elecrs: change to self signed SSL certificate

electrs/3_SSL.sh

@@ -4,27 +4,6 @@
 # To download and run:
 # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh
 
-# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
-# Need to forward port 80 to the IP of your RaspiBlitz for certbot
-# Forward port 50002 to be able to access you electrs from outside of your LAN
-
-# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
-
-echo ""
-echo "***"
-echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
-read YOUR_DOMAIN
-
-echo ""
-echo "***"
-echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
-read YOUR_EMAIL
-
-echo ""
-echo "***"
-echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" 
-read key
-
 echo ""
 echo "***"
 echo "installing Nginx"
@@ -34,70 +13,58 @@ echo ""
 sudo apt-get install -y nginx
 sudo /etc/init.d/nginx start
 
-echo "allow port 80 on ufw"
-sudo ufw allow 80
-
-# https://certbot.eff.org/lets-encrypt/debianother-nginx
 echo ""
 echo "***"
-echo "Installing certbot"
-echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
-echo "Use the default settings in the other options"
+echo "Create a self signed SSL certificate"
 echo "***"
 echo ""
 
-#wget https://dl.eff.org/certbot-auto
-#chmod +x certbot-auto
-#sudo ./certbot-auto --nginx
-
-sudo apt install -y certbot
-# get SSL cert
-sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
-
-
-# Your certificate and chain have been saved at:
-# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
-# Your key file has been saved at:
-# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
-
-echo ""
-echo "***"
-echo "Setting up certbot-auto renewal service"
-echo "***"
-echo ""
+#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
 
 echo "
-[Unit]
-Description=Certbot-auto renewal service
+[req]
+prompt=no
+default_bits       = 2048
+default_keyfile    = localhost.key
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+x509_extensions    = v3_ca
 
-[Timer]
-OnBootSec=20min
-OnCalendar=*-*-* 4:00:00
+[req_distinguished_name]
+countryName                 = Country Name (2 letter code)
+countryName_default         = US
+stateOrProvinceName         = State or Province Name (full name)
+stateOrProvinceName_default = New York
+localityName                = Locality Name (eg, city)
+localityName_default        = Rochester
+organizationName            = Organization Name (eg, company)
+organizationName_default    = localhost
+organizationalUnitName      = organizationalunit
+organizationalUnitName_default = Development
+commonName                  = Common Name (e.g. server FQDN or YOUR name)
+commonName_default          = localhost
+commonName_max              = 64
 
-[Install]
-WantedBy=timers.target
-" | sudo tee -a /etc/systemd/system/certbot.timer
+[req_ext]
+subjectAltName = @alt_names
 
-echo "
-[Unit]
-Description=Certbot-auto renewal service
-After=bitcoind.service
+[v3_ca]
+subjectAltName = @alt_names
 
-[Service]
-WorkingDirectory=/home/admin/
-ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
+[alt_names]
+DNS.1   = localhost
+DNS.2   = 127.0.0.1
+" | sudo tee /mnt/hdd/electrs/localhost.conf
 
-User=admin
-Group=admin
-Type=simple
-KillMode=process
-TimeoutSec=60
-Restart=always
-RestartSec=60
-" | sudo tee -a /etc/systemd/system/certbot.service
+cd /mnt/hdd/electrs
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
 
-sudo systemctl enable certbot.timer
+sudo cp localhost.crt /etc/ssl/certs/localhost.crt
+sudo cp localhost.key /etc/ssl/private/localhost.key
 
+echo ""
+echo "***"
 echo "Setting up nginx.conf"
 echo "***"
 echo ""
@@ -119,8 +86,8 @@ stream {
         server {
                 listen 50002 ssl;
                 proxy_pass electrs;
-                ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
-                ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
+                ssl_certificate /etc/ssl/certs/localhost.crt;
+                ssl_certificate_key /etc/ssl/private/localhost.key;
                 ssl_session_cache shared:SSL-electrs:1m;
                 ssl_session_timeout 4h;
                 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@@ -138,8 +105,8 @@ stream {
         server {
                 listen 50002 ssl;
                 proxy_pass electrs;
-                ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
-                ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
+                ssl_certificate /etc/ssl/certs/localhost.crt;
+                ssl_certificate_key /etc/ssl/private/localhost.key;
                 ssl_session_cache shared:SSL-electrs:1m;
                 ssl_session_timeout 4h;
                 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

electrs/certbot.sh

@@ -0,0 +1,84 @@
+# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
+# Need to forward port 80 to the IP of your RaspiBlitz for certbot
+# Forward port 50002 to be able to access you electrs from outside of your LAN
+
+# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
+
+echo ""
+echo "***"
+echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
+read YOUR_DOMAIN
+
+echo ""
+echo "***"
+echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
+read YOUR_EMAIL
+
+echo ""
+echo "***"
+echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" 
+read key
+
+echo "allow port 80 on ufw"
+sudo ufw allow 80
+
+# https://certbot.eff.org/lets-encrypt/debianother-nginx
+echo ""
+echo "***"
+echo "Installing certbot"
+echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
+echo "Use the default settings in the other options"
+echo "***"
+echo ""
+
+#wget https://dl.eff.org/certbot-auto
+#chmod +x certbot-auto
+#sudo ./certbot-auto --nginx
+
+sudo apt install -y certbot
+# get SSL cert
+sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
+
+
+# Your certificate and chain have been saved at:
+# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
+# Your key file has been saved at:
+# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
+
+echo ""
+echo "***"
+echo "Setting up certbot-auto renewal service"
+echo "***"
+echo ""
+
+echo "
+[Unit]
+Description=Certbot-auto renewal service
+
+[Timer]
+OnBootSec=20min
+OnCalendar=*-*-* 4:00:00
+
+[Install]
+WantedBy=timers.target
+" | sudo tee -a /etc/systemd/system/certbot.timer
+
+echo "
+[Unit]
+Description=Certbot-auto renewal service
+After=bitcoind.service
+
+[Service]
+WorkingDirectory=/home/admin/
+ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
+
+User=admin
+Group=admin
+Type=simple
+KillMode=process
+TimeoutSec=60
+Restart=always
+RestartSec=60
+" | sudo tee -a /etc/systemd/system/certbot.service
+
+sudo systemctl enable certbot.timer