From 26d5e18e7d11576d4270b0442929ed5c1994abac Mon Sep 17 00:00:00 2001
From: openoms <43343391+openoms@users.noreply.github.com>
Date: Thu, 15 Feb 2024 08:27:31 +0000
Subject: [PATCH] add option to reset the self-signed tls certificate (#4412)

* add option to reset the self-signed tls certificate
---
 CHANGES.md | 1 +
 home.admin/99connectMenu.sh | 7 +-
 home.admin/config.scripts/blitz.web.sh | 8 +-
 .../config.scripts/internet.selfsignedcert.sh | 66 ++++++++++++++++---
 4 files changed, 68 insertions(+), 14 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 59e6ea667..1a271dce4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -2,6 +2,7 @@
 - New: RaspberryPi5 tested & enabling NVMe PCIe Hats
 - New: BTCPay Server PostgreSQL database backup and restore options [details](https://github.com/raspiblitz/raspiblitz/pull/4409)
+- New: Reset option for the self-signed TLS certificate [details](https://github.com/raspiblitz/raspiblitz/pull/4412)
 - Update: RaspberryOS base image 2023-12-05 (Debian 12 Bookworm)
 - Update: amd64 base image: debian-12.5.0-amd64-netinst.iso
 - Update: Bitcoin Core v26.0 [details](https://bitcoincore.org/en/releases/26.0/)
diff --git a/home.admin/99connectMenu.sh b/home.admin/99connectMenu.sh
index 2a3611b9f..d40210b99 100644
--- a/home.admin/99connectMenu.sh
+++ b/home.admin/99connectMenu.sh
@@ -34,6 +34,9 @@ if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then
 OPTIONS+=(RESET "Recreate LND Macaroons & tls.cert")
 OPTIONS+=(SYNC "Sync Macaroons & tls.cert with Apps/Users")
 fi
+if [ -f /mnt/hdd/app-data/selfsignedcert/selfsigned.cert ]; then
+ OPTIONS+=(RESET-TLS "Reset the self-signed TLS certificate")
+fi
 CHOICE_HEIGHT=$(("${#OPTIONS[@]}/2+1"))
 HEIGHT=$((CHOICE_HEIGHT+6))
@@ -75,7 +78,9 @@ case $CHOICE in
 EXPORT)
 sudo /home/admin/config.scripts/lnd.export.sh
 exit 0;;
-
+ RESET-TLS)
+ sudo /home/admin/config.scripts/internetselfsignedcert.sh reset
+ exit 0;;
 ALBY)
 /home/admin/config.scripts/bonus.alby.sh
 exit 0;
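Review bot: The new RESET-TLS arm calls `/home/admin/config.scripts/internetselfsignedcert.sh`, but the script this commit edits (see the diffstat and the later hunks) is `internet.selfsignedcert.sh` with a dot, so selecting the menu entry will fail with a command-not-found error and then `exit 0` as if the reset had happened. The line should read `sudo /home/admin/config.scripts/internet.selfsignedcert.sh reset`. The enclosing `case $CHOICE in` starts and ends outside the hunk.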
diff --git a/home.admin/config.scripts/blitz.web.sh b/home.admin/config.scripts/blitz.web.sh index a76003c3a..7fd8b8255 100755 --- a/home.admin/config.scripts/blitz.web.sh +++ b/home.admin/config.scripts/blitz.web.sh @@ -88,7 +88,7 @@ EOF fi # make sure that it is enabled and started - sudo systemctl enable nginx + sudo systemctl enable nginx sudo systemctl start nginx exit 0 @@ -134,12 +134,12 @@ elif [ "$1" = "https-on" ]; then sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tls.key sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tor_tls.cert sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tor_tls.key - else + else echo "# exists /mnt/hdd/app-data/nginx/tls.cert" # create a self-signed cert if the LND cert is not present - /home/admin/config.scripts/internet.selfsignedcert.sh - + /home/admin/config.scripts/internet.selfsignedcert.sh create + sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.cert \ /mnt/hdd/app-data/nginx/tls.cert sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.key \ diff --git a/home.admin/config.scripts/internet.selfsignedcert.sh b/home.admin/config.scripts/internet.selfsignedcert.sh index 092206580..1e2a662ac 100755 --- a/home.admin/config.scripts/internet.selfsignedcert.sh +++ b/home.admin/config.scripts/internet.selfsignedcert.sh 
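Review bot: In the second hunk the new `internet.selfsignedcert.sh create` call runs unchecked, so if that script fails (its `cd … || exit 1`, or an openssl error) the `ln -sf` lines that follow still point nginx's tls.cert and tls.key at files that may not exist, and the https-on branch carries on as if it had succeeded. Suggest `/home/admin/config.scripts/internet.selfsignedcert.sh create || exit 1` so the caller sees the failure before nginx is reloaded against a missing certificate. The enclosing `elif [ "$1" = "https-on" ]` block starts and ends outside the hunk.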
@@ -2,17 +2,29 @@
 # script to create a self-signed SSL certificate
-sudo -u bitcoin mkdir /mnt/hdd/app-data/selfsignedcert
-cd /mnt/hdd/app-data/selfsignedcert || exit 1
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+ echo "config script to create a self-signed SSL certificate"
+ echo "internet.selfsignedcert.sh [create|reset]"
+ exit 1
+fi
-echo "# Create a self signed SSL certificate"
-localip=$(hostname -I | awk '{print $1}')
+CERT_DIR="/mnt/hdd/app-data/selfsignedcert"
+CERT_FILE="${CERT_DIR}/selfsigned.cert"
-sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
-#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
-#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+create_self_signed_cert() {
+ sudo mkdir -p "${CERT_DIR}"
+ sudo chown -R bitcoin:bitcoin "${CERT_DIR}"
+ cd /mnt/hdd/app-data/selfsignedcert || exit 1
-echo "
+ echo "# Create a self signed SSL certificate"
+ localip=$(hostname -I | awk '{print $1}')
+
+ sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
+ #https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+ #https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+
+ echo "
 [req]
 prompt = no
 default_bits = 2048
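Review bot: `create_self_signed_cert` defines `CERT_DIR` a few lines earlier but then hard-codes the same path in `cd /mnt/hdd/app-data/selfsignedcert || exit 1`; use `cd "${CERT_DIR}" || exit 1` so the directory that is created and chowned is guaranteed to be the one the key and cert are written into. `localip` is assigned inside the function without `local`, so it leaks into the script's global scope; `local localip` on that line keeps it scoped to the function (it is only used by the config written further down in the function). The `genrsa` call's exit status is not checked, so a failed key generation is followed by the certificate request anyway; `|| exit 1` on that line would stop early. The function body continues past the end of the hunk.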
@@ -42,5 +54,41 @@ DNS.2 = 127.0.0.1
 DNS.3 = $localip
 " | sudo -u bitcoin tee localhost.conf
-sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
+ sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
 -out selfsigned.cert -days 3650 -config localhost.conf
+}
+
+check_certificate_validity() {
+ if openssl x509 -checkend 86400 -noout -in "${CERT_FILE}"; then
+ echo "# The certificate is valid for more than one day, keeping it."
+ return 0
+ else
+ echo "# The certificate is invalid, expired or will expire within a day. Regenerating."
+ return 1
+ fi
+}
+
+if [ "$1" = create ]; then
+ if [[ -f "${CERT_DIR}/selfsigned.cert" && -f "${CERT_DIR}/selfsigned.key" ]]; then
+ if ! check_certificate_validity; then
+ create_self_signed_cert
+ fi
+ else
+ # the certificate doesn't exist, so create it
+ create_self_signed_cert
+ fi
+ exit 0
+fi
+
+if [ "$1" = reset ]; then
+ echo "# Make sure the old certificate is not present"
+ sudo rm -f "${CERT_DIR}/selfsigned.cert"
+ sudo rm -f "${CERT_DIR}/selfsigned.key"
+
+ create_self_signed_cert
+
+ exit 0
+fi
+
+echo "# FAIL - Unknown Parameter $1"
+exit 1
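Review bot: Neither `create_self_signed_cert` nor the `create`/`reset` branches check whether `openssl req` succeeded: the function simply falls through after the `-config localhost.conf` line, and both branches `exit 0` unconditionally, so a failed regeneration — in the `reset` path after the old key and cert have already been removed — leaves nginx pointing at a missing or mismatched key pair while the caller (blitz.web.sh) sees success. Appending `|| exit 1` to the `-config localhost.conf` continuation line makes the failure visible; the same applies to the `genrsa` line in the previous hunk. Separately, `check_certificate_validity` tests only expiry via `-checkend 86400`, so `create` keeps an unexpired certificate even when the `DNS.3 = $localip` entry baked in at creation no longer matches the host's current address; a comment in the `create` branch such as `# only expiry is checked here; use 'reset' to pick up a changed local IP` would document that `reset` is the intended remedy.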