add option to reset the self-signed tls certificate (#4412)

* add option to reset the self-signed tls certificate
2025-02-28 16:58:03 +01:00 · 2024-02-15 08:27:31 +00:00 · 2024-02-15 08:27:31 +00:00 · 26d5e18e7d
commit 26d5e18e7d
parent 6d4784bba8
4 changed files with 68 additions and 14 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -2,6 +2,7 @@

 - New: RaspberryPi5 tested & enabling NVMe PCIe Hats
 - New: BTCPay Server PostgreSQL database backup and restore options [details](https://github.com/raspiblitz/raspiblitz/pull/4409)
+- New: Reset option for the self-signed TLS certificate [details](https://github.com/raspiblitz/raspiblitz/pull/4412)
 - Update: RaspberryOS base image 2023-12-05 (Debian 12 Bookworm)
 - Update: amd64 base image: debian-12.5.0-amd64-netinst.iso
 - Update: Bitcoin Core v26.0 [details](https://bitcoincore.org/en/releases/26.0/)
--- a/home.admin/99connectMenu.sh
+++ b/home.admin/99connectMenu.sh
@ -34,6 +34,9 @@ if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then
  OPTIONS+=(RESET "Recreate LND Macaroons & tls.cert")
  OPTIONS+=(SYNC "Sync Macaroons & tls.cert with Apps/Users")
 fi
+if [ -f /mnt/hdd/app-data/selfsignedcert/selfsigned.cert ]; then
+  OPTIONS+=(RESET-TLS "Reset the self-signed TLS certificate")
+fi

 CHOICE_HEIGHT=$(("${#OPTIONS[@]}/2+1"))
 HEIGHT=$((CHOICE_HEIGHT+6))
@ -75,7 +78,9 @@ case $CHOICE in
  EXPORT)
    sudo /home/admin/config.scripts/lnd.export.sh
    exit 0;;
-
+  RESET-TLS)
+    sudo /home/admin/config.scripts/internetselfsignedcert.sh reset
+    exit 0;;
  ALBY)
    /home/admin/config.scripts/bonus.alby.sh
    exit 0;
--- a/home.admin/config.scripts/blitz.web.sh
+++ b/home.admin/config.scripts/blitz.web.sh
@ -138,7 +138,7 @@ elif [ "$1" = "https-on" ]; then
      echo "# exists /mnt/hdd/app-data/nginx/tls.cert"

      # create a self-signed cert if the LND cert is not present
-      /home/admin/config.scripts/internet.selfsignedcert.sh   
+      /home/admin/config.scripts/internet.selfsignedcert.sh create

      sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.cert \
                  /mnt/hdd/app-data/nginx/tls.cert
--- a/home.admin/config.scripts/internet.selfsignedcert.sh
+++ b/home.admin/config.scripts/internet.selfsignedcert.sh
@ -2,17 +2,29 @@

 # script to create a self-signed SSL certificate

-sudo -u bitcoin mkdir /mnt/hdd/app-data/selfsignedcert
-cd /mnt/hdd/app-data/selfsignedcert || exit 1
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "config script to create a self-signed SSL certificate"
+  echo "internet.selfsignedcert.sh [create|reset]"
+  exit 1
+fi

-echo "# Create a self signed SSL certificate"
-localip=$(hostname -I | awk '{print $1}')
+CERT_DIR="/mnt/hdd/app-data/selfsignedcert"
+CERT_FILE="${CERT_DIR}/selfsigned.cert"

-sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
-#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
-#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+create_self_signed_cert() {
+  sudo mkdir -p "${CERT_DIR}"
+  sudo chown -R bitcoin:bitcoin "${CERT_DIR}"
+  cd /mnt/hdd/app-data/selfsignedcert || exit 1

-echo "
+  echo "# Create a self signed SSL certificate"
+  localip=$(hostname -I | awk '{print $1}')
+
+  sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
+  #https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+  #https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+
+  echo "
 [req]
 prompt             = no
 default_bits       = 2048
@ -42,5 +54,41 @@ DNS.2   = 127.0.0.1
 DNS.3   = $localip
 " | sudo -u bitcoin tee localhost.conf

-sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
+  sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
    -out selfsigned.cert -days 3650 -config localhost.conf
+}
+
+check_certificate_validity() {
+  if openssl x509 -checkend 86400 -noout -in "${CERT_FILE}"; then
+    echo "# The certificate is valid for more than one day, keeping it."
+    return 0
+  else
+    echo "# The certificate is invalid, expired or will expire within a day. Regenerating."
+    return 1
+  fi
+}
+
+if [ "$1" = create ]; then
+  if [[ -f "${CERT_DIR}/selfsigned.cert" && -f "${CERT_DIR}/selfsigned.key" ]]; then
+    if ! check_certificate_validity; then
+      create_self_signed_cert
+    fi
+  else
+    # the certificate doesn't exist, so create it
+    create_self_signed_cert
+  fi
+  exit 0
+fi
+
+if [ "$1" = reset ]; then
+  echo "# Make sure the old certificate is not present"
+  sudo rm -f "${CERT_DIR}/selfsigned.cert"
+  sudo rm -f "${CERT_DIR}/selfsigned.key"
+
+  create_self_signed_cert
+
+  exit 0
+fi
+
+echo "# FAIL - Unknown Parameter $1"
+exit 1