From c92933bfa2d95533ea5c8650ff4d40b6621e600f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 4 Mar 2019 23:52:30 +0100
Subject: [PATCH] =?utf8?q?Use=20Let=E2=80=99s=20encrypt=20for=20taskwarrio?= =?utf8?q?r?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 nixops/modules/task/default.nix | 54 ++++++++++++++++++++++++++++++-
 nixops/modules/task/www/index.php | 24 +++++++++++++-
 2 files changed, 76 insertions(+), 2 deletions(-)
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 2fd61aa..ac16c62 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -193,6 +193,32 @@ in {
 install -m 0750 -o ${user} -g ${group} -d ${vardir}
 install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
 install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+
+ if [ ! -e "${vardir}/keys/ca.key" ]; then
+ silent_certtool() {
+ if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+ echo "GNUTLS certtool invocation failed with output:" >&2
+ echo "$output" >&2
+ fi
+ }
+
+ silent_certtool -p \
+ --bits 4096 \
+ --outfile "${vardir}/keys/ca.key"
+
+ silent_certtool -s \
+ --template "${pkgs.writeText "taskserver-ca.template" ''
+ cn = ${fqdn}
+ expiration_days = -1
+ cert_signing_key
+ ca
+ ''}" \
+ --load-privkey "${vardir}/keys/ca.key" \
+ --outfile "${vardir}/keys/ca.cert"
+
+ chown :${group} "${vardir}/keys/ca.key"
+ chmod g+r "${vardir}/keys/ca.key"
+ fi
 '';
 };
@@ -201,6 +227,10 @@ in {
 allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
 inherit fqdn;
 listenHost = "::";
+ pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+ pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
+ pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
+ pki.manual.server.key = "/var/lib/acme/task/key.pem";
 requestLimit = 104857600;
 };
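Review bot: `silent_certtool` masks certtool failures: when certtool exits non-zero the function only echoes the captured output, so its own status is that of the last `echo` (0), the script continues into `silent_certtool -s`, `chown` and `chmod` against a key that may not exist, and on the next run the `[ ! -e "${vardir}/keys/ca.key" ]` guard skips regeneration if a partial file was left behind. Add `return 1` after `echo "$output" >&2` and abort the block when either call fails, removing the partial key so the guard can retry. Depending on certtool's default output mode the private key may be world-readable until the `chmod`; `chmod 0640 "${vardir}/keys/ca.key"` (an absolute mode) rather than `g+r` at least ends in a known state, and a short comment on why the owner stays root while only the group is changed would help. `expiration_days = -1` asks certtool for a CA certificate with no expiry, which is a deliberate choice worth a one-line comment.
```nix
              silent_certtool() {
                if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
                  echo "GNUTLS certtool invocation failed with output:" >&2
                  echo "$output" >&2
                  return 1
                fi
              }

              silent_certtool -p \
                --bits 4096 \
                --outfile "${vardir}/keys/ca.key" || { rm -f "${vardir}/keys/ca.key"; exit 1; }

              # … unchanged: silent_certtool -s --template … --outfile ca.cert (add the same `|| { rm -f …; exit 1; }` guard) …

              chown :${group} "${vardir}/keys/ca.key"
              chmod 0640 "${vardir}/keys/ca.key"
```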
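Review bot: `pki.manual.server.crl = "/var/lib/acme/task/invalid.crl"` points into the ACME directory, which holds no CRL, and the name reads like a placeholder; whether taskd refuses to start or simply performs no revocation checking when that file is absent is not visible here, so either generate a CRL alongside `ca.cert` in the generation script above or leave a comment explaining why a non-existent path is acceptable. `/var/lib/acme/task/key.pem` will be read by the taskserver user, which presumably needs group access to that ACME directory, and a renewed certificate needs taskd to be restarted to pick it up; neither is part of this hunk, so a comment naming where those are configured (or adding them) would make the switch to ACME complete.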
@@ -228,7 +258,29 @@ in {
 data.location=${taskwarrior-web.varDir}/${name}
 taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
 taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
- taskd.ca=${vardir}/keys/server.cert
+ # IdenTrust DST Root CA X3
+ # obtained here: https://letsencrypt.org/fr/certificates/
+ taskd.ca=${pkgs.writeText "ca.cert" ''
+ -----BEGIN CERTIFICATE-----
+ MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+ DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+ PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+ Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+ rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+ OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+ xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+ 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+ aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+ HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+ SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+ AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+ R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+ JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+ -----END CERTIFICATE-----''}
 taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
 taskd.credentials=${credentials}
 dateformat=${dateFormat}
diff --git a/nixops/modules/task/www/index.php b/nixops/modules/task/www/index.php
index 829cdd0..deaf8af 100644
--- a/nixops/modules/task/www/index.php
+++ b/nixops/modules/task/www/index.php
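Review bot: `taskd.ca` is pinned to a single root certificate pasted inline, and the identical PEM block is pasted a second time into `index.php` in the next hunk, so two hand-maintained copies now have to agree. Decoding the UTCTime fields in the third base64 line (`...MB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow`) gives a validity of 2000-09-30 to 2021-09-30, and the `# obtained here:` comment shows it simply mirrors whatever chain Let's Encrypt published at the time, so clients that validate the ACME-issued server certificate against only this file will break when that root expires or the issuer's chain changes. Prefer one source of truth that tracks the issuer: a system trust bundle such as `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` if `taskd.ca` accepts a bundle, or at minimum a single `pkgs.writeText` (or a file under `${vardir}/keys`) that both this configuration and the PHP read. Whichever is chosen, extend the comment to name the certificate's subject and expiry so the next reader can tell when it must be rotated.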
@@ -40,7 +40,29 @@ if (isset($_GET["file"])) {
 }
 $certificate = file_get_contents($basecert . ".cert.pem");
 $cert_key = file_get_contents($basecert . ".key.pem");
- $server_cert = file_get_contents($vardir . "/keys/server.cert");
+
+ // IdenTrust DST Root CA X3
+ // obtained here: https://letsencrypt.org/fr/certificates/
+ $server_cert = "-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----";
 $file = $_GET["file"];
 switch($file) {
-- 
2.41.0