add option to reset the self-signed tls certificate (#4412)

* add option to reset the self-signed tls certificate

CHANGES.md

@@ -2,6 +2,7 @@
 
 - New: RaspberryPi5 tested & enabling NVMe PCIe Hats
 - New: BTCPay Server PostgreSQL database backup and restore options [details](https://github.com/raspiblitz/raspiblitz/pull/4409)
+- New: Reset option for the self-signed TLS certificate [details](https://github.com/raspiblitz/raspiblitz/pull/4412)
 - Update: RaspberryOS base image 2023-12-05 (Debian 12 Bookworm)
 - Update: amd64 base image: debian-12.5.0-amd64-netinst.iso
 - Update: Bitcoin Core v26.0 [details](https://bitcoincore.org/en/releases/26.0/)

home.admin/99connectMenu.sh

@@ -34,6 +34,9 @@ if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then
   OPTIONS+=(RESET "Recreate LND Macaroons & tls.cert")
   OPTIONS+=(SYNC "Sync Macaroons & tls.cert with Apps/Users")
 fi
+if [ -f /mnt/hdd/app-data/selfsignedcert/selfsigned.cert ]; then
+  OPTIONS+=(RESET-TLS "Reset the self-signed TLS certificate")
+fi
 
 CHOICE_HEIGHT=$(("${#OPTIONS[@]}/2+1"))
 HEIGHT=$((CHOICE_HEIGHT+6))
@@ -75,7 +78,9 @@ case $CHOICE in
   EXPORT)
     sudo /home/admin/config.scripts/lnd.export.sh
     exit 0;;
-
+  RESET-TLS)
+    sudo /home/admin/config.scripts/internetselfsignedcert.sh reset
+    exit 0;;
   ALBY)
     /home/admin/config.scripts/bonus.alby.sh
     exit 0;

home.admin/config.scripts/blitz.web.sh

@@ -88,7 +88,7 @@ EOF
   fi
 
   # make sure that it is enabled and started
-  sudo systemctl enable nginx 
+  sudo systemctl enable nginx
   sudo systemctl start nginx
   exit 0
 
@@ -134,12 +134,12 @@ elif [ "$1" = "https-on" ]; then
       sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tls.key
       sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tor_tls.cert
       sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tor_tls.key
-    else 
+    else
       echo "# exists /mnt/hdd/app-data/nginx/tls.cert"
 
       # create a self-signed cert if the LND cert is not present
-      /home/admin/config.scripts/internet.selfsignedcert.sh   
+      /home/admin/config.scripts/internet.selfsignedcert.sh create
-  
+
       sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.cert \
                   /mnt/hdd/app-data/nginx/tls.cert
       sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.key \

home.admin/config.scripts/internet.selfsignedcert.sh

@@ -2,17 +2,29 @@
 
 # script to create a self-signed SSL certificate
 
-sudo -u bitcoin mkdir /mnt/hdd/app-data/selfsignedcert
+# command info
-cd /mnt/hdd/app-data/selfsignedcert || exit 1
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "config script to create a self-signed SSL certificate"
+  echo "internet.selfsignedcert.sh [create|reset]"
+  exit 1
+fi
 
-echo "# Create a self signed SSL certificate"
+CERT_DIR="/mnt/hdd/app-data/selfsignedcert"
-localip=$(hostname -I | awk '{print $1}')
+CERT_FILE="${CERT_DIR}/selfsigned.cert"
 
-sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
+create_self_signed_cert() {
-#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+  sudo mkdir -p "${CERT_DIR}"
-#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+  sudo chown -R bitcoin:bitcoin "${CERT_DIR}"
+  cd /mnt/hdd/app-data/selfsignedcert || exit 1
 
-echo "
+  echo "# Create a self signed SSL certificate"
+  localip=$(hostname -I | awk '{print $1}')
+
+  sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
+  #https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+  #https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+
+  echo "
 [req]
 prompt             = no
 default_bits       = 2048
@@ -42,5 +54,41 @@ DNS.2   = 127.0.0.1
 DNS.3   = $localip
 " | sudo -u bitcoin tee localhost.conf
 
-sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
+  sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
     -out selfsigned.cert -days 3650 -config localhost.conf
+}
+
+check_certificate_validity() {
+  if openssl x509 -checkend 86400 -noout -in "${CERT_FILE}"; then
+    echo "# The certificate is valid for more than one day, keeping it."
+    return 0
+  else
+    echo "# The certificate is invalid, expired or will expire within a day. Regenerating."
+    return 1
+  fi
+}
+
+if [ "$1" = create ]; then
+  if [[ -f "${CERT_DIR}/selfsigned.cert" && -f "${CERT_DIR}/selfsigned.key" ]]; then
+    if ! check_certificate_validity; then
+      create_self_signed_cert
+    fi
+  else
+    # the certificate doesn't exist, so create it
+    create_self_signed_cert
+  fi
+  exit 0
+fi
+
+if [ "$1" = reset ]; then
+  echo "# Make sure the old certificate is not present"
+  sudo rm -f "${CERT_DIR}/selfsigned.cert"
+  sudo rm -f "${CERT_DIR}/selfsigned.key"
+
+  create_self_signed_cert
+
+  exit 0
+fi
+
+echo "# FAIL - Unknown Parameter $1"
+exit 1