/htdocs/mympd.webmanifest
@@ -17,5 +17,5 @@
 ],
 "name": "myMPD",
 "short_name": "myMPD",
- "start_url": "/index.html/#/Playback!0/-/"
+ "start_url": "/index.html"
 }
\ No newline at end of file
diff --git a/mympd.1 b/mympd.1
index aa06809..930d916 100644
--- a/mympd.1
+++ b/mympd.1
@@ -28,10 +28,10 @@ enable ssl
 listen interface/port for ssl webserver [443]
 .TP
 \fB\-C\fR, \fB\-\-sslcert FILENAME\fR
-filename for ssl certificate [/etc/mympd/server.pem]
+filename for ssl certificate [/etc/mympd/ssl/server.pem]
 .TP
 \fB\-K\fR, \fB\-\-sslkey FILENAME\fR
-filename for ssl key [/etc/mympd/server.key]
+filename for ssl key [/etc/mympd/ssl/server.key]
 .TP
 \fB-s\fR, \fB\-\-streamport PORT
 connect to mpd http stream at port [8000]
diff --git a/src/mympd.c b/src/mympd.c
index df197dd..93e17ed 100644
--- a/src/mympd.c
+++ b/src/mympd.c
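Review bot: The result of `openssl ca ... -out server.pem -days 1000 -batch` is never checked and the three `rm` lines run unconditionally, so if signing fails (for example because `IP=$(getent hosts ...)` from the previous hunk produced an empty or multi-address value that makes `IP.1 = $IP` an invalid subjectAltName) the script still exits 0, having already removed the old `/etc/mympd/ssl` tree and leaving no `server.pem` for mympd to load. Guard the signing step, `openssl ca ... -batch || { echo "signing cert failed" >&2; exit 1; }`, or put `set -e` at the top of the script so the cleanup never runs after a failure. `-extensions v3_req` on `openssl req -new` is only honoured together with `-x509`; the extensions here actually come from `req_extensions = v3_req` in req.cnf (and survive signing via `copy_extensions = copy` in the CA config), so the flag can be dropped to avoid implying it does something. The 1000-day lifetime on the server certificate may also be refused by clients that cap TLS server certificate validity (Apple platforms reportedly enforce 825 days even for privately trusted roots) — worth confirming against the clients this CA is meant to be imported into.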
@@ -126,8 +126,8 @@ int main(int argc, char **argv)
 struct mg_bind_opts bind_opts;
 const char *err;
 bool ssl = false;
- char *s_ssl_cert = "/etc/mympd/server.pem";
- char *s_ssl_key = "/etc/mympd/server.key";
+ char *s_ssl_cert = "/etc/mympd/ssl/server.pem";
+ char *s_ssl_key = "/etc/mympd/ssl/server.key";
 char hostname[1024];
 hostname[1023] = '\0';
 gethostname(hostname, 1023);
@@ -204,8 +204,8 @@ int main(int argc, char **argv)
 " -w, --webport [ip:]\tlisten interface/port for webserver [80]\n"
 " -S, --ssl\tenable ssl\n"
 " -W, --sslport [ip:]\tlisten interface/port for ssl webserver [443]\n"
- " -C, --sslcert \tfilename for ssl certificate [/etc/mympd/server.pem]\n"
- " -K, --sslkey \tfilename for ssl key [/etc/mympd/server.key]\n"
+ " -C, --sslcert \tfilename for ssl certificate [/etc/mympd/ssl/server.pem]\n"
+ " -K, --sslkey \tfilename for ssl key [/etc/mympd/ssl/server.key]\n"
 " -u, --user \t\tdrop priviliges to user after socket bind\n"
 " -v, --version\t\t\tget version\n"
 " -m, --mpdpass \tspecifies the password to use when connecting to mpd\n"
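Review bot: `char *s_ssl_cert = "/etc/mympd/ssl/server.pem";` and the `s_ssl_key` line below it bind a non-const `char *` to a string literal, so any later write through either pointer would be undefined behaviour and the compiler cannot warn about it; the neighbouring `const char *err;` shows the file already uses the qualifier. Since these are defaults that presumably get replaced by an argv pointer when `-C`/`-K` is given (inferred from the option help in the second hunk), `const char *s_ssl_cert = "/etc/mympd/ssl/server.pem";` / `const char *s_ssl_key = "/etc/mympd/ssl/server.key";` is the safe declaration and costs nothing at the call sites. Both hunks sit inside `main`, whose body continues outside the diff.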