Improved certifcate creation, import /etc/mympd/ssl/ca/ca.pem to trust the mympd certificate

2025-10-31 22:03:01 +00:00 · 2018-07-10 22:52:16 +01:00
parent eb2d38c6fd
commit c1a531f162
5 changed files with 74 additions and 15 deletions
--- a/README.md
+++ b/README.md
@@ -43,8 +43,8 @@ Usage: ./mympd [OPTION]...
 -w, --webport <port>          listen port for webserver [80]
 -S, --ssl		       enable ssl
 -W, --sslport		       listen port for ssl webserver [443]
- -C, --sslcert		       filename for ssl certificate [/etc/mympd/server.pem]
+ -C, --sslcert		       filename for ssl certificate [/etc/mympd/ssl/server.pem]
- -K, --sslkey		       filename for ssl key [/etc/mympd/server.key]
+ -K, --sslkey		       filename for ssl key [/etc/mympd/ssl/server.key]
 -s, --streamport <port>       connect to mpd http stream at port [8000]
 -u, --user <username>         drop priviliges to user after socket bind
 -m, --mpdpass <password>      specifies the password to use when connecting to mpd
--- a/contrib/crcert.sh
+++ b/contrib/crcert.sh
@@ -1,18 +1,67 @@
 #!/bin/sh
 [ -d /etc/mympd/ssl ] && rm -r /etc/mympd/ssl
 mkdir -p /etc/mympd/ssl/ca/certs
 cd /etc/mympd/ssl/ca
 echo '01' > serial
 touch index.txt
 touch index.txt.attr
 echo "Creating ca"
 cat > ca.cnf << EOL
 [req]
 distinguished_name = root_ca_distinguished_name
 x509_extensions = root_ca_extensions
 prompt = no
 [root_ca_distinguished_name]
 O = myMPD
 CN = myMPD_CA
 [root_ca_extensions]
 basicConstraints = CA:true
 [ ca ]
 default_ca = mympd_ca
 [mympd_ca]
 dir = /etc/mympd/ssl/ca
 database = /etc/mympd/ssl/ca/index.txt
 new_certs_dir = /etc/mympd/ssl/ca/certs/
 serial = /etc/mympd/ssl/ca/serial
 copy_extensions = copy
 policy = local_ca_policy
 x509_extensions = local_ca_extensions
 default_md = sha256
 [ local_ca_policy ]
 commonName = supplied
 organizationName = supplied
 [ local_ca_extensions ]
 basicConstraints = CA:false
 EOL
 openssl req -new -x509 -newkey rsa:2048 -sha256 -days 1000 -nodes -config ca.cnf \
 	-keyout ca.key -out ca.pem
 HOSTNAME=$(hostname)
 FQDN=$(hostname -f)
 IP=$(getent hosts $HOSTNAME | awk {'print $1'})
 cd /etc/mympd/ssl
 echo "Creating cert:"
 echo "\t$HOSTNAME"
 echo "\t$FQDN"
 echo "\t$IP"
-cat > /etc/mympd/openssl.cnf << EOL
+cat > req.cnf << EOL
 [req]
 distinguished_name = req_distinguished_name
-x509_extensions = v3_req
+req_extensions = v3_req
 prompt = no
 [req_distinguished_name]
@@ -20,17 +69,27 @@ O = myMPD
 CN = $FQDN
 [v3_req]
-keyUsage = keyEncipherment, dataEncipherment
+basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = $HOSTNAME
 DNS.2 = $FQDN
 DNS.3 = localhost
 IP.1 = $IP
 IP.2 = 127.0.0.1
 EOL
-openssl req -x509 -sha256 -newkey rsa:2048 -days 1000 -nodes -config /etc/mympd/openssl.cnf\
+openssl req -new -sha256 -newkey rsa:2048 -days 1000 -nodes -config req.cnf \
-	-keyout /etc/mympd/server.key -out /etc/mympd/server.pem \
+	-keyout server.key -out server.csr \
-	-extensions 'v3_req'
+	-extensions v3_req
 echo "Sign cert with ca"
 openssl ca -in server.csr -cert ca/ca.pem -keyfile ca/ca.key -config ca/ca.cnf \
 	-out server.pem -days 1000 -batch
 rm server.csr
 rm ca/ca.cnf
 rm req.cnf
--- a/htdocs/mympd.webmanifest
+++ b/htdocs/mympd.webmanifest
@@ -17,5 +17,5 @@
  ],
  "name": "myMPD",
  "short_name": "myMPD",
-  "start_url": "/index.html/#/Playback!0/-/"
+  "start_url": "/index.html"
 }
--- a/mympd.1
+++ b/mympd.1
@@ -28,10 +28,10 @@ enable ssl
 listen interface/port for ssl webserver [443]
 .TP
 \fB\-C\fR, \fB\-\-sslcert FILENAME\fR
-filename for ssl certificate [/etc/mympd/server.pem]
+filename for ssl certificate [/etc/mympd/ssl/server.pem]
 .TP
 \fB\-K\fR, \fB\-\-sslkey FILENAME\fR
-filename for ssl key [/etc/mympd/server.key]
+filename for ssl key [/etc/mympd/ssl/server.key]
 .TP
 \fB-s\fR, \fB\-\-streamport PORT
 connect to mpd http stream at port [8000]
--- a/src/mympd.c
+++ b/src/mympd.c
@@ -126,8 +126,8 @@ int main(int argc, char **argv)
    struct mg_bind_opts bind_opts;
    const char *err;
    bool ssl = false;
-    char *s_ssl_cert = "/etc/mympd/server.pem";
+    char *s_ssl_cert = "/etc/mympd/ssl/server.pem";
-    char *s_ssl_key = "/etc/mympd/server.key";
+    char *s_ssl_key = "/etc/mympd/ssl/server.key";
    char hostname[1024];
    hostname[1023] = '\0';
    gethostname(hostname, 1023);
@@ -204,8 +204,8 @@ int main(int argc, char **argv)
                        " -w, --webport [ip:]<port>\tlisten interface/port for webserver [80]\n"
                        " -S, --ssl\tenable ssl\n"
                        " -W, --sslport [ip:]<port>\tlisten interface/port for ssl webserver [443]\n"
-                        " -C, --sslcert <filename>\tfilename for ssl certificate [/etc/mympd/server.pem]\n"
+                        " -C, --sslcert <filename>\tfilename for ssl certificate [/etc/mympd/ssl/server.pem]\n"
-                        " -K, --sslkey <filename>\tfilename for ssl key [/etc/mympd/server.key]\n"
+                        " -K, --sslkey <filename>\tfilename for ssl key [/etc/mympd/ssl/server.key]\n"
                        " -u, --user <username>\t\tdrop priviliges to user after socket bind\n"
                        " -v, --version\t\t\tget version\n"
                        " -m, --mpdpass <password>\tspecifies the password to use when connecting to mpd\n"