2014-06-21 22:15:53 +00:00
|
|
|
|
#!/bin/bash
|
|
|
|
|
#
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# RSA private key, SSL certificate, Diffie-Hellman bits files
|
|
|
|
|
# -------------------------------------------
|
2014-10-04 21:57:26 +00:00
|
|
|
|
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# Create an RSA private key, a self-signed SSL certificate, and some
|
|
|
|
|
# Diffie-Hellman cipher bits, if they have not yet been created.
|
2014-06-21 22:15:53 +00:00
|
|
|
|
#
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# The RSA private key and certificate are used for:
|
2014-06-21 22:15:53 +00:00
|
|
|
|
#
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# * DNSSEC DANE TLSA records
|
2014-06-21 22:15:53 +00:00
|
|
|
|
# * IMAP
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# * SMTP (opportunistic TLS for port 25 and submission on port 587)
|
|
|
|
|
# * HTTPS
|
2014-06-21 22:15:53 +00:00
|
|
|
|
#
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
|
|
|
|
|
# also used for other domains served over HTTPS until the user installs a
|
|
|
|
|
# better certificate for those domains.
|
|
|
|
|
#
|
|
|
|
|
# The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
|
|
|
|
|
# Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
|
2020-11-04 14:25:25 +00:00
|
|
|
|
# provides Perfect Forward Secrecy.
|
2014-06-21 22:15:53 +00:00
|
|
|
|
|
|
|
|
|
source setup/functions.sh # load our functions
|
|
|
|
|
source /etc/mailinabox.conf # load global vars
|
|
|
|
|
|
2015-11-18 14:47:09 +00:00
|
|
|
|
# Show a status line if we are going to take any action in this file.
|
|
|
|
|
if [ ! -f /usr/bin/openssl ] \
|
|
|
|
|
|| [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ] \
|
|
|
|
|
|| [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \
|
|
|
|
|
|| [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
|
|
|
|
echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Install openssl.
|
|
|
|
|
|
2014-06-21 22:15:53 +00:00
|
|
|
|
apt_install openssl
|
|
|
|
|
|
2015-11-18 14:47:09 +00:00
|
|
|
|
# Create a directory to store TLS-related things like "SSL" certificates.
|
|
|
|
|
|
2014-06-21 22:15:53 +00:00
|
|
|
|
mkdir -p $STORAGE_ROOT/ssl
|
2020-11-05 15:03:29 +00:00
|
|
|
|
mkdir -p $STORAGE_ROOT/ssl-backup # creating a backup directory for ssl certs just to be safe
|
2015-11-17 20:41:13 +00:00
|
|
|
|
|
2014-10-04 21:57:26 +00:00
|
|
|
|
# Generate a new private key.
|
2015-11-17 20:41:13 +00:00
|
|
|
|
#
|
|
|
|
|
# The key is only as good as the entropy available to openssl so that it
|
|
|
|
|
# can generate a random key. "OpenSSL’s built-in RSA key generator ....
|
|
|
|
|
# is seeded on first use with (on Linux) 32 bytes read from /dev/urandom,
|
|
|
|
|
# the process ID, user ID, and the current time in seconds. [During key
|
|
|
|
|
# generation OpenSSL] mixes into the entropy pool the current time in seconds,
|
|
|
|
|
# the process ID, and the possibly uninitialized contents of a ... buffer
|
2015-11-17 21:55:14 +00:00
|
|
|
|
# ... dozens to hundreds of times."
|
2015-11-17 20:41:13 +00:00
|
|
|
|
#
|
|
|
|
|
# A perfect storm of issues can cause the generated key to be not very random:
|
|
|
|
|
#
|
2015-11-17 21:55:14 +00:00
|
|
|
|
# * improperly seeded /dev/urandom, but see system.sh for how we mitigate this
|
|
|
|
|
# * the user ID of this process is always the same (we're root), so that seed is useless
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# * zero'd memory (plausible on embedded systems, cloud VMs?)
|
|
|
|
|
# * a predictable process ID (likely on an embedded/virtualized system)
|
|
|
|
|
# * a system clock reset to a fixed time on boot
|
|
|
|
|
#
|
2015-11-17 21:55:14 +00:00
|
|
|
|
# Since we properly seed /dev/urandom in system.sh we should be fine, but I leave
|
|
|
|
|
# in the rest of the notes in case that ever changes.
|
2014-07-28 19:38:17 +00:00
|
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# Set the umask so the key file is never world-readable.
|
2014-07-16 13:06:45 +00:00
|
|
|
|
(umask 077; hide_output \
|
|
|
|
|
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
2014-06-21 22:15:53 +00:00
|
|
|
|
fi
|
2014-09-21 17:43:21 +00:00
|
|
|
|
|
2020-11-04 14:25:25 +00:00
|
|
|
|
# for Double TLSA scheme. More details here (https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html)
|
|
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/next_ssl_private_key.pem ]; then
|
|
|
|
|
# Set the umask so the key file is never world-readable.
|
|
|
|
|
(umask 077; hide_output \
|
|
|
|
|
openssl genrsa -out $STORAGE_ROOT/ssl/next_ssl_private_key.pem 2048)
|
|
|
|
|
fi
|
|
|
|
|
|
2015-11-18 14:33:12 +00:00
|
|
|
|
# Generate a self-signed SSL certificate because things like nginx, dovecot,
|
|
|
|
|
# etc. won't even start without some certificate in place, and we need nginx
|
|
|
|
|
# so we can offer the user a control panel to install a better certificate.
|
|
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
|
|
|
|
# Generate a certificate signing request.
|
|
|
|
|
CSR=/tmp/ssl_cert_sign_req-$$.csr
|
2014-07-16 13:06:45 +00:00
|
|
|
|
hide_output \
|
2015-11-18 14:33:12 +00:00
|
|
|
|
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \
|
2017-07-30 12:11:39 +00:00
|
|
|
|
-sha256 -subj "/CN=$PRIMARY_HOSTNAME"
|
2014-09-21 17:43:21 +00:00
|
|
|
|
|
2015-11-18 14:33:12 +00:00
|
|
|
|
# Generate the self-signed certificate.
|
2015-11-29 01:27:03 +00:00
|
|
|
|
CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem
|
2014-07-16 13:06:45 +00:00
|
|
|
|
hide_output \
|
2014-06-21 22:15:53 +00:00
|
|
|
|
openssl x509 -req -days 365 \
|
2015-11-29 01:27:03 +00:00
|
|
|
|
-in $CSR -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CERT
|
2015-11-18 14:33:12 +00:00
|
|
|
|
|
2015-11-29 01:27:03 +00:00
|
|
|
|
# Delete the certificate signing request because it has no other purpose.
|
|
|
|
|
rm -f $CSR
|
|
|
|
|
|
|
|
|
|
# Symlink the certificate into the system certificate path, so system services
|
|
|
|
|
# can find it.
|
|
|
|
|
ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
|
2014-06-21 22:15:53 +00:00
|
|
|
|
fi
|
|
|
|
|
|
2015-11-17 20:41:13 +00:00
|
|
|
|
# Generate some Diffie-Hellman cipher bits.
|
|
|
|
|
# openssl's default bit length for this is 1024 bits, but we'll create
|
|
|
|
|
# 2048 bits of bits per the latest recommendations.
|
2014-09-26 22:01:38 +00:00
|
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
|
|
|
|
openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
|
|
|
|
|
fi
|